Trusted Intermediary connecting to ES through private network

Erlend_Wollan · April 24, 2017, 2:22pm

Having both the app server (trusted intermediary) and EventStore hosted on the same machine and I’m facing no difficulties.
I receive requests from the client which the the app server verifies and it forwards the request (with an added ‘ES-TrustedAuth’ header w/value i.e. “root; admin, other”) to the EventStore HTTP API which handles it.

I am now attempting to have app server and EventStore be located on two separate machines within the same local/private network.

From the app server i forward the incoming client request to http://10.0.0.x:2113/streams/somestream" with the ‘ES-TrustedAuth’ as usual.
Ports 2113 (and 1113 for good measure) is open on the EventStore node firewall.

Can’t seem to get a response though. I can ping 10.0.0.x just fine. I’m suspecting I need to throw in ‘username:password@’ to the url or some other form of credential setup? I have made sure EventSource is running with an HTTP listener approved user (and Event Source is starting w/–enable-trusted-auth).

Greg_Young1 · April 24, 2017, 2:35pm

It should be fine for TrustedAuth to come from another node. Can you
access the es node from the other node with curl?

Greg_Young1 · April 24, 2017, 2:36pm

actully let me double check the code just to make sure we didn't put a
safety check to only allow loopback

Erlend_Wollan · April 24, 2017, 2:41pm

curl.exe -i -H “Accept:application/vnd.eventstore.events+json” “http://10.0.0.x:2113/streams/somestream” -u username:password
is currently giving me “HTTP Error 400. The request hostname is invalid.”

mandag 24. april 2017 15.36.42 UTC+1 skrev Greg Young følgende:

Greg_Young1 · April 24, 2017, 2:49pm

Ah this is a different issue. What is your config? You likely need to
add a prefix

Erlend_Wollan · April 24, 2017, 3:01pm

Two standard Azure nodes w/Win 2012 server.
EventStore.ClusterNode.exe --db=./db --log=./logs --run-projections=all --start-standard-projections --disable-http-caching --enable-trusted-auth
Opened for TCP 1113,2113 in/out on the two nodes.
Everything running close to default at the moment.

PS C:\Windows\system32> curl.exe -i -H “Accept:application/vnd.eventstore.events+json” “http://10.0.0.x:2113/streams/somestream”

HTTP/1.1 400 Bad Request

Content-Type: text/html; charset=us-ascii

Server: Microsoft-HTTPAPI/2.0

Connection: close

Content-Length: 334

Bad Request

Bad Request - Invalid Hostname

HTTP Error 400. The request hostname is invalid.

mandag 24. april 2017 15.49.43 UTC+1 skrev Greg Young følgende:

Erlend_Wollan · April 24, 2017, 3:46pm

For the system I’m trying to reach:

PS C:\Windows\system32> ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : STAGING-DB01

Primary Dns Suffix . . . . . . . : xxx.local

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : xxx.local

reddog.microsoft.com

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : reddog.microsoft.com

Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter

Physical Address. . . . . . . . . : 00-0D-3A-B3-00-B3

DHCP Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IPv4 Address. . . . . . . . . . . : 10.0.0.7(Preferred)

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Lease Obtained. . . . . . . . . . : Monday, April 24, 2017 2:59:22 PM

Lease Expires . . . . . . . . . . : Thursday, May 31, 2153 11:57:14 PM

Default Gateway . . . . . . . . . : 10.0.0.1

DHCP Server . . . . . . . . . . . : 168.63.127.14

DNS Servers . . . . . . . . . . . : 10.0.0.4

NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.reddog.microsoft.com:

Media State . . . . . . . . . . . : Media disconnected

Connection-specific DNS Suffix . : reddog.microsoft.com

Description . . . . . . . . . . . : Microsoft ISATAP Adapter

Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

DHCP Enabled. . . . . . . . . . . : No

Autoconfiguration Enabled . . . . : Yes

mandag 24. april 2017 16.01.03 UTC+1 skrev Erlend Wollan følgende:

Greg_Young1 · April 24, 2017, 4:16pm

"EventStore.ClusterNode.exe --db=./db --log=./logs
--run-projections=all --start-standard-projections
--disable-http-caching --enable-trusted-auth"

Where are you setting the ip address to listen to?

Erlend_Wollan · April 24, 2017, 4:53pm

That was the missing piece. Thanks for your patience.

Final config:
EventStore.ClusterNode.exe --db=./db --log=./logs --run-projections=all --start-standard-projections --disable-http-caching --enable-trusted-auth --ext-ip=10.0.0.7

mandag 24. april 2017 17.16.38 UTC+1 skrev Greg Young følgende: