Getting different response from AWS CLI when going through forward/browser proxy

Teimatini Marin

Nov 29, 2022, 10:24:19 PM
to wiremock-user
Hi Tom and All,

First of all I wanna thank Tom and everybody else involved in WireMock! I've tried a couple of different options for mocking/service-virtualization recently and I've found WireMock the most advanced, easy to use and well designed. Good job guys!

Unfortunately, I'm facing an issue... hope you guys can point me in the right direction here?

I'm trying to use WireMock as a forward proxy to call it mainly from the AWS CLI. Most of the calls would be forwarded to the AWS server, only returning some stubbing for some concrete API calls.

The issue I ran into is that I'm getting a different response from the APIs when I use the proxy... How it works is:
* the AWS CLI makes the API calls
* calls are signed by the client
* the signature is validated by the server. For this, AWS retrieves some headers from the request and regenerates the signature (the same way the client did)
* it compares both signatures, the one in the request and the one generated by them.

And this is the issue... the signature is not matching when going thru the proxy, but it does when I go directly to AWS.

To me it looks as if WireMock were changing or removing some headers. Would this even be possible/expected?

Can you guys think of any possible cause of this behaviour? Or any way to debug it (by the way, I'm not able to install WireShark here...)?

I'm starting the wiremock as follows:
$ java -jar wiremock-jre8-standalone-2.35.0.jar --port 9999 --enable-browser-proxying --trust-all-proxy-targets --verbose
logs attached...

And this is how I'm testing
$ export HTTPS_PROXY=127.0.0.1:9999
$ aws sts get-caller-identity --no-verify-ssl
/usr/local/Cellar/awscli/2.9.1/libexec/lib/python3.11/site-packages/urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host '127.0.0.1'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(

An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.



$ unset HTTPS_PROXY
$ aws sts get-caller-identity --no-verify-ssl

/usr/local/Cellar/awscli/2.9.1/libexec/lib/python3.11/site-packages/urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'sts.us-east-1.amazonaws.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
{
    "UserId": "AIDAYKNT6H2XXXXXXXZ3M",
    "Account": "5721XXXXXXXX",
    "Arn": "arn:aws:iam::5721XXXXXXXX:user/big-data-dev"
}


This last part is the expected response ^^^

Thanks in advance for any help!
Teimatini Marin

WireMock.log
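
The signing check described in the post, as an added example that is not part of the original message and is not WireMock or AWS code: a minimal SigV4 computation showing that a hop which alters any signed header changes the signature the server recomputes, while unsigned headers do not matter. The secret key, the header values, the set of signed headers and the rewrite performed by the hop are all constructed assumptions.

```python
import hashlib
import hmac

def canon(headers, signed):
    # SigV4 canonical form: lowercase names, trimmed and collapsed values.
    low = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    return {n: low.get(n, "") for n in sorted(signed)}

def sigv4_signature(secret, method, path, query, headers, signed, body,
                    amz_date, region, service):
    chdrs = "".join(f"{n}:{v}\n" for n, v in canon(headers, signed).items())
    creq = "\n".join([method, path, query, chdrs, ";".join(sorted(signed)),
                      hashlib.sha256(body).hexdigest()])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(creq.encode()).hexdigest()])
    # Derive the signing key: date -> region -> service -> "aws4_request".
    key = ("AWS4" + secret).encode()
    for part in (amz_date[:8], region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def changed_signed_headers(sent, received, signed):
    # Names of signed headers whose canonical value differs after the hop.
    a, b = canon(sent, signed), canon(received, signed)
    return [n for n in a if a[n] != b[n]]

# Constructed sample values; the secret key is a placeholder, not a real one.
SECRET = "EXAMPLE-SECRET-KEY"
SIGNED = ["content-type", "host", "x-amz-date"]  # assumed signed-header set
BODY = b"Action=GetCallerIdentity&Version=2011-06-15"
SENT = {"Host": "sts.us-east-1.amazonaws.com",
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "X-Amz-Date": "20221129T222419Z",
        "User-Agent": "aws-cli/2.9.1"}
# Hypothetical hop: adds an unsigned header (harmless), rewrites a signed one.
HARMLESS = {**SENT, "Via": "1.1 proxy"}
ALTERED = {**SENT, "Content-Type": "application/x-www-form-urlencoded"}

def sign(headers):
    return sigv4_signature(SECRET, "POST", "/", "", headers, SIGNED, BODY,
                           headers["X-Amz-Date"], "us-east-1", "sts")

if __name__ == "__main__":
    print("client  :", sign(SENT))
    print("harmless:", sign(HARMLESS), changed_signed_headers(SENT, HARMLESS, SIGNED))
    print("altered :", sign(ALTERED), changed_signed_headers(SENT, ALTERED, SIGNED))
```

To use it for debugging, feed `changed_signed_headers` the headers the client sent and the headers recorded on the far side of the proxy, with `signed` taken from the `SignedHeaders=` field of the request's `Authorization` header.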