Our Azure Web App's applicationhost.config contains the desired server variables in <allowedServerVariables>, but we're still seeing the error message:
The server variable "HTTP_X_UNPROXIED_URL" is not allowed to be
set. Add the server variable name to the allowed server variable list.
(Viewed via Kudu) Assumed relevant section from D:\local\Config\applicationhost.config on the Azure Web App:
<rewrite>
<allowedServerVariables>
<add name="HTTP_X_UNPROXIED_URL" />
<add name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" />
<add name="HTTP_X_ORIGINAL_HOST" />
<add name="HTTP_ACCEPT_ENCODING" />
</allowedServerVariables>
<globalRules />
<outboundRules />
<providers />
<rewriteMaps />
<rules />
</rewrite>
HTTP_X_UNPROXIED_URL is there in the section "allowedServerVariables". Is the error message referring to some other location that also has to be edited?
Related
I'm trying to configure Azure App Service Reverse Proxy to expose webserver in Azure Virtual Network to the internet and I had limited success - it's working when I'm not using encrypted connection between reverse proxy and target server.
Here is my currently working configuration:
web.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<httpErrors errorMode="Detailed" />
<rewrite>
<rules>
<rule name="ForceSSL" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
<rule name="Proxy" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://example.com/{R:1}" />
<serverVariables>
<set name="HTTP_X_UNPROXIED_URL" value="http://example.com/{R:1}" />
<set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
<set name="HTTP_X_ORIGINAL_HOST" value="{HTTP_HOST}" />
<set name="HTTP_ACCEPT_ENCODING" value="" />
</serverVariables>
</rule>
</rules>
<outboundRules>
<preConditions>
<preCondition name="CheckContentType">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^(text/html|text/plain|text/xml|application/rss\+xml)" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
applicationHost.xdt
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.webServer>
<proxy xdt:Transform="InsertIfMissing" enabled="true" preserveHostHeader="false" reverseRewriteHostInResponseHeaders="false"/>
<rewrite xdt:Transform="InsertIfMissing">
<allowedServerVariables xdt:Transform="InsertIfMissing">
<add name="HTTP_X_ORIGINAL_HOST" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
<add name="HTTP_X_UNPROXIED_URL" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
<add name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
<add name="HTTP_ACCEPT_ENCODING" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
</allowedServerVariables>
</rewrite>
</system.webServer>
</configuration>
IP Address of the server has been replaced by example.com
When I change web.config rewrite rule and HTTP_X_UNPROXIED_URL to https I get following IIS Error
Detailed Error Information:
Module ApplicationRequestRouting
Notification ExecuteRequestHandler
Handler ApplicationRequestRoutingHandler
Error Code 0x80072f8f
Requested URL https://example.com:80/
Physical Path D:\home\site\wwwroot
Logon Method Anonymous
Logon User Anonymous
Request Tracing Directory D:\home\LogFiles
This suggests, that for some reason it's trying to request https on port 80.
I tried to follow guide from here: https://www.patrickob.com/2018/11/10/adding-ca-certs-to-the-trusted-root-store-for-web-apps-hosted-in-an-ase/
I have added my organizations root cert to SSL certificated and added WEBSITE_LOAD_ROOT_CERTIFICATES setting.
Any help will be appreciated.
WEBSITE_LOAD_ROOT_CERTIFICATES is only supported in an App Service Environment, its not supported in multi-tenant app services. If the endpoint on-premises is signed by a certificate not using a public CA at this time there's no direct workaround to make this work outside of updating the certificate or possibly writing a simple proxy app that can ignore SSL cert validation (I typically wouldn't recommend this option unless you do the cert validation yourself in code).
