I have started work on a Windows Azure solution that hosts multiple Web Role projects which talk to each other over HTTP.
When I Debug (F5) my project in Visual Studio two web roles are started on the following IP addresses:
127.0.0.1
127.0.0.2
When I run Fiddler I listen to traffic being sent to 127.0.0.1 by using the built in ipv4.fiddler hook.
How do I listen to the traffic being sent to on 127.0.0.2?
What I would suggest is not to use the ipv4.fiddler at all. Instead, configure you 2 webroles appropriately.
I assume that your web roles communicate over standard HTTP, and I guess you're using standard .NET approaches to communicate. Why not configure these mechanisms to use a proxy, in this case the fiddler proxy. By default this would be 127.0.0.1:8888 This means you will capture the traffic between the 2 roles.
Related
I have developed 2 applications in spring boot with embedded tomcat. I have one cloud server (Azure) and i have run both the applications in that server. First app running in port 80 and other one in 81. I have domain name registration in GoDaddy For example First app is www.abc.com and the second one is www.xyz.com. How do i configure in azure console that when request comes from www.abc.com then port 80 should serve the request else request would be served by 81. Please help me out configuring deployment.
You should be able to accomplish this by implementing User Defined Routes
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
Additionally, Azure offers Load Balancers and Traffic Mangers that you could implement as well to manage the traffic.
https://azure.microsoft.com/en-us/services/load-balancer/
https://azure.microsoft.com/en-us/services/traffic-manager/
I'm developing a security system. It has a proxy server acting like a ssl termination using Nginx which will forwards all tcp/ip connections from clients to other third-party systems.
The client-proxy connections must be authenticated and securely encrypted by ssl.
And my problems is:
Each client is a computer which installed Windows 7 OS or higher. It has been installed with some third-party applications which cannot be interfered. For the better user experience, all clients' tcp/ip outbound requests from any applications must be transparently "converted" into (or "wrapped" in) ssl requests before coming to proxy server. And my first idea is to develop a network driver to access these requests using windows api, namely WFP(Windows Filtering Platform). I have read its online documentation but it's not easy to understand. Can you have to find some projects like this or tell me which sections in the documentation need to be focused? Thank you in advance!
Your issue is a bit unclear but here are my thoughts:
You want to have full encryption between the End User Client to the App Service.
Current:
Client --(443: TLS)--> NGINX --(Clear; Port 80)--> App Service
(Terminate TLS)
Change:
Client --(443: TLS)--> NGINX --(TLS; Port 443)--> App Proxy -(Plain; 80)-> App Service
(Terminate TLS) (Nginx with self-signed Cert)
The change is to add an additional Nginx server on the app server to provide the last layer of TLS between the load balancer and the App Service.
If your App service has the capability to serve SSL connections directly that's even better as you can just configure that in place of running an additional Nginx server on the app host. (If you wanted you could run apache or any other web server that supports proxy/load balancing capabilities)
If you are worried about the App Service port, it won't make a difference, the idea is that the App Proxy (being Nginx or the likes) will handle the encryption on a different port to then pass via localhost to the App Service (in plain text).
Additional Resources:
Can Nginx do TCP load balance with SSL termination?
https://serverfault.com/questions/978922/nginx-proxy-pass-to-https
https://reinout.vanrees.org/weblog/2017/05/02/https-behind-proxy.html
https://nginx.org/en/docs/http/ngx_http_ssl_module.html
Here´s what we try to do:
We try to run several App Servers with Meteor and Mongo DB Servers on Azure VMs. We have them bundled in one cloud service with Endpoint sets that balance the load.
We setting them up via the Management Console (Ubuntu VMs) and then deploy Meteor and the content via Meteor Up.
Now we want to do HTTPS. Initially we thought that is handled by the LoadBalancer by mapping an external port 443 to the internal port 80 as there are options to upload Certificates.
It seems there is no option to configure that this way except for deployments using Visual Studio (and those seem to have to use at least some Web roles).
Here is where we struggle:
Using HTTPS seems to be tied to deploying an App developed in visual studio and/or on Windows VMs?
That´s the question:
Is it possible to use load balanced HTTPS on szure with Linux VMs?
PS: This is the Article that made me think the Load Balancer might does SSL encryption by itself: https://msdn.microsoft.com/en-us/library/azure/ff795779.aspx
AFAIK, the load balancer of Azure would only spread the traffic to the instances internal endpoint, and do not encrypt the traffic in SSL. (see: https://azure.microsoft.com/en-us/documentation/articles/load-balancer-overview/)
Even for the deployment using Visual Studio, I believe the mechanism behind is also the IIS on each web role encrypting the traffic, but not the load balancer job.
So, you should add SSL on the web server of each VMs such as using nginx.
Is it possible to use Web Deploy (wmsvc) across domains? That is, can I deploy from my dev box/build server in one domain onto a web server in another? I am able to do this inside the same domain so I know that I do have the web deployment service configured properly. However from another domain I can't even get the https://severname.domain.com:8172/msdeploy.axd to challenge for credentials.
The short answer is yes.
WMSVC exposes itself on port 8172, but it uses the https protocol. So long as you have a direct way to get from one network to the other, over that port, it will work.
We run all of our webservers on a DMZ, which is an isolated network with separate DNS, active directory servers, etc. I can directly deploy from my build server (on the *.hq network) to the *.dmz.com server over port 8172.
However, I did have to communicate this requirement to the networking group so that they could allow port 8172 to pass through our firewall. Also, I wasn't able to set up web deploy with automatic Windows Auth because the two networks had different domains and different sets of users.
I am trying lock down a virtual machine that acts as an app server for a web application. I have a two VM's: One for the app server and another one running the web server. I have to open a ton of ports to allow the web server talk to some wcf services, but I only want to allow those connections from the web server and no one outside of that network. I have to add endpoints in order for the web server to access the wcf services, but this also makes them accesible to the public IP. How can I only allow this traffic on the
For Virtual Machines, the only way of accessing ports from outside the hosted service is by defining input endpoints (with or without load-balancing across a set of machines). In your case, you'd just open, say, 80 and 443, specifically for your web server (e.g. not load-balanced). This is considered a port-forwarded endpoint since traffic on these two ports get forwarded directly to your web server. For more clarity around port-forwarded endpoints, I suggest Michael Washam's blog post, here.
At this point, you'd open various other ports on your app server (through its firewall config), and now your web server can talk to the app server, yet the outside world won't be able to reach the app server. Note: I'm assuming you placed your web server and app server in the same hosted service. Otherwise, you'd need to find a different way to connect between web and app servers, such as configuring a Virtual Network.
EDIT 6/5/2013 You can now enable ACLs on input endpoints, allowing (or blocking) IP ranges. Today ACLs may only be managed through PowerShell, with the June 2013 update. See this post to learn more.
Machines that exist on the same virtual network will be able to talk to each other as long as the local firewall has been opened to those ports. This problem was with my configuration in my application and not because of this. I also didn't have the correct ports open. Now it works like a charm.