如何允许来自网络外部站点的内部 MVC Web Api [英] How to allow internal MVC Web Api from external site outside the network
问题描述
我有一个 MVC Web API(托管在 IIS 中),它位于 wwwroot 文件夹中,可以在网络中本地访问.我可以执行如下 api 调用:http://mylocalapi:133/api/Values/得到,我得到一个结果.
I have a MVC Web API (hosted in IIS) which is in the wwwroot folder and locally accessible within the network.I can execute api calls like this: http://mylocalapi:133/api/Values/Get and I get a result.
我有一个外部站点 http://example.org,我想执行相同的 http://mylocalapi:133/api/Values/Get.
I have an external site which is http://example.org and I would like to execute the same http://mylocalapi:133/api/Values/Get.
面向外部的站点和内部 API 站点都托管在同一台服务器上(但可以不同,例如网络外的第 3 方供应商)
Both the external facing site as well as the internal API site is hosted on the same server (but it can be different, for example a 3rd party vendor outside of the network)
我在我的 API 中设置了这样的 CORS:
I have CORS set up in my API like this:
[EnableCors(origins: "http://example.org", headers: "*", methods: "*")]
但我不断收到以下错误:
But I keep getting the following error:
XMLHttpRequest 无法加载 http://mylocalapi:133.请求的资源上不存在Access-Control-Allow-Origin"标头.因此不允许访问源http://example.org".
所以绕过它,我在我的外部站点中创建了一个虚拟目录 (APICALLS) 并创建了一个指向本地 IIS 站点的 web.config 文件:
So get around it, I created a virtual directory (APICALLS) in my external site and created a web.config file which will point to the local IIS site:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpRedirect enabled="true" destination="http://mylocalapi:133" exactDestination="true" />
</system.webServer>
</configuration>
当我这样做时,我尝试像这样访问 API:http://example.org/APICALLS/api/Values/Get 但我收到以下错误:
When I do that, I try to access the API like this: http://example.org/APICALLS/api/Values/Get but I get the following error:
XMLHttpRequest cannot load http://mylocalapi:133. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://example.org' is therefore not allowed access.
我做错了什么以及如何解决问题.
What am I doing wrong and how can I resolve the issue.
推荐答案
您不能从 JavaScript 访问仅限内部的站点,因为 JavaScript 在客户端运行,在最终用户的机器上,在您的内部网络之外.通过 JavaScript 访问 API 的唯一方法是 1) 将 API 公开给外部网络或 2) 在您的外部站点中创建代理.
You cannot access an internal-only site from JavaScript, as JavaScript runs client-side, on the end-user's machine, outside of your internal network. The only way to hit the API via JavaScript is to either 1) expose the API to the external network or 2) create a proxy within your external site.
代理基本上是一个或多个提供外部访问的操作,然后将调用转换为您的内部 API.最简单的情况是,您可以有一个基本上响应以下内容的操作:
The proxy would be basically an action or actions that offer external access, and then translate the calls to your internal API. At the simplest, you could have a single action that basically responds to something like:
https://foo.com/api?endpoint=/internal/api/endpoint/&someParam=foo
然后,该操作将在查询字符串中获取此信息,并使用该信息通过 HttpClient 之类的方式向您的内部 API 发出请求.但是,这种方法几乎暴露了您的整个内部 API,因此您不妨在此时将其移到外面.更好的方法是为您需要通过 JavaScript 进行的特定内部 API 调用创建特定端点(操作方法).
The action would then take this information in the query string and use that to make a request to your internal API via something like HttpClient. However, this approach pretty much exposes your whole internal API, so you might as well just move it outside at that point. The better approach would be to create specific endpoints (action methods) for specific internal API calls you need to make via JavaScript.
更新
如果没有上下文,很难在这里给你任何真正的方向.假设有一个内部 API 端点返回一个小部件列表,并且您想通过 AJAX 检索这个小部件列表.你需要类似的东西:
It's difficult to give you any real direction here without context. Let's say that there's an internal API endpoint that returns a list of widgets and you want to retrieve this list of widgets via AJAX. You would need something like:
public async Task<ActionResult> GetWidgets()
{
// fetch widgets from internal API via HttpClient
return Json(widgets, JsonRequestBehavior.AllowGet);
}
然后,您的 AJAX 将在您的网站上调用此操作方法的 URL,该方法在后台调用内部 API.
Then, your AJAX would call the URL for this action method on your website, which under the hood calls the internal API.
这篇关于如何允许来自网络外部站点的内部 MVC Web Api的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
