-1

We are setting up an Angular/MVC web application on our client's infrastructure where they have several stringent security policies. We have Web/App/DB in 3 separate VMs running on Windows. We have installed self-signed SSL certificates on the Web & App servers. No connection to the DB from the web server is allowed, and no connection from the browser directly to the application server is allowed.

The issue here is that when I access the web application URL from a client browser (IE/Edge) we can see the page rendered, but we aren't getting the response from the app API server on the login page when we submit. The client has made it clear that all requests to the app server have to be from the web server and it won't accept requests from the client browser.

I wanted to know if my app server is considering this request to be originating from the web server or from the client browser? The app server will only accept SSL (443) connections from the web server.

Any information would be helpful.

Srigk
  • Any information from your site about the web server would be helpful. Usually your web server is an NGINX or Apache httpd. The browser should send the requests to the web server and the web server forwards the requests to the application server. It would help to know your web server configuration. – Thomas Sablik Jan 28 '21 at 09:53
  • Your Angular application does not run on the server. It eventually downloads into the client's browser and HTTP requests are called from the browser to the server. So people normally disallow access to the API by adding a CORS policy that will only allow your Angular application to make requests. – Syed Mohammad Fahim Abrar Jan 28 '21 at 09:56

1 Answer

-1

The API consumed by your Angular/frontend application will always be called from the client's browser. You must have an HTTP connection open and public-facing on your API server so that the Angular application can consume your API from any browser. To restrict the API from media other than your application you have to add a CORS policy in your backend API. So the ultimate solution stands like this:

  • Open the HTTP and HTTPS ports and make your API server public-facing
  • Add a CORS policy in your backend API so that no media other than your Angular application can consume your API.
  • This is completely wrong. Of course, you can use a web server as reverse proxy to forward the requests: https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/ If you use a reverse proxy to forward requests to the application server you also fix the CORS problem without CORS header. – Thomas Sablik Jan 28 '21 at 10:02
  • @ThomasSablik does it block all requests other than the Angular app they are serving? – Syed Mohammad Fahim Abrar Jan 28 '21 at 10:08
  • It solves this problem: _"Client has made it clear that all requests to app server have to be from web server and it won't accept requests from the client browser."_ There won't be any direct requests from the browser to the application server. All requests go through the reverse proxy. And all browser requests will go to the same origin. That solves the CORS problem. You are recommending opening security holes even though the client doesn't allow it. Don't do that. – Thomas Sablik Jan 28 '21 at 10:09
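The reverse-proxy setup described in the comments, as an added example that is not part of the original question or answer: the web server is the only host the browser ever talks to, serves the Angular bundle itself, and forwards `/api/...` calls over TLS to the application server. The hostnames, paths and certificate file names are assumptions for illustration, not values from the page.

```nginx
# Added example (not the poster's configuration). Assumed names:
#   www.example.com           - public hostname of the web server VM
#   app.example.internal      - internal hostname of the application server VM
#   /etc/nginx/certs/*.crt    - the self-signed certificates mentioned in the question

server {
    listen 443 ssl;
    server_name www.example.com;

    # The web server's own (self-signed) certificate, presented to browsers.
    ssl_certificate     /etc/nginx/certs/web.crt;
    ssl_certificate_key /etc/nginx/certs/web.key;

    # The compiled Angular bundle is served from the web server itself.
    root  /var/www/angular/dist;
    index index.html;

    location / {
        # Angular client-side routing: unknown paths fall back to the SPA entry point.
        try_files $uri $uri/ /index.html;
    }

    # Every request the Angular app makes to /api/... is forwarded to the
    # application server. The browser only ever sees www.example.com, so the
    # login call is same-origin and no CORS headers are needed.
    location /api/ {
        proxy_pass https://app.example.internal:443/api/;

        # Verify the app server's self-signed certificate rather than disabling
        # verification: the web server pins the exact certificate it expects.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/app-server.crt;
        proxy_ssl_server_name         on;

        # Pass the original request context along for the application's logs.
        # The TCP connection the app server sees still comes from the web server.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this in place the Angular code must call a relative URL such as `/api/login` (the web server's origin) rather than the application server's hostname; a bundle that still points at the app host will fail exactly as described in the question, because the browser is blocked from reaching it. On the application server the connecting peer is the web server's IP address, which is what its "443 from the web server only" firewall rule matches; the browser's address is visible only in the `X-Forwarded-For` header the proxy adds. On the Windows VMs in the question the same shape can be built with IIS plus Application Request Routing, which provides an equivalent reverse-proxy rule; the point is the same either way: the application server stays unreachable from the client network, and CORS is not relied on as an access control, since CORS is enforced by browsers and does nothing against non-browser clients.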