How to disable App Service authentication for a path? - azure-web-app-service

I enabled identity federation V2 for an App Service that hosts a single page app. This works fine but now I need to disable it again for routes that start with /.well-known/ because that's where I store files that don't require authentication, e.g. apple-app-site-associations.
In previous versions, I was able to upload an authorization.json file to my App Service to disable authentication for this path, but this no longer works?
{
  "routes": [
    {
      "path_prefix": "/",
      "policies": {
        "unauthenticated_action": "RedirectToLoginPage"
      }
    },
    {
      "path_prefix": "/.well-known/",
      "policies": {
        "unauthenticated_action": "AllowAnonymous"
      }
    }
  ]
}

I'm still unsure why the old way of configuring path exclusions stopped working, but I figured out how to do it with V2 configuration.
First migrate to file-based configuration as documented here: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-file-based#enabling-file-based-configuration
In short, copy all config from Microsoft.Web/sites/<siteName>/config/authsettingsV2 to a file in your wwwroot folder, e.g. wwwroot/auth.json. This file will be accessible over HTTP so remove secrets from configuration as documented. Set platform.configFilePath to auth.json and restart the app service.
Once you've confirmed that everything still works with file-based configuration, you can add path exclusions to the configuration file.
{
  "platform": {
    "enabled": true
  },
  "globalValidation": {
    ...
    "excludedPaths": [
      "/.well-known/apple-app-site-association",
      "/.well-known/assetlinks.json"
    ]
  },
  ...
}
Restart the app service one more time for changes to take effect.

If you're trying this 12/2022, it seems that "configFilePath" has not been working for quite some time (evidence)
If you change directly on Azure Resource Explorer, it works.
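
A pre-deployment check for the auth.json described in the answer above, added here as an example; it is not part of the original answers or of Microsoft's tooling. The public-prefix policy (PUBLIC_PREFIXES), the secret-key name heuristic and the clientSecret key in the constructed sample are assumptions of this example.

```javascript
// Added example: lint a file-based auth config. PUBLIC_PREFIXES and the key heuristic are assumptions.
const PUBLIC_PREFIXES = ["/.well-known/"];

// Collect JSON paths of string values stored under secret-looking keys.
// Keys ending in "SettingName" or "Thumbprint" hold a reference, not the secret.
function findInlineSecrets(node, path = "$", out = []) {
  if (node === null || typeof node !== "object") return out;
  for (const [key, value] of Object.entries(node)) {
    const here = `${path}.${key}`;
    const looksSecret = /secret|password/i.test(key) && !/(SettingName|Thumbprint)$/.test(key);
    if (looksSecret && typeof value === "string" && value !== "") out.push(here);
    findInlineSecrets(value, here, out);
  }
  return out;
}

// Return a list of findings; an empty list means the file passed every check.
function auditAuthConfig(config) {
  const findings = [];
  const gv = config.globalValidation || {};
  if (gv.unauthenticatedClientAction === "AllowAnonymous") {
    findings.push("unauthenticatedClientAction is AllowAnonymous for the whole site");
  }
  for (const p of gv.excludedPaths || []) {
    if (!PUBLIC_PREFIXES.some((prefix) => p.startsWith(prefix))) {
      findings.push(`excludedPaths entry outside public prefixes: ${p}`);
    } else if (p.split("/").includes("..")) {
      findings.push(`excludedPaths entry contains a ".." segment: ${p}`);
    }
  }
  for (const where of findInlineSecrets(config)) findings.push(`inline secret value at ${where}`);
  return findings;
}

// Constructed sample: the page's two exclusions plus three deliberate mistakes.
const sampleConfig = {
  platform: { enabled: true },
  globalValidation: {
    unauthenticatedClientAction: "RedirectToLoginPage",
    excludedPaths: ["/.well-known/apple-app-site-association",
      "/.well-known/assetlinks.json", "/api", "/.well-known/../admin"],
  },
  identityProviders: { azureActiveDirectory: { registration: {
    clientSecretSettingName: "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET",
    clientSecret: "constructed-placeholder", // hypothetical leftover key
  } } },
};
console.log(auditAuthConfig(sampleConfig));
```

Run it against the real file in a build step and fail the deployment when the returned list is not empty.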

Related

Why my file is not added to the appImage (electron app)

I have an electron app which uses a database opened with the following code:
const fs = require("fs")
const sqlite = require("aa-sqlite")
await sqlite.open('cregr_db.db');
My package.json contains:
"build": {
  "appId": "crergr",
  "linux": {
    "target": [
      "AppImage"
    ],
    "icon": "icon512.png"
  },
  "win": {
    "target": "NSIS",
    "icon": "icon256.ico"
  },
  "extraFiles": [
    "cregr_db.db"
  ]
},
The cregr_db.db is in the same folder as my *js, index.html and style.css.
Everything runs fine when launched from the root directory of my app.
If I run the app image from elsewhere, I have an exception when I query the database and, in fact, the database file is not displayed in the file hierarchy.
I can not post an image here but you can find one at http://alainbe.free.fr/files.png
What am I doing wrong?
Thanks for your help.
In fact, the db file was probably added but in an ASAR archive so can't be read by the code posted above.
The solution I chose was to distribute the app without building an ASAR archive and in this case, everything works exactly like you are testing your app (tested on Linux and Windows).
There is a strong warning about building an app without an ASAR. I chose not to pay attention because anyway there are ways to unpack the ASAR and see the code and besides, my app is GPL'ed.

What is the proper configuration to persist edgeAgent storage?

I am working on an Azure IoT Edge project. Currently I am going through the production readiness checklist. I followed the documentation to use storage on the host filesystem for the edgeAgent and edgeHub modules.
When I run sudo iotedge check, edgeHub is OK but edgeAgent raises a warning:
‼ production readiness: Edge Agent's storage directory is persisted on the host filesystem - Warning
The edgeAgent module is not configured to persist its /tmp/edgeAgent directory on the host filesystem.
Data might be lost if the module is deleted or updated.
Please see https://aka.ms/iotedge-storage-host for best practices.
√ production readiness: Edge Hub's storage directory is persisted on the host filesystem - OK
Here is a snippet from the deployment template:
"systemModules": {
  "edgeAgent": {
    "type": "docker",
    "settings": {
      "image": "mcr.microsoft.com/azureiotedge-agent:1.0",
      "createOptions": {
        "HostConfig": {
          "Binds": [
            "/home/pi/iotedge/edgeAgent/storage/:/iotedge/storage/"
          ]
        }
      }
    },
    "env": {
      "storageFolder": {
        "value": "/iotedge/storage/"
      }
    }
  },
  "edgeHub": {
    "type": "docker",
    "status": "running",
    "restartPolicy": "always",
    "settings": {
      "image": "mcr.microsoft.com/azureiotedge-hub:1.0",
      "createOptions": {
        "HostConfig": {
          "Binds": [
            "/home/pi/iotedge/edgeHub/storage:/iotedge/storage/"
          ],
          "PortBindings": {
            "5671/tcp": [
              {
                "HostPort": "5671"
              }
            ],
            "8883/tcp": [
              {
                "HostPort": "8883"
              }
            ],
            "443/tcp": [
              {
                "HostPort": "443"
              }
            ]
          }
        }
      }
    },
    "env": {
      "storageFolder": {
        "value": "/iotedge/storage/"
      }
    }
  }
},
As of release 1.0.9, there's an issue where edgeAgent's configuration doesn't update unless its image tag is updated. Two options from your current state:
Use a specific tag in the image settings (always recommended). E.g. mcr.microsoft.com/azureiotedge-agent:1.0.9
Delete the edgeAgent container on the device: docker rm -f edgeAgent. It will get restarted in under 30 secs and the new storageFolder env var will be picked up.
Run 'iotedge check' again after the container is updated, and this warning should go away.
I have followed the same documentation and was able to avoid the production readiness checklist warnings on my Raspberry Pi 3.
1) I have configured the "Binds" as per the documentation Link module storage to device storage
"Binds":["/etc/iotedge/storage/:/iotedge/storage/"]
2) I have provided the user access on the HostStoragePath, from SSH terminal.
sudo chown 1000 /etc/iotedge/storage/
sudo chmod 700 /etc/iotedge/storage/
3) Restarted Raspberry Pi 3, to make sure the granted access takes effect.
Make sure you have host storage folders available on your edge device.
Make sure to provide the user full access on those folders.
Try the deployment with your updated manifest, it should probably work.

UnauthorizedAccessException for static files when using IIS

I am developing a web application using ASP.Net core MVC. Initially to get started I manually copied the bootstrap and jQuery directly under wwwroot/lib folder. This worked fine.
To make the code maintainable, I thought it would be better to use client side library manager like libman.
This is what I have got in libman.json
{
  "version": "1.0",
  "defaultProvider": "unpkg",
  "libraries": [
    {
      "library": "bootstrap#4.1.3",
      "destination": "wwwroot/lib/bootstrap/"
    },
    {
      "provider": "cdnjs",
      "library": "jquery#3.3.1",
      "destination": "wwwroot/lib/jquery/"
    }
  ]
}
When I restore the client side library, I can see the files correctly restored under the lib folder.
Now when I compile and test the app locally using IIS, I am getting a 500 error in developer tools while fetching bootstrap.css, jquery.js and bootstrap.js.
When I tried to load bootstrap.css directly, I get a 500 and a message that access to the file is denied:
UnauthorizedAccessException: Access to the path 'C:\code\wwwroot\lib\bootstrap\dist\css\bootstrap.css' is denied.
Any thoughts what would be causing this error?

Node app create production build for live web site - static files (no node running on webhost)

I have a question which sounds maybe trivial, but I feel like I live behind the moon.
In those default React Apps, which are initialised by
npm install -g create-react-app
create-react-app my-app
I build whatever with this app and in the end of the day, I put in
npm run build
and it builds static files that I can upload via ftp to my existing Webspace with my domain live on the internet. No Heroku, no AWS, no installing node anywhere.
Now my question, how can I do the same with a random node.js?
I find a gazillion tutorials how to build apps on a server on localhost and even many on how to install node in some webspace.
But how do I generate those 'static files' that I just upload via FTP and done? Am I the only one who wants to do it that way?
If so, what is wrong with that thinking?
I'm using web-boost static site generator with page-speed optimizations.
You have to explicitly show all the routes you are going to convert from dynamic application into static ones like this:
{
  "routes": {
    "/": {
      "view": "index.twig",
      "vars": {
        "title": "Home page",
        "greeting": "Hello world!"
      },
      "assets": {
        "js/index.min.js": [
          "js/index.js"
        ]
      }
    },
    "/user": {
      "view": "user.twig",
      "vars": {
        "title": "User's page",
        "greeting": "Hi John Doe!"
      },
      "assets": {
        "css/user.min.css": [
          "styles/bootstrap.min.css",
          "styles/user.scss"
        ]
      }
    }
  }
}
and then run compile command and deploy your static pages into AWS.S3 bucket for example.

CORS with Azure function from localhost (not CLI)

We are using axios in a vue.js app to access an Azure function. Right now we are getting this error:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:8080' is therefore not allowed access.
We are trying to set response headers in the function this way:
context.res = {
  body: response.data,
  headers: {
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Origin': 'http://localhost:8080',
    'Access-Control-Allow-Methods': 'GET',
    'Access-Control-Request-Headers': 'X-Custom-Header'
  }
}
Has anyone run across this error?
To set CORS working locally when you are not using CLI and you are using Visual Studio/ VS Code - you need to add local.settings.json file into your project if it's not there.
Make sure "Copy to output directory" is set to "copy if newer".
Then in your "local.settings.json" you can add "CORS": "*" like so:
{
  "IsEncrypted": false,
  "Values": {
  },
  "Host": {
    "LocalHttpPort": 7071,
    "CORS": "*"
  }
}
More info:
https://learn.microsoft.com/en-us/azure/azure-functions/functions-run-local
For v3+ the following works:
p.s. note that location of Hosts is on the same level as Values and not under it (as in the answer by azadeh-khojandi https://stackoverflow.com/a/48069299/2705777)
Configure CORS in the local settings file local.settings.json:
{
  "Values": {
  },
  "Host": {
    "CORS": "*"
  }
}
We got it working. It was a configuration in our Azure function. You go to "Platform Features" then "CORS". We added http://localhost:8080 to the list of "Allowed Origins" and then everything worked.
Elaboration For Production Environment Issues
I was having a problem on localhost, and on production (firebase hosted), trying to get my JavaScript Web app to interact with an Azure Function.
Cross-Origin Resource Sharing (CORS) allows JavaScript code running in a browser on an external host to interact with your backend.
In Azure Functions, click the features tab, and click the CORS block under "networking and security".
Add your domain as an allowed origin and hit save. This will fix the issue.
Had same problem. On root of backend project, there's a file local.settings.json.
Added "CORS": "*" and "CORSCredentials": false in that file (following is the example), did mvn clean package -DskipTests=true on root, and mvn azure-functions:run -DenableDebug on the azure function directory.
{
  "IsEncrypted": false,
  "Values": {
    "FUNCTIONS_WORKER_RUNTIME": "<language worker>",
    "AzureWebJobsStorage": "<connection-string>",
    "AzureWebJobsDashboard": "<connection-string>",
    "MyBindingConnection": "<binding-connection-string>"
  },
  "Host": {
    "LocalHttpPort": 7071,
    "CORS": "*",
    "CORSCredentials": false
  },
  "ConnectionStrings": {
    "SQLConnectionString": "<sqlclient-connection-string>"
  }
}
Reference:
https://learn.microsoft.com/en-us/azure/azure-functions/functions-run-local?tabs=macos
For those of you who are doing all of the above, but still not getting anything to work, it could be that your local.settings.json file is completely ignored. I don't know if this is because I'm using v3.
Go to Properties of your Project -> Debug -> Application arguments ->
host start --build --port 7071 --cors * --pause-on-error
Start your application
I had the same issue and the culprit was actually a typo in the Blazor-embedded-URI which Firefox displayed as a CORS error. Solution was just to realize that it had nothing to do with CORS and fix the mis-typed URI.
You can enable CORS from the hosted environment in the function app by adding the web app URL; refer to the screenshot below.
Enable CORS in Function app
Note: To allow all, mark as "*"
Please note that CORS policies should be activated on the server where the resource is hosted.
In my case, although I was testing my API locally, I was accessing a resource on the real blob storage, where no CORS policy was set.
Activating the CORS policy on the blob storage solved the issue, in my case.
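
The header set from the question, rewritten as an origin allowlist handled in function code; this is an added example, not code from any of the posts above. It assumes CORS is not also configured on the platform, that the HTTP trigger accepts OPTIONS as well as GET, and that request header names arrive lower-cased; ALLOWED_ORIGINS, ALLOWED_HEADERS and handler are names chosen here.

```javascript
// Added example: per-request CORS headers from an explicit origin allowlist.
// ALLOWED_ORIGINS / ALLOWED_HEADERS are assumptions; list your real front ends.
const ALLOWED_ORIGINS = new Set(["http://localhost:8080"]);
const ALLOWED_METHODS = "GET, OPTIONS";
const ALLOWED_HEADERS = "X-Custom-Header";

// Build the CORS response headers for one request. An origin that is not on
// the allowlist gets no Access-Control-* headers, so the browser blocks the read.
function corsHeaders(origin) {
  const headers = { Vary: "Origin" }; // caches must key on the Origin header
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    // Echo the exact origin: "*" cannot be combined with credentials.
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS;
    // Response-side header; Access-Control-Request-Headers is sent by the browser.
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS;
  }
  return headers;
}

// HTTP-triggered function body: answer the preflight, then the real request.
async function handler(context, req) {
  const headers = corsHeaders(req.headers && req.headers.origin);
  if (req.method === "OPTIONS") {
    context.res = { status: 204, headers };
    return;
  }
  context.res = { status: 200, body: { ok: true }, headers };
}

// In a Functions project this function is the module's export.
if (typeof module !== "undefined") module.exports = handler;
```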
