The ArcGIS Viewer for Silverlight passes escaped URLs to the designated proxy page. The proxy page distributed with the Silverlight viewer knows how to decode the URL so as to validate it against the list of allowed URLs.

When testing this proxy with .NET, however, I found that it does not know how to handle escaped URLs, so it fails with a MustMatch error.

For example, when attempting to view a secured service from the Silverlight viewer, the following URL is executed:

http://..com/proxysl/proxy.ashx?http%3a%2f%2fserver%2farcgis%2frest%2fservices%2fGP%3ff%3djson

Instead of:

http://..com/proxysl/proxy.ashx?http://server/arcgis/rest/services?f=json

The exact error I see through Fiddler is as follows:

Proxy is being used for an unsupported service (proxy.config has mustMatch="true"): http%3a%2f%2fservices2.arcgis.com%2f9e1lIDHxagNWiG3G%2farcgis%2frest%2fservices%2fCollectorApp2%2fFeatureServer%3ff%3djson

Because this proxy page doesn't decode the escaped URL prior to validating it, it fails.

To reproduce:
white list http://services.arcgisonline.com/
and then try to proxy:
http://services.arcgisonline.com/spmefolder/somepage.html

Proxy returns 500 instead of 404.

when the url requested has less folders than whats in the proxy.config, we encounter an index out of bounds error.

before we loop through the items and compare them we need to test to see if there are less items in the request string array and if so, abort immediately. cc @esoekianto

If no traffic service is specified within the proxy, directions and routing in JS apps will not work correctly. Add this to doc.

Not sure if issue with my code, IIS setup or the proxy page.

Using .NET version, IIS7 on 2008R2 server.

Sometimes the Javascript API ID request fails to get passed to server.

Then, as if by magic, it all works. Last time this change happened it was bang on 12:30 - so don't know if something refreshed on server to fix this.

I refresh the proxy application after making changes.

Spurious changes to the alowedReferers, making the URL incorrect work straight away - all requests get blocked.

JSP proxy proxies pages it shouldn't while saying it doesn't....

proxy.jsp?http://www.example.com (assuming this URL is not allowed) returns a 403 Forbidden, but then shows both the error message and the proxied page.

`{"error": {"code": 403,"details": ["The proxy tried to resolve a prohibited or malformed 'url'. The server does not meet one of the preconditions that the requester put on the request."], "message": "403 - Forbidden: Access is denied."}}<!doctype html>

Currently the Java proxy always looks for the server url and if its not found it will not proxy. Setting mustMatch to false should allow the proxy to proxy any site and not require that a server url is specified. This property is useful when testing and should be supported.

https://github.com/Esri/resource-proxy/blob/master/Java/proxy.jsp#L771

Update the proxy so that if a location starts with // any protocol (http or https) will be accepted. The php and java proxies already support this behavior.

Update the proxy so that /rest is not required.

If my configuration file have two entries for one domain, then it should pick the "longest" or closeset match.

Sample:

<serverUrl url="http://sampleserver6.arcgisonline.com/"
    matchAll="true"/>
<serverUrl  url="http://sampleserver6.arcgisonline.com/arcgis/rest/services/SaveTheBay/FeatureServer/0"
    username="user1"
    password="user1"
    matchAll="true"/>

Then the following query should work (not give 499):
http://localhost/proxytesting/php/testcase2/proxy.php?http://sampleserver6.arcgisonline.com/arcgis/rest/services/SaveTheBay/FeatureServer/0/

(only tested in php - where it fails because it uses the first one)

WORKAROUND:
Reorder the two items in the config file, and everything works fine.

Need to doc that only the owner can authorize use of hosted services when working with resource proxy.

I know that proxy should only work with token-based arcgis server, but is there any way to allow the url for arcgis server that is not set for token based but window authentication only

This includes but not limited to : ETag, Content-Encoding and caching related headers.

