I am using Azure web apps and need to block access to my pre-live environments.
I've attempted using the suggestion made here but it doesn't seem to work: https://learnwithshahriar.wordpress.com/2015/08/06/azure-website-101-restrict-access-on-your-staging-site/
My example:
<rewrite>
<rules>
<rule name="Block unauthorized IP to dev site" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTP_HOST}" pattern="^dev-slot.example.com" />
<add input="{REMOTE_ADDR}" pattern="111.222.333.444" negate="true"/>
</conditions>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Site is not accessible" />
</rule>
</rules>
</rewrite>
It basically does nothing and I've tried various minor alterations to no effect.
Are you looking to simply block the IP address within the web.config? I tested the below out in an Azure Web App and was able to block access.
<configuration>
<system.webServer>
<security>
<ipSecurity allowUnlisted="true">
<clear/> <!-- removes all upstream restrictions -->
<add ipAddress="83.116.19.53"/> <!-- block one IP -->
<add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/> <!--block network 83.116.119.0 to 83.116.119.255-->
</ipSecurity>
</security>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
Reference Site: https://www.stokia.com/support/misc/web-config-ip-address-restriction.aspx
Related
I have a website built on Angular7 with server side rendering deployed on an Azure App Service. I had to add a web.config file in order to make the server.js run.
Here's the web.config file
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<webSocket enabled="false" />
<handlers>
<add name="iisnode" path="server.js" verb="*" modules="iisnode"/>
</handlers>
<rewrite>
<rules>
<!-- Do not interfere with requests for node-inspector debugging -->
<rule name="NodeInspector" patternSyntax="ECMAScript" stopProcessing="true">
<match url="^server.js\/debug[\/]?" />
</rule>
<!-- All other URLs are mapped to the node.js site entry point -->
<rule name="DynamicContent">
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="True"/>
</conditions>
<action type="Rewrite" url="server.js"/>
</rule>
</rules>
</rewrite>
<security>
<requestFiltering>
<hiddenSegments>
<remove segment="bin"/>
</hiddenSegments>
</requestFiltering>
</security>
<httpErrors existingResponse="PassThrough" />
</system.webServer>
</configuration>
This site is deployeed to mysite.com and everything works fine.
I now need to create a virtual directory mysite.com/app to hold a different application (on the old AngularJS). Without the server side rendering I just create the virtual directory on Azure Portal and everything works fine. Because of the server side and the "redirection" to server.js the virtual directory is no longer working.
Is there any Rule to put on the web.config file to ignore the requests of /app, not to run the nodejs server?
I got my response on another question (credit to dana) so I've just added the rule
<rule name="ignore app application" stopProcessing="true">
<match url="^app" />
<action type="None" />
</rule>
before the other rules. This way if the url typed is mysite.com/app the node server won't be "activated" and the virtual directory works as expected.
I have published a react app which works locally to an azure website, I checked the files on the KUDU dashboard, and I can see the files there and the index.html
However, I cant browse to the site, not even directly to the .html file.
