I've seen this article:
How do I disable SSL fallback and use only TLS for outbound connections in .NET? (Poodle mitigation)
With Azure web apps I didn't know if the IIS sites were already set up to deny earlier versions of TLS/SSL. Or should i implement a code fix like the article recommends.
I suggest that you test your app with https://www.ssllabs.com/ssltest/ or similar. There are a number of other tools (including commandline clients, although I've only used them on Linux) but the SSLLabs test is solid and useful IMO.
That should give you insight into what you may need to tweak to make it as secure as possible.
Note: I'm a Linux guy and know next to nothing about Azure, but unless I'm missing something this seems like a pretty generic question.
Each Azure Web app having default certificate you can see this certificate and it uses TLS 1.2 security certificate.'
In firfox left side of URL on browser you can click on Lock symbol to see certificate. path(Click Lock icon-->click More Information ---Click Certificate) you will see Algo and Certificate details.
Default certificate is secure for internal use in company
As I know, Azure WebApp doesn’t support it at currently. From my experience, since we don’t have enough access to configure anything in the registry in the WebApp. We can use startup task to change registry settings, if it is CloudService.
I also find some materials in the SO, more details please refer to thread.
Related
I am developing a small demo API for my organization. I use Azure AD for authentication for the API (and the OpenAPI docs). Everything works perfectly in my local development environment and I don't have the hassle of SSL since the oauth2-redirect is localhost. I am now ready to make my demo accesible inside my organization's network. However, Azure App Registration mandates that a oauth2-redirect link has to be https (or localhost which is why it works perfectly for me). I can understand why, but I am eager to demo my API and so, if at all possible, I would like to avoid the hassle of setting up a reverse-proxy, configuring TLS etc. So my question is - if I use https://10.x.x.x.nip.io/oauth2-redirect what are the security implications of this? I fear they are major unfortunately. I guess nip.io could sniff my authorization if they wanted to?
This is not strictly an answer, since it doesn't discuss the security implications of nip.io. However, if TLS is an issue for a demo it is automatically configured for an Azure App Service. For small demos it is therefore very convenient to deploy as an Azure App Service especially if you protect it behind a private link.
I'm building a service that allows to enter activation keys in a desktop application, which will then call a web service to check the key and return a license. This call does not require authorization.
The web application is running as Azure "App Service". I'm afraid someone will be trying to "guess" activation keys and slow down my service. (I'm not afraid they will be able to correctly guess, they are long enough).
Do Azure WebApps have some kind of automatic rate-limiting or DOS-protection, or do I need to configure/code this myself?
If I have to do it myself, can you point me into the right direction?
As far as I know, we could use Dynamic IP Restrictions in web app.
The Dynamic IP Restrictions Extension for IIS provides IT Professionals and Hosters a configurable module that helps mitigate or block Denial of Service Attacks or cracking of passwords through Brute-force by temporarily blocking Internet Protocol (IP) addresses of HTTP clients who follow a pattern that could be conducive to one of such attacks. This module can be configured such that the analysis and blocking could be done at the Web Server or the Web Site level.
About how to config this feature. We could remote connect to the azure web app IIS and set it.
About how to remote connect web app IIS, you could refer to this article.
More details, you could also refer to this blog.
I have a mobile application that communicates with a REST based web-service. The web-service lives behind the firewall and talks to other systems. Currently this web-service requires a firewall port to be opened and a SSL cert generated for each installation. Mobile apps sends login credentials so web-services can login to custom back-end systems.
Recently a customer approached us asking how could we deploy this to 50 offices. As we don't want to say modify every firewall in every office, we're looking for options.. This is a list of possible solutions and my thoughts on each one:
Open firewall port and expose https webservice - This is our current
solution but we dont want to have to contact 50 network admins and explain why we need to do this.
VPN - Too heavy weight, complex and expensive, we only need access
to one server. Does not solve problem as firewall needs to be
modified.
Microsoft Azure Hybrid Connection Manager - This provides a managed
service where the Azure cloud will expose an end point. Azure will
also expect connections from a easy to install application that
lives behind the firewall. When a REST call is made to the cloud
end-point, the request is forward down socket that was initiated by
the software behind the firewall. This does what we want but as its
a Microsoft Solution there might impose other requirements that our
customers might not want. Currently the simple Hybrid Connection Manager is free. But for how long?
Jscape MFT Gateway - Similar to Azure but you can host their server anywhere. Not that expensive but is not opensource.
Netty - A async java library/toolkit where this type of application could easily be build. Client and server apps would need to be build and deployed. Dont know what we dont know about Netty.
MDM, AirWatch, BlackBerry BES - A MDM based solution would work expect that MDM's are centrally managed and are not often in every office where the backend services are located. Airwatch has an AppTunnle but im not sure about the specifics.
At this point the Microsoft and Jscape systems are possible solutions.
But most likely these solutions will require us to modify the mobile software to work around issues such as:
How does the user know which server to login to? A locator service
needs to be built such that, an email address is used to lookup their
office, or they need to select their office location from a list.
While the connection is SSL many company might want some additional protection since network login information will be send down the pipe.
How is load balancing and fail-over managed?
So, at this point i'm looking for more options. The best option would be a commercial product that offers some level of customization. Second, would like a well used open-source product that could be installed in Aws and customized.
Thanks
The best approach we found was to use the PUTTY API and setup a reverse proxy.
Apologies for what is probably a question about a simple task but I'm brand new to Azure and a little worried I get this wrong. Actually, I have a new client and don't even have the access yet to their Azure yet have a proper look. The question is:
My new client has an existing MVC application running on IIS within Azure. This application must communicate with a third party SOAP (.asmx) web service that requires parts of the SOAP message to be signed using an SSL digital certificate.
So, I need to install the certificate on Azure. My problem is that the articles I have found deal with securing the website using the certificate and Https - which I don't want.
Can someone please point me to a good article (or show here if simple enough) that shows how to install it for the purpose of communicating with this third party service?
Any help is really appreciated here so that I can hit the ground running.
The approach for installing any certificate is the same. So you would use the same approach as you would for installing SSL certificate. So the steps would be:
Upload the certificate first in the cloud services certificate section. Note down the certificate thumbprint.
In Visual Studio, open up your role's properties and go to "Certificates" tab and specify that certificate thumbprint along with the certificate store location where you want this certificate to be installed.
I have a single .NET website that is currently running under a traditional hosting account.
I am using a multi-domain (5 domain) SSL certificate to handle domains for different regions i.e.
https://www.mywebsite.com
https://www.mywebsite.net
https://www.mywebsite.de
https://www.mywebsite.at
https://www.mywebsite.co.uk
At a code level I detect the address and localize the site depending on the URL extension.
This has all worked perfectly for the past few years with no problem. Now I want to migrate this site to Windows Azure to allow for better performance and redundancy.
I have successful experience of setting up a site using a Wildcard SSL certficate under Azure (i.e. *.mywebsite.com) but I am keen to sound out whether the multi-domain SSL is also possible.
So my question is does Azure support this kind of certificate and setup, has anyone successfully achieved this and were there any pitfalls?
Just to follow up on my question, it was very simple to implement in the end. I uploaded multiple certificates against my cloud service and the code then worked as before.