In Azure WebApp, we defined DynamicIpRestriction as follows:.
<security>
<dynamicIpSecurity enableLoggingOnlyMode="false" enableProxyMode="true">
<denyByConcurrentRequests enabled="true" maxConcurrentRequests="10" />
<denyByRequestRate enabled="true" maxRequests="30" requestIntervalInMilliseconds="500" />
</dynamicIpSecurity>
<ipSecurity enableProxyMode="true" allowUnlisted="false" >
<add allowed="true" ipAddress="1.2.3.4" subnetMask="255.255.255.255" />
</ipSecurity>
<requestFiltering>
<requestLimits maxAllowedContentLength="524288000" />
</requestFiltering>
</security>
The WebApp consists of ASP.NET 4.8.
With this definition, if 10 requests were made at the same time, more than 11 requests were expected to be rejected at 403.
However, I started 100 concurrent threads in Apache JMeter and made 10 repeated requests, but never 403.
Is there a mistake in the definition?
I would appreciate your support.
I have set the Dynamic Ip Security in App Service. Using below steps
Goto App Service, Goto Advanced Tools under development tools Click on Go as below
Now it will take you to the below page as shown & Clik on Site Extensions
Goto Gallery & search for Dynamic and click on search button and add it.
After adding, we will be redirected to the below page where you can add your Dynamic Ip Security settings as below
-After updating the settings, Go back to Overview and click on Restart as below. So, the setting will update for app service
_ Open Apache JMeter as below
Use the URL of App Service and hit on execute
Goto view result in table to see the Output
Related
<security>
<dynamicIpSecurity enableLoggingOnlyMode="false" enableProxyMode="true">
<denyByConcurrentRequests enabled="true" maxConcurrentRequests="10" />
<denyByRequestRate enabled="true" maxRequests="30" requestIntervalInMilliseconds="500" />
</dynamicIpSecurity>
<ipSecurity enableProxyMode="true" allowUnlisted="false" >
<add allowed="true" ipAddress="1.2.3.4" subnetMask="255.255.255.255" />
</ipSecurity>
<requestFiltering>
<requestLimits maxAllowedContentLength="524288000" />
</requestFiltering>
</security>
The WebApp consists of ASP.NET 4.8. With this definition, if requests were submitted at the same time, more than 10 requests per 403 were expected to be rejected.
I would appreciate your support.
I have created a app service with DynamicIpAddress by following below steps
Goto Advanced tools -> click on Go
Goto Site Extensions
Goto Gallery and Search for Dynamic and click on search -> click on + and click on ok
Set the values as below and click update settings
restart the application service, after updating the settings
Set the user and time according to the settings you updated in the app service
Copy the App link and open JMeter using the link below
I have passed 35 users only 30 users had entered the page we can adjust the number according to our needs.
I have website that is Hosted in a Azure App Service. are there any options in azure so that I can put a password on the website. Ideally without changing the websites code.
Just a basic password or user name and password, doesn't need to be google or facebook login or AD login.
It is a .net based website and I have seen a few options to do this, but it means I have to change the code of the website in someway or another.
Surely with all that sophisticated cloud technology, I can go in to the portal and set a password at a server level? - Or is the only way to make some kind of change to the application?
It is possible to enable Basic Authentication for Azure Web Apps with some settings in the applicationHost.xdt. You can load some modules in this file on the start of your Web App.