I created this web.config, but I guess I am missing some configuration
https://github.com/tjanczuk/iisnode/blob/master/src/samples/configuration/web.config
-->
<configuration>
<system.webServer>
<!-- Visit http://blogs.msdn.com/b/windowsazure/archive/2013/11/14/introduction-to-websockets-on-windows-azure-web-sites.aspx for more information on WebSocket support -->
<webSocket enabled="false" />
<handlers>
<!-- Indicates that the server.js file is a node.js site to be handled by the iisnode module -->
<add name="iisnode" path="server.js" verb="*" modules="iisnode"/>
</handlers>
<rewrite>
<rules>
<!-- Do not interfere with requests for node-inspector debugging -->
<rule name="NodeInspector" patternSyntax="ECMAScript" stopProcessing="true">
<match url="^server.js\/debug[\/]?" />
</rule>
<!-- First we consider whether the incoming URL matches a physical file in the /public folder -->
<rule name="StaticContent">
<action type="Rewrite" url="public{REQUEST_URI}"/>
</rule>
<!-- All other URLs are mapped to the node.js site entry point -->
<rule name="DynamicContent">
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="True"/>
</conditions>
<action type="Rewrite" url="server.js"/>
</rule>
</rules>
</rewrite>
<!-- 'bin' directory has no special meaning in node.js and apps can be placed in it -->
<security>
<requestFiltering>
<hiddenSegments>
<remove segment="bin"/>
</hiddenSegments>
</requestFiltering>
</security>
<!-- Make sure error responses are left untouched -->
<httpErrors existingResponse="PassThrough" />
<!--
You can control how Node is hosted within IIS using the following options:
* watchedFiles: semi-colon separated list of files that will be watched for changes to restart the server
* node_env: will be propagated to node as NODE_ENV environment variable
* debuggingEnabled - controls whether the built-in debugger is enabled
See https://github.com/tjanczuk/iisnode/blob/master/src/samples/configuration/web.config for a full list of options
-->
<!--<iisnode watchedFiles="web.config;*.js"/>-->
</system.webServer>
</configuration>
Basically the answer is to change the web.config to handle routing correctly like this:
<?xml version="1.0"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="React Routes" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
<add input="{REQUEST_URI}" pattern="^/(api)" negate="true" />
</conditions>
<action type="Rewrite" url="/" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
I have a simple wildcard routing rule I want to apply for my Azure web app.
<rule name="MyRule">
<match url="*" />
<action type="Rewrite" url="/index.html" />
</rule>
Do I have any option here given I can't RDP into the machine and fiddle with IIS? This is not an ASP.Net website, it's a simple SPA application.
You need to create a web.config file in your wwwroot folder and put the relevant config entries there.
Here's an example of an web.config rule, to give you an idea of what it should look like.
The below example redirect the default *.azurewebsites.net domain to a custom domain (via http://zainrizvi.io/blog/block-default-azure-websites-domain/)
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Redirect rquests to default azure websites domain" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTP_HOST}" pattern="^yoursite\.azurewebsites\.net$" />
</conditions>
<action type="Redirect" url="http://www.yoursite.com/{R:0}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
If simply want all URL's that resolve to this server & site to redirect to index.html you could use this rewrite section:
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="SPA">
<match url=".*" />
<action type="Rewrite" url="index.html" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
This is very similar to what you have except some minor syntax fixes e.g. the pattern should be ".*" and the rewrite URL target simply "index.html".
Note this means that ALL URL's to your site will be rewritten, even for other resources like CSS and JS files, images etc. So you'd better be fetching your resources from other domains.
If you want to do actual rewrites (not redirects), dont forget enabling ARR with applicationHost.xdt file put to the site folder with the following content:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.webServer>
<proxy xdt:Transform="InsertIfMissing" enabled="true" preserveHostHeader="false" reverseRewriteHostInResponseHeaders="false" />
<rewrite>
<allowedServerVariables>
<add name="HTTP_ACCEPT_ENCODING" xdt:Transform="Insert" />
<add name="HTTP_X_ORIGINAL_HOST" xdt:Transform="Insert" />
</allowedServerVariables>
</rewrite>
</system.webServer>
</configuration>
I'm looking to slowly convert a Node.js application over to ASP.NET WebAPI 2.0. I'm currently using IIS and will stick with IIS. So, I would like to host them on the same server but direct some URIs over to the new platform.
How would I do this in the web.config? The current web.config for node.js looks like so:
<configuration>
<system.webServer>
<handlers>
<!-- indicates that the app.js file is a node.js application
to be handled by the iisnode module -->
<add name="iisnode" path="beta/app.js" verb="*" modules="iisnode" />
</handlers>
<rewrite>
<rules>
<!-- Don't interfere with requests for node-inspector debugging -->
<rule name="NodeInspector" patternSyntax="ECMAScript" stopProcessing="true">
<match url="^beta/app.js\/debug[\/]?" />
</rule>
<!-- First we consider whether the incoming URL matches a physical file in the /public folder -->
<rule name="StaticContent">
<action type="Rewrite" url="beta/public{REQUEST_URI}" />
</rule>
<!-- All other URLs are mapped to the Node.js application entry point -->
<rule name="DynamicContent">
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="True" />
</conditions>
<action type="Rewrite" url="beta/app.js" />
</rule>
</rules>
</rewrite>
<httpErrors errorMode="Detailed"/>
</system.webServer>
</configuration>
The file structure is:
- web.config (the one shown above)
-> node
- app.js
- ...
