I have an Azure website which I only use for development and testing, therefore I want to restrict access to it for everyone but myself.
According to this blog article this is now officially supported, so I tried adding this to my web.config file:
<system.webServer>
<security>
<ipSecurity allowUnlisted="false" denyAction="NotFound">
<add allowed="true" ipAddress="1.2.3.4" />
</ipSecurity>
</security>
</system.webServer>
For the ipAddress attribute I have to use the IP address of my internet connection, right? So I went to http://www.whatismyip.com/ and copied the address, but now my website is simply blocking all requests; the allow rule has no effect.
Did I miss something?
UPDATE: The log files revealed that the IPs seen by the web server are not those of the actual clients, but of a proxy in between (Cloudflare). So I tried to solve this by adding enableProxyMode="true", unfortunately this does not fix my issue. Any ideas of how to get IP restrictions to work with Cloudflare?
Just in case someone is trying to set up IP restrictions with Cloudflare: the solution is to not only add your IP to the whitelist, but also all the Cloudflare IPs (taken from here).
<system.webServer>
<security>
<ipSecurity enableProxyMode="true" allowUnlisted="false" denyAction="NotFound">
<!-- YOUR IP -->
<add allowed="true" ipAddress="1.2.3.4" />
<!-- CLOUDFLARE -->
<add allowed="true" ipAddress="199.27.128.0" subnetMask="255.255.248.0" />
<add allowed="true" ipAddress="173.245.48.0" subnetMask="255.255.240.0" />
<add allowed="true" ipAddress="103.21.244.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="103.22.200.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="103.31.4.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="141.101.64.0" subnetMask="255.255.192.0" />
<add allowed="true" ipAddress="108.162.192.0" subnetMask="255.255.192.0" />
<add allowed="true" ipAddress="190.93.240.0" subnetMask="255.255.240.0" />
<add allowed="true" ipAddress="188.114.96.0" subnetMask="255.255.240.0" />
<add allowed="true" ipAddress="197.234.240.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="198.41.128.0" subnetMask="255.255.128.0" />
<add allowed="true" ipAddress="162.158.0.0" subnetMask="255.254.0.0" />
<add allowed="true" ipAddress="104.16.0.0" subnetMask="255.240.0.0" />
</ipSecurity>
</security>
</system.webServer>
Not intended as a full answer, just posting a slightly updated list of CloudFlare IPs in useful copy/paste format. See the accepted answer for usage.
<add allowed="true" ipAddress="103.21.244.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="103.22.200.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="103.31.4.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="104.16.0.0" subnetMask="255.240.0.0" />
<add allowed="true" ipAddress="108.162.192.0" subnetMask="255.255.192.0" />
<add allowed="true" ipAddress="131.0.72.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="141.101.64.0" subnetMask="255.255.192.0" />
<add allowed="true" ipAddress="162.158.0.0" subnetMask="255.254.0.0" />
<add allowed="true" ipAddress="172.64.0.0" subnetMask="255.248.0.0" />
<add allowed="true" ipAddress="173.245.48.0" subnetMask="255.255.240.0" />
<add allowed="true" ipAddress="188.114.96.0" subnetMask="255.255.240.0" />
<add allowed="true" ipAddress="190.93.240.0" subnetMask="255.255.240.0" />
<add allowed="true" ipAddress="197.234.240.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="198.41.128.0" subnetMask="255.255.128.0" />
<add allowed="true" ipAddress="199.27.128.0" subnetMask="255.255.248.0" />
This is the current list of Cloudflare IPs:
<security>
<ipSecurity allowUnlisted="false">
<!-- CLOUDFLARE -->
<add allowed="true" ipAddress="103.21.244.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="103.22.200.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="103.31.4.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="104.16.0.0" subnetMask="255.248.0.0" />
<add allowed="true" ipAddress="104.24.0.0" subnetMask="255.252.0.0" />
<add allowed="true" ipAddress="108.162.192.0" subnetMask="255.255.192.0" />
<add allowed="true" ipAddress="131.0.72.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="141.101.64.0" subnetMask="255.255.192.0" />
<add allowed="true" ipAddress="162.158.0.0" subnetMask="255.254.0.0" />
<add allowed="true" ipAddress="172.64.0.0" subnetMask="255.248.0.0" />
<add allowed="true" ipAddress="173.245.48.0" subnetMask="255.255.240.0" />
<add allowed="true" ipAddress="188.114.96.0" subnetMask="255.255.240.0" />
<add allowed="true" ipAddress="190.93.240.0" subnetMask="255.255.240.0" />
<add allowed="true" ipAddress="197.234.240.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="198.41.128.0" subnetMask="255.255.128.0" />
</ipSecurity>
</security>
Since Azure SDK 2.3 it's possible to use Access Control List (ACL) to apply IP restrictions for your cloud services.
Just add the ACL to your ServiceConfiguration.Cloud.cscfg:
<NetworkConfiguration>
<AccessControls>
<AccessControl name="test">
<Rule action="permit" description="test" order="100" remoteSubnet="xxx.xxx.xxx.xxx/32" />
<Rule action="deny" description="test" order="200" remoteSubnet="0.0.0.0/0" />
</AccessControl>
</AccessControls>
<EndpointAcls>
<EndpointAcl role="WebRoleName" endPoint="Endpoint1" accessControl="test" />
</EndpointAcls>
</NetworkConfiguration>
None of the static files are being logged in Application Insights, but I want them to be.
All routes through my application are being logged by Application Insights.
The static file requests are visible in the AppServiceLogs.
The App Server HTTP host activity is being logged when viewed under Incoming Requests in Live Metrics.
How do I change the Application Insights config to include static files like images and .ico files?
<?xml version="1.0" encoding="utf-8"?>
<ApplicationInsights xmlns="http://schemas.microsoft.com/ApplicationInsights/2013/Settings">
<TelemetrySinks>
<Add Name="default">
<TelemetryProcessors>
<Add Type="Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.QuickPulse.QuickPulseTelemetryProcessor, Microsoft.AI.PerfCounterCollector" />
<Add Type="Microsoft.ApplicationInsights.SnapshotCollector.SnapshotCollectorTelemetryProcessor, Microsoft.ApplicationInsights.SnapshotCollector">
<IsEnabled>true</IsEnabled>
<IsEnabledInDeveloperMode>false</IsEnabledInDeveloperMode>
<ThresholdForSnapshotting>1</ThresholdForSnapshotting>
<MaximumSnapshotsRequired>3</MaximumSnapshotsRequired>
<MaximumCollectionPlanSize>50</MaximumCollectionPlanSize>
<ProblemCounterResetInterval>24:00:00</ProblemCounterResetInterval>
<SnapshotsPerDayLimit>30</SnapshotsPerDayLimit>
<SnapshotInLowPriorityThread>true</SnapshotInLowPriorityThread>
</Add>
<Add Type="Microsoft.ApplicationInsights.Extensibility.AutocollectedMetricsExtractor, Microsoft.ApplicationInsights" />
<Add Type="Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel.AdaptiveSamplingTelemetryProcessor, Microsoft.AI.ServerTelemetryChannel">
<MaxTelemetryItemsPerSecond>5</MaxTelemetryItemsPerSecond>
<ExcludedTypes>Event</ExcludedTypes>
</Add>
<Add Type="Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel.AdaptiveSamplingTelemetryProcessor, Microsoft.AI.ServerTelemetryChannel">
<MaxTelemetryItemsPerSecond>5</MaxTelemetryItemsPerSecond>
<IncludedTypes>Event</IncludedTypes>
</Add>
</TelemetryProcessors>
<TelemetryChannel Type="Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel.ServerTelemetryChannel, Microsoft.AI.ServerTelemetryChannel" />
</Add>
</TelemetrySinks>
<TelemetryInitializers>
<Add Type="Microsoft.ApplicationInsights.DependencyCollector.HttpDependenciesParsingTelemetryInitializer, Microsoft.AI.DependencyCollector" />
<Add Type="Microsoft.ApplicationInsights.WindowsServer.AzureRoleEnvironmentTelemetryInitializer, Microsoft.AI.WindowsServer" />
<Add Type="Microsoft.ApplicationInsights.WindowsServer.BuildInfoConfigComponentVersionTelemetryInitializer, Microsoft.AI.WindowsServer" />
<Add Type="Microsoft.ApplicationInsights.Web.WebTestTelemetryInitializer, Microsoft.AI.Web" />
<Add Type="Microsoft.ApplicationInsights.Web.SyntheticUserAgentTelemetryInitializer, Microsoft.AI.Web">
<Filters>search|spider|crawl|Bot|Monitor|AlwaysOn</Filters>
</Add>
<Add Type="Microsoft.ApplicationInsights.Web.ClientIpHeaderTelemetryInitializer, Microsoft.AI.Web" />
<Add Type="Microsoft.ApplicationInsights.Web.AzureAppServiceRoleNameFromHostNameHeaderInitializer, Microsoft.AI.Web" />
<Add Type="Microsoft.ApplicationInsights.Web.OperationNameTelemetryInitializer, Microsoft.AI.Web" />
<Add Type="Microsoft.ApplicationInsights.Web.OperationCorrelationTelemetryInitializer, Microsoft.AI.Web" />
<Add Type="Microsoft.ApplicationInsights.Web.UserTelemetryInitializer, Microsoft.AI.Web" />
<Add Type="Microsoft.ApplicationInsights.Web.AuthenticatedUserIdTelemetryInitializer, Microsoft.AI.Web" />
<Add Type="Microsoft.ApplicationInsights.Web.AccountIdTelemetryInitializer, Microsoft.AI.Web" />
<Add Type="Microsoft.ApplicationInsights.Web.SessionTelemetryInitializer, Microsoft.AI.Web" />
</TelemetryInitializers>
<TelemetryModules>
<Add Type="Microsoft.ApplicationInsights.DependencyCollector.DependencyTrackingTelemetryModule, Microsoft.AI.DependencyCollector">
<ExcludeComponentCorrelationHttpHeadersOnDomains>
<Add>core.windows.net</Add>
<Add>core.chinacloudapi.cn</Add>
<Add>core.cloudapi.de</Add>
<Add>core.usgovcloudapi.net</Add>
</ExcludeComponentCorrelationHttpHeadersOnDomains>
<IncludeDiagnosticSourceActivities>
<Add>Microsoft.Azure.EventHubs</Add>
<Add>Microsoft.Azure.ServiceBus</Add>
</IncludeDiagnosticSourceActivities>
</Add>
<Add Type="Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.PerformanceCollectorModule, Microsoft.AI.PerfCounterCollector">
</Add>
<Add Type="Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.QuickPulse.QuickPulseTelemetryModule, Microsoft.AI.PerfCounterCollector" />
<Add Type="Microsoft.ApplicationInsights.WindowsServer.AppServicesHeartbeatTelemetryModule, Microsoft.AI.WindowsServer" />
<Add Type="Microsoft.ApplicationInsights.WindowsServer.AzureInstanceMetadataTelemetryModule, Microsoft.AI.WindowsServer"></Add>
<Add Type="Microsoft.ApplicationInsights.WindowsServer.DeveloperModeWithDebuggerAttachedTelemetryModule, Microsoft.AI.WindowsServer" />
<Add Type="Microsoft.ApplicationInsights.WindowsServer.UnhandledExceptionTelemetryModule, Microsoft.AI.WindowsServer" />
<Add Type="Microsoft.ApplicationInsights.WindowsServer.UnobservedExceptionTelemetryModule, Microsoft.AI.WindowsServer"></Add>
<Add Type="Microsoft.ApplicationInsights.Web.RequestTrackingTelemetryModule, Microsoft.AI.Web">
<Handlers>
<Add>Microsoft.VisualStudio.Web.PageInspector.Runtime.Tracing.RequestDataHttpHandler</Add>
<Add>System.Web.StaticFileHandler</Add>
<Add>System.Web.Handlers.AssemblyResourceLoader</Add>
<Add>System.Web.Optimization.BundleHandler</Add>
<Add>System.Web.Script.Services.ScriptHandlerFactory</Add>
<Add>System.Web.Handlers.TraceHandler</Add>
<Add>System.Web.Services.Discovery.DiscoveryRequestHandler</Add>
<Add>System.Web.HttpDebugHandler</Add>
</Handlers>
</Add>
<Add Type="Microsoft.ApplicationInsights.Web.ExceptionTrackingTelemetryModule, Microsoft.AI.Web" />
<Add Type="Microsoft.ApplicationInsights.Web.AspNetDiagnosticTelemetryModule, Microsoft.AI.Web" />
</TelemetryModules>
<ApplicationIdProvider Type="Microsoft.ApplicationInsights.Extensibility.Implementation.ApplicationId.ApplicationInsightsApplicationIdProvider, Microsoft.ApplicationInsights" />
</ApplicationInsights>
To include static files and 'all requests' in the Application Insights telemetry, add the following to web.config:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
</modules>
</system.webServer>
To see the requests in AppInsights Telemetry logs run this query:
requests
| where client_Type != "Browser"
| where operation_Name == "GET {INSERT STATIC FILE PATH HERE}"
I'd like to make my website accessible only by a few IP addresses. I've added the <ipSecurity> tag but it seems to get ignored.
This is my current config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers>
<remove name="PHP" />
<add name="PHP" path="*.php" verb="*" modules="CgiModule" scriptProcessor="C:\PHP\5.4.0\php-cgi.exe" resourceType="File" requireAccess="Script" />
</handlers>
<defaultDocument>
<files>
<remove value="index.htm" />
<remove value="index.html" />
<remove value="index.asp" />
<add value="index.html" />
<add value="index.php" />
<add value="index.asp" />
</files>
</defaultDocument>
<httpErrors errorMode="Detailed" />
</system.webServer>
<location path="Default Web Site">
<system.webServer>
<security>
<ipSecurity allowUnlisted="false">
<add ipAddress="79.1.2.3" />
</ipSecurity>
</security>
</system.webServer>
</location>
</configuration>
But the site is accessible from everywhere.
If I add the <security> block directly inside <system.webServer>, then no IP can see the site, not even the one listed; they get a 403.
What's wrong?
Try adding the code below to your site's web.config file:
<system.webServer>
<security>
<ipSecurity allowUnlisted="true">
<add ipAddress="ip" allowed="true" /> <!--allow-->
<add ipAddress="ip" allowed="false" /> <!--deny-->
</ipSecurity>
</security>
</system.webServer>
Regards,
Jalpa
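As an added example (not code from IIS, Cloudflare, or any post in this page), here is a small Python model of how an <ipSecurity> element decides a request, parsed straight from a web.config fragment. It covers two symptoms from this page: the first thread, where the site sits behind Cloudflare so the TCP peer is a Cloudflare edge and the real client only appears in X-Forwarded-For, and the 403 in the question just above, where `<add ipAddress="79.1.2.3" />` is written without `allowed="true"`. The model follows the IIS schema defaults (`allowed` is false when omitted, `allowUnlisted` is true, `enableProxyMode` is false) and assumes that in proxy mode the peer address and every address in X-Forwarded-For must all be allowed; rule precedence is simplified to first match. All addresses are constructed sample values except the two Cloudflare ranges, which are copied from the accepted answer's list.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed web.config fragments. 1.2.3.4 stands in for the admin's own
# address (as in the first thread); the two masked ranges are Cloudflare
# edge ranges copied from the accepted answer's list.
ADMIN_ONLY = """<system.webServer><security>
  <ipSecurity enableProxyMode="true" allowUnlisted="false" denyAction="NotFound">
    <add allowed="true" ipAddress="1.2.3.4" />
  </ipSecurity>
</security></system.webServer>"""

ADMIN_AND_CLOUDFLARE = """<system.webServer><security>
  <ipSecurity enableProxyMode="true" allowUnlisted="false" denyAction="NotFound">
    <add allowed="true" ipAddress="1.2.3.4" />
    <add allowed="true" ipAddress="103.21.244.0" subnetMask="255.255.252.0" />
    <add allowed="true" ipAddress="173.245.48.0" subnetMask="255.255.240.0" />
  </ipSecurity>
</security></system.webServer>"""

# The config from the question just above, without the <location> wrapper:
# the address is listed, but `allowed` is omitted.
LISTED_WITHOUT_ALLOWED = """<system.webServer><security>
  <ipSecurity allowUnlisted="false">
    <add ipAddress="79.1.2.3" />
  </ipSecurity>
</security></system.webServer>"""


def parse_ip_security(xml_text):
    """Read an <ipSecurity> element into (network, allowed) rules plus the
    allowUnlisted / enableProxyMode switches, using the IIS schema defaults."""
    sec = ET.fromstring(xml_text).find("security/ipSecurity")
    rules = []
    for add in sec.findall("add"):
        mask = add.get("subnetMask", "255.255.255.255")  # no mask: single host
        net = ipaddress.ip_network(f"{add.get('ipAddress')}/{mask}", strict=False)
        # `allowed` defaults to false, so <add ipAddress="x" /> is a DENY rule.
        rules.append((net, add.get("allowed", "false").lower() == "true"))
    return {
        "rules": rules,
        "allow_unlisted": sec.get("allowUnlisted", "true").lower() == "true",
        "proxy_mode": sec.get("enableProxyMode", "false").lower() == "true",
    }


def address_allowed(cfg, addr):
    """First matching rule decides; an unmatched address gets allowUnlisted.
    (Simplification: IIS's exact rule precedence is not modelled.)"""
    ip = ipaddress.ip_address(addr)
    for net, allowed in cfg["rules"]:
        if ip in net:
            return allowed
    return cfg["allow_unlisted"]


def request_allowed(cfg, remote_addr, x_forwarded_for=None):
    """The TCP peer must be allowed; with enableProxyMode every address in
    X-Forwarded-For must be allowed as well (assumed IIS behaviour)."""
    if not address_allowed(cfg, remote_addr):
        return False
    if cfg["proxy_mode"] and x_forwarded_for:
        return all(address_allowed(cfg, hop.strip())
                   for hop in x_forwarded_for.split(","))
    return True


def scenarios():
    """Walk through the situations discussed in the threads above."""
    admin = parse_ip_security(ADMIN_ONLY)
    both = parse_ip_security(ADMIN_AND_CLOUDFLARE)
    listed = parse_ip_security(LISTED_WITHOUT_ALLOWED)
    edge = "173.245.48.10"       # an address inside a Cloudflare range, constructed
    stranger = "203.0.113.9"     # some other client, constructed
    return {
        # Admin hits the origin directly: fine even with the short list.
        "admin_direct": request_allowed(admin, "1.2.3.4"),
        # Admin via Cloudflare: the peer is the edge, which is unlisted -> blocked.
        "admin_via_cloudflare_short_list": request_allowed(admin, edge, "1.2.3.4"),
        # Same request once the edge ranges are listed -> allowed.
        "admin_via_cloudflare_full_list": request_allowed(both, edge, "1.2.3.4"),
        # Someone else via Cloudflare: edge is fine, forwarded client is not.
        "stranger_via_cloudflare": request_allowed(both, edge, stranger),
        # Forged X-Forwarded-For on a direct connection: the peer check still fails.
        "stranger_direct_forged_xff": request_allowed(both, stranger, "1.2.3.4"),
        # Listed address without allowed="true" is a deny rule -> 403 for everyone.
        "listed_without_allowed": request_allowed(listed, "79.1.2.3"),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:35} {'allowed' if ok else 'denied'}")
```

The "stranger_direct_forged_xff" case is the one to keep in mind when the origin is still reachable without going through Cloudflare: the forwarded header is only consulted after the peer address has passed, so a client that is not a listed Cloudflare edge cannot talk its way in by forging X-Forwarded-For. The "listed_without_allowed" case is the 403 from the question above: with `allowUnlisted="false"`, a listed address that lacks `allowed="true"` is denied by its own rule, and everyone else is denied as unlisted.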
We have a running website which makes XHR requests to another domain's PHP service. Currently we are moving this service to a new server. While we allowed CORS and used quite the same settings, the request works on the old server but does not on the new one.
I say "quite the same" because obviously something is wrong, but we couldn't find a difference. IpSecurity allows all IPs, authentication accepts anonymous, etc.
Old Server: Windows Server 2012; IIS 6.2
New Server: Windows Server 2008R2; IIS 6.1
Web.config:
<configuration>
<system.webServer>
<defaultDocument enabled="true">
<files>
<clear />
<add value="index.aspx" />
<add value="index.asp" />
<add value="index.htm" />
<add value="index.html" />
<add value="home.aspx" />
<add value="home.asp" />
<add value="home.htm" />
<add value="home.html" />
<add value="default.aspx" />
<add value="default.asp" />
<add value="default.htm" />
<add value="default.html" />
</files>
</defaultDocument>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Credentials" value="true" />
<add name="Access-Control-Allow-Headers" value="origin, content-type, accept" />
<add name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS" />
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
<urlCompression doDynamicCompression="true" />
</system.webServer>
</configuration>
Error: SCRIPT7002: XMLHttpRequest: Networkerror 0x80070005, Access denied.
Does anyone have an idea why Edge won't get access to the new server?
Thanks for any ideas.
EDIT: To further clarify: It does work on Chrome, Firefox and IE 11
I'm working on an IIS 7.5 server and enabled the failed request tracing feature; however, when I attempt to set up the rules I only have the option to select ASPNET as a provider rather than the normal four providers (ASP, ASPNET, ISAPI Extension, WWW Server).
Does anyone know how to get the other providers to display?
For some reason it seems your traceProviderDefinitions got cleared or something. To fix that you can:
Make a backup of c:\Windows\System32\Inetsrv\Config\ApplicationHost.config just in case anything goes wrong with your XML editing.
Open c:\Windows\System32\Inetsrv\Config\ApplicationHost.config in notepad.
Look for <traceProviderDefinitions>; on my machine I have the following:
<traceProviderDefinitions>
<add name="WWW Server" guid="{3a2a4e84-4c21-4981-ae10-3fda0d9b0f83}">
<areas>
<clear />
<add name="Authentication" value="2" />
<add name="Security" value="4" />
<add name="Filter" value="8" />
<add name="StaticFile" value="16" />
<add name="CGI" value="32" />
<add name="Compression" value="64" />
<add name="Cache" value="128" />
<add name="RequestNotifications" value="256" />
<add name="Module" value="512" />
<add name="Rewrite" value="1024" />
<add name="FastCGI" value="4096" />
<add name="WebSocket" value="16384" />
</areas>
</add>
<add name="ASP" guid="{06b94d9a-b15e-456e-a4ef-37c984a2cb4b}">
<areas>
<clear />
</areas>
</add>
<add name="ISAPI Extension" guid="{a1c2040e-8840-4c31-ba11-9871031a19ea}">
<areas>
<clear />
</areas>
</add>
<add name="ASPNET" guid="{AFF081FE-0247-4275-9C4E-021F3DC1DA35}">
<areas>
<add name="Infrastructure" value="1" />
<add name="Module" value="2" />
<add name="Page" value="4" />
<add name="AppServices" value="8" />
</areas>
</add>
</traceProviderDefinitions>
I used Vega scanner to test my web application and it found some Shell Injection vulnerabilities that can be found by entering commands like these:
GET /http:/mywebsite.com/?s="%20%3B%20/bin/sleep%2031%20%3B
GET /http:/mywebsite.com/http:/http:/mywebsite.com/?s="%20%3B%20/bin/sleep%2031%20%3B
I'm running Windows Server with IIS and PHP. A portion of my web.config file is here:
<requestFiltering>
<denyUrlSequences>
<add sequence="module" />
<add sequence="engine" />
<add sequence="tpl(\.php" />
<add sequence="profile" />
<add sequence="Root" />
<add sequence="Tag" />
<add sequence="Template" />
<add sequence="Repository" />
<add sequence="code-style" />
<add sequence="GET /?p=/./" />
<add sequence="/?p=/./" />
<add sequence="/?" />
<add sequence="/?p=/./ HTTP/1.1" />
<add sequence="/bin/sleep" />
<add sequence="sleep" />
<add sequence="bin" />
<add sequence="{" />
<add sequence="}" />
<add sequence=";" />
<add sequence="|" />
<add sequence="~" />
</denyUrlSequences>
</requestFiltering>
What I'm trying to do is block these types of queries from being used by using the web.config file. What I have above should be blocking the malicious queries, but it appears to not be working even after updating the web.config and rescanning. Could anyone give me advice on how to proceed please? Thank you very much!
Try using denyQueryStringSequences, since in this case the payload (based on your example) is in the query string, not in the URL segments. For example (adding the segment as well, just in case):
<system.webServer>
<security>
<requestFiltering>
<hiddenSegments>
<remove segment="bin" />
<add segment="bin" />
</hiddenSegments>
<denyQueryStringSequences>
<add sequence="/bin" />
</denyQueryStringSequences>
</requestFiltering>
</security>
</system.webServer>
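To make the distinction in the answer concrete, here is an added Python model of request filtering's sequence rules (example code, not IIS or anything from the question or answer). It applies the question's denyUrlSequences entries to the decoded path only and the answer's denyQueryStringSequences entries to the decoded query string only, which is why the first list never matches the scanner's request while the second does. Assumptions: plain case-insensitive substring matching, and the query string decoded before matching as request filtering's default unescapeQueryString="true" does. The two request targets are the ones Vega reported; the rule lists are a subset of the question's entries plus the answer's. Note that such a rule only removes the "/bin/sleep" probe the scanner uses: the command injection itself lives in whatever PHP handles the s parameter, and that is where it has to be fixed.

```python
from urllib.parse import unquote, urlsplit

# Constructed request targets, copied from the two lines the Vega report quotes.
SCAN_REQUESTS = [
    '/http:/mywebsite.com/?s="%20%3B%20/bin/sleep%2031%20%3B',
    '/http:/mywebsite.com/http:/http:/mywebsite.com/?s="%20%3B%20/bin/sleep%2031%20%3B',
]

# Subset of the question's <denyUrlSequences> entries (path rules).
QUESTION_DENY_URL = ["module", "/bin/sleep", "sleep", "bin", "{", "}", ";", "|", "~"]
# The answer's <denyQueryStringSequences> entry, plus ";" which the question
# had placed in the URL list where it cannot see the query string.
ANSWER_DENY_QUERY = ["/bin", ";"]


def split_target(raw_target):
    """Split a request target into the decoded path and the decoded query.
    URL rules see only the path, query-string rules only the query."""
    parts = urlsplit(raw_target)
    return unquote(parts.path), unquote(parts.query)


def sequence_hits(text, sequences):
    """Return the denied sequences found in `text` (assumed case-insensitive)."""
    lowered = text.lower()
    return [s for s in sequences if s.lower() in lowered]


def filter_request(raw_target, deny_url=(), deny_query=()):
    """Decide whether request filtering would reject the target, and why.
    Returns (blocked, {'url': [...], 'query': [...]})."""
    path, query = split_target(raw_target)
    hits = {"url": sequence_hits(path, deny_url),
            "query": sequence_hits(query, deny_query)}
    return bool(hits["url"] or hits["query"]), hits


def compare_rule_sets():
    """The question's URL rules alone vs. with the answer's query rules added."""
    result = {}
    for target in SCAN_REQUESTS:
        url_only, _ = filter_request(target, deny_url=QUESTION_DENY_URL)
        with_query, hits = filter_request(target, deny_url=QUESTION_DENY_URL,
                                          deny_query=ANSWER_DENY_QUERY)
        result[target] = {"url_rules_only": url_only,
                          "with_query_rules": with_query,
                          "query_hits": hits["query"]}
    return result


def overblocking_examples():
    """Substring rules also hit legitimate traffic: 'bin' as a query rule
    rejects a search for 'cabinet', whereas '/bin' leaves it alone."""
    return {
        "cabinet_with_bin": filter_request("/?s=cabinet", deny_query=["bin"])[0],
        "cabinet_with_slash_bin": filter_request("/?s=cabinet", deny_query=["/bin"])[0],
    }


if __name__ == "__main__":
    for target, info in compare_rule_sets().items():
        print(target)
        print("  URL rules only :", "blocked" if info["url_rules_only"] else "passed")
        print("  + query rules  :", "blocked" if info["with_query_rules"] else "passed",
              info["query_hits"])
    print(overblocking_examples())
```

The overblocking_examples function is the check to run before copying a sequence list into production: every entry is a substring match, so short sequences such as "bin" or "~" in the question's list will also reject ordinary requests that happen to contain them.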