On our DNN site hosted in an Azure app service, we have the following custom rule set on our web.config:
<rewrite>
<rules>
<rule name="Proxy" stopProcessing="true">
<match url="^base3/?(.*)" />
<action type="Rewrite" url="https://(a website hosted in aws s3)/tx/{R:1}" />
<serverVariables>
<set name="HTTP_ACCEPT_ENCODING" value="" />
<set name="HTTP_X_ORIGINAL_HOST" value="{HTTP_HOST}" />
<set name="HTTP_X_Blog" value="1" />
</serverVariables>
</rule>
</rules>
We have also setup the following in our applicationHost.xdt
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.webServer>
<proxy xdt:Transform="InsertIfMissing" enabled="true" preserveHostHeader="false" reverseRewriteHostInResponseHeaders="false" />
<rewrite>
<allowedServerVariables>
<add name="HTTP_X_ORIGINAL_HOST" xdt:Transform="Insert" xdt:Locator="Match(name)"/>
<add name="HTTP_X_UNPROXIED_URL" xdt:Transform="Insert" xdt:Locator="Match(name)"/>
<add name="HTTP_ACCEPT_ENCODING" xdt:Transform="Insert" xdt:Locator="Match(name)"/>
<add name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" xdt:Transform="Insert" xdt:Locator="Match(name)"/>
<add name="HTTP_X_Mischief" xdt:Transform="Insert" xdt:Locator="Match(name)"/>
<add name="HTTP_X_Blog" xdt:Transform="Insert" xdt:Locator="Match(name)"/>
</allowedServerVariables>
</rewrite>
</system.webServer>
</configuration>
However, when trying to navigate to it (https://(our azure webapp.com)/base3/index.html) we constantly get the error The resource you are looking for has been removed, had its name changed, or is temporarily unavailable. which is confusing because this was the rewrite rule we have used on our other sites.
We even tried the same approach on a fresh app service and the rewrite rule above works just fine..
Trying to figure out what's wrong through heuristic analysis, on our web.config the rewrite rule now works if:
under <system.webServer>
<modules runAllManagedModulesForAllRequests="true">
then commenting <add name="UrlRewrite" type="DotNetNuke.HttpModules.UrlRewriteModule, DotNetNuke.HttpModules" preCondition="managedHandler" />
However, the main site breaks now..
How do we implement a rewrite rule that works properly with DotNetNuke.HttpModules.UrlRewriteModule, DotNetNuke.HttpModules??
UPDATE
<configSections>
<section name="RewriterConfig" type="URLRewriter.Config.RewriterConfigSerializerSectionHandler,URLRewriter" />
</configSections>
......
<RewriterConfig>
<Rules>
<RewriterRule>
<LookFor>^default/([0-9]+)/([_0-9a-z-]+)</LookFor>
<SendTo>11.aspx?id={R:1}</SendTo>
</RewriterRule>
</Rules>
</RewriterConfig>
PRIVIOUS
About the function of url rewrite, the reason is the Web Server integrated by App Service cannot have full control. You can refer my answer in another post .
You can use the Application Gateway to implement the url rewriting function.
I have upgraded the Node.js version to 8.8.1, and updated this in the process environmental variables, iisnode.yml, Web.config and package.json.
Nonetheless, requests going to the app now get rejected with the following error:
The iisnode module is unable to start the node.exe process. Make sure
the node.exe executable is available at the location specified in the
https://github.com/tjanczuk/iisnode/blob/master/src/samples/configuration/web.config>system.webServer/iisnode/#nodeProcessCommandLine
element of web.config. By default node.exe is expected in one of the
directories listed in the PATH environment variable.
I tried to update the file path in Kudu to reflect the path to the node.exe I'm interested in ("D:\Program Files (x86)\nodejs\8.1.1\node.exe"), but got an error saying I was not authorized to do this.
