I have deployed few .net APIs and applications as app service to Azure which is being used internally and also some of them can be called externally. Also have set up an Azure Alert for one of the major app services (let's call it Service A) which sends email notification in case of 404 error.
Looking into AppInsights, I can see some requests that result in 404 error when calling one the services without any endpoint included in the url (service B https://serviceB.mydomain.com/) and of course Service B returns 404 however AppInsights doesn't display the request caller (request referer). To investigate the 404 error I need to know about the caller url.
I'm aware that programmatically I can read request referer but how it can be done for 404 error which caused by a request to an endpoint which doesn't exist moreover some requests may not have referer. How can I log the caller url [preferably in Azure app services/appInsights]?
So far I was not able to find any facility in Azure portal to configure the AppInsights however it can be configured programmatically to track the referer and of course if the request doesn't have referer in the header for some reason, it can not be captured.
This link explains how AppInsight configuration can be done in codes to track the Referer.
UPDATE - And the root of issue:
Turned out "ALWAYS ON" feature in Azure Application Settings was ON for the Service B which means it sends request to the base url to keep it active and avoid recycling. For more info about Always On you can refer to here
One of the main reason for this would be that you might configure the availability test in App Insights
To be particularly this will be a URL ping test
This will hit the configured URL frequently at the location you configured
Related
I am trying to call the Azure-hosted API endpoint using a 3rd party application. Application sends the HTTP request with the header values ContentType = "*/*";
Azure Application Gateway WAF blocks the request showing the below diagnostics logs.
I am aware that, I can add an exclusion in the Web Application Firewall settings, however, I am not able to extract the Request Header Name since the logs do not show the value due to the wildcard(ContentType = "*/*";) content type sent by the 3rd party app.
I added the below rule, but it is still blocking the request.
How can I allow the request via the AGW?
Please find the logs below.
Thanks in advance.
Hello I am trying to deploy my Azure Machine Learning pipeline with a REST endpoint. My problem is that I was able to generate an endpoint but has some sensitive information in it (ex: subscription id, resource group, etc). How can I generate a URL that forwards the request body to my Azure ML REST endpoint?
also, here is an approach I've done:
Used Application Gateway Redirect (this approach didn't forward the request body. It instead turned my POST request into a GET request when it redirected to the correct URL.)
The issue is raised because of some of the default security headers dependent on REST API and web based. Need to set the REST API CSP HEADER. Check the request and response headers in config file of the web application.
I have a problem configuring my Open Auth ID .net Core 2 application as an App Service behind a Web Application Firewall using a Path based routing.
My application is myapp.azurewebsites.net with a network restriction making it inaccessible from the public internet. I have deployed a WAF in the same VNET and allowed traffic between the WAF and App Service using a Path based route "/Admin*".
The effect is that https://myapp.azurewebsites.net is not internet accessible but https://myWAF/Admin is accessible and maps to the app service.
This setup works fine, but when I introduce Open ID auth to my .net core application the outgoing Location header includes its myapp.azurewebsites.net/signin-oidc as the reply URI.
This doesn't work because the host is not accessible from the internet. I have attempted several approaches;
I have added the WAF URL (https://myWAF/Admin/signin-oidc) in the application registration URL in Azure App Registrations to allow AAD to accept the modified URL (as legitimate
I have coded app.UseForwardedHeaders (forcing reuse of all X-Forwarded headers) in my startup.cs. This doesn't seem to have any affect on the Location header being sent by my App Service.I presume the WAF is sending X-Forwarded headers, but if it is, the Open Auth ID stack isn't using them.
I have coded a header rewrite in the WAF to replace the myapp.azurewebsites.net with the WAF URL. This does replace the URL correctly and allows the callback, but then fails with a Correllation Error (which seems to be a generic Open ID stack error meaning "the nonce does not match". Its possible that the nonce is predicated on the URL being called back to - which in my case changes due to the WAF redirection, but that's a guess).
