Deployed Azure WebApp gives 403 - azure

My issue:
When I try access the main URL for my web app, Azure replies with a '403 - You do not have permission to view this directory or page'.
Context:
I have deployed a Python webapp to Azure using the Pipeline/Release on DevOps (Azure Web App Deploy task seems to run successfully with the artifact generated by the Pipeline). I have previously deployed Python Function Apps successfully with a similar pipeline (different app type of course, and sku).
The Kudu SCM page works e.g.,: myapp.scm.azurewebsites.net
All logs seem to indicate the webapp deployment was successful. If I use CMD or Powershell from the SCM, I can see my app.py (for Flask) is in the correct location. The deployment has my requirements under the site packages installed including Flask.
The app runs quite successfully on my local machine via 'flask run', after I activate the virtual environment.
Yet when I try connect to myapp.azurewebsites.net, I get a 403 on the plain route. Anything after it like /test or /myapi returns a 404.
Something I do not see in any of the logs I can access via Kudu is mention of 'gunicorn', which I believe is what Azure uses by default. I just want to see some kind of log output somewhere to show that flask or gunicorn or something has successfully loaded app.py and is listening for incoming connections.
Maybe you do not know why I would get 403's, but you might know where I should be seeing the aforementioned logs.
TIA for any suggestions.
EDIT:
Something to add is that if I enable logs, and connect to the logstream then I do see logs generated as I access Kudu. This suggests some Application & Web Server are running - at least for whatever container runs that side of things.
It even notes the failed connections from Postman for the actual myapp.azurewebsites.net, but has nothing other than a line indicating that there is a 403.
My app has been stripped down to the most bare app.py with no includes other than Flask and routes which simply return a string. Most includes in requirements.txt have also been stripped out.
Still same issue.

I do have an answer after a couple of days worth of pulling my hair out.
Turns out that the 403's were not actually a permissions issue.
az webapp list-runtimes --os windows
The list shows no runtimes available for Python/Flask Web App. This is why I could not find any gunicorn or Flask logs - neither are set up. Azure deployed the artifact's zip and called it a day.
To rectify this, the DevOps Pipeline/Release must run on Linux. The Azure Web App Deploy task, when set to "Web App on Linux", will have Python runtime stacks available. Once selected, these will allow for a startup command to be specified. (Such as flask run --host=0.0.0.0 --port=8000)
Furthermore in azuredeploy.json the "Microsoft.Web/serverfarms" must have a "kind" specified to include "linux". It also requires:
"properties": {"reserved" : true}
Once deployed, logs indicate that docker is being set to an internal port of 8000 while the default 'flask run' which is executed would use 5000.
Ideally: use gunicorn with port mapping but, to get things going, tell flask to use port 8000.

Related

redirect URI in Azure web app authentication

I have browsed various questions here on SO, but none seem to have helped.
So, I have the following setup on Azure. I had a simple flask app running, which I could access using https://xyz.azurewebsites.net.
I was trying to look at the example here (https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-authentication-sample-python-web-app?tabs=linux). I can reproduce this example fine when I have the local server running and specifying the redirect uri as http://localhost:5000/getAToken.
Now, I want to use my deployed app, so I changed the redirect URI in the azure portal under authentication as
https://xyz.azurewebsites.net/getAToken
However, this always returns the redirect URI mismatch error.
On the flask side, I have kept the configuration as:
REDIRECT_PATH = "/getAToken"
Although I tried putting the full absolute URL as well and it did not work.
I have followed the same document which you have provided and able to access the Application even after deploying to Azure App Service.
In app_config.py, change the authority_template to
authority_template = "https://{b2c_tenant}.b2clogin.com/{b2c_tenant}.onmicrosoft.com/{signupsignin_user_flow}"
OR
Copy paste the tenant and user_flow value directly.
authority_template = "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user_flow}"
Local Output:
Deploy the Application to Azure App Service:
Create a new repository in GitHub and push the VSCode to it.
OR
If you face any issues in pushing the code to Git.
Create a new repository, copy and clone the application which you have provided.
Your Repository:
And change the values in app_config.py accordingly (from your local VSCode).
In Azure Portal => Create a new App Service with Run time Stack Python.
From Deployment center => Deploy the code using GitHub Actions.
Add the Redirect URI of the deployed Application in App registration.
https://YourDeployedAppName.azurewebsites.net/getAToken
Here my deployed app name is myadb2c.So, update the Redirect URI as below.
https://myadb2c.azurewebsites.net/getAToken
***Workflow in GitHub Repository: ***
Deployed Application Output:

