Blocking access to a url by IP address - azure

I am trying to block all access to the admin url for Umbraco (v7.2.8) for security reasons. I have the below in my web.config file, but it does not work. It is blocking all access to that url, even from the specified IP. I am running this locally on my machine from Visual Studio, so I am not sure what IP the site thinks I am coming in on, but I have tried all of them. Does this web.config look ok?
<rewrite>
<rules>
<rule name="Restrict URL" enabled="true" stopProcessing="true" >
<match url="^umbraco($|/)"/>
<conditions logicalGrouping="MatchAll">
<add input="{REMOTE_ADDR}" pattern="^192\.168\.8\.100$" negate="true" />
</conditions>
<action type="Redirect" url="/no-access/" />
</rule>
</rules>
Any pointers would be greatly appreciated! I will be deploying this to Azure eventually but wanted to get this working first. Perhaps it's because i'm running it locally?
EDIT: I have tried the ipSecurity solution but receive the below error. I have installed the IP Security component for IIS. I am running the site from Visual Studio so I am not sure I can test it from here on the express service that VS uses? I have also changed to 'allow' in the following file;
%windir%\system32\inetsrv\config\applicationHost.config

This is easier to accomplish with system.webServer >> security >> ipSecurity settings in the web.config inside a location element:
<location path="umbraco">
<system.webServer>
<security>
<ipSecurity allowUnlisted="false" denyAction="NotFound">
<add allowed="true" ipAddress="192.168.8.100" />
</ipSecurity>
</security>
</system.webServer>
</location>
See IIS IP Security more more details. IP Security is enabled by defualt on Azure WebApps.

Related

Could you please advise how to resolve the issue with URL rewrite rules for azure web app?

I have an MVC dot net application (multi-tenant platform) deployed on Azure Web App.
I have configured two tenants: tenant1 and tenant2, with their URLs:
primer-test.azurewebsites.net/tenant1 and
primer-test.azurewebsites.net/tenant2
Both of them are accessible from IE, Safari etc. I purchased two domains on GoDaddy:
domain1.com
domain2.com
and I would like to configure the rewrite rules for them so whenever someone types in his browser either www.domain1.com or domain1.com, the content of primer-test.azurewebsites.net/tenant1 should be presented. Similarly, for the domain2.
I have attached these two custom domains to my web app, with no problem. I wrote the rewrite rules, but they seem to don't work as expected.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<rewrite>
<rules>
<rule name="domain1.com" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTP_HOST}" pattern="^(www.)?domain1.com" />
<add input="{PATH_INFO}" pattern="^/tenant1/" negate="true" />
</conditions>
<action type="Rewrite" url="\tenant1\{R:0}" />
</rule>
<rule name="domain2.com" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTP_HOST}" pattern="^(www.)?domain2.com" />
<add input="{PATH_INFO}" pattern="^/tenant2/" negate="true" />
</conditions>
<action type="Rewrite" url="\tenant2\{R:0}" />
</rule>
</rules>
</rewrite>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\kobsq.dll" stdoutLogEnabled="false" stdoutLogFile="\\?\%home%\LogFiles\stdout" />
</system.webServer>
</location>
</configuration>
Any idea what might be wrong?
Thanks very much!
In this case, from the URL you provided, I can see that primer-test.azurewebsites.net is the webapp you created and used. tenant1 and tenant2 should be virtual applications in webapp.
Concept:
Virtual application
Related Posts:
1. How to deploy a Flask+React application to Azure Web Service
2. Hosting Two Website Under one Web App - Azure Services
Correct use process and test steps:
Step 1.
Preparation work, create a main application of the .net framework (use web.config in the project for the purpose of configuring rewrite.
Configure in portal.
Create folder under site path and deploy virtual app by zip.
Test it without rewrite settings.
Step 2. Modify web.config file in RewriteTest project.
Step 3. Create custom domain to test.
Step 4. Test result. Fulfill your needs.

