I've a Azure Linux VM created with the domain something.cloudapp.net which I'm using to host a REST API for a app. Now for some reason I've to host the API on some other server, which will change the endpoint to which the app is sending requests.
My question is, can we redirect any request to something.cloudapp.net to my new domain. So that I don't need to update the url in the app. Because if I change it in the app, a new update has to be released and the users who don't update the app will not be able to use it.
Thank you in advance,
Assuming you've hardcoded the .cloudapp.net URL in the app and not your own domain (with a CNAME to .cloudapp.net), then you still need to keep a service running at the original URL that will send a HTTP 301 redirect (Moved Permanently)** back to the clients.
Hopefully your client application understands and follows HTTP redirects. Test that first!
There is no way to CNAME the .cloudapp.net domain to point to something arbitrary since that domain is owned by Microsoft. Only the other way around is possible.
Sample redirect with web.config
(source: https://www.iis.net/configreference/system.webserver/httpredirect):
<system.webServer>
<httpRedirect enabled="true" destination="http://your.new.url/" />
</system.webServer>
Which results in:
$ curl -Li http://{something}.cloudapp.net/api/hey_jim_did_we_push_that_fix_to_prod
HTTP/1.1 302 Redirect
Content-Length: 154
Content-Type: text/html; charset=UTF-8
Location: http://your.new.url/api/hey_jim_did_we_push_that_fix_to_prod
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Jan 2017 20:06:16 GMT
False
Related
I'm making a curl request to my blob storage.
$ curl -kv 'https://myazstorage.blob.core.windows.net/myazcontainer/image.png?se=2021-11-17T09%3A23%3A23Z&sp=r&sv=2019-02-02&sr=b&sig=%fake/fake%3D' \
--compressed \
--output image.png
Available response headers for this request on that blob are.
Content-Length: 224250
Content-Type: image/png
Last-Modified: Tue, 16 Nov 2021 14:12:51 GMT
Accept-Ranges: bytes
ETag: "0x8D9A90B2CD4ED6B"
Vary: Origin
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 39bf369d-b01e-00ca-3b94-db83fe000000
x-ms-version: 2019-02-02
x-ms-creation-time: Tue, 16 Nov 2021 14:12:51 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
x-ms-server-encrypted: true
Date: Wed, 17 Nov 2021 09:20:04 GMT
I'd like to add these two headers.
Origin: mywebsite.com
Cross-Origin-Resource-Policy: cross-origin
How can I add custom response headers that apply to every blob in my container? Can I do it via portal.azure.com interface?
AFAIK, it is not possible to add custom headers to response if you are accessing a blob directly from Azure Storage.
One possibility would be to have your users request the blob through a web application and then when the web application sends the response back, you should be able to add additional headers.
Other option would be to make use of blob metadata. If the values of these custom response headers will not change, you can set them as metadata on the blob and then when you access the blobs directly, you will get the metadata headers in response back.
Observations
#Gaurav Mantri answer is right. At the time this post is written you cannot add custom headers to a response generated from Azure Blob Storage.
"One possibility would be to have your users request the blob through a web application and then when the web application sends the response back, you should be able to add additional headers."
This is not possible for my application since a request to the azure blob originates from <img src="https://path.to/container/blob"> tag.
"Other option would be to make use of blob metadata. If the values of these custom response headers will not change, you can set them as metadata on the blob and then when you access the blobs directly, you will get the metadata headers in response back."
This is true however, extending headers by modifying container metadata (right clicking on container > and selecting Edit metadata), will generate custom response headers in the form of x-ms-metadata_key: metadata_value - that is not what I want. Furthermore, these headers have to be exposed in the Resource sharing (CORS) section.
Context
Let me start with the problem that brought me to this question in the first place by explaining the context. I'm trying to load images from a private Azure Blob Storage. Every URI for a blob storage contains a unique to a blob, a SAS Token generated with READ permission that for a limited amount of time allows reading the blob (image in my case). That works perfectly!
Problem
I load the blob/image directly with the img tag.
<img src="https://myStorage.blob.core.windows.net/myContainer/image.png?SAS_TOKEN">
Unfortunately, the resource is blocked by a browser due to CORS expresed by this error blocked:NotSameOriginAfterDefaultedTOSameOriginByCoep
Fix
The fix is simple, I just have to add some of these headers to the response generated by Azure Blob.
Origin: mywebsite.com
Cross-Origin-Resource-Policy: cross-origin
Access-Control-Allow-Origin: https://mywebsite.com
Unfortunately, this fix is not possible because of the reasons specified in the Observations section.
Solution
The solution consist of two steps:
Add crossorigin="anonymous" attribute to the img tag.