Node app deployed to Azure App Service : Error: The service is unavailable

I followed a tutorial on deploying a simple Node app from VSCode using the Azure App Service extension.
The app runs fine locally.
When I deploy I get this output:
Creating resource group "appsvc_linux_centralus" in location "centralus"...
Successfully created resource group "appsvc_linux_centralus".
Ensuring App Service plan "appsvc_linux_centralus" exists...
Creating App Service plan "appsvc_linux_centralus"...
Successfully created App Service plan "appsvc_linux_centralus".
Creating new web app "XXX-node-users-api"...
Created new web app "XXX-node-users-api": https://XXX-node-users-api.azurewebsites.net
21:28:12 XXX-node-users-api: Creating zip package...
21:28:33 XXX-node-users-api: Starting deployment...
Error: The service is unavailable.
In the portal there is nothing listed in Diagnose and solve problems. How can I tell why the service in unavailable (which it does show when I click on the link)?
UPDATE:
I followed the same process with a different Node app (which I got from another MS tutorial) and I got this:
Using existing resource group "appsvc_linux_centralus".
Ensuring App Service plan "appsvc_linux_centralus" exists...
Successfully found App Service plan "appsvc_linux_centralus".
Creating new web app "nodejs-docs-hello-world-20190805"...
Created new web app "nodejs-docs-hello-world-20190805": https://nodejs-docs-hello-world-20190805.azurewebsites.net
22:13:06 nodejs-docs-hello-world-20190805: Creating zip package...
22:13:07 nodejs-docs-hello-world-20190805: Starting deployment...
22:14:31 nodejs-docs-hello-world-20190805: Fetching changes.
22:14:31 nodejs-docs-hello-world-20190805: Cleaning up temp folders from previous zip deployments and extracting pushed zip file /tmp/zipdeploy/59khfmlp.zip (0.00 MB) to /tmp/zipdeploy/extracted
22:14:31 nodejs-docs-hello-world-20190805: Central Directory corrupt.
Error: Deployment to "nodejs-docs-hello-world-20190805" failed. See output channel for more details.
I get the feeling I'm doing something obvious wrong or the extension is mangling the code. Where do I start?
Thanks
I tried to deploy my app (the first one I tried to deploy to Azure) to Heroku which in comparison was simple and the logs trivially easy to get.
Doing this pointed to two changes I needed to make. I could then deploy to Azure using the VS Code extension.
There was not a npm start script in package.json so I added one.
The port was being set statically. Which, for Heroku at least, is not allowed. Changed
var server = app.listen(3000, function () {
to
var server = app.listen(process.env.PORT || 3000, function () {
Interestingly the second repo I tried already used both of these techniques so I'm no wiser as to how I might address that.

How to deploy pgadmin4 docker image on azure web app?

I am unable to run docker image dpage/pgadmin4 on azure web app (Linux) which is available on docker hub.
I have installed Docker in my Linux machine and was able to run that docker image locally. Then I created Web app in Azure with options as given below:
OS: Linux
Publish: Docker Image
App service plan: Linux app service
After creating web app, I added two env variables in App Settings section:
PGADMIN_DEFAULT_EMAIL : user#domain.com
PGADMIN_DEFAULT_PASSWORD : SuperSecret
Finally login screen is visible but when I enter above credentials, it doesn't work and keeps redirecting to login page.
Update: If login is working properly, screen appears as shown below.
!(pgadmin initial screen)
After several retries i once got an message (CSRF token invalid) displayed in the right-top corner of the login screen.
For CSRF to properly work there must be some serverside state? So I activated the "ARR affinity" in the "General Settings" on the azure "Configuration".
I also noticed in the explamples on documentation the two environment-variables PGADMIN_CONFIG_CONSOLE_LOG_LEVEL (which is in the example set to '10') and PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION (which is in the example set to 'True').
After enabling "ARR" and setting PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION to False the login started to work. I have no idea what PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION is actually doing, so please take that with caution.
If thats not working for you, maybe setting PGADMIN_CONFIG_CONSOLE_LOG_LEVEL to 10 and enabling console debug logging can give you a clue whats happening.
For your issue, I do the test and find that it's really a strange thing. When I deploy the docker image dpage/pgadmin4 in Azure service Web App for Container through Azure CLI and set the app settings, there is no problem to log in with the user and password. But when I deploy it through the Azure portal, then I meet the same thing with you.
Not sure what is the reason, but the solution is that set the environment variables PGADMIN_DEFAULT_EMAIL and PGADMIN_DEFAULT_PASSWORD through the Azure CLI like below:
az webapp config appsettings set --resource-group <resource-group-name> --name <app-name> --settings PGADMIN_DEFAULT_EMAIL="user#domain.com" PGADMIN_DEFAULT_PASSWORD="SuperSecret"
If you really want to know the reason, then you can make feedback to Microsoft. Maybe it's a bug or some special settings.
Update
The screenshot of the test on my side here:

