API responses only when origin is my domain name

eric_xl, 2 years ago

I want API responses only when the call comes from one of my domains. I tested web.origin in traccar.xml with no luck (restarted the service and the OS).
I compiled the server with IntelliJ, and at least the response header changed to the configured domain (edited corsResponseFilter.java at line 39):

    private static final String ORIGIN_ALL = "http://myserverdomain.com";

I've configured Apache to redirect the web interface to a secure connection, and everything is working OK;
but it still responds to any domain. Could you help me with how to achieve that?

Request

    HTTP/1.1 200 OK
    Date: Thu, 13 Oct 2022 20:06:55 GMT
    Server: Jetty(10.0.12)
    Strict-Transport-Security: max-age=31536000
    Content-Type: application/json
    access-control-allow-headers: origin, content-type, accept, authorization
    access-control-allow-credentials: true
    access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
    access-control-allow-origin: http://myhiddendomainname.com
    Content-Length: 576
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive

From

    GET /api/server HTTP/1.1
    Host: myhiddendomainname.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate, br
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: cross-site
    Connection: keep-alive
    Cookie: JSESSIONID=node01457p4sfsenn1d8isc8dm4gem371.node0

Apache config for the secure connection

    ServerName gps.myhiddendomainname.com
    # ServerAlias gps.myhiddendomainname.com
    DocumentRoot /var/www/gps.myhiddendomainname.com/html

    #<Directory /var/www/gps.myhiddendomainname.com/html>
    #    Options -Indexes +FollowSymLinks
    #    AllowOverride All
    #</Directory>

    ProxyPass /api/socket ws://localhost:9862/api/socket
    ProxyPassReverse /api/socket ws://localhost:9862/api/socket

    ProxyPass / http://localhost:9862/
    ProxyPassReverse / http://localhost:9862/

    ErrorLog /var/log/httpd/gps.myhiddendomainname.com-error.log
    CustomLog /var/log/httpd/gps.myhiddendomainname.com-access.log combined

    SSLCertificateFile /etc/letsencrypt/live/gps.myhiddendomainname.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/gps.myhiddendomainname.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    Header always set Strict-Transport-Security "max-age=31536000"
    SSLUseStapling on

PS: Traccar 5.4, Rocky 8, Apache.

Anton Tananaev, 2 years ago

What exactly do you mean by responding to any domain? How are you requesting it?

eric_xl, 2 years ago

For example: if someone calls my server from any online API test tool, it responds without problems.

E.g.: https://reqbin.com/

Anton Tananaev, 2 years ago

It depends on how those tools work. They might not respect CORS.

eric_xl, 2 years ago

In that case, any tips on Traccar server hardening? I mean, setting up my server in a way that it only responds to our second app server.

Anton Tananaev, 2 years ago

You can probably set up a firewall to only allow certain IP addresses.
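The thread's point is that Access-Control-Allow-Origin is enforced by browsers, not by the server, so a non-browser client still gets the response; restricting the source address is what actually limits who is answered. As an added example (not the original poster's config and not part of Traccar), this Apache vhost keeps the same reverse proxy to Traccar on port 9862 and allows /api only from the second app server; 203.0.113.10 and gps.example.com are placeholders.

```apache
<VirtualHost *:443>
    ServerName gps.example.com

    # Same proxy layout as the poster's config: websocket first, then the rest.
    ProxyPass /api/socket ws://localhost:9862/api/socket
    ProxyPassReverse /api/socket ws://localhost:9862/api/socket
    ProxyPass / http://localhost:9862/
    ProxyPassReverse / http://localhost:9862/

    # Address-based allowlist for the API: only the second app server
    # (placeholder 203.0.113.10) gets an answer; everyone else receives 403
    # before the request is proxied to Traccar, regardless of Origin header.
    <Location "/api">
        Require ip 203.0.113.10
    </Location>

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/gps.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/gps.example.com/privkey.pem
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

This only holds if port 9862 is not reachable directly from outside (bind Traccar to 127.0.0.1 or block the port in the host firewall), and note that the web interface itself calls /api, so browser users from other addresses would be blocked unless their addresses are added to the Require line.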