3 层架构上的 SSL 问题

Question

We are setting up an Angular/MVC web application on our client's infrastructure where they have several stringent security policies. We have web / App /DB in 3 separate VMs running on windows. We have installed self-signed SSL certificates on Web & App server. No connection to DB from web allowed and No connection from browser directly to Application server allowed.

Issue here is when I access the web application URL from a client browser (IE/Edge) we can see the page rendered but we aren't getting the response from app API server on the login page when we submit. Client has made it clear that all requests to app server have to be from web server and it won't accept requests from the client browser.

I wanted to know if my app server is considering this request to be originating from web server or from the client browser? App server will only accept SSL(443) connections from web server.

Any information would be helpful.

Answer 1

The API consumed by your angular/frontend application always will be called from the client's browser.You have must HTTP connection open and public facing in your API server so that the angular application can consume your API from any browser. To restrict the API from other media rather than your application you have to add CORS policy in your backend API. so the ultimate solution stands like this:

• Open HTTP and HTTPS port and public face your API server
• Add CORS policy in your backend API so that without your angular application no other media can consume your API.