Application Gateway stops working when enabling web service authentication - azure

I have a WAF application gateway in Azure with a backend pool that points to my application. If I visit the gateway address it works and I get the application homepage.
However, if I go to that application and enable PaaS AAD Authentication, which should prompt me with an org login page before getting to my application home page, the gateway stops working and returns the message:
502 - Web server received an invalid response while acting as a gateway or proxy server.
There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.
When checking backend health I can now see that it is unhealthy, and it gives me the message:
Probe status code mismatch. Received status code is different from expected 100-999.
Note that I even changed the range to 100-999, just for testing this out. No idea what could be causing this or how to fix it.

I guess you can try disabling WAF as specified in the comments. Also, I would suggest you go through this article: https://serverfault.com/questions/882931/azure-ssl-application-gateway-with-web-apps?rq=1

Related

Getting unauthorized (401) when calling App Service API from Azure Static Web App despite being Linked

I have a React app deployed as a Static Web App, and it is linked to my backend API (an App Service running NodeJS Express).
All requests from the SWA return as Unauthorized (401) despite it being linked to the backend. Is there anything that could be causing this?
Where can I debug this / find the logs for this?
Nothing gets logged in the Log Stream. Nothing gets logged in NodeJS (requests get blocked before). I have enabled App Service Logs and tried finding logs through FTPS to the server, but cannot find anything.
Any help appreciated. I can give more info. I respond quickly.
In my fetch calls from the SWA I had used the App Service endpoint 'https://_____.azurewebsites.net/api/' instead of just fetching from 'api/'.
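The self-answer above boils down to one point: a linked backend is only reachable with the Static Web App's auth context when the browser goes through the SWA's own origin under `/api`, not the App Service hostname. The following is an added example (not code from the original question or answer) showing both halves of that: a browser-side helper that refuses to build a direct App Service URL, and an Express-style middleware that reads the `x-ms-client-principal` header the SWA edge injects for signed-in users. The header name and its base64-encoded JSON shape come from the SWA documentation; the hostnames, user values and the fake request/response objects are made up for the example.

```javascript
// Added example, not from the original question or answer.
// Host names and sample principal values below are made up; the
// x-ms-client-principal header and its base64-JSON shape follow the
// Azure Static Web Apps documentation.

// --- browser side -----------------------------------------------------------

// Turn an API path into a same-origin '/api/...' path. Absolute URLs that point
// anywhere other than the SWA origin are refused: a direct call to the App
// Service host bypasses the SWA proxy and arrives without the SWA auth context,
// which is exactly the 401 the question describes.
function apiPath(path, swaOrigin) {
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(path)) {
    const u = new URL(path);
    if (u.origin !== swaOrigin) {
      throw new Error(`refusing direct call to ${u.host}; call ${swaOrigin}/api/... instead`);
    }
    path = u.pathname + u.search;
  }
  path = path.replace(/^\/+/, '');
  if (!path.startsWith('api/')) path = 'api/' + path;
  return '/' + path;
}

// --- Express side -------------------------------------------------------------

// Decode the principal the SWA edge forwards. Returns null when the header is
// absent or malformed, so callers never act on a half-parsed identity.
function parseClientPrincipal(headerValue) {
  if (typeof headerValue !== 'string' || headerValue.length === 0) return null;
  let principal;
  try {
    principal = JSON.parse(Buffer.from(headerValue, 'base64').toString('utf8'));
  } catch {
    return null;
  }
  if (!principal || typeof principal.userId !== 'string' || !Array.isArray(principal.userRoles)) {
    return null;
  }
  return principal;
}

// Express-style middleware (req, res, next): 401 unless the forwarded principal
// carries the required role.
function requireRole(role) {
  return function (req, res, next) {
    const principal = parseClientPrincipal(req.headers['x-ms-client-principal']);
    if (!principal || !principal.userRoles.includes(role)) {
      res.status(401).json({ error: 'unauthenticated' });
      return;
    }
    req.principal = principal;
    next();
  };
}

// Constructed sample header in the shape the SWA edge sends for a signed-in user.
const SAMPLE_PRINCIPAL_HEADER = Buffer.from(JSON.stringify({
  identityProvider: 'aad',
  userId: 'e6f1c2a0b3d44e5f',        // made-up value
  userDetails: 'alice@example.com',   // made-up value
  userRoles: ['anonymous', 'authenticated'],
})).toString('base64');

// Minimal fake req/res so the middleware can be exercised without Express.
function runMiddleware(mw, headers) {
  const req = { headers };
  let status = 200, body = null, nextCalled = false;
  const res = {
    status(s) { status = s; return res; },
    json(b) { body = b; return res; },
  };
  mw(req, res, () => { nextCalled = true; });
  return { status, body, nextCalled, principal: req.principal || null };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(apiPath('users', 'https://myswa.example.net'));
  console.log(runMiddleware(requireRole('authenticated'), { 'x-ms-client-principal': SAMPLE_PRINCIPAL_HEADER }));
  console.log(runMiddleware(requireRole('authenticated'), {}));
}
```

Because the SWA edge strips and re-adds `x-ms-client-principal` on its own proxied route, a backend that trusts this header should also make sure it is not reachable from anywhere other than the SWA; otherwise a client can forge the header by calling the App Service hostname directly.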

Error sending this message to your bot: HTTP status code Forbidden. Azure portal and Getting Untrusted Domain issue in Web App bot service

I'm getting the below error (Img:1) in the Web Chat channel after deploying the code. Up to last week it was working fine, but suddenly I'm getting the Untrusted Origin error in the browser console of the Web App Bot service and am not able to connect to the bot using the "Test in Web Chat" feature. I have attached the Untrusted Origin error screenshot (Img:2) below. I am using a .bot file as the managing resource with Development and Production (Microsoft AppId, App password, endpoint). I tried migrating the .bot file to Appsettings (Microsoft AppId, App password, endpoint) as the managing resource but still get the same error. Please help with the resolution for the error.
[Img:1 and Img:2: screenshots of the "Test in Web Chat" error and of the Untrusted Origin error in the browser console; images not included]
Here are some of the points to check:
Check whether the messaging endpoint specified in the settings in the portal is correct. Please check the path at the end of the URL (../api/messages).
Verify the bot configuration settings to check whether an incorrect App ID or password is being used.
The Messaging endpoint specified on the Settings page for your bot in the Bot Framework Portal does not begin with https or is not trusted by the Bot Framework. Your bot must have a valid, chain-trusted certificate.
Alternate Options:
Under 'TLS/SSL settings' --> set 'HTTPS Only' to 'On'.
For reference on a similar issue, kindly go through the link below:
There was an error sending this message to your bot - Test in Web Chat
I believe you have Enhanced Authentication enabled in the Direct Line channel and don't have the domain set up as a trusted origin.
https://learn.microsoft.com/en-us/azure/bot-service/rest-api/bot-framework-rest-direct-line-3-0-authentication?view=azure-bot-service-4.0#security-considerations
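The second answer points at Direct Line enhanced authentication, where the page origin that hosts Web Chat has to be declared as a trusted origin when the token is minted. The following is an added example (not code from the original question or the answers) of the server-side half of that flow: the Direct Line secret stays on the server, which exchanges it for a short-lived token bound to a user ID and to the origins allowed to host the chat. The endpoint URL, the `dl_` user-ID prefix and the `trustedOrigins` request field are taken from the Direct Line 3.0 authentication page linked above and should be verified there; the origins, user ID, secret and the fake Direct Line stand-in are made up for the example.

```javascript
// Added example, not from the original question or the answers.
// Endpoint, 'dl_' prefix and trustedOrigins field: from the linked Direct Line
// 3.0 authentication page (verify there). Secret, user id, origins and the
// fake service below are made up.

const DIRECT_LINE_TOKEN_URL = 'https://directline.botframework.com/v3/directline/tokens/generate';

// Validate inputs and build the token-generation request. Origins must be bare
// https origins (scheme + host, no path or trailing slash), since the service
// compares them against the Origin of the page that loads Web Chat.
function buildTokenRequest(secret, userId, trustedOrigins) {
  if (typeof secret !== 'string' || secret.length === 0) throw new Error('Direct Line secret is required');
  if (!/^dl_[A-Za-z0-9._-]+$/.test(userId)) throw new Error(`user id must start with dl_: ${userId}`);
  if (!Array.isArray(trustedOrigins) || trustedOrigins.length === 0) throw new Error('at least one trusted origin is required');
  for (const origin of trustedOrigins) {
    let u;
    try { u = new URL(origin); } catch { throw new Error(`not a URL: ${origin}`); }
    if (u.protocol !== 'https:' || u.origin !== origin) {
      throw new Error(`trusted origin must be a bare https origin: ${origin}`);
    }
  }
  return {
    url: DIRECT_LINE_TOKEN_URL,
    method: 'POST',
    headers: { Authorization: `Bearer ${secret}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ user: { id: userId }, trustedOrigins }),
  };
}

// Perform the exchange. fetchImpl is injectable so the flow can be run offline.
// Only the returned token is ever handed to the browser; the secret never is.
async function fetchDirectLineToken(secret, userId, trustedOrigins, fetchImpl = globalThis.fetch) {
  const req = buildTokenRequest(secret, userId, trustedOrigins);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`token request failed with HTTP ${res.status}`);
  const data = await res.json();
  return { token: data.token, expiresIn: data.expires_in, conversationId: data.conversationId };
}

// Constructed stand-in for the Direct Line service, used only to exercise the flow.
async function fakeDirectLine(url, init) {
  const body = JSON.parse(init.body);
  const authorized = init.headers.Authorization === 'Bearer fake-secret';
  const ok = authorized && url === DIRECT_LINE_TOKEN_URL && body.user.id.startsWith('dl_');
  return {
    ok,
    status: ok ? 200 : 403,
    json: async () => ({ token: 'fake-token', expires_in: 3600, conversationId: 'fake-conversation' }),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  fetchDirectLineToken('fake-secret', 'dl_alice', ['https://chat.example.com'], fakeDirectLine)
    .then(t => console.log(t));
}
```

The origin check is deliberately strict: `https://chat.example.com/` (trailing slash) or an `http://` origin is rejected up front rather than silently accepted by the token endpoint and then failing in the browser with exactly the untrusted-origin error the question shows.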

Azure Frontdoor: Requests go to individual backends, why?

I have set up an Azure Frontdoor Load Balancer with 2 backends, hosting an Angular app. When looking at the network traffic in the browser's developer tools, I see that only the first few requests for *.html and *.js files go to the loadbalancer. Beginning with the GET options request, all subsequent requests seem to go directly to the backend #2 (in red in the picture below):
This means, if the backend #2 goes down, the client gets 404 errors, and won't be automatically redirected to backend #1, unless the user reloads the browser window with F5.
I'm not sure how the Angular app gets the actual backend host's URL. I cannot see any header or cookie which would provide this information. The headers of the first request for login.html look like this - no sign of the backend URL anywhere:
My questions are
how does the client get the backend host's URL?
is there a way to define that ALL requests go through the loadbalancer?
Would that even be a good idea? Or is this the "intended behaviour", meaning that the user WILL see 404 errors and have to reload the page manually?
It is the application that is doing it, not Azure Front Door. The app must be constructing the URL based on where it is hosted and then making a request. The front door will set the host header to the same value as the app service's hostname. In that case, the application would see its request come in as if the user had typed that in the browser. You would typically want to use a custom hostname, e.g. neonapp-dev.yourcompanyname.com. When you do that, both app services and the front door would have the custom host configured. While configuring the front door, you would use this as the host header rather than the default, which is the app service's host name. Then everything would work fine, as the app would never see the app service's name as the host header.
More details https://learn.microsoft.com/en-us/azure/frontdoor/front-door-backend-pool#backend-host-header
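The answer's mechanism (the app builds absolute URLs from whatever `Host` header Front Door forwards, which by default is the individual App Service name) is easy to reproduce, and so are the defences. The following is an added example, not code from the original question, the answer or the Angular app in question. It shows the naive URL builder beside two fixes: pinning the canonical custom hostname the answer recommends, and honouring `X-Forwarded-Host` only on requests that carry the expected `X-Azure-FDID`, so a client that reaches the backend directly cannot inject a host of its choosing. The backend hostnames and the FDID value are placeholders; the custom hostname is the one the answer uses as its example; the `X-Forwarded-Host` and `X-Azure-FDID` header names are from the Front Door documentation.

```javascript
// Added example, not from the original question or the answer.
// Hostnames and the FDID value are placeholders; the custom hostname is the
// answer's own example; X-Forwarded-Host / X-Azure-FDID come from the Front
// Door documentation.

const CANONICAL_HOST = 'neonapp-dev.yourcompanyname.com';
const BACKEND_HOSTS = ['neonapp-dev-1.azurewebsites.net', 'neonapp-dev-2.azurewebsites.net'];
const EXPECTED_FDID = '00000000-0000-0000-0000-000000000000'; // placeholder: your Front Door's id

// The problem: trust the Host header. With Front Door's default backend host
// header this yields backend #2's own name, so every URL the page builds from
// it later bypasses Front Door and goes straight to that backend.
function baseUrlNaive(headers) {
  return `https://${headers['host']}`;
}

// Defence 1 (the answer's fix): always build from the canonical hostname. Front
// Door and both app services are configured with it, so the Host header matches
// anyway; anything outside the allow list is treated as a misconfiguration.
function baseUrlCanonical(headers) {
  const host = String(headers['host'] || '').toLowerCase();
  if (host !== CANONICAL_HOST && !BACKEND_HOSTS.includes(host)) {
    throw new Error(`unexpected Host header: ${host}`);
  }
  return `https://${CANONICAL_HOST}`;
}

// Defence 2: honour X-Forwarded-Host only when X-Azure-FDID proves the request
// came through our Front Door, and only for a host we actually serve.
function baseUrlForwarded(headers) {
  if (headers['x-azure-fdid'] !== EXPECTED_FDID) {
    throw new Error('request did not come through the expected Front Door');
  }
  const forwarded = String(headers['x-forwarded-host'] || '').toLowerCase();
  if (forwarded !== CANONICAL_HOST) {
    // Front Door forwarded a host we do not publish (e.g. its default *.azurefd.net name).
    return `https://${CANONICAL_HOST}`;
  }
  return `https://${forwarded}`;
}

// Constructed headers as backend #2 sees them with the default backend host header.
const DEFAULT_HOST_HEADER_REQUEST = {
  host: 'neonapp-dev-2.azurewebsites.net',
  'x-forwarded-host': CANONICAL_HOST,
  'x-azure-fdid': EXPECTED_FDID,
};

// The same request after Front Door is configured to send the custom hostname.
const CUSTOM_HOST_HEADER_REQUEST = { ...DEFAULT_HOST_HEADER_REQUEST, host: CANONICAL_HOST };

// A request that hit the backend directly, spoofing the forwarded host.
const DIRECT_SPOOFED_REQUEST = {
  host: 'neonapp-dev-2.azurewebsites.net',
  'x-forwarded-host': 'attacker.example',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive    :', baseUrlNaive(DEFAULT_HOST_HEADER_REQUEST)); // leaks backend #2
  console.log('canonical:', baseUrlCanonical(DEFAULT_HOST_HEADER_REQUEST));
  console.log('forwarded:', baseUrlForwarded(DEFAULT_HOST_HEADER_REQUEST));
}
```

Whichever defence is used, the backend should also be locked down (access restrictions or an `X-Azure-FDID` check on every request) so that the individual `*.azurewebsites.net` names are not reachable by clients in the first place; otherwise a user who already has backend #2's URL in hand can keep using it after a failover, which is the 404 behaviour the question describes.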

Basic authentication feature in azure application gateway required

I have an application in the Azure cloud in active/passive mode that automatically switches: when one node is down, the other becomes active. Now I am trying to put an Azure Application Gateway in front of the application for high availability and failover. The health check probe works: upon a 200 response code it is able to identify the active node and routes the request to the healthy node as expected. However, when the application is using Basic Auth, it throws a 401 error. I want to find a way to fix this within Application Gateway; I don't want to use any proxy services like Nginx or HAProxy to achieve this. Any help or suggestions are appreciated.
I assume it throws 401 until you authenticate again.
What probably happens is that the browser is getting a token to authenticate to App1, and then you are trying to use that token to authenticate to App2.
Even when both App Services have the same code, for AAD those might be different applications.
To fix that, you need to make sure you are using the same Service Principal. When you set up Easy Auth, go to the Advanced tab and make sure that both app services have the exact same values everywhere:

Logging incoming request referrer in azure

I have deployed a few .NET APIs and applications as app services to Azure, which are used internally; some of them can also be called externally. I have also set up an Azure Alert for one of the major app services (let's call it Service A) which sends an email notification in case of a 404 error.
Looking into AppInsights, I can see some requests that result in a 404 error when calling one of the services without any endpoint included in the URL (service B, https://serviceB.mydomain.com/). Of course Service B returns 404; however, AppInsights doesn't display the request caller (request referer). To investigate the 404 error I need to know the caller URL.
I'm aware that programmatically I can read the request referer, but how can it be done for a 404 error caused by a request to an endpoint which doesn't exist? Moreover, some requests may not have a referer. How can I log the caller URL (preferably in Azure app services/AppInsights)?
So far I have not been able to find any facility in the Azure portal to configure AppInsights for this; however, it can be configured programmatically to track the referer and, of course, if the request doesn't have a referer in the header for some reason, it cannot be captured.
This link explains how the AppInsights configuration can be done in code to track the Referer.
UPDATE - and the root of the issue:
It turned out the "ALWAYS ON" feature in Azure Application Settings was ON for Service B, which means it sends a request to the base URL to keep the app active and avoid recycling. For more info about Always On you can refer to here.
One of the main reasons for this would be that you might have configured an availability test in App Insights.
In particular, this would be a URL ping test.
This will hit the configured URL frequently from the location you configured.
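Both answers point at platform probes (the App Service "Always On" keep-alive and App Insights availability tests) as the source of root-URL 404s, and the question notes that some requests carry no referer at all. The following is an added example, not code from the original question or answers, that runs that triage over a constructed set of App Insights-style request records: it counts 404s attributable to Always On and to availability tests, and lists the remaining 404s with their referer (or a marker when there is none) so the alert can be tuned to the real callers. The record fields loosely mirror the App Insights `requests` table; the `AlwaysOn` user agent, the loopback source address and the synthetic-source string are the values these probes are commonly reported with and are assumptions to check against your own telemetry.

```javascript
// Added example, not from the original question or the answers.
// Record layout loosely follows the App Insights `requests` table; the probe
// signatures (AlwaysOn user agent from loopback, and the availability-test
// synthetic source string) are assumptions to verify in your own telemetry.

const ALWAYS_ON_USER_AGENT = 'AlwaysOn';
const LOOPBACK_ADDRESSES = new Set(['127.0.0.1', '::1']);
const AVAILABILITY_SYNTHETIC_SOURCE = 'Application Insights Availability Monitoring';

// Constructed sample records for "service B" from the question.
const SAMPLE_REQUESTS = [
  { timestamp: '2024-01-10T08:00:00Z', url: 'https://serviceB.mydomain.com/', resultCode: '404', clientIp: '127.0.0.1', userAgent: 'AlwaysOn', referer: '', syntheticSource: '' },
  { timestamp: '2024-01-10T08:05:00Z', url: 'https://serviceB.mydomain.com/', resultCode: '404', clientIp: '127.0.0.1', userAgent: 'AlwaysOn', referer: '', syntheticSource: '' },
  { timestamp: '2024-01-10T08:07:00Z', url: 'https://serviceB.mydomain.com/', resultCode: '404', clientIp: '40.0.0.1', userAgent: 'Mozilla/5.0', referer: '', syntheticSource: AVAILABILITY_SYNTHETIC_SOURCE },
  { timestamp: '2024-01-10T08:09:00Z', url: 'https://serviceB.mydomain.com/', resultCode: '404', clientIp: '203.0.113.7', userAgent: 'Mozilla/5.0', referer: 'https://portal.mydomain.com/dashboard', syntheticSource: '' },
  { timestamp: '2024-01-10T08:10:00Z', url: 'https://serviceB.mydomain.com/api/health', resultCode: '200', clientIp: '10.0.0.5', userAgent: 'ServiceA/1.0', referer: '', syntheticSource: '' },
  { timestamp: '2024-01-10T08:12:00Z', url: 'https://serviceB.mydomain.com/api/oldendpoint', resultCode: '404', clientIp: '198.51.100.9', userAgent: 'curl/8.0', referer: '', syntheticSource: '' },
  // An "AlwaysOn" user agent from a non-loopback address is not the platform
  // probe and must not be discarded as one.
  { timestamp: '2024-01-10T08:15:00Z', url: 'https://serviceB.mydomain.com/', resultCode: '404', clientIp: '198.51.100.9', userAgent: 'AlwaysOn', referer: '', syntheticSource: '' },
];

// Classify one 404 record. Always On is only recognised when both the user
// agent and the loopback source match, so a spoofed user agent still shows up.
function classify404(r) {
  if (r.userAgent === ALWAYS_ON_USER_AGENT && LOOPBACK_ADDRESSES.has(r.clientIp)) return 'always-on';
  if (r.syntheticSource === AVAILABILITY_SYNTHETIC_SOURCE) return 'availability-test';
  return 'external';
}

// Summarise all 404s in a batch of records.
function triage404s(records) {
  const summary = { alwaysOn: 0, availabilityTest: 0, external: [] };
  for (const r of records) {
    if (String(r.resultCode) !== '404') continue;
    const kind = classify404(r);
    if (kind === 'always-on') {
      summary.alwaysOn += 1;
    } else if (kind === 'availability-test') {
      summary.availabilityTest += 1;
    } else {
      summary.external.push({
        timestamp: r.timestamp,
        url: r.url,
        clientIp: r.clientIp,
        userAgent: r.userAgent,
        referer: r.referer || '(none)',
      });
    }
  }
  return summary;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage404s(SAMPLE_REQUESTS), null, 2));
}
```

The same split can be expressed as a KQL filter on the `requests` table once the probe signatures are confirmed; the point of doing it in code first is to see which 404s survive the filter and whether their referer is populated before deciding what the alert should fire on.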