How to setup Apache NiFi using IIS as proxy

I have Apache NiFi running on a Windows server. I've setup HTTPS access and connected it to my AD via LDAP for users authentication. The value of property nifi.web.https.host is localhost and nifi.web.https.port is 6444 and I'm able to access the web UI through https://localhost:6444/nifi with no issues.
I want now to setup NiFi to run behind IIS on the same server so IIS acts as a proxy. I've created a new site within IIS and configured the URL Rewrite rules in its web.config file as below:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<clear />
<rule name="Redirect to HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
</rule>
<rule name="NiFi Reverse Proxy" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
<action type="Rewrite" url="https://localhost:6444/{R:1}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Both IIS and NiFi are using the same SSL certificate from my organization.
I've configured the nifi.web.proxy.host property in the nifi.properties file to nifi01.myorg.com:443.
I'm able to access https://nifi01.myorg.com/nifi from an external computer. I see the sign in page and am able to sign in successfully. However, after the authorization is completed, I'm redirected to https://localhost:6444/nifi. If in the same browser session I type in https://nifi01.myorg.com/nifi, then I can see the main Nifi workflow UI which tells me that the sign in process did work.
Can someone help me with the redirection that is happening to https://localhost:6444/nifi. Is there something that I'm missing in the web.config or nifi.properties files?
I found this article https://community.hortonworks.com/articles/113240/running-apache-nifi-behind-a-proxy-2.html that I've not been able to follow as don't know where in IIS the settings should go.

Node.js Route not working on Microsoft Azure

Hello I build a very basic Node.js app (without any framework),
I set up a route.
index.html and login.html
on my local machine (windows 10) its working fine. both files index.html and login.html show up in browser when I call them from url. like
localhost/myapp => loads index.html
localhost/myapp/login => loads login.html
Now I deploy it on Microsoft Azure, and now only index file is loading, when i try to load myapp.azurewebsites.net/login it said this : The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
I have a web.config file with these settings
<?xml version="1.0"?>
<configuration>
<system.webServer>
<staticContent>
<mimeMap fileExtension=".html" mimeType="text/html" />
</staticContent>
</system.webServer>
</configuration>
please guide me how to enable routing in node.js on azure. without any framework. there is no help on official docs.
thanks
well after a lot of search I figure out the solution.
you need to set web.config file from their demo project and upload into your own azure project.
https://github.com/Azure-Samples/nodejs-docs-hello-world/archive/master.zip
You could use the Azure Node JS Starter Site or Node JS Empty Web App.
In those projects you will find the right web.config file that you need to run Node applications in Azure.
Try to add below code in web.config file and see if it works.
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Main Rule" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
</conditions>
<action type="Rewrite" url="/" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
For more details on this error follow this link.

Do I need anything besides code written in web.config to redirect website hosted on azure to https

