[Libwebsockets] http 403

Andy Green andy at warmcat.com
Thu Mar 21 22:12:36 CET 2019



On 22/03/2019 05:06, Kun Zhao wrote:

> But why does curl work? There must be something different in the headers 
> libwebsockets sent out.

  - Curl doesn't send origin as you can see from your logs.

  - The minimal example asks lws to send origin by default because 
that's what other servers demand to see.

  - the server in this case has a policy to 403 anyone that either sends 
origin that isn't exactly what it wants or who sends any origin header 
(which is a perfectly valid thing to send in http).

-Andy

> On Thu, Mar 21, 2019 at 3:52 PM Andy Green <andy at warmcat.com 
> <mailto:andy at warmcat.com>> wrote:
> 
> 
> 
>     On 22/03/2019 01:59, Kun Zhao wrote:
>      > Hi Andy,
>      >
>      > I'm trying to get a JSON from
>     https://www.bitmex.com/api/v1/instrument
>      > REST API. I tried my own libwebsockets app and
>      > libwebsockets_test_client, both of them failed with 403.
>     However, I
>      > can use curl to get the JSON without any problems. How do I
>     figure out
>      > what is wrong with libwebsockets?
> 
>     Something "wrong with libwebsockets", eh.
> 
>      > Attached are the detailed log of curl and libwebsockets_test_client.
>      > Hopefully, that will give you more information.
> 
>     I did this to the minimal http client (and gave it --h1)
> 
>     diff --git
>     a/minimal-examples/http-client/minimal-http-client/minimal-http-client.c
> 
>     b/minimal-examples/http-client/minimal-http-client/minimal-http-client.c
>     index d8ce24212..202eb3264 100644
>     ---
>     a/minimal-examples/http-client/minimal-http-client/minimal-http-client.c
>     +++
>     b/minimal-examples/http-client/minimal-http-client/minimal-http-client.c
>     @@ -155,7 +155,7 @@ int main(int argc, const char **argv)
>                       i.ssl_connection |= LCCSCF_ALLOW_SELFSIGNED;
>               } else {
>                       i.port = 443;
>     -               i.address = "warmcat.com <http://warmcat.com>";
>     +               i.address = "www.bitmex.com <http://www.bitmex.com>";
>               }
> 
>               if (lws_cmdline_option(argc, argv, "--h1"))
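Review bot: the new `i.address` literal on the `+` line still carries ` <http://www.bitmex.com>` after the hostname, which looks like link text added in transit rather than part of the value. When applying this by hand the string should be the bare hostname only, because `i.host = i.address` further down reuses it. Hard-coding a different default host in this `else` branch is also better kept as a local test change than committed to the example.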
>     @@ -164,9 +164,9 @@ int main(int argc, const char **argv)
>               if ((p = lws_cmdline_option(argc, argv, "-p")))
>                       i.port = atoi(p);
> 
>     -       i.path = "/";
>     +       i.path = "/api/v1/instrument/active";
>               i.host = i.address;
>     -       i.origin = i.address;
>     +//     i.origin = i.address;
>               i.method = "GET";
> 
>               i.protocol = protocols[0].name;
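Review bot: on the `i.origin` line, commenting the assignment out with `//` turns Origin off for every server the example talks to and leaves dead code behind. Since the text right after the patch says other servers require the header, it would be cleaner to keep `i.origin = i.address;` as the default and skip it under a command-line switch read with `lws_cmdline_option()`, the way `-p` is handled just above. The hard-coded `i.path` could take the same treatment.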
> 
>     I tried a few things for origin but it seems that server just rejects
>     any request with origin header.
> 
>     https://tools.ietf.org/html/rfc6454#section-7
> 
>     Other servers require it... anyway there's nothing "wrong with
>     libwebsockets", your request must comply with whatever policy the
>     server
>     has decided to implement.  In this case, apparently, "don't send me
>     origin or you will get a 403".
> 
>     -Andy
> 
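Added example, not part of the original thread and not libwebsockets code: a small C model of the two server-side Origin policies described above (reject any Origin header, or reject one that is not an exact match), showing why a request without Origin passes either of them. The policy names, the origin_status() helper and the two sample requests are constructed for illustration; the real server's rule is not known from the thread.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical policy names, for illustration only. */
enum origin_policy { ORIGIN_IGNORE, ORIGIN_MUST_MATCH, ORIGIN_FORBIDDEN };

/* Copy the trimmed value of header `name` from a raw HTTP/1.1 request into
 * out. Returns 1 if present, 0 if absent. Header names are case-insensitive. */
static int get_header(const char *req, const char *name, char *out, size_t len)
{
	size_t n = strlen(name);
	const char *v, *e, *line = strstr(req, "\r\n"); /* end of request line */

	while (line && strncmp(line, "\r\n\r\n", 4)) {
		line += 2;                              /* start of a header line */
		if (!strncasecmp(line, name, n) && line[n] == ':') {
			v = line + n + 1;
			e = strstr(v, "\r\n");
			if (!e) e = v + strlen(v);
			while (v < e && (*v == ' ' || *v == '\t')) v++;
			while (e > v && (e[-1] == ' ' || e[-1] == '\t')) e--;
			snprintf(out, len, "%.*s", (int)(e - v), v);
			return 1;
		}
		line = strstr(line, "\r\n");
	}
	return 0;
}

/* Status a server applying `pol` would return for this request. */
int origin_status(const char *req, enum origin_policy pol, const char *want)
{
	char origin[256];

	if (pol == ORIGIN_IGNORE || !get_header(req, "Origin", origin, sizeof(origin)))
		return 200;                     /* no Origin header: nothing to reject */
	if (pol == ORIGIN_FORBIDDEN)
		return 403;                     /* any Origin header at all is refused */
	return strcmp(origin, want) ? 403 : 200;        /* exact match only */
}

/* Constructed requests: one without Origin (as curl sent), one with it. */
const char REQ_PLAIN[] = "GET /api/v1/instrument/active HTTP/1.1\r\n"
	"Host: www.bitmex.com\r\n\r\n";
const char REQ_ORIGIN[] = "GET /api/v1/instrument/active HTTP/1.1\r\n"
	"Host: www.bitmex.com\r\nOrigin: www.bitmex.com\r\n\r\n";

int main(void)
{
	printf("no Origin, forbidden policy: %d\n", origin_status(REQ_PLAIN, ORIGIN_FORBIDDEN, NULL));
	printf("Origin,    forbidden policy: %d\n", origin_status(REQ_ORIGIN, ORIGIN_FORBIDDEN, NULL));
	return 0;
}
```

When a client gets a 403 that curl does not, comparing the two header sets against a model like this narrows the cause to a single header.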

