firewalld override subnet rule for a particular IP - security

I would like to allow some ports from a network, and more ports from one IP within that network. I am not sure how to do it. Is it possible to have something like this in my custom zone.xml?
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <rule family="ipv4">
    <source address="192.168.0.100"/>
    <service name="nrpe"/>
    <service name="ssh"/>
  </rule>
  <source address="192.168.0.0/24"/>
  <service name="ssh"/>
</zone>
It means I want to open ssh to the whole 192.168.0.0 network and open both ssh and nrpe from 192.168.0.100. It seems we can't have more than one element in a rich rule.
Thanks in advance,
B.

I found how to do it. I have to split it into two rich rules:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <!-- one service per rich rule, each with an explicit action:
       firewalld rejects a service rule that has no accept/reject/drop ("no action") -->
  <rule family="ipv4">
    <source address="192.168.0.100"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.100"/>
    <service name="nrpe"/>
    <accept/>
  </rule>
  <source address="192.168.0.0/24"/>
  <service name="ssh"/>
</zone>
B.
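To see what a zone file like the one above actually grants per client address, here is an added example (not part of the original post) that resolves a firewalld zone XML for a given IP. It models the two grant paths the answer relies on: zone-level `<service>` entries apply to every address bound to the zone through a top-level `<source>`, while a `<rule>` adds its `<service>` only for addresses matching the rule's own `<source>` and only when the rule carries an `<accept/>`. It also flags rich rules that carry a service but no action, which firewalld refuses to load. The zone text is constructed for the example (its second rule deliberately omits the action), and the model assumes traffic reaches this zone only through its `<source>` bindings.

```python
"""Resolve which services a firewalld zone XML grants to a client address.

Added example, not firewalld's own code. Constructed zone text below; the
second rich rule deliberately lacks an action to exercise the linter.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed zone file: ssh for the whole /24, nrpe additionally for one host.
ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <rule family="ipv4">
    <source address="192.168.0.100"/>
    <service name="nrpe"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.100"/>
    <service name="ssh"/>
  </rule>
  <source address="192.168.0.0/24"/>
  <service name="ssh"/>
</zone>
"""

# Rich-rule actions firewalld accepts for service/port elements.
ACTIONS = ("accept", "reject", "drop", "mark")


def _matches(address_spec, client):
    """True if client falls inside address_spec (a single IP or a CIDR block)."""
    net = ipaddress.ip_network(address_spec, strict=False)
    return ipaddress.ip_address(client) in net


def lint_rich_rules(zone_xml):
    """Warn about rich rules that name a service but carry no action.

    firewalld rejects such a rule ("no action"), so the intended grant never exists.
    """
    root = ET.fromstring(zone_xml)
    warnings = []
    for i, rule in enumerate(root.findall("rule"), start=1):
        service = rule.find("service")
        has_action = any(rule.find(a) is not None for a in ACTIONS)
        if service is not None and not has_action:
            warnings.append(f"rule {i}: service {service.get('name')!r} has no action; add <accept/>")
    return warnings


def allowed_services(zone_xml, client):
    """Services the zone permits for `client`, as a sorted list."""
    root = ET.fromstring(zone_xml)
    # Assumption: traffic lands in this zone only via its <source> bindings.
    bound = any(_matches(s.get("address"), client) for s in root.findall("source"))
    if not bound:
        return []
    # Zone-level services apply to every bound address.
    granted = {s.get("name") for s in root.findall("service")}
    # Rich rules: scoped by their own <source>, and only with an explicit accept.
    for rule in root.findall("rule"):
        if rule.find("accept") is None:
            continue  # reject/drop/no-action rules grant nothing
        sources = rule.findall("source")
        if sources and not any(_matches(s.get("address"), client) for s in sources):
            continue
        granted.update(s.get("name") for s in rule.findall("service"))
    return sorted(granted)


if __name__ == "__main__":
    for warning in lint_rich_rules(ZONE_XML):
        print("WARNING:", warning)
    for ip in ("192.168.0.100", "192.168.0.7", "10.0.0.5"):
        print(ip, "->", allowed_services(ZONE_XML, ip))
```

Running it prints one warning for the action-less ssh rule and shows that 192.168.0.100 gets nrpe and ssh, any other host in the /24 gets only ssh, and an address outside the binding gets nothing; the same check can be pointed at a real `/etc/firewalld/zones/*.xml` before reloading.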

Related

Azure App Service applicationHost.xdt appears to have no effect

I'm trying to get a reverse proxy set up by using Azure Websites, roughly following this guide that explains how to modify ApplicationHost.config on such a website - but it doesn't work for me.
I have this applicationHost.xdt:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.webServer>
    <proxy xdt:Transform="InsertIfMissing" enabled="true" preserveHostHeader="false" reverseRewriteHostInResponseHeaders="false" />
    <rewrite>
      <allowedServerVariables>
        <add name="HTTP_X_ORIGINAL_HOST" xdt:Transform="InsertIfMissing" />
        <add name="HTTP_X_UNPROXIED_URL" xdt:Transform="InsertIfMissing" />
        <add name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" xdt:Transform="InsertIfMissing" />
        <add name="HTTP_ACCEPT_ENCODING" xdt:Transform="InsertIfMissing" />
      </allowedServerVariables>
    </rewrite>
  </system.webServer>
</configuration>
I put it in the site directory of my web app.
The transforms appear to get executed (from the transform log):
2017-09-06T12:12:20 StartSection Executing InsertIfMissing (transform line 8, 50)
2017-09-06T12:12:20 on /configuration/system.webServer/rewrite/allowedServerVariables/add
2017-09-06T12:12:20 Applying to 'allowedServerVariables' element (no source line info)
2017-09-06T12:12:20 EndSection Done executing InsertIfMissing
I have indeed four of those blocks.
I still get 500s on setting the headers with rewrite. The detailed error message contains this:
<h3>HTTP Error 500.50 - URL Rewrite Module Error.</h3>
<h4>The server variable "HTTP_X_UNPROXIED_URL" is not allowed to be set. Add the server variable name to the allowed server variable list.</h4>
Not sure what to do at this point. Any ideas?
I faced the same issue with the TomSSL article. David Ebbo's comment ultimately got me to the answer, but I felt it was worth adding this to save people some time. It's because applicationHost.config is missing xdt:Locator="Match(name)":
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.webServer>
    <proxy xdt:Transform="InsertIfMissing" enabled="true" preserveHostHeader="false" reverseRewriteHostInResponseHeaders="false"/>
    <rewrite xdt:Transform="InsertIfMissing">
      <allowedServerVariables xdt:Transform="InsertIfMissing">
        <add name="HTTP_X_ORIGINAL_HOST" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
        <add name="HTTP_X_UNPROXIED_URL" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
        <add name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
        <add name="HTTP_ACCEPT_ENCODING" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
      </allowedServerVariables>
    </rewrite>
  </system.webServer>
</configuration>
The key to investigating these issues is to determine whether the problem is with the transform not doing the right thing, or with the applicationhost.config not working as you expect.
You can check the generated applicationhost.config in D:\local\Config from Kudu console.
See this page for more details about this.

restricting IP security

Having an issue with restricting IP security.
I have made a web.config file and placed it in the folder I am trying to restrict; see below:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false" enableProxyMode="true" denyAction="Forbidden">
        <clear />
        <add ipAddress="123.456.789" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
I have also adjusted the applicationHost.config to:
<section name="ipSecurity" overrideModeDefault="Allow" />
However when browsing to a file in that folder I get a 403.
I have restarted IIS and the IP address is correct.
What am I missing?
Check the client IP (c-ip) in the IIS logs and add that to the IP restriction rules.
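The answer's advice is to compare what IIS actually saw (the c-ip column) with what the rule list allows. Here is an added example, not part of the original thread, that does that offline: it parses constructed W3C-format IIS log lines, then evaluates each c-ip against a constructed `<ipSecurity>` block using the documented semantics (allowUnlisted="false" denies any address no `<add ... allowed="true"/>` covers; subnetMask widens an entry to a range). The addresses, log lines and the function names are all example values. One caveat the example leaves out on purpose: with enableProxyMode="true" IIS also consults the X-Forwarded-For header, which the client controls unless a trusted proxy in front of IIS overwrites it, so auditing on c-ip is the conservative view.

```python
"""Audit IIS W3C log c-ip values against an <ipSecurity> allow list.

Added example, not IIS's own code. Log excerpt and config fragment are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed web.config fragment (documentation-range addresses).
IPSECURITY_XML = """<ipSecurity allowUnlisted="false" denyAction="Forbidden">
  <clear />
  <add ipAddress="203.0.113.10" allowed="true" />
  <add ipAddress="10.0.0.0" subnetMask="255.255.0.0" allowed="true" />
</ipSecurity>
"""

# Constructed IIS W3C log excerpt; the #Fields line defines the columns.
IIS_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip cs(User-Agent) sc-status sc-substatus
2017-09-06 12:00:01 10.0.1.4 GET /private/report.html 443 203.0.113.10 Mozilla/5.0 200 0
2017-09-06 12:00:02 10.0.1.4 GET /private/report.html 443 198.51.100.77 Mozilla/5.0 403 503
2017-09-06 12:00:03 10.0.1.4 GET /private/report.html 443 10.0.9.9 curl/7.58 200 0
2017-09-06 12:00:04 10.0.1.4 GET /private/report.html 443 192.168.1.20 curl/7.58 403 503
"""


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))


def load_rules(xml_text):
    """Return (allow_unlisted, [(network, allowed), ...]) from an <ipSecurity> element."""
    root = ET.fromstring(xml_text)
    allow_unlisted = root.get("allowUnlisted", "true").lower() == "true"
    rules = []
    for add in root.findall("add"):
        # A single host unless subnetMask widens it; ipaddress accepts dotted masks.
        mask = add.get("subnetMask", "255.255.255.255")
        net = ipaddress.ip_network(f"{add.get('ipAddress')}/{mask}", strict=False)
        rules.append((net, add.get("allowed", "true").lower() == "true"))
    return allow_unlisted, rules


def is_allowed(client_ip, allow_unlisted, rules):
    """Verdict for one address: a covering entry decides, otherwise allowUnlisted."""
    addr = ipaddress.ip_address(client_ip)
    for net, allowed in rules:
        if addr in net:
            return allowed
    return allow_unlisted


def audit(log_text, xml_text):
    """Map every c-ip seen in the log to the verdict the ipSecurity rules give it."""
    allow_unlisted, rules = load_rules(xml_text)
    return {e["c-ip"]: is_allowed(e["c-ip"], allow_unlisted, rules) for e in parse_w3c(log_text)}


if __name__ == "__main__":
    for ip, ok in audit(IIS_LOG, IPSECURITY_XML).items():
        print(f"{ip:16} {'allowed' if ok else 'DENIED (403)'}")
```

Addresses that show up as denied here but that you expected to pass are the ones the answer is talking about: the client is reaching IIS through NAT or a proxy, so the address IIS evaluates is not the one you put in the rule.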

How to load index.asp in IIS 7.5

I have a site/application I would like to load in IIS. The root of the folders contains a web.config and index.asp. The sub folders are asp, scripts, styles, images.
I use Add Web Site in IIS, define the physical path to the location of index.asp, and assign the IP address; for the host name I tried localhost, the IP, and leaving it blank. When I click on Browse Website I receive an HTTP 500 Internal Server Error. IIS is running and the Web Site is started in the Manage Website menu.
If I write a short index.html hello world page and set it as default document it displays ok. When I change default document back to index.asp I get the 500 error again.
Could someone give me a tip on how to proceed?
Here is my web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <identity impersonate="true" />
  </system.web>
  <system.webServer>
    <defaultDocument>
      <files>
        <add value="index.asp" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>
This is going to be a guess at best, since a 500 can mean anything without a sub-status code. It is probably due to configuration inheritance. index.asp is already in the default list of default documents at the server level. By adding index.asp again, it may be causing a unique key violation when the configuration inheritance is flattened into the effective configuration.
Suggestion:
Add a <clear /> element right above the <add value="index.asp" /> and try again. Otherwise, we will need to go get the sub status code of that 500 to get more information. The IIS log usually contains the sub status in the sc-substatus.
Resulting Configuration
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <identity impersonate="true" />
  </system.web>
  <system.webServer>
    <defaultDocument>
      <files>
        <clear />
        <add value="index.asp" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>
If this works, then the reason it originally worked with index.html is that index.html is not in the default files list.
Additional Note
The other thing I can think of is impersonation being enabled. If you are running the application pool in Integrated Pipeline mode, you'll need to turn off integrated mode configuration validation. More information can be found here: Integrated Pipeline mode configuration validation.
New Resulting Configuration
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <identity impersonate="true" />
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="False" />
    <defaultDocument>
      <files>
        <clear />
        <add value="index.asp" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>

Where should <allowedServerVariables> tag live in Azure Website applicationHost.config?

Technical Information
Azure Website
Installed IIS Manager Site Extension by shibayan
Scenario
I have implemented a reverse proxy on my Azure Website, however the receiving server doesn't get any indication of whether the initial request was over HTTPS or not.
What I want to do is send the HTTPS flag of ON/OFF from the initial request to the proxied server, via a custom HTTP Header.
In Theory
Using shibayan's IIS Manager Site Extension, I can edit the applicationHost.xdt file, give it a Transform to insert an <allowedServerVariables> tag and that should allow me to set a custom HTTP Header.
In Practice
I've configured my rewrite rule as such:
<rule name="Proxy" stopProcessing="true" xdt:Transform="Replace" xdt:Locator="Match(name)">
  ...
  <serverVariables>
    <set name="HTTP_X_USE_HTTPS" value="{HTTPS}" />
  </serverVariables>
  ...
</rule>
And have attempted a few combinations of where to put the <serverVariables> tag...
Attempt one:
As described in this answer.
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.webServer>
    <proxy enabled="true" preserveHostHeader="false" reverseRewriteHostInResponseHeaders="false" xdt:Transform="Insert" />
    <rewrite>
      <allowedServerVariables>
        <add name="HTTP_X_USE_HTTPS" xdt:Transform="Insert" />
      </allowedServerVariables>
    </rewrite>
  </system.webServer>
</configuration>
Result:
HTTP Error 500.50 - URL Rewrite Module Error.
The server variable "HTTP_X_USE_HTTPS" is not allowed to be set. Add
the server variable name to the allowed server variable list.
Attempt two:
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <location path="~1[app service name]" overrideMode="Allow">
    <system.webServer>
      <proxy enabled="true" preserveHostHeader="false" reverseRewriteHostInResponseHeaders="false" xdt:Transform="Insert" />
      <rewrite>
        <allowedServerVariables>
          <add name="HTTP_X_USE_HTTPS" xdt:Transform="Insert" />
        </allowedServerVariables>
      </rewrite>
    </system.webServer>
  </location>
</configuration>
Result: HTTP 500.50
Attempt three:
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <location path="" overrideMode="Allow">
    <system.webServer>
      <proxy enabled="true" preserveHostHeader="false" reverseRewriteHostInResponseHeaders="false" xdt:Transform="Insert" />
      <rewrite>
        <allowedServerVariables>
          <add name="HTTP_X_USE_HTTPS" xdt:Transform="Insert" />
        </allowedServerVariables>
      </rewrite>
    </system.webServer>
  </location>
</configuration>
Result: HTTP 503
Attempt four:
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <location path="[app service name]" overrideMode="Allow">
    <system.webServer>
      <proxy enabled="true" preserveHostHeader="false" reverseRewriteHostInResponseHeaders="false" xdt:Transform="Insert" />
      <rewrite>
        <allowedServerVariables>
          <add name="HTTP_X_USE_HTTPS" xdt:Transform="Insert" />
        </allowedServerVariables>
      </rewrite>
    </system.webServer>
  </location>
</configuration>
Result: HTTP 503
I am aware that in the applicationHost.config file for an Azure Website there are a few places that <system.webServer> can be defined, such as under the following elements:
<configuration>
<configuration><location>
...however I've tried these combinations to no avail.
Questions
Is there another possible location?
Have I misconfigured my .xdt file in any way?
Am I missing something from my applicationHost.config?
You have to create an applicationHost.xdt file under the site folder, d:\home\site\applicationHost.xdt, with this content:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.webServer>
    <rewrite>
      <allowedServerVariables>
        <add name="HTTP_X_USE_HTTPS" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)" />
      </allowedServerVariables>
    </rewrite>
  </system.webServer>
</configuration>
Now you can use the new variable in your web.config file:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Proxy">
          <serverVariables>
            <set name="HTTP_X_USE_HTTPS" value="{HTTPS}"/>
          </serverVariables>
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
See also https://azure.microsoft.com/en-us/documentation/articles/web-sites-transform-extend/ or https://github.com/projectkudu/kudu/wiki/Xdt-transform-samples
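Both Azure answers on this page (the one attributing the 500.50 to a missing xdt:Locator="Match(name)", and the applicationHost.xdt just above) rest on one XDT behaviour: without a Locator, a transform element matches any destination element with the same tag name, so as soon as one `<add>` exists under `<allowedServerVariables>`, every further InsertIfMissing `<add>` is treated as already present and never lands; with Match(name), presence is decided per name attribute. Here is an added example, not from either answer and not the real XDT library, that implements just that subset of XDT in Python and shows the two outcomes side by side. The destination document, the variable names and the function names are constructed for the example.

```python
"""Simulate XDT InsertIfMissing with and without xdt:Locator="Match(name)".

Added example; it implements only the XDT subset needed to show why the
Locator matters, not the full transform language. All inputs are constructed.
"""
import xml.etree.ElementTree as ET

XDT = "http://schemas.microsoft.com/XML-Document-Transform"
TRANSFORM_ATTR = f"{{{XDT}}}Transform"
LOCATOR_ATTR = f"{{{XDT}}}Locator"

NAMES = ["HTTP_X_ORIGINAL_HOST", "HTTP_X_UNPROXIED_URL",
         "HTTP_X_ORIGINAL_ACCEPT_ENCODING", "HTTP_ACCEPT_ENCODING"]

# Constructed destination: the generated applicationHost.config already lists one variable.
DESTINATION = """<configuration>
  <system.webServer>
    <rewrite>
      <allowedServerVariables>
        <add name="HTTP_X_EXISTING" />
      </allowedServerVariables>
    </rewrite>
  </system.webServer>
</configuration>"""


def build_transform(names, with_locator):
    """Constructed applicationHost.xdt with one InsertIfMissing <add> per variable."""
    locator = ' xdt:Locator="Match(name)"' if with_locator else ""
    adds = "\n".join(
        f'        <add name="{n}" xdt:Transform="InsertIfMissing"{locator} />' for n in names)
    return f"""<configuration xmlns:xdt="{XDT}">
  <system.webServer>
    <rewrite>
      <allowedServerVariables>
{adds}
      </allowedServerVariables>
    </rewrite>
  </system.webServer>
</configuration>"""


def _strip_xdt(elem):
    """Copy of elem without xdt:* attributes, i.e. what gets written into the destination."""
    attrs = {k: v for k, v in elem.attrib.items() if not k.startswith("{" + XDT + "}")}
    clean = ET.Element(elem.tag, attrs)
    for child in elem:
        clean.append(_strip_xdt(child))
    return clean


def apply_transform(dest, transform):
    """Walk transform alongside dest, applying InsertIfMissing with optional Match(name)."""
    for t_child in transform:
        action = t_child.get(TRANSFORM_ATTR)
        locator = t_child.get(LOCATOR_ATTR, "")
        same_tag = dest.findall(t_child.tag)
        if locator == "Match(name)":
            matched = [d for d in same_tag if d.get("name") == t_child.get("name")]
        else:
            matched = same_tag  # no Locator: any element with this tag counts as present
        if action == "InsertIfMissing":
            if not matched:
                dest.append(_strip_xdt(t_child))
        elif action is None and matched:
            apply_transform(matched[0], t_child)  # plain container: descend into it
    return dest


def allowed_variables(with_locator):
    """Variable names under <allowedServerVariables> after the transform runs."""
    dest = ET.fromstring(DESTINATION)
    apply_transform(dest, ET.fromstring(build_transform(NAMES, with_locator)))
    return [a.get("name") for a in dest.iter("add")]


if __name__ == "__main__":
    print("without Locator:", allowed_variables(False))
    print("with Match(name):", allowed_variables(True))
```

Without the Locator the result is just the pre-existing entry, which is exactly the state that produces "The server variable ... is not allowed to be set"; with Match(name) all four names are added. The same approach applies to the generated applicationhost.config in D:\local\Config mentioned earlier: diff what is actually there against what the transform was supposed to insert.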

Autoscaling Application Block not Increasing/Decreasing Instances

I have implemented autoscaling using the Enterprise Library Autoscaling Block, pretty much as described in the tutorial.
So the first time I run a load test against my site it increases the instance count by one.
But when I run the load again, CPU usage is at 100% and it does not increase the instance count, and when CPU usage is at 0% it does not decrease the instance count.
So what is wrong here?
I have the following Rules and Service XML. Rules XML:
<?xml version="1.0" encoding="utf-8" ?>
<rules xmlns="http://schemas.microsoft.com/practices/2011/entlib/autoscaling/rules">
  <constraintRules>
    <rule name="default" enabled="true" rank="1"
          description="The default constraint rule">
      <actions>
        <range min="2" max="5" target="ServiceWebRole"/>
      </actions>
    </rule>
  </constraintRules>
  <reactiveRules>
    <rule name="ScaleUpOnHighUtilization" rank="10"
          description="Scale up the web role" enabled="true">
      <when>
        <any>
          <greaterOrEqual operand="WebRoleA_CPU_Avg_5m" than="60"/>
        </any>
      </when>
      <actions>
        <scale target="ServiceWebRole" by="1"/>
      </actions>
    </rule>
    <rule name="ScaleDownOnLowUtilization" rank="11"
          description="Scale down the web role" enabled="true">
      <when>
        <all>
          <less operand="WebRoleA_CPU_Avg_5m" than="40"/>
        </all>
      </when>
      <actions>
        <scale target="ServiceWebRole" by="-1"/>
      </actions>
    </rule>
  </reactiveRules>
  <operands>
    <performanceCounter alias="WebRoleA_CPU_Avg_5m"
                        performanceCounterName="\Processor(_Total)\% Processor Time"
                        source="ServiceWebRole" timespan="00:05:00" aggregate="Average"/>
  </operands>
</rules>
Service XML:
<?xml version="1.0" encoding="utf-8" ?>
<serviceModel
    xmlns="http://schemas.microsoft.com/practices/2011/entlib/autoscaling/serviceModel">
  <subscriptions>
    <subscription name="My subscription name"
                  certificateThumbprint="My subscription certificateThumbprint"
                  subscriptionId="My subscriptionId"
                  certificateStoreLocation="LocalMachine" certificateStoreName="My">
      <services>
        <service dnsPrefix="productionservice" slot="Production" scalingMode="Scale">
          <roles>
            <role alias="ServiceWebRole" roleName="ServiceWebRole"
                  wadStorageAccountName="targetstorage"/>
          </roles>
        </service>
      </services>
      <storageAccounts>
        <storageAccount alias="targetstorage"
                        connectionString="DefaultEndpointsProtocol=https;AccountName=autoscale;AccountKey=storageaccountkey">
        </storageAccount>
      </storageAccounts>
    </subscription>
  </subscriptions>
</serviceModel>