-> webapi
- web.config
- global.asax
- ...
I was thinking that I should be writing a new rule which lists the URIs to go to the WebAPI. But, I'm not quite sure how to do that. My guess is that I would add a condition for each URI with the input attribute. I was also thinking I should point to the ASP.NET WebAPI project but I am even more clueless how I should go about doing that since Node.js I'm just pointing at the app.js file.
OK, this is what I ended up doing. It was actually pretty straight forward. But when you are not familiar with IIS it can be daunting.
I put the original web.config in with the node directory. I think the iisnode handler interferes with WebAPI config if you don't. So, the new node.js web.config in the node directory would look like this:
<configuration>
<system.webServer>
<handlers>
<!-- indicates that the app.js file is a node.js application
to be handled by the iisnode module -->
<add name="iisnode" path="app.js" verb="*" modules="iisnode" />
</handlers>
<rewrite>
<rules>
<rule name="NodeInspector" patternSyntax="ECMAScript" stopProcessing="true">
<match url="^app.js\/debug[\/]?" />
</rule>
</rules>
</rewrite>
<httpErrors errorMode="Detailed"/>
</system.webServer>
</configuration>
For root web.config I made it point to static files directly, bypassing node.js. Which means I'm going to have to write some custom code to handle rewrites for gzipped files - I'll figure that out later. I also added the attribute stopProcessing to each rewrite rule. This was also messing up the code, as it wouldn't actually rewrite where I wanted it too, since the rewrite would be overwritten. Note that the accept versioning header hasn't actually been tested yet - I don't have any reason to believe it wouldn't work though. The last rewrite points all uris to the webapi app by default.
In the WebAPI project I had to route all my routes to webapi/api since it isn't in the root folder. After I migrate everything from node.js I will probably make the webapi directory the root folder for the project so it won't need the webapi in my routing anymore. But this is all hidden from the client.
So here's the actual code:
<configuration>
<system.webServer>
<rewrite>
<rules>
<!-- test item for webapi folder -->
<rule name="StaticContent2" stopProcessing="true" >
<conditions>
<add input="{REQUEST_URI}" pattern="^/def" />
</conditions>
<action type="Rewrite" url="webapi{REQUEST_URI}" />
</rule>
<!-- rewrite static items which exist on node -->
<rule name="Node Static" stopProcessing="true" >
<conditions>
<add input="{REQUEST_URI}" pattern=".*\.[A-Za-z2]{2,5}$" />
</conditions>
<action type="Rewrite" url="node/public{REQUEST_URI}" />
</rule>
<rule name="WebAPI Version 2" stopProcessing="true">
<conditions>
<add
input="{HEADER_ACCEPT}"
pattern="vnd.fieldops.v2"
ignoreCase="true"
/>
</conditions>
<action type="Rewrite" url="webapi{REQUEST_URI}" />
</rule>
<!-- rewrite to node for dynamic items -->
<rule name="Node Dynamic" stopProcessing="true" >
<conditions>
<add
input="{REQUEST_URI}"
pattern="^/api/(dealerservicereports|chat|dealers|dealerequipment|dealercloseout|publications|tokens|users|\?)"
ignoreCase="true"
/>
</conditions>
<action type="Rewrite" url="node/app.js" />
</rule>
<!-- rewrite everything else to webapi -->
<rule name="WebAPI Dynamic" stopProcessing="true" >
<action type="Rewrite" url="webapi{REQUEST_URI}" />
</rule>
</rules>
</rewrite>
<httpErrors errorMode="Detailed"/>
</system.webServer>
</configuration>
ISSUE #1
When I use http://127.0.0.1/mysite/node/server.js URL it shows me my test page, which is OK. But I expect it to show me the node-inspector based debug page when I use http://127.0.0.1/mysite/node/server.js/debug/ URL. However, this does not work and instead continues to show me the same sample page content.