<img crossorigin="anonymous" src="https://myStorage.blob.core.windows.net/myContainer/image.png?SAS_TOKEN">
Add https://mywebsite.com to Blob service on GET method for * allowed and exposed headers in Azure Storage Account Resource Sharing (CORS) section.
Now every response from blob will have Access-Control-Allow-Origin: mywebsite.com header present.
I'm trying to set up an API Management Gateway using a custom domain. However, when I go to test it out, I get an SSL error. I am not sure if I've missed any steps or I've misconfigured my custom domain. The API returns a 200 response when I use the default Gateway URL but returns a 400 when I use my custom domain.
Any help in this domain is appreciated. Thanks
I've described the steps I've followed below:
Steps followed to create a custom domain:
Setup a CNAME for my custom domain api.something.com in Route 53 with Value as .azure-api.net
When creating a custom domain, I added my PFX certificate to the custom domain. When creating my certificate, I set CN="*.something.com. Additional settings such as Negotiate Client Certificate: false and Default SSL binding: true
Created an API with the suffix app1 so that my API is reachable at api.something.com/app1
Now, when I try to test it out through the portal, I get the error
HTTP/1.1 400 Bad Request
content-length: 123
content-type: application/json
vary: Origin
{
"error": "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
}
This is the request header. ALs I've turned off Require Subscription Key but I'm not sure why the subscription key is still included in the header
GET https://api.something.com/app1/api/heartbeat HTTP/1.1
Host: api.something.com
Ocp-Apim-Subscription-Key: xxxxxxxxx
Ocp-Apim-Trace: true
I'm using Azure Active Directory tenant along with Graph API to fetch groupclaims objectIDs.
However, it's failing with Forbidden error at runtime.
I used the same code with another Azure Active Directory tenant (which created almost 4 months back), it's working perfectly.
I have followed ditto to create new Azure Active Direct tenant and double checked configuration details in Azure management portal.
Even, I have created many times new Azure Active Directory tenant with the same steps but still getting a Forbidden error.
{
StatusCode: 403,
ReasonPhrase: 'Forbidden',
Version: 1.1,
Content: System.Net.Http.StreamContent,
Headers: {
ocp-aad-diagnostics-server-name: a***********Bc=
request-id: 9*******1
client-request-id: 4b**************b9
x-ms-dirapi-data-contract-version: 1.5
x-ms-gateway-rewrite: false
ocp-aad-session-key: GXB**********************5bi0
X-Content-Type-Options: nosniff
DataServiceVersion: 3.0;
Strict-Transport-Security: max-age=31536000; includeSubDomains
Access-Control-Allow-Origin: *
Duration: 1168232
Cache-Control: private
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Date: Fri, 08 Jan 2016 23:29:43 GMT
Content-Length: 139
Content-Type: application/json; odata=minimalmetadata; streaming=true; charset=utf-8
}
}
In general, Forbidden error is due to lack of permissions on the server, but another active directory tenant is working perfectly (which is also created by me 4 months back). There isn’t any configuration change between the working AAD Tenant and newly created one.
Is there any recent changes in AAD creation?
I’m using Microsoft Active Directory, do we need any configuration update from MSIT team on server side?
followed the steps: https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims
Could someone help me to fix this issue.
Thanks,
Pradeep
Make sure groupclaims that you try to access is in azure subscription you have access, also try creating new groupclaim and try to fetch using GraphAPi
MSIT team owns server side configuration setting.
Contacting them has been fixed the issue.
We are using IIS Aplication Request routing and URL Rewrite rules to reverse proxy access to an internal webserver.
This works when IIS is configured with Anonymous authentication, but adding Basic Authentication causes problems. Without getting into too much detail about the internal webserver's authentication mechanisms, what I would like to do is not pass the Authorization Header from the IIS Proxy to the target webserver.
clientIP proxyIP HTTP GET /resource HTTP/1.1
Cache-Control: max-age=0\r\n
...
Authorization: Basic Base64EncodedCredentials
....
proxyIP serverIP HTTP GET /resource HTTP/1.1
Cache-Control: max-age=0\r\n
...
Authorization: Basic Base64EncodedCredentials <--need to remove this
....
Any tips would be greatly appreciated!
We published an application update to the same Azure web app service and started getting errors:
Exception: System.Web.Mvc.HttpAntiForgeryException (0x80004005): The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.
This happens to clients using a login page within the app. These are the response headers:
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 5585
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/10.0
X-AspNetMvc-Version: 5.2
X-Frame-Options: SAMEORIGIN
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 30 Jan 2019 14:23:33 GMT
The client has to either close the browser and reopen or clear the browser's cookies to fix the problem.
The web app was running 3 app service instances before and after the upgrade. ARR Affinity is on.
Why is this happening and how do I fix it?
Have a look at this answer. Since this issue has just started happening, verify that you don't have a inadvertant calls to #Html.AntiForgeryToken() between veiws.