How to test SSL endpoints of DLB using cURL

Publish Date: Mar 2, 2024
Task

GOAL

A DLB requires a CNAME record to work properly, but SSL endpoints and mapping rules can be tested with the IP address or the MuleSoft-provided DNS name.
Steps
1. HTTP request
curl -H 'Host: <domain name>' http://<dlb name>.lb.anypointdns.net/something
This puts a "Host" header in the HTTP request, so the server can direct the request to the right virtual host block. However, HTTP is not recommended because the request is sent in clear text. Usually, "Inbound HTTP Mode" should be "Off" or "Redirect".

2. HTTPS request
Simply adding a "Host" header doesn't work with HTTPS. Clients with SNI (Server Name Indication) enabled, which is the most common scenario, send the hostname inside the TLS handshake (Client Hello). The server then chooses the correct certificate based on this information. Only after the TLS connection is successfully established does the client send the HTTP request, which contains the "Host" header.

The correct way to test is to use the "--resolve" option, like this:
curl --resolve '<domain name>:443:<IP>' https://<domain name>/something
Note that "--resolve" takes a port number, so for HTTPS add ":443" after the domain name. Get the IP of the MuleSoft-provided DLB domain with "dig" or "nslookup":
dig <dlb name>.lb.anypointdns.net
nslookup <dlb name>.lb.anypointdns.net

3. Self-signed cert
Add "-k" to disable SSL certificate validation and "-vI" for more information (verbose output, response headers only):
curl -k -vI --resolve '<domain name>:443:<IP>' https://<domain name>/something
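
The three steps above combined into one script, as an added example that is not part of the original article: it picks the IPv4 address out of dig output, builds the "--resolve" value and, going beyond step 3, keeps validation on by passing a self-signed certificate with "--cacert" instead of "-k". The function names, api.example.com and the 192.0.2.x addresses are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. Domain names, addresses and SAMPLE_DIG are constructed.

# Print the first valid IPv4 address from `dig +short` output on stdin.
# `dig +short` prints any CNAME targets before the A records, so taking
# the first line blindly can yield a hostname instead of an address.
first_ipv4() {
  awk -F. '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
           $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 {
             print; found = 1; exit
           }
           END { exit !found }'
}

# Build the --resolve value: <domain name>:<port>:<IP> (port defaults to 443).
resolve_entry() {
  printf '%s:%s:%s\n' "$1" "${3:-443}" "$2"
}

# Request https://<domain><path> from the DLB address, so SNI and the Host
# header both carry the custom domain. Validation stays on: for a
# self-signed certificate pass its PEM file as $4 rather than using -k.
check_endpoint() {
  domain=$1 dlb_host=$2 path=${3:-/} cacert=${4:-}
  ip=$(dig +short "$dlb_host" | first_ipv4) || {
    echo "no IPv4 address found for $dlb_host" >&2
    return 1
  }
  set -- --silent --show-error --head --output /dev/null \
         --resolve "$(resolve_entry "$domain" "$ip")"
  if [ -n "$cacert" ]; then set -- "$@" --cacert "$cacert"; fi
  curl "$@" --write-out \
    'ip=%{remote_ip} http=%{http_code} ssl_verify_result=%{ssl_verify_result}\n' \
    "https://$domain$path"
}

# Constructed `dig +short` output: one CNAME target, then two A records.
SAMPLE_DIG='internal-lb.example.net.
192.0.2.10
192.0.2.11'

if [ "$#" -ge 2 ]; then
  # usage: script <domain name> <dlb name>.lb.anypointdns.net [path] [ca.pem]
  check_endpoint "$@"
else
  # Offline demo: prints api.example.com:443:192.0.2.10
  resolve_entry api.example.com "$(printf '%s\n' "$SAMPLE_DIG" | first_ipv4)"
fi
```

In the output line, ssl_verify_result=0 means curl verified the certificate chain for the custom domain.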

 
Knowledge Article Number

001114950

 