Scenario :
I have created a API service using NestJS and deployed it to azure app service using docker container image type.
Question:
Can we achieve directory traversal through the deployed API URL to access the deployed container
files
https://sample.azurewebsites.net/sampleEndpoint/../../etc/
If possible how to protect the NestJS service from the directory traversal attack ?
Related
I'm facing issue with my multiple project solution in .net core webAPI. I've gatewayAPI which internally makes call to different microservices via http call.
Gateway API URI exposed to outer world which has domain as azure app name but the internal calls from gateway to microservices are configured with http://localhost:5001/{apiEndPoint} which is working fine in my local machine but after deploying it on azure app service I'm getting below error:
PostToServer call URL:'http://localhost:5001/api/authservice/authenticate' with Exception message An attempt was made to access a socket in a way forbidden by its access permissions. (localhost:5001).
Can someone please help me with this, I'm new to azure and learning on my own but could not find any solution for this yet.
PS: After going through some YouTube videos and blogs I got to know we have to use AKS but I'm not confident in that.
Would really appreciate any help on this issue.
The Gateway API you deployed to azure app service, it doesn't support custom port usage for 5001. Azure App Service only supports port 80|443(HTTP|HTTPS).
If you must use multiple ports in your actual project, then it is recommended to check whether Azure Cloud Service meets your needs. But it not the best choice.
The Best Practice:
Microservices architecture design
In short,create a Azure Gateway service, and your other microservice can be deployed in any where.(azure app service, vm or aks)
You just make sure you can access your microservices in your internal or public network environment.
If you're just learning, or the app isn't actually used by a lot of users, you can try the following suggestions:
Use SignalR (not azure signalr) to replace the websocket in your current project.
You have on azure app service, you can deploy your Gateway API Application to app service, and your other microservices can be deployed to Virtual Application in azure app service.
I have created an Azure App Service inside an Internal App Service Environment. I want to make API App publicly available using Application Gateway.
Can anyone suggest me how to do it?
I created an App service and run a Docker image and I would like to allow only certain url to access it.
To be more specific I am running the docker image of https://shields.io/ which provides the badges for my OS project hosted in GitHub. So what I am looking for is to allow only all repositories of my GitHub organization e.g https://github.com/myorganization/repo1, https://github.com/myorganization/repo2 to request service from the Azure app
I don't think you'll be able to achieve that with just an app service. I think a URL will be easily spoofed. I suggest looking at securing a webhook. What you can do is create a function or logic app that can verify the hash you've configured for webhook. If it matches, you can forward the request to your app service. To protect the app service, you can add it and the function app to a Vnet and restrict traffic so that your docker app only receives traffic from the function app.
I am new to Azure and cannot find any resource on the Internet on this, although I would think this is a common task.
I have a Vue.js frontend and Spring Boot backend. Auth using JWT. Front and back are two separate projects in separate repositories.
Now, I want the whole deployed on Azure, preferably via some Azure release pipelines triggered by Azure repos.
In what Azure products should I deploy these two projects? Should they be both in a separate VM? Also, how do I configure the frontend to use the correct base url of the backend so that it can fetch data?
Your frontend should be deployed to Azure Storage:
https://medium.com/#matthewleak/deploying-a-static-website-to-azure-storage-using-azure-devops-fa0bed457d07
Your spring boot can be deployed on App Service:
https://medium.com/microsoftazure/the-power-of-azure-devops-projects-for-java-apps-cda6c69bef0e
I have published and hosted asp .net core web app using azure pipelines. Web app running inside docker container. I want programmatically provision another web app using docker image which was available in azure container registry. The web app should run on a separate url. This url can be configurable. A user will be able to give a name for the web app and can create a web app. I hope to create a separate app for doing this task. Is it possible to do that?