network – Is there way to know what headers can be accepted by HTTP server?

No, not really. There is no part of the HTTP protocol where the server is expected to list headers it is interested in. It’s not common practice for servers to do either – I have never seen anything like that anywhere.

You could guess the name or try to brute force it. But unless the name is obvious, you are very unlikely to succeed since the brute force has to be done online, one HTTP request per guess.

If you have access to the source code (or even the binaries) that the server is running, you could find the answer there. Or perhaps some leaked documentation or social engineering could provide you with this information.

So if there is no obvious way to exploit this, does it mean that a bypass like that is a secure thing? Absolutely not. Expect your source code to be leaked. Secrets should be separate from source code, and easily replaced. A hardcoded backdoor like that is the opposite.

I don’t know if you were considering making one. But please don’t.

http – How to properly notify a client from the server side in Golang (broadcasting)?

url rewriting – IIS URL Rewrite http to https with multiple subfolder

How can I set the correct redirect for all subfolders?
At the moment everything is working properly, but some that are not found return to static.

This is what my wwwroot file looks like, can I just set up this web.config file?

Or do I have to configure a web.config file for each subfolder separately?

The current web.config I tried.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <defaultDocument>
            <files>
                <clear />
                <add value="Default.asp" />
                <add value="default.html" />
                <add value="index.php" />
                <add value="Default.htm" />
                <add value="index.htm" />
                <add value="index.html" />
                <add value="iisstart.htm" />
                <add value="default.aspx" />
            </files>
        </defaultDocument>
        <rewrite>
            <rules>
                <!-- Exclusion rule listed first, as a sibling: <rule> elements cannot be nested. -->
                <rule name="NoSSL - folder" enabled="true" stopProcessing="true">
                    <match url="^SubFolder1/.*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                    </conditions>
                    <action type="None" />
                </rule>
                <rule name="Http to HTTPS" enabled="true" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

hybrid solution – HTTP Error 400. The request hostname is invalid using SharePoint Application Proxy

Has anyone else experienced this error after completing the SharePoint Application Proxy deployment?

I have the Proxy connector set up and I have added all the required information in my Azure Active Directory (Internal URL and SPN for SSO). When I run the Test Application Proxy Configuration report, I have all green checkmarks (picture below). So I am confused as to why I am getting this error.

REST call (HTTP) to get ALL files (including from all sub-folders of sub-folders) starting from a certain SharePoint Path

I need to write the HTTP query (will call it from a Python script) to get ALL the files (including from all sub-folders of sub-folders) starting from a specific SharePoint Path. I need to run this on a SharePoint 2016 installation.

My Path is something like: https://<my-sharepoint-host>/<subsite>/<library-name>/folder1/sub-folder1

I’ve been making a lot of attempts around this:

https://<my-sharepoint-host>/<subsite>/_api/web/Lists/GetByTitle('<library-name>')/items?$select=FileLeafRef,File&$expand=File

I could obtain a long list of items (files and folders) with the needed info; below is an extract from such an item:

...
, {
    "odata.type": "SP.Data.EngineeringItem",
    "File": {
        "odata.type": "SP.File",
        "Name": "sample.pptx",
        "ServerRelativeUrl": "<my-sharepoint-host>/<subsite>/<library-name>/some-other-folder-path/.../not-needed.pptx",
    },
    "FileLeafRef": "sample.pptx"
},

...
, {
    "odata.type": "SP.Data.EngineeringItem",
    "File": {
        "odata.type": "SP.File",
        "Name": "sample.pptx",
        "ServerRelativeUrl": "<my-sharepoint-host>/<subsite>/<library-name>/folder1/sub-folder1/needed.docx",
    },
    "FileLeafRef": "sample.pptx"
},

THE PROBLEM is that I cannot filter them more than this. I’m getting the content of the whole library, and I can’t figure out how to filter based on the folder path (in my example, folder1/sub-folder1).

How could I do that?

I tried adding &$filter=... but I could not figure out how to refer to the ServerRelativeUrl field.

Also, where could I find a list of accepted values to use with ?$select=...?

Thank you.

document library – SharePoint Rest API(add file) request returning http 500 when using Transfer-Encoding chunked

I’m hitting my SharePoint online site, to add files to the ‘Shared Documents’ list.

Trying from Postman, I can get the access token (https://accounts.accesscontrol.windows.net/xxxxxxx-xxxx-xxxxx-xxxxx-xxxxxxxx/tokens/OAuth/2) and also add a file to SharePoint successfully (_api/web/getfolderbyserverrelativeurl('Shared Documents')/Files/add(overwrite=true, url='myfile.json')).

But we have an API gateway here, and when it receives our requests, it adds a Transfer-Encoding:chunked header to the target (SharePoint in this case). It is a rule from our API gateway.

So, if I try to send by Postman, for example, a request (either token or add file) with the Transfer-Encoding:chunked header, I’m getting HTTP 500, with body (application/json;odata=nometadata):

{
   "odata.error": {
       "code": "-1, System.IO.IOException",
       "message": {
          "lang": "en-US",
          "value": "I/O error occurred."
       }
   }
}

My request:

POST mySPsite/_api/web/getfolderbyserverrelativeurl('Shared Documents')/Files/add(overwrite=true, url='myfile.json')
Content-Type: application/json
Authorization: Bearer 'mytokendata'
Accept: application/json;odata=nometadata
Transfer-Encoding: chunked
User-Agent: PostmanRuntime/7.13.0
Cache-Control: no-cache
Postman-Token: cf5b880a-159e-4570-aff6-a357c3ead08d
Host: mySPHost
Connection: keep-alive

Response:

HTTP/1.1 500
status: 500
Cache-Control: private, max-age=0
Transfer-Encoding: chunked
Content-Type: application/json;odata=nometadata;streaming=true;charset=utf-8
Expires: Wed, 30 Jun 2021 16:04:52 GMT
Last-Modified: Thu, 15 Jul 2021 16:04:52 GMT
Vary: Origin
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-SharePointHealthScore: 0
X-SP-SERVERSTATE: ReadOnly=0
DATASERVICEVERSION: 3.0
SPClientServiceRequestDuration: 30
X-AspNet-Version: 4.0.30319
SPRequestGuid: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
request-id: xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
MS-CV: xxxxxxxxxxxxxo/dBHw.0
Strict-Transport-Security: max-age=31536000
X-FRAME-OPTIONS: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com;
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 16.0.0.21430
X-Content-Type-Options: nosniff
X-MS-InvokeApp: 1; RequireReadOnly
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: xxxxxxxxxxxxxxxxxxxxxx Ref B: xxxxxxxxxxx Ref C: 2021-07-15T16:04:52Z
Date: Thu, 15 Jul 2021 16:04:51 GMT

How can I deal with Transfer-Encoding:chunked? Is there a solution for this case?

Prevent Firefox from sending a user-agent string in HTTP requests

go – How to properly implement a http endpoint processing in Golang

I am currently building an API to do some HTTP endpoint processing in Go. I have a snippet already prepared. I need some insights on how to make it better built, and if there are issues in the code I should address, please indicate them as well. Golang users, please review and advise:

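package endpoints

import (
    "database/sql"
    "errors"
    "net/http"
    "net/url"
    "os"

    echo "github.com/labstack/echo/v4"
)

var dbURL = os.Getenv("DB_URL")

func AddRoutes(g *echo.Group) {
    g.GET("/:id/info", getDatasetMeta)
}

func getDatasetMeta(c echo.Context) error {
    if ok, err := authenticateRequest(c.Request()); err != nil {
        return err
    } else if !ok {
        return echo.NewHTTPError(http.StatusForbidden)
    }

    id := c.Param("id")

    // url.JoinPath keeps the "//" after the scheme; path.Join would collapse it.
    target, err := url.JoinPath(dbURL, "datasets", id, "info")
    if err != nil {
        return err
    }

    dbResp, err := http.Get(target)
    if err != nil {
        return err
    }
    // Release the upstream connection once the body has been streamed.
    defer dbResp.Body.Close()

    return c.Stream(dbResp.StatusCode, dbResp.Header.Get("Content-Type"), dbResp.Body)
}

func authenticateRequest(r *http.Request) (bool, error) {
    sessCookie, err := r.Cookie("session_id")
    if err != nil {
        return false, err
    }

    db, err := getDBConn()
    if err != nil {
        return false, err
    }

    // Scan needs one destination per selected column, so select a single
    // constant instead of "*" and scan it into a variable.
    var found int
    row := db.QueryRowContext(r.Context(), "SELECT 1 FROM sessions WHERE cookie = ?", sessCookie.Value)
    if err = row.Scan(&found); errors.Is(err, sql.ErrNoRows) {
        // Unknown session: not authenticated, but not a server error.
        return false, nil
    } else if err != nil {
        return false, err
    }

    return true, nil
}

func getDBConn() (*sql.DB, error) {
    // The body of this function was not included in the post.
    return nil, errors.New("getDBConn: body not included in the original post")
}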

The code is to process an HTTP endpoint to perform a simple web scraping task. I am new to Go and would really appreciate some comments. Thanks a million!
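
One review point for the handler above, as an added example that is not part of the original post: the `id` path parameter is client-controlled and is placed straight into the URL of the internal request, so it should be validated before the URL is built. The ID format in `datasetID`, the names `NaiveURL` and `UpstreamURL`, and the sample base URL are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"regexp"
)

// datasetID is an assumed ID format (letters, digits, '-' and '_', at most
// 64 characters). Tighten it to whatever the real service issues.
var datasetID = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// ErrBadID is returned for any id that does not match datasetID.
var ErrBadID = errors.New("invalid dataset id")

// NaiveURL reproduces the post's path.Join call, for comparison only.
// path.Join cleans the result: "//" collapses to "/" and ".." elements
// remove whatever precedes them, including the host.
func NaiveURL(base, id string) string {
	return path.Join(base, "datasets", id, "info")
}

// UpstreamURL rejects ids containing '/', '.', '?', '#' or anything else
// outside the allow-list, then joins the path without touching the scheme.
func UpstreamURL(base, id string) (string, error) {
	if !datasetID.MatchString(id) {
		return "", ErrBadID
	}
	return url.JoinPath(base, "datasets", id, "info")
}

func main() {
	base := "http://db.internal:8080" // constructed sample value
	for _, id := range []string{"42", "..", "../../admin", "a/b", "x?y=1"} {
		safe, err := UpstreamURL(base, id)
		fmt.Printf("id=%q\n  naive: %q\n  safe:  %q err=%v\n",
			id, NaiveURL(base, id), safe, err)
	}
}
```

In the echo handler, an `ErrBadID` result would map to `echo.NewHTTPError(http.StatusBadRequest)` before any upstream request is made.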

nginx doesn’t convert header to http_ variable

According to http://nginx.org/en/docs/http/ngx_http_core_module.html#http nginx takes http headers, does some conversions (set a prefix, replace dash with underscore) and provides them as variables:

arbitrary request header field; the last part of a variable name is the field name converted to
lower case with dashes replaced by underscores

I want to make use of such a variable like this:

location /whoami {
  add_header Content-Type text/plain;
  set $user "You are ${http_x_ssl_client_s_dn} and authenticating to ${host} and ${http_foo}.";
  return 200 $user;
}

I can be absolutely sure that the clientauth variable is set, but I receive this response: You are and authenticating to server and .

When I check if the header to variable conversion takes place even the second variable doesn’t exist. curl -H foo=bla https://server/whoami returns You are and authenticating to server and .. In this scenario I would have expected ... and bla.

This makes me think that the conversion is disabled, perhaps due to a configuration error or security setting that is on by default. But I didn’t find a way to enable it.

I’m using nginx 1.18.0 on Ubuntu 20.04.

google cloud platform – HTTP Status 405 – Method Not Allowed when using Spring boot application and GCP load Balancer

I have an application made in Spring Boot; it recovers data from a remote PostgreSQL database. It works well locally (from local app to local db), from local host to remote db and with all resources on GCP cloud (VM with Tomcat server that hosts the application and with a Cloud SQL for PostgreSQL database). The last part of my PoC is to host my application in my instance group with a load balancer attached. When I reach my load balancer I can see my welcome page where I use Spring Security to log in, but it isn't working; I receive the following error:

HTTP Status 405 – Method Not Allowed

Type Status Report

Message Request method 'POST' not supported

Description The method received in the request-line is known by the origin server but not supported by the target resource.
Apache Tomcat/9.0.30

Later I tried to reach my instance directly (with the IP of one of the VMs of the instance group) without the load balancer and the app runs successfully. What could the error be? I am almost sure that it is a load balancer issue. This is the LB Terraform code:

provider "google-beta" {
  project     = var.project
  region      = "us-central1"
  credentials = var.credentials
}

resource "google_compute_region_ssl_certificate" "ssl-crt" {
  provider    = google-beta
  project     = var.project
  name_prefix = "my-certificate-"
  region      = var.lb_region
  private_key = file("lb_http/certificate/privateKey.key")
  certificate = file("lb_http/certificate/certificate.crt")

  lifecycle {
    create_before_destroy = true
  }
}

resource "google_compute_forwarding_rule" "lb-front-HTTP" {
  provider              = google-beta
  project               = var.project
  name                  = var.lb_front_name
  load_balancing_scheme = "INTERNAL_MANAGED"
  port_range            = var.lb_front_port_range
  target                = google_compute_region_target_http_proxy.lb-proxy-http.self_link
  region                = var.lb_region
  network               = var.lb_network
  subnetwork            = var.lb_subnetwork
  # ip_address            = "10.10.20.5"
}

resource "google_compute_forwarding_rule" "lb-front-HTTPS" {
  provider              = google-beta
  project               = var.project
  name                  = "lb-https-front"
  port_range            = "443"
  load_balancing_scheme = "INTERNAL_MANAGED"
  # ip_address            = "10.10.20.5"
  target     = google_compute_region_target_https_proxy.lb-proxy-https.self_link
  region     = var.lb_region
  network    = var.lb_network
  subnetwork = var.lb_subnetwork
}


resource "google_compute_region_target_http_proxy" "lb-proxy-http" {
  provider = google-beta
  name     = var.lb_proxy_name
  region   = var.lb_region
  project  = var.project
  url_map  = google_compute_region_url_map.lb_url_map.self_link
}

resource "google_compute_region_target_https_proxy" "lb-proxy-https" {
  provider         = google-beta
  name             = "test-proxy"
  region           = var.lb_region
  project          = var.project
  url_map          = google_compute_region_url_map.lb_url_map.self_link
  ssl_certificates = [google_compute_region_ssl_certificate.ssl-crt.id]
}


resource "google_compute_region_url_map" "lb_url_map" {
  provider        = google-beta
  project         = var.project
  name            = var.url_map_name
  region          = var.lb_region
  default_service = google_compute_region_backend_service.lb-backend.self_link
}


resource "google_compute_region_backend_service" "lb-backend" {
  provider              = google-beta
  name                  = var.lb_backend_name
  region                = var.lb_region
  project               = var.project
  load_balancing_scheme = "INTERNAL_MANAGED"
  port_name             = var.lb_backend_port_name
  protocol              = var.lb_backend_protocol
  timeout_sec           = var.lb_backend_timeout
  health_checks         = (var.healthcheck_output)
  locality_lb_policy    = "ROUND_ROBIN"

  backend {
    group           = var.ig_id
    balancing_mode  = "UTILIZATION"
    capacity_scaler = 1.0
  }
}

Thx so much.