Downloaded the ZIP, copied PHP folder the Apache web server folder, made sure read/write permissions were set where appropriate. Following steps in PHP README.md file where it states to test the proxy was installed correctly by typing in

http://[yourmachine]/PHP/proxy.php?http://services.arcgisonline.com/ArcGIS/rest/services/?f=pjson

results in an error "{"error":{"code":412,"details":["Detected malformed 'logFile' in configuration. Make sure this app has write permissions to specified log file in configuration. The server does not meet one of the preconditions that the requester put on the request."],"message":"Proxy failed due to configuration error."}}"

The error goes away as soon as I manually create the proxy_log.log file.

Try with any server url that is not whitelisted.

For invalid json format to a valid proxied service, the AGS server returns error message in html format.
Let the proxy pass it along to the browser.

to reproduce add extra double quote at the end of the url.
http://services.arcgisonline.com/ArcGIS/rest/services/?f=invalidFormat

As per HTTP RFC 2616, Content-type is not mandatory

This line could cause RTE
if (con.getContentType().contains("text") ||
con.getContentType().contains("json") ||
con.getContentType().contains("xml")) {

For the "1.0" release:

• Update CHANGELOG.md
• Update the version number in the 3 proxy files.
• Tag with "v1.0" - see https://github.com/Esri/resource-proxy/tags
• Release as "1.0" - see https://github.com/Esri/resource-proxy/releases

Is there any interest in supporting wildcards for referrer and server? For example:

allowedReferers="http://*.myorganization.com"

Or, a better solution might be a regex match, for example:

url="(https?:\/\/)?(\w+)(.myorganization.com)"

I'm dealing with over 50 subdomains accessing one application, so this way I could white-list them all. Maybe mine is an unusual case, and an unnecessary complication to the base proxy.

requests for supporting .css are incorrectly aimed at the web server hosting the proxy

try proxying
http://services.arcgisonline.com/arcgis/rest/services

in web traffic you will see a failed request aimed at the server hosting your proxy
(ie http://localhost:50961/arcgis/rest/static/main.css)

when we changed the logic to split uris into an array of strings we forgot that we don't want this comparison to be case sensitive.

//inside GetConfigServerUrl() it should be
if (!configUriParts[i].ToLower().Equals(uriParts[i].ToLower())) break;

i will submit a pull request for this shortly in another feature specific branch. my own master branch is still ahead of the remote.

See for example http://httpd.apache.org/docs/2.2/howto/htaccess.html :

You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block, as it will have the same effect with better performance.

Based on this documentation, list of supported format in REST API includes f=lyr, f=nmf, f=kmz and so on, http://resources.arcgis.com/en/help/arcgis-rest-api/index.html#/Output_formats/02r3000000wq000000/

When we do this, "http://services.arcgisonline.com/arcgis/rest/services/world_physical_map/mapserver?f=lyr", we actually get the actual lyr file as download file, but when we proxy it "http://localhost/proxy.ashx?http://services.arcgisonline.com/arcgis/rest/services/world_physical_map/mapserver?f=lyr", then we get "proxy.ashx" as download file

link to one authoritative document on tags with examples in main readme and link from indivdual project readmes.

it would be a good idea to mention in the help that intelligent text editors like Notepad++ are valuable when working with XML, but we also need to make sure that the formatting is okay in Notepad too because people use it to edit these files all the time.

If you copy/paste the README.md file's sample proxy config XML and try to use it against the route service, errors arise saying that it can't find a specific URL. The serverURL should be changed for these services to read HTTPS instead of HTTP.

Considering the growth of node.js and pervasiveness of javascript, what about to build a proxy page that executes in node.js?

This would remove the requirement for a php, or java, or .net server engine for a full-stack javascript programmer.

Adding a link to https://github.com/Esri/resource-proxy/releases should help git-newbies quickly find the right thing to download.

Current instructions in main README.md only say:

• Download and unzip the .zip file or clone the repository.

After doing a file upload using Web API code to a Geoprocessing Service which takes a file as an input, an error message will surface like below.   Feature service attachments are not affected by this bug.

