I have a website with restricted access. Only a number of IPs are allowed to access the site. I have configured the Access Restrictions for the web site so that only specified clients can access the app.
The problem is that all denied clients received a 403 http response status code with the following message:
Error 403 - This web app is stopped.
How could I change this behaviour, so that denid clients receive no response at all?
How about using "Dynamic IP Restrictions feature".
https://azure.microsoft.com/en-us/blog/confirming-dynamic-ip-address-restrictions-in-windows-azure-web-sites/
Example:
<system.webServer>
<security>
<ipSecurity allowUnlisted="false" denyAction="NotFound">
<add allowed="true" ipAddress="1.2.3.4"subnetMask="255.255.0.0"/>
</ipSecurity>
</security>
</system.webServer>
The allowable values for denyAction are:
AbortRequest (returns an HTTP status code of 0)
Unauthorized (returns an HTTP status code of 401)
Forbidden (returns an HTTP status code of 403).
Note this is the default setting.
NotFound (returns an HTTP status code of 404)
Related
We have an Angular web application running on Azure. The backend is Dot Net Core 3.1. The Authentication is done through Azure AD. What is happening is the following steps
User logs into the web site and navigates to a page. Everything is working as expected
The user logs out, but does not close the tab. The Logout screen is shown as expected
The user opens a new tab and navigates to the web site
The user is NOT prompted for a login and when the user navigates to page they get error
Access to XMLHttpRequest at 'https://login.microsoftonline.com/2aa666ca-a53c-4274-bfcc-41b83867d22a/oauth2/authorize?client_id=794424bb-0ad2-41f8-b007-b71ed576b793&redirect_uri=https%3A%2F%2Fmydomain.azurewebsites.net%2Fsignin-oidc&response_type=id_token&scope=openid%20profile&response_mode=form_post&nonce=637782164067215548.NzQ4MWQxNjgtYjdlZS00OTlmLWIwYzctM2NhZWRkZjdhMTZiYzdmNjljOTEtNTk3OS00NDlhLWEzZjgtODZkN2YyZDZmYzlh&state=CfDJ8IE9b1M0cDdJqtQPg1_KxRR0vlYAN1zOfKzhpzhdzqvcX_XGygV8nincOzoVYDPPyZWnbh5SrGMDZhQfmUDlO4wQ41v_7Q_gJCUHftetejZZQZTS7Uhn-IVBRysh36hvldRY2pxcZBKCQHLYkKMnR2my9R0TqsaqEAI4gGNUUHwa8fJnv4xj0lkMJq_DORhJS4AwLMhtQWGvuIp0gzQ_cGR0gjGZvMRMTaBZunGBDexThOzzbAyQJTCJuNxUUB_tvAm0cFEVWb3lTPYRgk1ARnagmg7a6GDFrCnXT7vT_3VJjUyMzrazbt1xeRtrs1AdlUIX1fnnFsGZPGUBA3kYvzTyEgVkm97FGBTPgeGZAP3W&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0' (redirected from 'https://mydomain.azurewebsites.net/api/profileTypes?_=1642619606751') from origin 'https://mydomain.azurewebsites.net' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
If the user refreshes the page, then they are forced to login and everything begins working again
I have tried adding in CORS as directed on other questions and other websites as follows
In the ConfigureService function of the startup.cs The following code is present
services.AddCors(o => o.AddPolicy("CorsPolicy", builder =>
{
builder
.WithOrigins(new[] { "http://YOUR_FRONTEND_ORIGIN" })
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials();
}));
In the Configure function of the startup.cs is the following code
app.UseCors("CorsPolicy");
I am confused as to why CORs would even come into play as everything is on the same Azure subscription, but I added the above code and it does not change anything. Searching the internet give mainly the same or similar implementations as above.
I am not sure how to proceed or even what questions to ask, so any help would be appreciated
Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism which basically allows server to indicate any origins other than its original url or scheme or domain or port .But cors settings may also vary from different browsers which may cause this error.
In case of Azure App Service it sets “AppServiceAuthSession” cookie for authenticated session with browser. The web application may use XMLHttpRequest / AJAX request inside the app and the request sent may contain the AppServiceAuthSession cookie. When this cookie is still present in the browser and the web page pointing to the page of app may not be the original url and which might be the possible cause of error.When this cookie is not present in the request, Azure App Service will redirect the request to Azure AD for login that is why when you referesh it, it works.
If the browser is enabled with cors ,it makes a pre-flight cors check to the specified url and gets the access-control-allow-origin headers, we can modify this headers accordingly,if origin restriction is not required.
Try to insert the http protocol present in the asp.net Web Api backend, in the Web.config between the <system.webServer> </ system.webServer> tags,
Example:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
</customHeaders>
</httpProtocol>
</system.webServer>
and you can try enable access to all origins from browser settings .