Azure functions developing locally - cannot register EventHub triggered function

I want to develop locally my Azure Function App and later publish it to Azure Portal.
I am using Azure Functions Core Tools command line and all my functions are in Node.js
Currently, I managed to download my functions locally and fetch their settings with command:
func azure functionapp fetch-app-settings
So after that my local.settings.json has correct settings values. When I make any changes I am also able to publish them succesfully to Azure Portal.
The problem is now that I have two functions in my app, one is Http Triggered and the second is EventHub triggered.
When I try run locally host with:
func host start
I get the following output from console:
[10.12.2017 13:03:47] Found the following functions:
[10.12.2017 13:03:47] Host.Functions.HttpTriggerJS1
[10.12.2017 13:03:47]
[10.12.2017 13:03:47] Job host started
[10.12.2017 13:03:47] The following 1 functions are in error:
[10.12.2017 13:03:47] EventHubTriggerJS1: The binding type 'eventHubTrigger' is not registered. Please ensure the type is correct and the binding extension is installed.
And when I try to run locally this EventHubTriggerJS1 function with curl:
curl --request POST -H "Content-Type:application/json" --data '{"input":"sample queue data"}' http://localhost:7071/admin/functions/EventHubTriggerJS1
then nothing happens, so I guess this is a problem of this trigger registration.
The HttpTriggerJS1 runs perfectly, I can access it under
http://localhost:7071/api/HttpTriggerJS1
So, do you have any idea where might be a problem in configuring? BTW Is it possible to have locally function and connect to the remote EventHub in portal?
I was unable to reproduce your error on the Version 1.0 runtime.
I reproduced the error in 2.0. I believe 2.0 does not support event hubs yet,
https://github.com/Azure/azure-webjobs-sdk-script/wiki/Azure-Functions-runtime-2.0-known-issues#functional-gaps
try installing the extensions
func extensions install --package Microsoft.Azure.WebJobs.Extensions.EventHubs -v 3.0.0-beta4
Can you provided more detail about your functions, and the steps you took to create them?
HttpTriggerJS1 was created locally and then published to the portal following the steps outlined in https://learn.microsoft.com/en-us/azure/azure-functions/functions-run-local ?
EventHubTriggerJS1 was created in the portal? in the same Function App?
Do not mix local development with portal development in the same function app. When you create and publish functions from a local project, you should not try to maintain or modify project code in the portal.

Azure NodeJS console log

I have a Visual Studio Enterprise MSDN subscription so I decided to move from Heroku to Microsoft Azure because I used to pay: now I don't. My Service Plan is the D1.
I wish I can trail the console.log strings of my Node JS application deployed on my Azure platform. My service plan is the shared one named
I deployed the app code on BitBucket and linked my repo to the application with a correct destribution. Correct means I see the green check flag. I deployed, on the main folder of the app, a file named IISNode.yml, here is the content:
nodeProcessCommandLine: "D:\Program Files (x86)\nodejs\0.12.6\node.exe"
loggingEnabled: true
debuggingEnabled: false
devErrorsEnabled: false
node_env: production
The firse line I copied from the iisnode.yml created by Azure itselves. The other lines I am not quite sure about the exact meanings of all of them, but I figured they were enough. If I visit the url: http://MY_APP_NAME.scm.azurewebsites.net/DebugConsole I can click on Tools->Log Stream menu but the page remains on loading.
I can reach the Azure Portal, enter my node app, Tools -> Application Log and Web Server log. The application log shows this (I think quite interesting) message:
System.ApplicationException: The trace listener AzureBlobTraceListener is disabled. ---> System.InvalidOperationException: The SAS URL for the cloud storage account is not specified. Use the environment variable 'DIAGNOSTICS_AZUREBLOBCONTAINERSASURL' to define it.
at Microsoft.WindowsAzure.WebSites.Diagnostics.AzureBlobTraceListener.RefreshConfig()
I have not reached informations about this "environment variable", and I can0t guess what the BLOB container has to do with my log application. And: what is the correct value for this variable? And if there is any, why is that one correct?
The Web Servier log is are empty. I can see http activities from the monitor of the app on the same portal, but still no log.
Am I missing something ? I decided to install Visual Studio, maybe this will help? I hope this has tools to be integrated with Azure for good. Meanwhile, where is the console log of my (Extremely Simple) node application?
You can view your logs in real time if you use the azure SCM interface. This can usually be accessed on the following url
https://{{ name of webapp }}.scm.azurewebsites.net/api/logstream
All your console output from your application is redirected here.
You can also use curl:
curl -u {{ deploymentCredentialsUsername:deploymentCredentialsPassword }} https://webapp-name.acm.azurewebsites.net/api/logstream
Otherwise you could use the nodejs azure cli. Install it with
npm install -g azure-cli
Switch to asm mode:
azure config mode asm
Then you can proceed to look at the logs from your terminal:
azure site log tail {{ webapp name }}
You can add an item in iisnode.yml named logDirectory, set the value as iisnode for example, then the application will create a folder in this name in your root directory and store files with stdout and stderr captures in it. You can refer to https://github.com/tjanczuk/iisnode/blob/master/src/samples/configuration/iisnode.yml#L94 for the details for this configuration.
You can store logs in files whatever you need via console.log(), then the application will create a html file index.html in the log folder to provide logs. You can visit the logs via the URL: http://<you_app_name>.azurewebsites.net/<log_file_name>/index.html
Additionally, you can leverage Node.js console class to customize logger, refer to https://nodejs.org/api/console.html#console_new_console_stdout_stderr for the sample
If you are using the Azure Portal web interface, you can find the console.log output under the Log Stream section under Monitoring.
Refer to the screenshot below:

Resources