What should I be doing for the debugger to work?
ISSUE #2
Also, I've noticed that when I go to this URL, it automatically gets redirected to
http: //127.0.0.1/mysite/ public/mysite/ node/server.js/debug/
Why is this happening? Can I avoid this redirection? If yes, how?
Web.config content
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<!-- Web.Debug.config adds attributes to this to enable remote debugging when publishing in Debug configuration. -->
<!--<iisnode watchedFiles="web.config;*.js"/>-->
<!-- Remote debugging (Azure Website with git deploy): Comment out iisnode above, and uncomment iisnode below. -->
<iisnode watchedFiles="web.config;*.js"
loggingEnabled="true"
devErrorsEnabled="true"
nodeProcessCommandLine="node.exe --debug"/>
<!-- indicates that the server.js file is a Node.js application
to be handled by the iisnode module -->
<handlers>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
<add name="iisnode" path="node/server.js" verb="*" modules="iisnode" />
<!-- Remote debugging (Azure Website with git deploy): Uncomment NtvsDebugProxy handler below.
Additionally copy Microsoft.NodejsTools.WebRole to 'bin' from the Remote Debug Proxy folder.-->
<add name="NtvsDebugProxy" path="ntvs-debug-proxy/95a6beca-6da8-493c-b380-2822603aa5dc" verb="*" resourceType="Unspecified"
type="Microsoft.NodejsTools.Debugger.WebSocketProxy, Microsoft.NodejsTools.WebRole"/>
</handlers>
<rewrite>
<rules>
<clear />
<rule name="LogFile" patternSyntax="ECMAScript" stopProcessing="true">
<match url="^[a-zA-Z0-9_\-]+\.js\.logs\/\d+\.txt$"/>
</rule>
<rule name="NodeInspector" patternSyntax="ECMAScript" stopProcessing="true">
<match url="^server.js\/debug[\/]?" />
</rule>
<rule name="StaticContent">
<action type="Rewrite" url="public{REQUEST_URI}"/>
</rule>
<rule name="DynamicContent">
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="True"/>
</conditions>
<action type="Rewrite" url="node/server.js"/>
</rule>
</rules>
</rewrite>
<!-- <rewrite>
<rules>
<clear />
<!- Remote debugging (Azure Website with git deploy): Uncomment the NtvsDebugProxy rule below. ->
<!-<rule name="NtvsDebugProxy" enabled="true" stopProcessing="true">
<match url="^ntvs-debug-proxy/.*"/>
</rule>->
<rule name="app" enabled="true" patternSyntax="ECMAScript" stopProcessing="true">
<match url="iisnode.+" negate="true" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
<action type="Rewrite" url="server.js" />
</rule>
</rules>
</rewrite> -->
</system.webServer>
ISSUE #1
According to your description, it seems that you debug and test your project on your local host or Azure VM. In this situation, we should make sure IIS have installed the IISNode module firstly. So I recommend you can refer to this document to make sure you have installed IISNode successfully.
Secondly,we should check whether project included the your node-inspector configuration. Also you can use Node.js Sample to check whether your node-inspector is installed successfully.
Thirdly, If you can not use this debugger, you can press "F12" to trace the debugger error in your Webkit enabled web browser. If you encountered the error, please share the error on forum and for further support.
ISSUE #2
For second issue, it seems that the URL rewrite Rule to lead to this wrong URL.
<rule name="StaticContent">
<action type="Rewrite" url="public{REQUEST_URI}"/>
</rule>
For example, if a request was made for this URL: "http://127.0.0.1/content/default.aspx?tabid=2&subtabid=3", so the REQUEST_URI server variable contains content/default.aspx?tabid=2&subtabid=3.
You can get the "http://127.0.0.1/public/content/default.aspx?tabid=2&subtabid=3" as the result.
I suggest you can refer to this URL rewrite module for more details.