I have a website that I host on azure. I recently bought an SSL and configured it. Now users can visit my site by typing in either http://example.com or https://example.com.
What I want is for users who type in the former to be automatically redirected to the latter while also keeping anything after the .com
So if a user types in http://example.com/about they will be redirected instead to https://example.com/about.
After some reading, I've come across this code that seems to do what I want
<system.webServer>
<rewrite>
<rules>
<rule name=”Redirect to https”>
<match url=”(.*)”/>
<conditions>
<add input=”{HTTPS}” pattern=”Off”/>
<add input=”{REQUEST_METHOD}” pattern=”^get$|^head$” />
</conditions>
<action type=”Redirect” url=”https://{HTTP_HOST}/{R:1}”/>
</rule>
</rules>
</rewrite>
</system.webServer>
But before I add this to my web.config file I have a few questions.
What is the IIS url rewrite module? IIS Rewrite and is it required to be installed on my azure hosted websites before I upload my new web.config file.
How can I also include removing www from my URL when a user enters it. For example if a user types in www.example.com they should be redirected to https://example.com instead. The reason that I want this is because in my google search console I've told google to display URLs as example.com rather then www.example.com
and finally, will this code do what I'm looking for? Is there a more professional way to achieve this? What are the benefits. I should note that my sites are asp .net web forms. I know MVC has routing options but that is not an option for me.
Edit : I don't think How to force HTTPS using a web.config file solves my issue because I don't even know if I can install the URL Rewrite module since I am not hosting IIS myself. Does azure give you access to the IIS settings? I am unfamiliar with azure details.
The Microsoft URL Rewrite Module for IIS enables IIS administrators to create powerful customized rules to map request URLs to friendly URLs that are easier for users to remember and easier for search engines to find.
This module is pre-installed for Azure Web App, as shown when inspect the applicationHost.config of the Azure Web App in Kudu.
Hence, you do not need to worry about the availability of the module for Azure Web App.
The URL Rewrite configuration to enforce HTTPS redirection for Azure web app is the simplest way to achieve what you intend. Your above configuration will apply
only if the request method is either HTTP GET or HTTP HEAD. The below configuration will not have such limitation.
<system.webServer>
<rewrite>
<rules>
<rule name="Force HTTPS Redirection" enabled="true" stopProcessing="true">
<match url="^$" ignoreCase="false"/>
<conditions>
<add input="{HTTPS}" pattern="^OFF$"/>
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/" redirectType="Permanent"/>
</rule>
</rules>
</rewrite>
</system.webServer>
I would add one last thing. Assuming you are running on Azure Web Apps, they have various probes to your site for warm up and initialization. You probably don't want these probes to also be redirected, otherwise, you may have some issues when you restart or use Azure's swaps feature for stuff like blue/green deployments. These probes would then be return with a 301/302 rather than actually hitting your site (and Azure doesn't actually follow the redirect)
More examples https://github.com/projectkudu/kudu/wiki/Xdt-transform-samples
<rule name="Redirect to non-WWW" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="www.example.com$" />
<add input="{HTTP_USER_AGENT}" pattern="Initialization" negate="true" /> <!-- IIS Application Initialization Warmup -->
<add input="{HTTP_USER_AGENT}" pattern="SiteWarmup" negate="true" /> <!-- Azure WebApps Warmup Request -->
<add input="{HTTP_USER_AGENT}" pattern="AlwaysOn" negate="true" /> <!-- Azure WebApps AlwaysOn Probes -->
</conditions>
<action type="Redirect" redirectType="Permanent" url="https://example.com/{R:1}" />
</rule>
<!-- Redirect to HTTPS Version -->
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
<add input="{HTTP_USER_AGENT}" pattern="Initialization" negate="true" />
<add input="{HTTP_USER_AGENT}" pattern="SiteWarmup" negate="true" />
<add input="{HTTP_USER_AGENT}" pattern="AlwaysOn" negate="true" />
</conditions>
<action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
</rule>

Kentico 9 Admin URL changes and locking it to http://localhost

I'm reading through the documentation, and don't see what i'm looking for.
This new build is going to run on a staging --> prod set up. On the prod side, I'm hoping to the have the admin login only available to local host. This way you have to be logged into the server to access the admin panel.
I'm assuming i need to make the web.config adjustments, but how do i ensure that only http://localhost/ works?
Try installing URL Rewrite on the web server and adding the following rewrite rule to your web.config system.webServer section. This should cause IIS to intercept any URLs under /admin and return a 403 if not on a URL local to the server. You might also need to adapt the URL match or add additional rules for other Kentico admin paths (e.g. CMSAdministraton.aspx etc.).
<rewrite>
<rules>
<rule name="Block Remote Access to Admin" stopProcessing="true" patternSyntax="ECMAScript" enabled="true">
<match url="admin(/|$)" ignoreCase="true" />
<conditions logicalGrouping="MatchAll">
<add input="{REMOTE_ADDR}" pattern="localhost" ignoreCase="true" negate="true" />
<add input="{REMOTE_ADDR}" pattern="127.0.0.1" negate="true" />
<add input="{REMOTE_ADDR}" pattern="::1" negate="true" />
</conditions>
<action type="CustomResponse" statusCode="403" statusDescription="Forbidden" statusReason="Access to this URL is restricted"/>
</rule>
<rules>
</rewrite>
Add custom code in Admin/CMSAdministration.aspx.cs to grant localhost only.

Resources