How to Restrict the anonymous domain accessing my webisite - azure

! I have implemented a WebApp and SQL-DB.
added custom domain and SSL certificates (which bought at CA).
for SSL offloading purpose we configured an azure application gateway.
with all setup.
next, we configured azure traffic manager so that traffic manager decide active web app routing.
our concern is when I adding the CNAME record for traffic manager in GoDaddy it is routing to WebApp, everything is great.
but when I search "xxxx.com" Digwebinterface it shows all connections to WebApp
in this, I took the traffic manager CNAME record and added to another domain then the duplicate domain also accessing all my content of the website and even create a record in SQL also.
in this scenario I losing my website restriction unauthorized domain can map site
any suggestion and insights it would be grateful to
thank you

The simple way is to create a filter in your code for inspecting the host of headers of request to allow or deny the accessing from different domain.
Here is my sample code in Node.js with express.
const express = require('express')
const app = express()
const port = 3000
const allowedHosts = [`localhost:${port}`]
var domainFilter = function(req, res, next) {
if(allowedHosts.includes(req.headers.host)) {
next()
} else {
res.status(403).end()
}
}
app.use(domainFilter)
app.get('/', (req, res) => res.send('Hello World!'))
app.listen(port, () => console.log(`Example app listening on port ${port}!`))
It will allow the request from localhost:3000 and deny the request from 127.0.0.1:3000 or others, as the figures below.
Fig 1. Allow the request from localhost:3000
Fig 2. Deny from 127.0.0.1:3000 or others
Hope it helps.

Related

Managing HTTPS Signed Cert on IIS in Express for Prod

How do I manage API (HTTPS) certs in DEV vs PROD in express on a node/ angular environment deployed to Windows IIS? I've seen proxy rewrites mentioned on this but I'm not sure how it is managed on express side.
I know in PROD, IIS and rewrites in web.config help manage cert for front end, but most of the tutorials I see for https on express require hard coding a self signed cert and including it in build. In PROD I have an official signed cert on server that I will use on port 8443 and not sure how that changes code, see below:
const express = require('express')
const app = express()
const https = require('https')
const fs = require('fs')
const port = process.env.PORT || 8443;
app.get('/', (req, res) => {
res.send("IT'S WORKING!")
})
const httpsOptions = {
key: fs.readFileSync('./security/cert.key'),
cert: fs.readFileSync('./security/cert.pem')
}
const server = https.createServer(httpsOptions, app)
.listen(port, () => {
console.log('server running at ' + port)
})
On a separate, but related note, how does my API service in Angular change to call the backend API for Dev vs PROD. I'm guessing something like this which IIS would re-route to PROD domain?
private API_URL: string = 'https://localhost:8443/api/';
I've seen proxy rewrites mentioned on this but I'm not sure how it is
managed on express side.
It does not need managed on express side. Express does not need to know about the certs that IIS injects.
In PROD I have an official signed cert on server that I will use on
port 8443 and not sure how that changes code
Express does not need cert in prod, IIS bindings handle that. So in server.js code only include httpsOptions if on dev and inserting self signed cert.
On a separate, but related note, how does my API service in Angular
change to call the backend API for Dev vs PROD. I'm guessing something
like this which IIS would re-route to PROD domain?
Angular CLI should provide you an environments folder with environment.prod.ts and environment.ts files which will swap the variable values they hold based on build type. Simply add a variable in both for different urls for express to call when sending requests. Your prod url will not be localhost and instead should be the actual url the user will access in production.

node-sspi keep on asking for authentication after deploying on Azure

I'm working on an application, building front end using angular and back end using node JS. For authentication, since we have to go with windows authentication, i chose Node-sspi as it is simple to implement and found it effective. Below i'm posting a simple code similar to the code i'm working with.
var http = require('http');
var port = process.env.PORT || 8080;
var express = require('express');
var app = express();
app.use(function (req, res, next) {
var nodeSSPI = require('node-sspi')
var nodeSSPIObj = new nodeSSPI({
retrieveGroups: true
})
nodeSSPIObj.authenticate(req, res, function(err){
res.finished || next()
})
})
app.use(function(req, res, next) {
var out =
'Hello ' +
req.connection.user +
'! Your sid is ' +
req.connection.userSid +
' and you belong to following groups:<br/><ul>'
if (req.connection.userGroups) {
for (var i in req.connection.userGroups) {
out += '<li>' + req.connection.userGroups[i] + '</li><br/>\n'
}
}
out += '</ul>'
res.send(out)
})
app.listen(port, function(){
console.log('server is listening on port '+port);
})
console.log('Your application is listening on port '+port);
When i browse this on local, i'm able to do the authentication part and can see the landing page.
the problem is when i deploy it on azure or on IIS it is keep on asking me for the authentication.
Please let me know how to achieve windows authentication using node-sspi on IIS and Azure.
As far as I know, it's not possible to use windows authentication in Azure web apps. App Service PaaS VM instance(s) can't be domain joined. This is the reason why you always ask you login in.
Azure Active Directory is the best option. Sync from AD to Azure Active Directory is also quite easy to setup.
If you still want to absolutely use Windows auth and host your website on Azure, you can create Windows VM and host your website there. You then need to join the VM to your AD. To do this, both VMs must be in the same network.
Please add the site to Trusted sites:

Deploying a Nodejs app to Windows without IIS and without a private key

I've read a tonne of articles on the web and looked at a tonne of questions on stack overflow related to the following, and they all provide basically the same solution which I am unable to implement due to security issues with my company.
I am trying to deploy a NodeJS app to a secure windows server without IIS. I'm not even sure if this is possible - there is very little support about deploying node apps to windows, and what support there is says to use IIS and iisnode together. To add to the complication, my company will not give me the key to the main SSL certificate of the server.
I have access to the server/cert store/certificate, but I can't export its key. Just wondering if there is a way to have server.js point to just the certificate instead of both the certificate AND the key?
I've tried to access the certificate and extract the key via https://www.npmjs.com/package/win-ca but haven't had any luck with this.
I was able to use a self-signed certificate and get everything working, but you need to accept the self-signed certificate in your browser which isn't a viable solution for production.
I've also looked into using nginx, let's encrypt, etc., but windows support for those isn't that great either.
Here is my code which works, but like I said, I need to accept the self-signed cert client side which isn't ideal:
const express = require('express');
const app = express();
const https = require('https');
const http = require('http');
const fs = require('fs');
const options = {
//self-signed cert, I'd rather point this to the main cert for the server
//but I don't have access to the key
key: fs.readFileSync('cert.key'),
cert: fs.readFileSync('cert.pem'),
};
// Create an HTTP service.
http.createServer(app).listen(80);
// Create an HTTPS service identical to the HTTP service.
https.createServer(options, app).listen(443);
app.get('/', function (req, res) {
res.send('Hello World!');
});
In the end I removed all the certificate and security related stuff from my server.js file and just put the website behind a load balancing proxy server.

Forbit CORS request in node.js

I have a nodejs Express app which serves a static front-end app. I have an endpoint that I'd like to prevent the access from all the others domains.
One solution could be using CRSF but I'd prefer avoiding this. Is there a simple way?
My app is very simple:
app.use(express.static(path.join(__dirname, '/dist')));
app.use(bodyParser.json());
app.post('/endpoint', (req, res) => {
res.send();
});
app.listen(process.env.PORT || 8080);
Does the domain have a static IP? You could add your domains IP to a whitelist blocking access to your endpoint from all IP's bar your own:
express-ipfilter
If you don't have a static IP so that you can block requests you could start by configuring CORS with the Access-Control-Allow-Origin header set to your domain. This will block cross origin access from the browser but isn't a complete fix for what you want.
Configuring CORS

SSL certificate propagation issue with custom domain on Bluemix app

I uploaded my SSL certificate in the section of my custom domain in the space of my organization. I linked the domain with my application and I have created the CNAME record in my DNS to my broken app xxxxx-gb.bluemix.net .eu.
When I try to reach my application through my domain custom, I served me the Bluemix certificate and not mine.
I tried to add a proxy on my server (NodeJS) but the situation does not change.
app.enable('trust proxy');
app.use(function (req, res, next) {
if (req.secure) {
// request was via https, so do no special handling
next();
} else {
// request was via http, so redirect to https
res.redirect('https://' + req.headers.host + req.url);
}
});
How can I fix the problem ? I need my certificate, to call my API, from my mobile application, it is the certificate must necessarily be mine and then TRUSTED
You need to map the CNAME to the secure endpoint for the Bluemix region you are using, in your case it should be secure.eu-gb.bluemix.net.
When receiving the request from your custom domain Bluemix will map it internally to your app.
More details in the documentation link below:
https://new-console.ng.bluemix.net/docs/manageapps/updapps.html#domain

Resources