//http://sampleserver6.arcgisonline.com/arcgis/rest/services/911CallsHotspot/GPServer/uploads/upload

{
"error": {
"code": 500,
"message": "Error in upload Item for service 911CallsHotspot",
"details": []
}
}

Here is Web API code to repro this issue.

https://gist.github.com/phpmaps/9791947

The problem resides in the file upload request sent out from the proxy.  Adding these lines will allow Charles / Fiddler to capture the request and see the values being passed.  The issue is tied to the request text "boundary".  It seems the PHP cURL extension makes boundary automatically.

Adding these lines to proxy allows the problem to be visualized in Charles and Fiddler to debug the traffic.

curl_setopt($this->ch, CURLOPT_PROXY, "127.0.0.1");
curl_setopt($this->ch, CURLOPT_PROXYPORT, 8888);

Boundaries are written to separate POSTed values and when filename="/private/var/tmp/64X64.png" is in the request, it fails.

------------------------------b31d8b5a3f93
Content-Disposition: form-data; name="file"; filename="/private/var/tmp/64X64.png"
Content-Type: application/octet-stream

âPNG

IHDR@@™iqfiiCCPICC ProfileH
≠WgXS…ûSí@HhÅH Ω  “´Ù^§
6BH(!ÇàÿêE÷Çäÿ–◊»¢"veÏ˝bAAYu±ÅrÁP‘}ˆÓø;yŒÃõwfi˘Êõo 3Äl[$JAÂHfä√¸<YsbbYîáÅ?`(lNÜ»#44¸kz�ja∫nFÿ˙WŸˇÆP‡Ú28 °∞:ûõ¡IÖ¯(X3G$ŒÄDÿ”[î)"àAà˜8q78~wåi"¬º†¶)õ-NÄ>yV'⁄ë•

When the filename in boundary is like this filename="64X64.png" life is good.

------------------------------b31d8b5a3f93
Content-Disposition: form-data; name="file"; filename="64X64.png"
Content-Type: application/octet-stream

âPNG

IHDR@@™iqfiiCCPICC ProfileH
≠WgXS…ûSí@HhÅH Ω  “´Ù^§
6BH(!ÇàÿêE÷Çäÿ–◊»¢"veÏ˝bAAYu±ÅrÁP‘}ˆÓø;yŒÃõwfi˘Êõo 3Äl[$JAÂHfä√¸<YsbbYîáÅ?`(lNÜ»#44¸kz�ja∫nFÿ˙WŸˇÆP‡Ú28

When life is good the response looks like this.

{
"success": true,
"item": {
"itemID": "ieb07775b-523a-4461-807b-141cdbd25d0e",
"itemName": "64X64.png",
"description": null,
"date": 1395866245830,
"committed": true,
"serviceName": "911CallsHotspot.GPServer"
}
}

For the f=oops case, the browser is showing the gzipped content without telling the browser that it is gzipped (and thus need unzipping). This applies to PHP (and in the #64 pull request for JSP as well).

// Missing header
Content-Encoding:gzip

Test for example with curl as: curl http://example.com/proxy.jsp?http://services.arcgisonline.com/ArcGIS/rest/services/?f=OOPS | gunzip

remove a closing tag in the proxy.config and afterward you will encounter the error below when attempting to fetch a page:

{error: {code: Forbidden,message:"There is an error in XML document (32, 5). http://elevation.arcgis.com"}}

it seems weird to me that an error like this should be categorized as '403 Forbidden'

the same issue occurs when calling the proxy with no url defined (ie: "http://localhost/sproxy/proxy.ashx"), but in that case, a 403 arguably makes sense.

JSP code gets returned when error occurs instead of returning error in json format

With this config, try proxying any url.