It seems to me like I should be able to use the X-Forwarded headers in my app to get around the need to code up header re-writes in the WAF, but I can't find an example where this is used successfully to alter the Reply URI being sent out by Open ID.
My question it; is using the X-Forwarded header the correct approach to handling proxies in an OAuth context, or is header-rewriting in the WAF the correct approach ?
I have set
After much investigation I found the following;
WAF does not send the standard X-Forwarded-Host to App Services but sends X-Original-Host instead. Documented here https://feedback.azure.com/forums/217313-networking/suggestions/33657763-add-the-x-forwarded-host-header-to-application-gat
The ForwardedHeaderOptions that ASP.net Core 2 uses in its ForwardedHeaders middleware have an option to replace the expected and supported "X-Forwarded-Host" with an arbitrary other host header name. This behaviour can be triggered as follows to replace the use of the x-Forwarded-Host with the WAF specific X-Original-Host.
options.ForwardedHostHeaderName = "X-ORIGINAL-HOST";
WAF does not pass the Path of the Path Based Route down the Http Header stack as expected in the PathBase header. This must be added to the Request Headers either in the WAF via a Header Rewrite, or inside the app as follows (in this case the apps Path Route is /Admin);
app.Use((context, next) =>
{
context.Request.PathBase = new PathString("/Admin");
return next();
});
We have an app service which is an ASP.NET app in Azure. We have defined 200 OK response for / route. When we try to hit / endpoint from browser or Postman we get desired results.
But in Azure App Insights we notice GET / request every 5 min that is failing.
DNS Configuration
From the picture provided, you can see that default Azure route (qualitykitchen.azurewebsites.net) is still there as we haven't figure out a way to delete it.
404 Errors screenshot from Azure It is important to note that request that generates 404 is the default route for (qualitykitchen.azurewebsites.net) instead of the custom route that we setup via custom DNS which is (api-staging.qualitykitchen.co).
Because we’re have ‘Always On’ enabled we’re pretty sure the requests are simply Azure pinging the service to keep it alive. Unforunately it seems like it’s confused on which route to call.
Are we correct in assuming that the requests are coming from Azure? How can we direct Azure to make a call to our custom route?
Yes, that's correct, that's the AlwaysOn agent (check User-Agent in your telemetry).
Unforunately it seems like it’s confused on which route to call.
It's not, AlwaysOn agent always calls http://{sitename}.azurewebsites.net/, disregarding custom domains. It always calls / and you can't specify a custom URL.
Simply handle that domain as well and respond 200 OK back. You can not remove the default .azurewebsites.net binding.
I have a WCF Data service hosted in Azure as a Azure Web Role. Have added a Http Module for authentication. The custom Http Module looks at the Authorization header in the request headers and authenticates the user.
When I make a Http request to the WCF Data Service, I run into two issues. There is a Http redirect happening.
I make the request to http:\northwindsample.cloudapp.net\SampleService.svc. The message I get is that "There is no operation listening for http://rd00155d341b52/SampleService.svc, but there is an operation listening for http://northwindsample.cloudapp.net/SampleService.svc/, so you are being redirected there.
Though I am making the request to http:\northwindsample.cloudapp.net\SampleService.svc, it is somehow going to http://rd00155d341b52/SampleService.svc and then gets redirected to the actual service. I get an Http 307 and in the redirect the authorization header is missing.
Later I found that when I add the trailing slash, then there is no redirect happening.
How can I prevent this redirection because of missing trailing slash ? Also the issue is that the authorization header is not sent to the redirected Uri.
Thanks
Take a look at this:
http://gavinmckay.wordpress.com/2009/03/24/howto-fix-wcf-host-name-on-iis/
For updating this in Azure, you will want to either create a startup task or use the IIS management APIs like is used here:
http://blogs.msdn.com/b/tom/archive/2011/02/18/installing-and-using-an-httpmodule-in-windows-azure.aspx