addProxyRule and insecure rest/info checks

04-10-2014 09:13 AM
MattLane
Occasional Contributor II
I recently added an ArcGIS Server layer to a web app where the source does not support https. I've set up the addProxyRule, configured the proxy config, and the layer loads just fine and I can see the proxy being used in the network traffic.

However, the initial request to the rest/info?f=json is always without using the proxy, and it causes my page to lose its end-to-end security because it 'displays insecure content'. Is this a bug in the api? It exists in 3.7, 3.8, 3.9.

require(['esri/urlUtils', 'esri/layers/FeatureLayer'], function (urlUtils, FeatureLayer) {
  urlUtils.addProxyRule({ proxyUrl: '/proxy/proxy.ashx', urlPrefix: 'gis.fema.gov' }); // route gis.fema.gov requests through the same-origin proxy
  var fl = new FeatureLayer('http://gis.fema.gov/REST/services/NSS/FEMA_NSS/MapServer/0');
});


The page at 'https://<MYURL>' was loaded over HTTPS, but displayed insecure content from 'http://gis.fema.gov/REST/info?f=json': this content should also be loaded over HTTPS.
8 Replies
MattLane
Occasional Contributor II
To summarize, I can't use the proxy in an https site to load AGS services from a non-https site without getting the mixed content warnings and scaring away security conscious users.

The first call to the host server for server info/capabilities just never seems to use the proxy.

Would love to hear from ESRI about this.
JohnGravois
Frequent Contributor
hi matt,

the request you're referring to is made automatically by the API to gauge whether or not the remote server supports CORS (and whether subsequent POSTs across domains would require the use of a proxy).

i'm not sure if in designing the API anyone intended that it should be possible to ensure that you could guarantee that the second leg of all traffic to a particular server could be encrypted to give end users the perception that encryption was in place end to end.  If SSL is a concern to end users and you intend on hosting an application over HTTPS, it's probably worth configuring your servers to support it as well.
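The behaviour described in the original post and in the reply above (the layer query honours the proxy rule, the automatic rest/info CORS probe does not) can be checked before deployment with a small mixed-content audit. This is an added example, not code from the thread or from the ArcGIS API: the prefix-matching of proxy rules is modelled here as an assumption, the page origin is a constructed stand-in for https://<MYURL>, and the `honoursProxy` flag is a hypothetical input standing in for the API's own decision.

```javascript
// Added example: audit which requests from an https page would be fetched
// over plain http despite the registered proxy rules. Not ArcGIS API code.
const PAGE_ORIGIN = 'https://app.example.test'; // constructed, stands in for https://<MYURL>

// Proxy rules as registered with urlUtils.addProxyRule in the original post.
const proxyRules = [{ proxyUrl: '/proxy/proxy.ashx', urlPrefix: 'gis.fema.gov' }];

// Strip the scheme so 'gis.fema.gov/REST/...' can be compared against urlPrefix.
function stripScheme(url) {
  return url.replace(/^https?:\/\//i, '');
}

// URL the browser would actually fetch. Assumption: a rule applies when the
// scheme-less request URL starts with urlPrefix AND the request is one the
// API routes through the proxy (honoursProxy); the Esri proxy convention is
// proxy.ashx?<target url>.
function effectiveUrl(requestUrl, honoursProxy, rules = proxyRules) {
  const rule = rules.find(r => stripScheme(requestUrl).startsWith(r.urlPrefix));
  if (rule && honoursProxy) {
    return PAGE_ORIGIN + rule.proxyUrl + '?' + requestUrl;
  }
  return requestUrl;
}

// A fetch from an https page is mixed content when the effective URL is http.
function isMixedContent(pageOrigin, effective) {
  return pageOrigin.startsWith('https://') && /^http:\/\//i.test(effective);
}

// Audit a list of {url, honoursProxy} requests; returns the request URLs that
// would trigger the browser's insecure-content warning.
function auditRequests(requests, pageOrigin = PAGE_ORIGIN) {
  return requests
    .map(r => ({ url: r.url, effective: effectiveUrl(r.url, r.honoursProxy) }))
    .filter(r => isMixedContent(pageOrigin, r.effective))
    .map(r => r.url);
}

// Constructed sample: the two requests from the thread. The layer query goes
// through the proxy; the server-info probe (rest/info?f=json) does not.
const sampleRequests = [
  { url: 'http://gis.fema.gov/REST/services/NSS/FEMA_NSS/MapServer/0/query?f=json', honoursProxy: true },
  { url: 'http://gis.fema.gov/REST/info?f=json', honoursProxy: false },
];

console.log(auditRequests(sampleRequests)); // → [ 'http://gis.fema.gov/REST/info?f=json' ]
```

Only the rest/info probe is reported, which matches the browser warning quoted in the original post; an https-capable host, or a relay that fronts the probe as well, would empty the list.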
MattLane
Occasional Contributor II
Hey John, thanks for the reply.

Unless I'm missing what you are saying, my problem isn't my own servers, they are all ssl enabled and fully certed, it's requesting layers from others (namely gis.fema.gov, see example). Using the proxy on my server for services on that server works great, it's the initial check for CORS that you mentioned that disregards the proxy and causes me the http over https warning that is giving me indigestion.

It seems my options are either go forward with warnings from the browser, convince fema to enable https traffic on their servers, or create a custom proxy on my servers.
JohnGravois
Frequent Contributor
matt,
thanks for the clarification.  i definitely appreciate the difficulty given that you don't administer all the services leveraged in your application, but the recommendation when designing SSL sites is definitely consistent use of the protocol (to avoid the exact problem you are running into).
MichaelVolz
Esteemed Contributor
What does it mean to create a custom proxy on my servers?

Does it mean just adding an additional URL reference in the proxy.config file that might be found in a Proxy folder on the webserver?

<serverUrl url="http://gis.fema.gov/REST/services/NSS/FEMA_NSS/MapServer/0"
                   matchAll="false"/>
MattLane
Occasional Contributor II
the recommendation when designing SSL sites is definitely consistent use of the protocol

Sorry if I sound frustrated, but it would be consistent use of the protocol if the CORS check honored the proxy rule. Why allow me to set a proxy rule for a service and then not use it for all calls to that service?
MattLane
Occasional Contributor II
What does it mean to create a custom proxy on my servers?

Does it mean just adding an additional URL reference in the proxy.config file that might be found in a Proxy folder on the webserver?

<serverUrl url="http://gis.fema.gov/REST/services/NSS/FEMA_NSS/MapServer/0"
                   matchAll="false"/>


I was referring to making my own web service, similar in function to the esri proxy, that would just relay and return all requests to a specific third party service.
JohnGravois
Frequent Contributor
matt,

no need to apologize.  i understand where you're coming from.  by 'consistent use of protocol', i was referring to hardcoding or using protocol relative urls to ensure that only https resources are requested from https apps.  this isn't the same as attempting to intercept all requests to specific http resources and pass them through an https proxy instead.

the sticking point here is that you had an expectation that using .addProxyRule() would guarantee each and every request made to a particular url would use a proxy and it just doesn't work that way currently.