Please check this reference access to xmlhttprequest has been blocked by cors policy Code Example (codegrepper.com) if you can enable credentails to true and by using cors variable to use in app.use(cors).
References:
Cross-origin XMLHttpRequest - Chrome Developers
express - Angular CORS request blocked - Stack Overflow
I am building a new common Authentication module for my application. For this, I need to intercept requests coming to API layer, route to the common Authentication service and continue with regular flow only if Authentication service returned success. When invoking Authentication service, parameters are passed to it, via query string, based on which it returns true/false as response.
Flow of events:
Browser invokes http://localhost/SampleService/api/Home?param=data i.e Site1
Reverse proxy rule on Site1 makes the call go to Site2 which is http://localhost/ValidateAuthN
Site2 checks the value of param and returns a JSON response - true or false
Browser gets the response back.
I am using IIS as reverse proxy with url rewrite module and ARR configured. "Enable proxy setting" has been checked for ARR on root node in IIS. On API site in IIS, I have configured rewrite rule as below:
<rewrite>
<rules>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://localhost/ValidateAuthN" />
</rule>
</rules>
</rewrite>
I see that the request is redirected to Authentication service with query strings values and the true/false response returned by Authentication service is received directly in calling application. However, request is not reaching the actual API layer for further processing. What I want is that at step 4 above, the request should go back to site1 with JSON response of true/false.
Please suggest what could I be missing in this configuration.
Maybe you need an exception rule for the reply? Your match rule (.*) catches everything, so the true/false reply might be getting re-routed itself?
I have a webPI running in localhost fine but when I publish it in IIS this request fails: http://planificador.fyseg.com/#/proyectos/X0000088/empleado/112/plan/horas
This same request in localhost works fine: http://localhost:5000/#/proyectos/X0000088/empleado/112/plan/horas
The error is this:
'http://planificadorwebapi.fyseg.com/api/proyectos/X0000088/fechainicio/2018-05-22T22:00:00.000Z/fechafin/2020-01-30T23:00:00.000Z/horas' from origin 'http://planificador.fyseg.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
I have the webAPI configured like this
But at same time other requests to the same API from the same domain works, for exmaple
http://planificadorwebapi.fyseg.com/api/contratos/X0000088/mes/5/anio/2018/acumular/false
Any idea Please?
regards
According to your description, I suggest you could check the plan horas method to make sure there is no special cros setting for this method.
If not, I suggest you could try to add below setting in your IIS application's web.config file.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
I'm trying to stop MS Azure responding with the header/value of Server: HTTPAPI/2.0 on receipt of an invalid request, for example an invalid hostname.
I've seen this SO entry...
Removing Server and X-Powered-By HTTP Headers on Azure Web Site Preview
..and one answer suggests that the only way to get around this is to host the website on an Azure VM, something I'd much rather avoid.
It's 3.5 years on from that question/answer - does anyone know if it can now be suppressed in a WebApp solution
According the description at Remove standard server headers in Azure Web Sites:
HTTP headers are part of the communication process between web servers and browsers, and are included in the request and response. One example is the server header, which lists the product name and version of the web server (e.g., Microsoft-IIS/8.0). All web servers generate these headers, but now you can disable them on Azure Web Sites.
You can try to modify or create a new web.config in the root directory of your application on Azure Web Apps, with following content:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<requestFiltering removeServerHeader="true" />
</security>
</system.webServer>
</configuration>
Please refer to https://azure.microsoft.com/en-us/blog/removing-standard-server-headers-on-windows-azure-web-sites/ for more info.
To remove the MVC header, add this in Global.asax - Application Start event:
MvcHandler.DisableMvcResponseHeader = true;
Using this will remove the version headers,
<httpRuntime enableVersionHeader="false" />
Say, If I restrict access to a site's subfolder using "IP address and domain restrictions", what would be the IIS error message I would be getting? I need to use a custom error message like "Your IP is not allowed to access this site", but would that be possible? I am asking if the same same error code (like a generic access denied that is returned for Certificate error) is returned for this, then I won't be able to use it.
Is it possible to get a unique error when a request fail at the "IP address and domain restrictions" rule?
IIS will raise a HTTP 403.6 - Forbidden: IP address rejected.
If you want to display a custom error page then go to your website within the IIS Manager and look for "Error Pages" under the IIS section, on the right hand side under "Actions" click "Add...", fill out the window using status code 403.6 and choose your action.
This can also be achieved by modifying your websites web.config file, just add an <error> entry to the <httpErrors> section as shown below:
<system.webServer>
<httpErrors>
<error statusCode="403" subStatusCode="6" path="/errors/iprestricted.html" responseMode="ExecuteURL" />
</httpErrors>
</system.webServer>