We observe that the TCP connections are sometimes reset by Google Application Engine. The exact behavior is following:
TCP handshake is done (SYN, SYN/ACK, ACK)
Http POST is sent by client
Google Application servlet sends RST
See the attached screenshot. Any reason for that? Should we simply send the POST request again on client?
BR
STeN
Related
In Firefox 57 you can intercept the body of http requests as well as responses (using filterResponseData). Is it possible to do the same for web sockets?
I do not think you can use the API to look at the WebSocket communication.
The webRequestAPI only applies to the WebSocket handshake, which is still normal HTTP. But once the HTTP upgrade is complete, it will no longer be observable by the API.
To quote from a related bugfix on Chrome:
Support WebSocket in WebRequest API.
This CL makes WebRequest API support intercepting the WebSocket handshake
request. Since the handshake is done by means of an HTTP upgrade request, its
flow fits into HTTP-oriented WebRequest model. Additional restriction applies,
that WS request redirects triggered by extensions are ignored.
Note that WebRequest API does not intercept:
Individual messages sent over an established WebSocket connection.
WebSocket closing connection
As Mozilla typically tries to follow the Chrome extension, I would expect that Firefox should behave the same.
For servers written in tcp raw socket like nginx, how do servers correctly detect and handle non HTTP messages among HTTP messages(skip those bytes and move to the next valid http messages)?
It doesn't. If the first request on the connection doesn't start with a valid HTTP request line, it closes the connection. No other detection, no skipping, no moving to the next message.
A search for 'raw' at nginx.org returned no results.
I am currently designing a web application using AngularJS. In this I am fetching and posting data via Rest API(s) with different methods. The data I retrieving is fetched in the form of JSON.
Problem:
Issue here is, while I am using https, the data sent and received via HTTP requests can still be seen in proxy tool or traffic monitors. All the JSON can be easily read from this.
Each of my request has a token attached in it's header which takes care of authentication. However, once authorized, there is some part I don't want to be displayed in/ caught in such monitoring tools.
Question:
This data is stored in an encrypted way in database and all, however while coming via HTTP request, it is first decrypted and then sent. How can I hide/protect this data?
You can't.
If you give it to the client, then the client has to be able to see it.
If the user has configured their browser to proxy requests, then the proxy is the client.
Once the data leaves your server in an HTTP response then anyone/anything thing the user of the client wants to trust with that data can access it. You don't have control at that point.
proxy tool or traffic monitors will see https data only if the client has accepted the man-in-the-middle (MITM) by installing the ssl certificate used by the MITM:
To see the content (other than the host name) of an https connection, someone who is neither the client or the server must do a MITM.
If someone do a MITM with a certificate not trusted by the client, the client will reject the connection.
WARNING: If the server do NOT use HSTS, the person doing the MITM can do an SSLSTRIP attack if the first connection is http. In that case, the MITM do not need a trusted certificate because the connection will stay in plain text (http)
I am writing an apache module and I am wondering how to handle the case where my ap_rwrite tries to write something back to the client and the client does not respond to it.
Does the call to ap_rwrite block until that happens?
Can I set a timeout on that? If so, what is it called?
Thanks!
The client does not respond to server again. HTTP is a request-response protocol, the client send a request to the server and server sends a response to client. Client should not respond to server.
If you mean how to know if the client receives the response maybe you can alter the default timeout, but if the socket is closed or other network error, the function 'ap_rwrite' will notice you with an error.
I must develop proxy server that work with only HTTP 1.0 in Linux and by c .
I need some hint to start developing .
I assume you are confident in using linux and the language c (no hints for that, else don't start with developing a proxy)
Read and understand the RFC 1945 HTTP/1.0 (pay attention to the specific mentioning of proxy)
Determine what kind of proxy you want (web/caching/content-filter/anonymizer/transparent/non-transparent/reverse/gateway/tunnel/...)
Start developing the server
Basic steps
Open port
Listen on port
Get all request sent from the client to that port (maybe make the whole thing multithreaded to be able to handle more than 1 request at a time)
Determine if it is a valid HTTP 1.0 request
Extract the request components
Rebuild the request according to what type of proxy you are
Send the new request
Get the response
Send response to client
How to create a proxy server:
Open a port to listen on
Catch all incoming requests on that report
Determine the web address requested
Open a connection to the host and forward the request
Receive response
Send the response back to the requesting client
Additionally: Use threads to allow for multiple requests to the server.