@oliverheilig
Last active September 2, 2015 15:46

Hiding your xServer internet token

The xServer internet token is an API-key used to authenticate and bill the requests.

If a client application accesses xServer internet directly, the token can be sniffed by intercepting the traffic or by looking into the code. However, the API-key cannot be used to access any security-relevant customer data. If you don't want to expose the token to the client, you can proxy the xServer internet access through your application server and inject your token there.

Here are two scenarios to create a proxy that injects an xServer internet token.

1. Use Apache as Proxy

You can add a virtual host that proxies your xServer requests by configuring httpd-vhosts.conf. The xServer can then be accessed with the authentication of your web server, while the requests are relayed and the token is injected.

In httpd.conf, add the required modules by uncommenting the LoadModule lines for proxy_module, proxy_html_module, proxy_http_module and xml2enc_module, and uncomment the line # Include conf/extra/httpd-vhosts.conf

The virtual host sections in httpd-vhosts.conf then follow this scheme:

<VirtualHost *:80>
    # enable SSL/TLS Protocol Engine for proxy (SSLProxyEngine is provided by mod_ssl)
    SSLProxyEngine On

    # the RequestHeader directives below are provided by mod_headers

    <Location /xmap>
        # The text after "Basic " is "xtok:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" base64-encoded
        RequestHeader set Authorization "Basic eHXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXjQ="

        ProxyPass https://xmap-eu-n-test.cloud.ptvgroup.com/xmap
        ProxyPassReverse https://xmap-eu-n-test.cloud.ptvgroup.com/xmap
    </Location>

    <Location /WMS>
        # your xServer internet token
        RequestHeader set xtok "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"

        ProxyPass https://xmap-eu-n-test.cloud.ptvgroup.com/WMS
        ProxyPassReverse https://xmap-eu-n-test.cloud.ptvgroup.com/WMS
    </Location>

    <Location /xlocate>
        # The text after "Basic " is "xtok:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" base64-encoded
        RequestHeader set Authorization "Basic eHXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXjQ="

        ProxyPass https://xlocate-eu-n-test.cloud.ptvgroup.com/xlocate
        ProxyPassReverse https://xlocate-eu-n-test.cloud.ptvgroup.com/xlocate
    </Location>
</VirtualHost>
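
A hardened variant of the /xlocate block, as an added example that is not part of the original gist: callers must authenticate to the proxy before the token is injected, and the credential comes from a Define variable instead of being written into the vhost file. The variable name XTOK_BASIC, the realm name, the htpasswd path and the certificate paths are assumptions.

```apache
# Added example, not from the original gist.
# Hypothetical names: XTOK_BASIC, the realm, the htpasswd and certificate paths.
#
# Keep the credential in a separate include readable only by the server admin:
#   Define XTOK_BASIC "<base64 of xtok:YOUR-TOKEN>"
# Build the value without a trailing newline, or the upstream login fails:
#   printf 'xtok:%s' "$TOKEN" | base64

<VirtualHost *:443>
    # Callers send their own Basic credentials to this proxy, so serve it over TLS
    SSLEngine On
    SSLCertificateFile    "conf/ssl/proxy.example.crt"
    SSLCertificateKeyFile "conf/ssl/proxy.example.key"

    # Reverse proxy only; never act as a forward proxy
    ProxyRequests Off

    # TLS towards the https:// xServer backend (mod_ssl)
    SSLProxyEngine On

    <Location /xlocate>
        # Without an access rule, anyone who can reach this path spends the
        # billed token. Require a login first (mod_auth_basic, mod_authn_file).
        AuthType Basic
        AuthName "xserver-proxy"
        AuthUserFile "conf/xserver-proxy.htpasswd"
        Require valid-user

        # mod_headers applies this after authentication, so the caller's own
        # Authorization header is replaced and only the token goes upstream.
        RequestHeader set Authorization "Basic ${XTOK_BASIC}"

        ProxyPass https://xlocate-eu-n-test.cloud.ptvgroup.com/xlocate
        ProxyPassReverse https://xlocate-eu-n-test.cloud.ptvgroup.com/xlocate
    </Location>
</VirtualHost>
```

The same pattern applies to the /xmap and /WMS blocks; for /WMS the injected header is xtok rather than Authorization.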

2. Use ASP.NET as Proxy

For ASP.NET, you can add a generic xServer handler to inject your token. See https://github.com/ptv-logistics/XServerAspProxy for a reference implementation.
