Azure WAF infront of Web App changes HostName... Still having problem - azure

I have setup an Azure WAF, via the Azure Portal, to point to an App Service which has a custom domain. The App Service has 2 domain names:
mysite.azurewebsites.com
subdomain.mysite.com
When I select "Pick Hostname from backend address" for the Probe and the Backend HTTP Settings, the Custom domain is picked up. I am also using SSL and this is working. However weirdly when I get past my login page on the app, the Application Gatewoy/WAF seems to resort to using the mysite.azurewebsites.net url. I tried following the recommendation in the following link, but it does not work for me.
Azure WAF infront of Web App changes HostName
Ie I deselected "Pick Hostname from backend address" and put "subdomain.mysite.com" as the hostname. This works for the probe, but when I specifiy this for the hostname in HTTP Settings, I get "Update Failed" without any explanation.
Any thoughts please?
Thanks.
EDIT: If I change the CNAME to bypass the WAF and go direct to the App Service, it works fine.
EDIT2: This may be relevant. The URL gets rewritten post authentication. There are a few links on the login page and these have the correct custom domain in them. However once the user logs in, the app links gets rewritten to use *.azurewebsites.net as the suffix.
EDIT3: Another thought... Is the "Probe" path wrong? I am currently using "/"
From MS docs....
Path / or another path
The remainder of the full url for the custom probe. A valid path starts with
'/'. For the default path of http://contoso.com just use '/'

Just spoke with MS. You need to use the "FQDN" in the backendpool and not the "AppService" option.

Related

Hide WVD url using Azure services. FrontDoor? AppGW?

we are doing POC for one client of Windows Virtual Desktop service(2020 spring version)
and client requested to hide url that is being used by default: https://rdweb.wvd.microsoft.com/arm/webclient/index.html, there is no customization of this in WVD service., client want to see like: https://customdomainmain.com/arm/webclient/index.html
So trying to do this with FrontDoor or AppGW (ready to hear other solutions as well)
In both cases I get: 'Message: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application:' searching info for this: suggests to register app in AAD, not sure how but what I tried nothing works.
You can benefit of Azure Functions, which allows you to execute your code in a serverless compute platform and setting your own Custom URL using the corporate domain name. the same idea as myapps.3tallah.com or mail.3tallah.com, for sure it would be up to you to set your preferred subdomain name.
Please refer to this blogpost Configure Custom URL redirection for Windows Virtual Desktop – WVD

Azure frontdoor: The request URI is invalid

I am trying to use azure frontdoor to access a nginx running in a kubernetes cluster.
I can reach the nginx instance on the public IP, but when trying trough azure front door i get a "The request URI is invalid" error.
The health probes also seem to be failing, even though i did not change any settings and can access nginx via the public IP.
Looking at the time where the backend is availible, i don't see any request to the backend:
I have setup my forwarding rules like this:
EDIT:
It seems that i get a different error message when visiting www.1234h.azurefd.net as opposed to 1234h.azurefd.net (no www).
no www gives a "The request URI is invalid" while the one with www gives "Our services aren't available right now".
I guess this was an issue in azure.
A partial fix was:
wait for a couple of hours
Add a web app to the backend, and change routing rules
After about 10 minutes the http domain started working (still no https)
Changing the forward rule back to kubernetes (with no changes to the backend) gave http access.
I guess the steps are not needed, but the issue was resolved around the same time i did the steps.
If i get https access without changing any settings i will report back to confirm if this were a problem in azure and not with my settings.
Other symptoms that lead me to believe this was an azure issue:
There were a few hours were my connection attemps were not registered in the metrics
After the http magically worked, i see my request at the backend graph mathing the frontend requests
Logging does not work properly (i see "Failed to resolve table or column expression named 'AzureActivity'" even though the column are shown in the tables overview)
EDIT:
Https started working while i wrote this answer.
Again, i did not change anything.
I was getting "The request URI is invalid" only when hitting FD via HTTPS. It worked fine for HTTP.
My FD routing rule was configured as such:
But given that I don't care about HTTP, I just configured my app service to be "HTTPS only" and things started working:

Azure Application Gateway, Azure App Service and Form Based Authentication

I'm migrating a complete infrastructure over to Azure; it's been slow going as there's so much to learn and for every two steps forward, there seems to be one step back.
After what seems like an eternity, I think I've got it all sorted with one exception.
The architecture is as follows:
Azure Traffic Manager ==> 2 Azure Application Gateways (geo separated) ==> Azure App Service
A custom domain is used for the traffic manager and the gateways are listening for the same domain and, when the route matches, passing on the requests down to the app service.
The actual app itself is a ASP.NET MVC application and it uses forms authentication; and this is where the challenge happens.
When navigating to the public address: client.domain.com and hitting the website, it determines that the user is not authenticated and sends the browser to the login page... so far so good but, rather than using client.domain.com/login it uses the web-server dns name, so client.azurewebsites.com/login
How do I go about changing the behaviour so that it uses the external DNS name rather than the website name?
I can't setup custom domains on the app service as the only route into the site is via the gateway as this is also the firewall.
Is there some Web Config setting I can make? I'm looking at the outbound rewrite rules but these seem to only work on tags rather than 302 redirects.
Any thoughts would be most welcome.
You need to setup custom dns names on your webapp (you can use TXT record to verify dns name, so i dont see a reason why you can add it to the webapp). or you can alter the code.
In order to solve this problem, I had to make a code change to the web app itself. Not ideal but it worked.
What I had to do was to extend the code that redirects an unauthenticated request to the login page by sniffing for the X-Original-Host HTTP Header that the App Gateway forwards on. This contains the public facing DNS name. If the header is present and it is on a pre-approved white-list (so as to prevent any hijacking), then redirect the user to the login page for this domain, rather than the one the server is listening on directly (so use client.domain.com rather than client.azurewebsites.com)

how to skip validation when adding custom domain in Azure app service

when adding a custom domain to Azure app service, the system always trying to validate your custom domain, but this is very annoying for my case.
i have a CDN service which i have put my www. sub domain on it, and the now i am going to move my website to azure app service
actually i have the website up running already on app service, and the only thing i need to do is point the origin server address to app service in CDN setting
but, i need to set up a custom domain on app service for www. otherwise it won't load.
so the worst thing is, when i try to add the www record as custom domain, it validates if the record is really pointed to app service, which is definitely not possible because if i switch the domain really to app service,
first, i can not guarantee all user will get the dns change in same
time
second, then i need to switch www back to CDN after the
validation, then during this period, my app will work without cdn,
which will be a problem also
so is there anyway to add a custom domain without validation.
this is really stupid, i have to say
maybe i am stupid
found the way in office MS documents
here is the link
https://learn.microsoft.com/en-us/azure/app-service-web/app-service-custom-domain-name-migrate
you can set up a txt verification recond to pass the verification

Azure domain configuration

I have an APP that was awarded the gorunning.pt domain. It happens that when I call the gorunning.pt domain without the www everything works, when I add the www http://www.gorunning.pt/ I receive the page 404 application not found.
I've already set the DNS CNAME for the application of IP , also tried the url gorunning.azurewebsites.net defined by Azure , created a type A registration.
This is expected. Your DNS configuration is correct. However the Azure Web App's front-end doesn't recognize the www sub-domain as it is not mapped in the portal.
You will also have to map the www.gorunning.pt to your web app gorunning.azurewebsites.net in the Azure Portal. :)
From the dig web interface, it seems the domain has mapped to the Azure web app. However it shows 404 not found. As I know your custom domain maps to an empty web site, so the easiest way is deleting your existed web site then custom domain to the new web site again. If you still encounter the same issue, please submit a ticket via the following screenshot.

Resources