Is it possible to add Content Security Policy (CSP) headers on static websites hosted in Azure blob storage?
I can see you can add metadata by using the Azure CLI with the following command:
az storage blob metadata update --container-name --name "blobname" --metadata key=value
However, these never end up being propagated to the HTTP Headers.
Is there a way to add custom headers to blobs?
Cause for now this function is not available(you could go to feedback site upvote the feature), so you could achieve it with Azure Function Functions.
Here is the blog you could refer to :Static web hosting with security headers on Azure.
And there is a way(it's an answer in msdnenter link description here) to add X-XSS Protection to web. Create web.config file in the apps wwwroot folder, then paste the following:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<!-- START x-xss protection -->
<httpProtocol>
<customHeaders>
<add name="X-Xss-Protection" value="1; mode=block" />
<add name="Content-Security-Policy" value="default-src 'self';" />
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
<!-- END x-xss protection -->
<rewrite>
<rules>
<!-- BEGIN rule TAG FOR HTTPS REDIRECT -->
<rule name="Force HTTPS" enabled="true">
<match url="(.*)" ignoreCase="false" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
<!-- END rule TAG FOR HTTPS REDIRECT -->
</rules>
</rewrite>
</system.webServer>
</configuration>
You can append CSP headers to an Azure CDN in the Rules Engine section, after mapping the CDN to your static website hosted in Azure Blob Storage. Please find the step by step reference here
Related
I have an MVC dot net application (multi-tenant platform) deployed on Azure Web App.
I have configured two tenants: tenant1 and tenant2, with their URLs:
primer-test.azurewebsites.net/tenant1 and
primer-test.azurewebsites.net/tenant2
Both of them are accessible from IE, Safari etc. I purchased two domains on GoDaddy:
domain1.com
domain2.com
and I would like to configure the rewrite rules for them so whenever someone types in his browser either www.domain1.com or domain1.com, the content of primer-test.azurewebsites.net/tenant1 should be presented. Similarly, for the domain2.
I have attached these two custom domains to my web app, with no problem. I wrote the rewrite rules, but they seem to don't work as expected.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<rewrite>
<rules>
<rule name="domain1.com" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTP_HOST}" pattern="^(www.)?domain1.com" />
<add input="{PATH_INFO}" pattern="^/tenant1/" negate="true" />
</conditions>
<action type="Rewrite" url="\tenant1\{R:0}" />
</rule>
<rule name="domain2.com" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTP_HOST}" pattern="^(www.)?domain2.com" />
<add input="{PATH_INFO}" pattern="^/tenant2/" negate="true" />
</conditions>
<action type="Rewrite" url="\tenant2\{R:0}" />
</rule>
</rules>
</rewrite>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\kobsq.dll" stdoutLogEnabled="false" stdoutLogFile="\\?\%home%\LogFiles\stdout" />
</system.webServer>
</location>
</configuration>
Any idea what might be wrong?
Thanks very much!
In this case, from the URL you provided, I can see that primer-test.azurewebsites.net is the webapp you created and used. tenant1 and tenant2 should be virtual applications in webapp.
Concept:
Virtual application
Related Posts:
1. How to deploy a Flask+React application to Azure Web Service
2. Hosting Two Website Under one Web App - Azure Services
Correct use process and test steps:
Step 1.
Preparation work, create a main application of the .net framework (use web.config in the project for the purpose of configuring rewrite.
Configure in portal.
Create folder under site path and deploy virtual app by zip.
Test it without rewrite settings.
Step 2. Modify web.config file in RewriteTest project.
Step 3. Create custom domain to test.
Step 4. Test result. Fulfill your needs.
I have an app in the azure app service which has "index.html" setup as a default document in portal and also url rewrites in web-config (see below). If I go to the site with cleared history or chrome incognito mode it gives me a 404. I can hit the url directly on "mysite.com/index.html" and after that "mysite.com" will work too, but brand new browser session always 404.
I also have below in www_root in attempt to force "index.html" to load but no luck, any ideas?