The relevant files:
iisnode.yml:
nodeProcessCommandLine: "D:\Program Files (x86)\nodejs\8.1.1\node.exe"
loggingEnabled: true
devErrorsEnabled: true
Web.config
<?xml version="1.0" encoding="utf-8"?>
<!--
For more information on how to configure your Node.js application, please visit
-->
<configuration>
<appSettings>
<!--
<add key="StorageAccountName" value="" />
<add key="StorageAccountKey" value="" />
<add key="ServiceBusNamespace" value="" />
<add key="ServiceBusIssuerName" value="" />
<add key="ServiceBusIssuerSecretKey" value="" />
-->
</appSettings>
<system.webServer>
<!-- mimeMap enables IIS to serve particular file types as specified by fileExtension. -->
<staticContent>
<mimeMap fileExtension=".svg" mimeType="image/svg+xml" />
</staticContent>
<modules runAllManagedModulesForAllRequests="false" />
<!-- Web.Debug.config adds attributes to this to enable remote debugging when publishing in Debug configuration. -->
<!--<iisnode watchedFiles="web.config;*.js;routes\*.js;views\*.pug"/>-->
<!-- Remote debugging (Azure Website with git deploy): Comment out iisnode above, and uncomment iisnode below. -->
<iisnode watchedFiles="web.config;*.js;routes\*.js;views\*.pug"
loggingEnabled="true"
devErrorsEnabled="true"
nodeProcessCommandLine="D:\Program Files (x86)\nodejs\8.8.1\node.exe --debug"/>
<!-- indicates that the server.js file is a Node.js application
to be handled by the iisnode module -->
<handlers>
<add name="iisnode" path="index.js" verb="*" modules="iisnode" />
<!-- Remote debugging (Azure Website with git deploy): Uncomment NtvsDebugProxy handler below.
Additionally copy Microsoft.NodejsTools.WebRole to 'bin' from the Remote Debug Proxy folder.-->
<add name="NtvsDebugProxy" path="ntvs-debug-proxy/blablabla" verb="*" resourceType="Unspecified"
type="Microsoft.NodejsTools.Debugger.WebSocketProxy, Microsoft.NodejsTools.WebRole"/>
</handlers>
<security>
<requestFiltering>
<hiddenSegments>
<remove segment="bin" />
</hiddenSegments>
</requestFiltering>
</security>
<rewrite>
<rules>
<clear />
<!-- Remote debugging (Azure Website with git deploy): Uncomment the NtvsDebugProxy rule below. -->
<rule name="NtvsDebugProxy" enabled="true" stopProcessing="true">
<match url="^ntvs-debug-proxy/.*"/>
</rule>
<!-- Don't interfere with requests for node-inspector debugging -->
<rule name="NodeInspector" patternSyntax="ECMAScript" stopProcessing="true">
<match url="^server.js\/debug[\/]?" />
</rule>
<rule name="app" enabled="true" patternSyntax="ECMAScript" stopProcessing="true">
<match url="iisnode.+" negate="true" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
<action type="Rewrite" url="index.js" />
</rule>
</rules>
</rewrite>
</system.webServer>
<!-- Remote debugging (Azure Website with git deploy): uncomment system.web below -->
<system.web>
<httpRuntime targetFramework="4.5"/>
<customErrors mode="Off"/>
</system.web>
</configuration>
In iisnode.yml, you have nodeProcessCommandLine pointing to 8.1.1 instead of 8.8.1. Maybe that's just it?
I have an app that works locally but when I deploy it to azure POST requests receive a 404 response. Various answers suggest that I need to edit my web.config but I don't see what needs to be changed.