<ProxyConfig mustMatch="true"> <serverUrls> <serverUrl url="//static.arcgis.com" /> </serverUrls> </ProxyConfig>

The simple url test works :http://[yourmachine]/DotNet/proxy.ashx?http://services.arcgisonline.com/ArcGIS/rest/services/?f=pjson:

however when I put the proxy in the silverlight viewer setting, then the request got error "no map service found...."

if trying to retrieve private content via a portal query like below, its not appropriate for the proxy to exchange its OAuth token for a server token and results in an error from the server itself.

sample request:
http://org.maps.arcgis.com/sharing/rest/search?q=noahz&f=pjson

perhaps we can skip this step entirely if the request url is anything other than "rest/services" (ie: rest/community, rest/search)
https://github.com/Esri/resource-proxy/blob/master/DotNet/proxy.ashx#L371

error code should be http status code if status code is >= 400
e.g.
try ?f=invalid format to see error message

{error: {code: BadRequest,message:"The remote server returned an error: (400) Bad Request. http://services.arcgisonline.com?f=asdfasdf"}}

The php proxy seems to run fine with PHP 5.3. Should the "Check PHP version 5.4.2 or newer?" item be removed or the version number in that check changed?

I have a web map that is shared to 'organization only'. Storing the credentials for that web map in the proxy works with the .NET proxy but fails with php.

Need to check the Java proxy too.

This should have been removed from the original as we do not have the ability to register services as an item, rather an app.

Go to https://github.com/Esri/resource-proxy/tree/master/PHP

In the XML Example section > this specific part

  <serverUrl
      url="http://route.arcgis.com"
      matchAll="true"
      oauth2Endpoint="https://www.arcgis.com/sharing/oauth2"
      clientId="6Xo1x5L1tz7k9Kn2dc"
      clientSecret="5dca5d50d0e6fe422c867b6efcf969b6ca2"
      rateLimit="120"
      rateLimitPeriod="60">
  </serverUrl>

Proxying the exact same URL specified in the config does not work when it doesn't have an ending /. This is sort of on purpose, but maybe this logic could be improved.

For example, if the config has http://server.arcgisonline.com/arcgis/rest then you can't proxy http://example/DotNet/proxy.ashx?http://server.arcgisonline.com/arcgis/rest - but http://example/DotNet/proxy.ashx?http://server.arcgisonline.com/arcgis/rest works fine.

The comment in the DotNet explains why:

//lets add a slash to the proxy.config url if not present before comparing to the request itself to fend off subdomain attacks (ie: gooddomain.org.baddomain.com)

I think the trailing slash should only be added to the server part, not to the path. This would also allow http://server.arcgisonline.com/arcgis/rest/services/folder to access multiple folders starting with folder.

PHP works great in this regard. I haven't tested JSP.

For example, proxy.php?http://services.arcgisonline.com returns a 200 page displaying the "Moved Permanently" message.

DotNet and JSP follows the "301" redirect, and display the service directory page fine.

Currently, the dotnet proxy looks for the config at ~/proxy.config. This causes problem if you don't have the proxy in the root of your dotnet web app. It should look for the config in the same folder as the proxy itself - which is what JSP and php proxies do.

error occurs at line
if (ProxyConfig.isUrlPrefixMatch("http%3a%2f%2f", uri) || ProxyConfig.isUrlPrefixMatch("https%3a%2f%2f", uri) )

I have an idea to add release number or build timestamp on the proxy page, so that we know which release version or when user download the proxy, and would help us in support when they call if something is not working.

If the proxy cannot reach a server, it should report that properly.
If I have a domain allowed in the config but my machine for some reason cannot reach that domain (maybe because of network issue or typos), then we should return consistent, helpful error code/msg.

Currently:

• PHP returns 200 and an empty page
• DotNet return 500 Internal Server Error (or 500.0 NameResolutionFailure if on the same machine) - which isn't too bad, but not consistent.
• Not sure about Java.

They should return the same error, maybe:
502 - Web server received an invalid response while acting as a gateway or proxy.

add a FAQ to the proxy documentation with miscellaneous 'gotchas'

An XSD schema would make it easier to edit the proxy.config file in Visual Studio and ensure that edits made to proxy.config are valid.

If number of requests exceed specified limit with in a given time, use error code 429 (Too Many Requests) instead of 402 (reserved for payment required)

It would be nice to change the http status code as well..