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<!-- IIS URL Rewrite for react routes -->
<rewrite>
<rules>
<rule name="Angular Routes" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
<add input="{REQUEST_URI}" pattern="^/(api)" negate="true" />
</conditions>
<action type="Rewrite" url="/index.html" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Try by removing '/' in url=/index.html and add appendQueryString="true"
The default document is the web page that's displayed at the root URL for a website. The first matching file in the list is used. To add a new default document, click New document.
So, you could remove the above and then try adding> In the Azure portal, search for and select App Services, and then select your app. In the app's left menu, select Configuration > Default documents.
If the app uses modules that route based on URL instead of serving static content, there is no need for default documents.
To isolate, try to configure web.config similar to this:
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="SPA">
<match url=".*" />
<action type="Rewrite" url="index.html" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Or If you wish to actually rewrite but not redirects, try enabling ARR with applicationHost.xdt file with in the site root folder. If you connect to your site using Kudu console, you will see the deployed files under your site\wwwroot folder - Kudu console (https://yoursite.scm.azurewebsites.net) > From the Kudu Console> Debug Console >> (CMD/PowerShell> Site > wwwroot. >> Shows-up all your deployment files.
In azure app services you are able to redirect HTTP traffic to HTTPS either via the web.config file or through the custom domains blade in azure portal. Is it possible to disable HTTP completely without doing a redirect?
Here is a way to achieve this:
Go to Kudu console for the Web App
Go into the D:\home\site folder
Create a file called applicationhost.xdt in that folder, with the following content (you can drag/drop it from your local machine):
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<location path="%XDT_SITENAME%" xdt:Transform="InsertIfMissing" xdt:Locator="Match(path)">
<system.webServer xdt:Transform="InsertIfMissing">
<rewrite xdt:Transform="InsertIfMissing">
<rules xdt:Transform="InsertIfMissing">
<rule name="Disable HTTP" enabled="true" stopProcessing="true">
<match url="(.*)" ignoreCase="false" />
<conditions>
<add input="{HTTPS}" pattern="off" />
<add input="{WARMUP_REQUEST}" pattern="1" negate="true" />
</conditions>
<action type="CustomResponse" statusCode="401" />
</rule>
</rules>
</rewrite>
</system.webServer>
</location>
</configuration>
This will make http requests fail with 401 (you can customize the response in the <action> tag).
I am using Azure web apps and need to block access to my pre-live environments.
I've attempted using the suggestion made here but it doesn't seem to work: https://learnwithshahriar.wordpress.com/2015/08/06/azure-website-101-restrict-access-on-your-staging-site/
My example:
<rewrite>
<rules>
<rule name="Block unauthorized IP to dev site" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTP_HOST}" pattern="^dev-slot.example.com" />
<add input="{REMOTE_ADDR}" pattern="111.222.333.444" negate="true"/>
</conditions>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Site is not accessible" />
</rule>
</rules>
</rewrite>
It basically does nothing and I've tried various minor alterations to no effect.
Are you looking to simply block the IP address within the web.config? I tested the below out in an Azure Web App and was able to block access.
<configuration>
<system.webServer>
<security>
<ipSecurity allowUnlisted="true">
<clear/> <!-- removes all upstream restrictions -->
<add ipAddress="83.116.19.53"/> <!-- block one IP -->
<add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/> <!--block network 83.116.119.0 to 83.116.119.255-->
</ipSecurity>
</security>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
Reference Site: https://www.stokia.com/support/misc/web-config-ip-address-restriction.aspx
How can add HTTPS and WWW Rules in web config.
Regarding Azure cloud Website.
Please describes how to write rules for HTTPS and WWW Everywhere, a browser extension that switches sites over from HTTP to HTTPS and www automatically.
You can force redirection of HTTP to HTTPS foe your ASP.NET Azure Web App by following this example Web.Config (copied from this Azure documentation page):
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Force HTTPS" enabled="true">
<match url="(.*)" ignoreCase="false" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Regarding your question on WWW Rules, if you mean setting up a custom domain name and configuring DNS records for your app, these can be achieved by using Azure Traffic Manager. More details can be found here:
https://azure.microsoft.com/en-us/documentation/articles/web-sites-traffic-manager-custom-domain-name/