
Comments (12)

dabeeeenster commented on August 20, 2024

It looks like that 403 response is coming directly from the AWS ELB and not the Bullet Train app server. We do offer enterprise support packages for self hosted deployments if that is of interest?

from flagsmith-dotnet-client.

andrewshawcare commented on August 20, 2024

We figured it out. There's a rule entitled NoUserAgent_HEADER in the AWSManagedCommonRuleSet core rule set for AWS web application firewall (WAF): https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-baseline

We have excluded the rule for now to allow for Bullet Train traffic, but ideally Bullet Train would use a User-Agent header to ensure we can prevent malicious web requests (and be compliant with the AWS WAF's most used rule set).

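A client-side fix for what andrewshawcare describes above, as an added example that is not code from this thread or from the flagsmith-dotnet-client project: a minimal C# HttpClient wrapper that always sends a User-Agent header next to the X-Environment-Key header seen in the captured request, so the WAF's NoUserAgent_HEADER rule has nothing to match. The class name FlagsClient, the host features.example.com, the product name and version string, and the placeholder environment key are all assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

// Hypothetical minimal flags client (not the flagsmith-dotnet-client's own code).
public sealed class FlagsClient
{
    private readonly HttpClient _http;

    public FlagsClient(Uri apiBase, string environmentKey, string productName, string productVersion)
    {
        // BaseAddress must end with "/" so the relative path "flags/" resolves under /api/v1/.
        _http = new HttpClient { BaseAddress = apiBase };

        // Header name taken from the raw request captured in the thread.
        _http.DefaultRequestHeaders.Add("X-Environment-Key", environmentKey);

        // Always identify the client. AWS WAF's NoUserAgent_HEADER rule matches requests
        // that carry no User-Agent header at all, so a descriptive product/version token
        // keeps SDK traffic from being blocked at the edge without relaxing the rule set.
        _http.DefaultRequestHeaders.UserAgent.Add(new ProductInfoHeaderValue(productName, productVersion));
    }

    // Returns the raw JSON body of GET {apiBase}flags/.
    public async Task<string> GetFlagsJsonAsync()
    {
        using HttpResponseMessage response = await _http.GetAsync("flags/");

        // A 403 that never reaches the app server is the symptom from the thread;
        // surface it with a hint instead of a generic failure.
        if (response.StatusCode == HttpStatusCode.Forbidden)
        {
            throw new HttpRequestException(
                "403 Forbidden before the API: check the WAF web ACL and confirm a User-Agent header was sent.");
        }

        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Assumed host and a placeholder environment key; substitute your own values.
        var client = new FlagsClient(
            new Uri("https://features.example.com/api/v1/"),
            "<environment-key>",
            "example-flags-client",
            "0.1");

        Console.WriteLine(await client.GetFlagsJsonAsync());
    }
}
```

On the WAF side, the alternative to excluding the rule outright is to override only that rule's action to Count in the web ACL, which keeps the rest of the managed rule group enforced and still logs the hits while the SDK is updated to send a User-Agent.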

dabeeeenster commented on August 20, 2024

Ah understood - that makes sense. I'll add a ticket to have SDK clients send user agents.


dabeeeenster commented on August 20, 2024

Thanks for the bug report - we'll take a look!


dabeeeenster commented on August 20, 2024

@malah-code are you able to reproduce this against the official hosted API?


malah-code commented on August 20, 2024

@dabeeeenster, thanks for the fast reply. I tested it with https://api.bullet-train.io/api/v1/ and it works. So are there any configs I missed in my own server setup? Are there any security/firewall things I should do?


dabeeeenster commented on August 20, 2024

It's hard to say without knowing exactly what your setup looks like. What version of the API are you running?


malah-code commented on August 20, 2024

Not sure where I could get the version.


dabeeeenster commented on August 20, 2024

Will make a point of adding version info to the API. Can you describe how you are running the API? Docker etc?


malah-code commented on August 20, 2024

AWS Container.
Also, I noticed that for the same request, if I add User-Agent: sdfsdf it works fine, but without a User-Agent it returns 403 Forbidden.

GET https://features.xyz.ca/api/v1/flags/ HTTP/1.1
X-Environment-Key: xyzxyzxyzxyzxyzxyzxyzxyzxyzxyzxy
User-Agent: sdfsdf
Host: features.xyz.ca


dabeeeenster commented on August 20, 2024

I'm not able to reproduce this, I'm afraid. Are you able to provide the exact two curl commands: one that fails and one that works?


malah-code commented on August 20, 2024

Here are both requests.
[two screenshots of the requests, not reproduced]