If it's relevant: My POSTs are to a path called /receive on the server, which should be handled by server.js
<?xml version="1.0" encoding="utf-8"?>
<!--
For more information on how to configure your Node.js application, please visit
http://go.microsoft.com/fwlink/?LinkId=290972
-->
<configuration>
<appSettings>
<!--
<add key="StorageAccountName" value="" />
<add key="StorageAccountKey" value="" />
<add key="ServiceBusNamespace" value="" />
<add key="ServiceBusIssuerName" value="" />
<add key="ServiceBusIssuerSecretKey" value="" />
-->
</appSettings>
<system.webServer>
<!-- mimeMap enables IIS to serve particular file types as specified by fileExtension. -->
<staticContent>
<mimeMap fileExtension=".svg" mimeType="image/svg+xml" />
</staticContent>
<modules runAllManagedModulesForAllRequests="false" />
<!-- Web.Debug.config adds attributes to this to enable remote debugging when publishing in Debug configuration. -->
<iisnode watchedFiles="web.config;*.js" />
<!-- Remote debugging (Azure Website with git deploy): Comment out iisnode above, and uncomment iisnode below. -->
<!--<iisnode watchedFiles="web.config;*.js"
loggingEnabled="true"
devErrorsEnabled="true"
nodeProcessCommandLine="node.exe --debug"/>-->
<!-- indicates that the server.js file is a Node.js application
to be handled by the iisnode module -->
<handlers>
<add name="iisnode" path="server.js" verb="*" modules="iisnode" />
<!-- Remote debugging (Azure Website with git deploy): Uncomment NtvsDebugProxy handler below.
Additionally copy Microsoft.NodejsTools.WebRole to 'bin' from the Remote Debug Proxy folder.-->
<!--<add name="NtvsDebugProxy" path="ntvs-debug-proxy/eee3ec35-9835-494f-a07c-dc2f85619df0" verb="*" resourceType="Unspecified"
type="Microsoft.NodejsTools.Debugger.WebSocketProxy, Microsoft.NodejsTools.WebRole"/>-->
</handlers>
<rewrite>
<rules>
<clear />
<!-- Remote debugging (Azure Website with git deploy): Uncomment the NtvsDebugProxy rule below. -->
<!--<rule name="NtvsDebugProxy" enabled="true" stopProcessing="true">
<match url="^ntvs-debug-proxy/.*"/>
</rule>-->
<!-- Don't interfere with requests for node-inspector debugging -->
<rule name="NodeInspector" patternSyntax="ECMAScript" stopProcessing="true">
<match url="^server.js\/debug[\/]?" />
</rule>
<rule name="app" enabled="true" patternSyntax="ECMAScript" stopProcessing="true">
<match url="iisnode.+" negate="true" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
<action type="Rewrite" url="server.js" />
</rule>
</rules>
</rewrite>
</system.webServer>
<!-- Remote debugging (Azure Website with git deploy): uncomment system.web below -->
<!--<system.web>
<httpRuntime targetFramework="4.5"/>
<customErrors mode="Off"/>
</system.web>-->
</configuration>
I tested your web.config file in my test node.js application, everything worked fine on my side. It should be any other reason which caused your issue. Could you kindly provide more info about your application, e.g. how you deploy to Azure Web Apps, what's your structure and any key code snippet related to the post functionality. These may help communities to detect the queston.
Meanwhile, you can try to leverage Log Stream tool to trace the all the info and stdout of your application while the Azure App is running.
You can login on your Azure Portal, navigate to Azure Apps blade, click Diagnostics Logs => Enable Application Logging (Filesystem), and then click Log stream to open the tool.
I am trying to log in to Azure Active Directory from my web page in cloud services. The log in screen comes up and I am able to log in OK. However when it sends me to my homepage it says "page cannot be displayed". In the Azure Active Directory configuration I added SSL localhost to the APP URI and Reply URL and configured the properties in VS2013 to show SSL = True and set the project URL to the localhost. I was able to access the page before I added the log in screen.
Relevant web.config settings:
<appSettings>
<add key="webpages:Version" value="3.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
<add key="ida:FederationMetadataLocation" value="login.windows.net/conpro.com/FederationMetadata/2007-06/…; />
<add key="ida:Realm" value="localhost:44307/"; />
<add key="ida:AudienceUri" value="localhost:44307/"; />
</appSettings>
Your web.config URI values need to include https://. I'd suggest taking a look at this sample app as well.