Steps:
Navigate to your WebApp in the Azure Portal
In the left menu, search for the header Development Tools an select Advanced Tools (Kudu)
Use the Debug Console > CMD tool, to navigate to the WebApp directory: \home\site
Create a file named: applicationHost.xdt
Paste the following:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<location path="%XDT_SITENAME%" xdt:Locator="Match(path)">
<system.webServer>
<rewrite xdt:Transform="InsertIfMissing">
<allowedServerVariables xdt:Transform="InsertIfMissing">
<add name="RESPONSE_WWW_AUTHENTICATE" xdt:Locator="Match(name)" xdt:Transform="InsertIfMissing" />
</allowedServerVariables>
<rules xdt:Transform="InsertIfMissing">
<rule name="BasicAuthentication" stopProcessing="true" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)">
<match url=".*" />
<conditions>
<add input="{HTTP_AUTHORIZATION}" pattern="^Basic dXNlcjpwYXNzd29yZA==" ignoreCase="false" negate="true" />
</conditions>
<action type="CustomResponse" statusCode="401" statusReason="Unauthorized" statusDescription="Unauthorized" />
<serverVariables>
<set name="RESPONSE_WWW_AUTHENTICATE" value="Basic realm=Project" />
</serverVariables>
</rule>
</rules>
</rewrite>
</system.webServer>
</location>
</configuration>
Change the Basic Auth to your liking (default in example is: user:password)
Make sure the web.config rewrite rules don't contain <clear /> as this wil remove the effects from the applicationHost.xdt file
Save the file and Stop and Start your WebApp (a simple Restart will not suffice)
Notes:
Not sure if this works on Linux based WebApps..
You can add this step to you're deployment pipelines by using FTP
Update: I've noticed issues with applicationHost.xdt while using it on secondary Web App slots. Only the primary slot seems to work.
PS: Cross-post from my answer here.
You can use Authentication and authorization in Azure App Service.
Authentication/Authorization was previously known as Easy Auth.
Azure App Service provides built-in authentication and authorization support, so you can sign in users and access data by writing minimal or no code in your web app, RESTful API, and mobile back end, and also Azure Functions. This article describes how App Service helps simplify authentication and authorization for your app.
Source: Authentication and authorization in Azure App Service and Azure Functions.
EDIT:
The above is a solution to have a password protected App Service without changing any code whatsoever. At this point there is no alternative, as you can see in the open feedback issue Allow HTTP Basic authentication on basic apps
Hi everyone, we understand the demand for this feature, but we do not plan to support authentication at this level. We suggest using EasyAuth for this scenario.
https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
EDIT 2:
This method forces the user to use google or facebook, etc...
This is not true. You can also create a user in your Azure Active Directory and use that one with Easy Auth. The username would be something like username#<YOUR-TENANT>.onmicrosoft.com
I have an API running and a front-end node server running for SSR purposes. Everything is on Azure using App Services.
Both the node server and client(s) make requests to the API.
I am trying to apply 'dynamicIpSecurity' in the web.config of my API, but do not want my node server IPs to be throttled by that security setting since it is a trusted 'client'.
Goal is to throttle all other client IPs through this setting in case a client decides to try ddos-ing me or load testing my API without my permission to find loopholes.
I currently have the the dynamic ip security settings commented out, but this is how they look.
<dynamicIpSecurity>
<!--Restricting single IP to make maximum of 20 concurrent request at a time-->
<denyByConcurrentRequests enabled="true" maxConcurrentRequests="20" />
<!--Restricting single IP NOT to make more than 50 requests within 3 seconds duration-->
<denyByRequestRate enabled="true" maxRequests="50" requestIntervalInMilliseconds="3000"/>
</dynamicIpSecurity>
In the article, <dynamicIpSecurity> could only use denyByConcurrentRequests and denyByRequestRate to blocking of requests from IP address based on The number of concurrent requests or
The number of requests over a period of time.
Although as the article said, <dynamicIpSecurity> could Allow list of IP addresses that will not be blocked. However, in web.config it could not configure, you could only do it in IIS.
So, if you still want to defines a list of IP-based security restrictions you could use <ipSecurity> like below:
<security>
<ipSecurity allowUnlisted="true">
<add ipAddress="192.168.100.1" />
<add ipAddress="169.254.0.0" subnetMask="255.255.0.0" />
</ipSecurity>
<dynamicIpSecurity enableLoggingOnlyMode="true">
<denyByConcurrentRequests enabled="true" maxConcurrentRequests="10" />
<denyByRequestRate enabled="true" maxRequests="30"
requestIntervalInMilliseconds="300" />
</dynamicIpSecurity>
</security>
When I browse to my Azure webapp URL, I am re-directed to some other URL. I don't have any re-write rules in my web.config file. How can I analyze what is causing this issue?
