I have a web application that is hosted by azure as a web role. The application is installed on two sub domains, QA and Production, the QA environment has the X-Frame-Options set to deny, but the production environment does not.
Currently the same code is deployed to each environment, so it must be a configuration option. I can't find anywhere in the web app where the XFO headers are set. Where else might the configuration be set?
I know this is old but still no answer so...
You can set it in the web.config like this:
<customHeaders>
<clear/>
<add name="X-Frame-Options" value="ALLOW-FROM youruri" />
</customHeaders>
Related
How can I have different Web.config files for different Azure slots.
I have a staging and production slot with the same website I don't want the staging slot to be public (it's only for testing and such), so I've setup authentication for that slot through the web.config file.
The problem is that when I upload changes the production slot gets the same web.config file as the staging slot which is set for only allowing access by authenticating, and also the parameters are different so the production slot ends up getting inaccessible, I have to change the web.config file manually in the production slot to make it work.
I wanted to have some way to define a different web.config file for the production slot.
Update (adding more information to the question):
I'm using my local machine for testing (with a local server), that is the development environment.
The sites are in wordpress (wordpress uses php).
The staging slot is used only by a few people, not connected to my local Lan, when I selectively want them to test my site (different Operating Systems, different platforms, different mobile phones,..) before sending things to production. I can just stop the staging slot, when I'm not using it so production resources are not be affected.
I'm already using AppSettings for different connectionStrings, and parameters. I don't know how to use this to define different authentication settings..? I have the authentication settings in the web.config file (used by the staging slot).
My web.config file:
<configuration>
<system.web>
<authorization>
<allow users="foo#gmail.com, foo2#foo2.com, foo3#gmail.com"/>
<deny users="*"/>
</authorization>
</system.web>
<system.webServer>
<rewrite>
<rules>
<rule name="WordPress: http://contoso.azurewebsites.net" patternSyntax="Wildcard">
<match url="*"/>
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true"/>
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true"/>
</conditions>
<action type="Rewrite" url="index.php"/>
</rule>
</rules>
</rewrite>
</system.webServer>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>
You are using slots incorrectly. Staging slots are not meant to be long-lived applications for testing. These are for deployment and short-automated testing of the application while you are deploying.
Also if your prod and staging slots are almost identical, what is the point of securing staging if it does the same thing as production?
And to conclude - there is no way to do what you want to do. So you might as well set up separate testing WebApp and get it secured via web.config.
There are a few ways to accomplish what you are trying to do. Although I agree with Trailmax - this seems to be a misuse of the intended purpose of slots. Remember that slots share resources (CPU, memory, etc) with your production slot. If you're using a slot for your integration and testing environments and something goes sideways, you are impacting your production resources. That's really not a good idea.
But if you want to go this route anyways, you can:
Use slots along with different build configurations and associated web.config transforms. For example, if your production site is foo.azurewebsites.net, you can define a staging slot called "staging". You can publish directly to that slot at foo-staging.azurewebsites.net. Define a separate build configuration called Staging, and create a web.staging.config transform that updates the underlying web.config to the values you want to deploy to your staging slot. Make sure that when you publish, you choose the foo-staging target, and that you choose "staging" as your build configuration.
If the environments differ by AppSettings and ConnectionStrings, define slot-specific values in the Web App's Application Settings section. These override whatever is in web.config. This is my personal favorite approach.
We are using Azure Web APP for for our FrontEnd site. Recently we have discovered DOS attack on our website. When I googled around I got to know solution for Azure Cloud Services. Is there any way, Azure Web APP can be protected with out of box support..
Azure Web Sites enabled the Dynamic IP Restrictions module for IIS8.You can protect your Azure Web App from DDOS Attacks by configuring Dynamic Ip Security under System.WebServer in your App's web.config file as follows.
<security>
<dynamicIpSecurity denyAction="NotFound">
<!--<denyByConcurrentRequests enabled="true" maxConcurrentRequests="20" />-->
<denyByRequestRate enabled="true" maxRequests="20" requestIntervalInMilliseconds="5000"/>
</dynamicIpSecurity>
</security>
Read Reference For More Information
https://azure.microsoft.com/fr-fr/blog/confirming-dynamic-ip-address-restrictions-in-windows-azure-web-sites/
We are hosting IIS ARR in a webapp running as a basic reverse proxy. This is working well and is really easy to configure (unlike the alternative we considered, Azure Application Gateway).
Our proxy takes an incoming url and simply forwards it to a different server so nothing too complicated.
What we need to do now though is to add a url rewrite rule for a tenanted endpoint, so with a url like this:
https://proxy/[customerid]/stuff?id=1
for customer A rewrite to
https://tenantservera/[customerid]/stuff?id=1
and for customer B rewrite to
https://tenantservera/[customerid]/stuff?id=1
Customers could be added at any time, and there are a number of these proxy servers deployed worldwide running behind Azure Traffic Manager, so I would prefer to avoid updating the web.config each time we add a new customer if at all possible.
This appears to be possible (though a bit archaic) with a "real" server running IIS as you can write a custom module in .NET 2.0, deploy to server's GAC and then hook it into the pipeline in IIS. This would update the web.config something like this:
<providers>
<provider name="DB" type="DbProvider, Microsoft.Web.Iis.Rewrite.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<settings>
<add key="StoredProcedure" value="GetRewrittenUrl" />
</settings>
</provider>
</providers>
Does anyone know if this, or anything like it, is possible in a web application? We can't install into the GAC AFAIK.
I have InProc SessionState enabled for my MVC appplication
<system.web>
...
<sessionState mode="InProc" cookieless="false" timeout="180" />
...
<system.web>
I have four independent VM's (Dev, Test, UAT & Prod) and unfortunately it does not work on one of them, e.g TempData is not passed between redirects.
I have checked...
IIS machine.config
IIS web.config
Applcation's web.config
Application pool settings
and they are all the same (alllowing for differences in connection strings etc)
Anything else I can check or any ideas as to what might be going on?
My dev and test environments are using the machine names whereas we have configured CNAMEs for the UAT environment as the end users are interacting with the server.
The problem was the hostname of the server... reporting_uat.xxx.com
As this contains an underscorre, IE will not store cookies, see Issue with Session and Cookie in Internet Explorer for websites containing underscore
This is the case:
Farm with one WFE and one APP-server. WFE hosts all sites, APP-server hosts all SharePoint web services. Names of servers: SPWFE01 and SPAPP01
WFE can connect to internet through proxy.
Web services should be bypassed, thus not called through proxy
Thus, I configured web.config as following:
<system.net>
<defaultProxy>
<proxy usesystemdefaults="false" proxyaddress="http://proxy" bypassonlocal="false" />
<bypasslist>
<add address="spwfe01"/>
<add address="spapp01"/>
<add address="139\.156\..*"/> <!-- IP-address range of Farm -->
<add address="10\.246\..*"/> <!-- backup IP-address range of Farm -->
</bypasslist>
</defaultProxy>
</system.net>
However, I get null reference exceptions when I call the UPA from code behind. When I remove above configuration, everything works as expected. Thus, web service calls are made through proxy, despite of bypasslist.
What am I doing wrong here?
Alright, fixed it by removing usesystemdefaults-attribute...
According to MSDN:
usesystemdefault
Specifies whether to use Internet Explorer proxy settings. If set to true, subsequent attributes will override Internet Explorer proxy settings. The default value is unspecified.
Thus, now it is "unspecified". I have no idea what unspecified is for a boolean value, but it works...