I had an asp site that was having similar re-direct issue with status code 302.
Below are the steps, that I followed to analyze the problem. I’ve enabled Freb logs on Azure and have documented the steps below.
Step 1: Update your Web Config
Enabling Failed Request Tracing will help identify where in the request pipeline the request is hanging.
To enable Failed Request Tracing on you Azure App Service, add the following code snippet to the wwwroot web.config of your App Service. Add it within the section.
<tracing>
<traceFailedRequests>
<remove path="*" />
<add path="*">
<traceAreas>
<add provider="ASP" verbosity="Verbose" />
<add provider="ASPNET" areas="Infrastructure,Module,Page,AppServices" verbosity="Verbose" />
<add provider="ISAPI Extension" verbosity="Verbose" />
<add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,
Cache,RequestNotifications,Module,FastCGI"
verbosity="Verbose" />
</traceAreas>
<failureDefinitions statusCodes="300-399" />
</add>
</traceFailedRequests>
</tracing>
NOTE: Here, If the request HTTP status is between 300 and 399, the request gets logged. You can log requests based on your error code.
Step 2 : Enable Failed Request Tracing from Azure Portal
Open Azure Portal and go to your App Service page. Enable Failed Request Tracing in the diagnostics logs section as shown in the figure below:
https://i.stack.imgur.com/WQbAk.png
Step 3 : Repro the Issue
Now, browse to the URL that is causing this issue and reproduce the issue and you should now have the FREB log file created .
Step 4 : Analyze the Logs
Browse to https://yourAppService.scm.azurewebsites.net and then select Debug Console on the tool bar as below.
https://i.stack.imgur.com/sfs7u.jpg
Now, few options would be displayed, you need to select LogFiles folder and then look for W3SVC***** folder as shown below:
https://i.stack.imgur.com/6ea9k.jpg
That’s where you see Freb log files in fr*****.xml format. You will notice an option to download the file as highlighted below:
https://i.stack.imgur.com/uPDxY.jpg
https://i.stack.imgur.com/Iusxc.jpg
In my repro, I had seen from the logs that my asp application was throwing 302 error and has a response redirect in my code.
https://i.stack.imgur.com/l1sno.png
Hope this works for you.
I am running IIS 8.5 on a Windows Server 2012 R2. I have configured a WebAPI (built on ASP.net) web site to use HTTPS (self-signed) with IIS Client Certificate Mapping for client certificate authentication. I am using the ManyToOneMapping where I have defined one local account to be associated to the client certificate with the incoming request. Furthermore, I have defined a Rule in the mapping so that if the "Subject" field in the certificate contains a certain string then it should allow the request.
Now, when I hit the url in the API application, Firefox prompts me to select the certificate to be used (as expected). And when i select one of the certificates that does not contain that string defined in the mapping Rule, the browser is still served with the resource. I was expected a forbidden response instead. So, it would appear that the Client Certificate mapping is not working as expected.
As I am new to IIS, I am wondering how I could go about to find out how to troubleshoot this situation. Thanks in advance.
Here is snippet from the applicationhost.config file:
<location path="SimpleApi" overrideMode="Allow">
<system.webServer>
<security>
<authentication>
<iisClientCertificateMappingAuthentication enabled="true" oneToOneCertificateMappingsEnabled="false">
<manyToOneMappings>
<add name="Authorized Access" description="Some long description" userName="SomeUser" password="[enc:AesProvider:removed:enc]">
<rules>
<clear />
<add certificateField="Subject" certificateSubField="OU" matchCriteria="Admin" />
</rules>
</add>
</manyToOneMappings>
<oneToOneMappings />
</iisClientCertificateMappingAuthentication>
</authentication>
</security>
</system.webServer>
</location>
<location path="SimpleApi">
<system.webServer>
<security>
<access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
</security>
</system.webServer>
</location>
The only possibility is you have other authentication mechanism enabled for your website and it is simply falling back to that authentication mechanism.
Check the Authentication module for your website in IIS and disable all other authentication mechanism.