Showing posts with label azure-web-sites. Show all posts
Showing posts with label azure-web-sites. Show all posts

Sunday, January 21, 2018

Azure App Service accept all domain names

By Hường Hana 2:00 PM , , Leave a Comment

Is it possible to have an App Service respond to all domain names that it receives? I would really like to be able to deploy to an App Service plan, rather than a VM. Note I am not trying to do wildcard subdomains - these require adding them through the Azure console. I am trying to accept any domain name that the app service receives. Adding and verifying each domain is not practical.

I have a multitenant app, so this is really important to me so that customers can use their own domain names.

I've tried adding the domain * and ., but it fails validation.

3 Answers

Answers 1

Yes, this is possible since 2014, at least. See the official doc page and this blog post for more.

You have to point your *.example.com domain (CNAME) to <app_name>.azurewebsites.net, then add *.example.com to the custom domains list for your Web App.

Answers 2

I don't think you can do this because Azure requires validation of domain ownership by adding specific records to DNS. Here is a discussion as to why they do that.

The best you might be able to do is to automate or script the binding, but even then you would need assistance from your third party partners/customers to verify their DNS ownership.

An alternative would be to transfer your DNS to Azure and use subdomains. I know you've said you're not looking at that solution, but using the Azure DNS offering would allow you to fully script out the onboarding process for a new customer.

Answers 3

Could you ensure that the changes to your DNS settings have been confirmed and validated from your DNS provider’s end. For certain providers, such as GoDaddy, changes to DNS records don't become effective until you select a separate Save Changes link.

For more details, refer "Map an existing custom DNS name to Azure Web Apps".

You may refer MSDN thread, which addresses similar issue.

Read More

Friday, July 1, 2016

For Azure Web Applications, how do you monitor Security Threat traffic?

By Hường Hana 7:00 AM , , Leave a Comment

I want to monitor any suspicious traffic into our Azure web application. I want to know the IP addresses and what they are probing with a view to blocking those IP addresses. I am mindful of trying to protect the application via secure coding practices, but also I feel a little blind to what is hitting our site at present.

I have looked at what Azure provides, but cannot see anything obvious in terms of some form of dashboard. I may be looking in the wrong place.

It may be that I need a proper Web Application Firewall to do this, and Azure does not provide this ?? The only one I am sort of familiar with is Cloudflare, but for other reasons, we cannot use it at present, although these could be surmontable.

So how are folks monitoring their "attack interfaces"?

Thanks.

2 Answers

Answers 1

If you're referring to Azure Web Apps there is a log that displays very detailed information about the requests made to your website. The logs are the Web Server logs which are in the W3C extended log file format and may contain the information you're looking for. You have to enable these logs under diagnostics for the web app.

You can view these logs by downloading them or streaming them via PowerShell or azure CLI. You may also find the Kudu site that comes with web apps helpful. It can be found at https://your-web-app.scm.azurewebsites.net

Answers 2

You are correct, Azure web apps by itself does not offer extensive security monitoring. While ApplicationInsights and ApplicationInsights Analytics can give you a lot of data for monitoring, it does not target security specifically. It will tell you which IP address is probing what and with which result, so I would start there and see if it fits your requirements.

If you want to do security monitoring, packet inspection, etc., your best bet is to use a virtual appliance in Azure. The Azure marketplace offers security/WAF appliances from Checkpoint, Barracuda, Cisco, F5, etc. that might fit your needs. These virtual devices run on virtual machines in Azure and have a public IP address on the outside for incoming traffic which they can route to internal (vnet) or external (webapp) resources. While these are generally very powerful solutions, they come at a cost.

A possible set up might be to use an appliance like this to offload SSL, inspect traffic on the appliance and then forward traffic to the web app (over http, within the same datacenter). If the appliance of your choosing does not allow SSL offloading, you might place an Azure Application Gateway in front.

Again, start with Application Insights and see if it works for you. If not, do a price/feature comparison on the various virtual firewalls/security devices.

Read More

Saturday, June 11, 2016

Loading Azure certificate when NOT using custom domain names

By Hường Hana 2:00 PM , , , , 1 comment

As I understand if someone doesn't want to use a custom domain name and instead plans on using *.azurewebsite.net domain assigned to the website by Azure, then HTTPS is already enabled with a certificate from Microsoft(I know this is not as secure as using a custom domain name). How would be I able to load this certificate programmatically. Currently I use the following method to load a certificate from local machine or Azure :

public static X509Certificate2 LoadFromStore(string certificateThumbprint,bool hostedOnAzure) {     var s = certificateThumbprint;      var thumbprint = Regex.Replace(s, @"[^\da-zA-z]", string.Empty).ToUpper();      var store = hostedOnAzure ? new X509Store(StoreName.My, StoreLocation.CurrentUser) : new X509Store(StoreName.Root, StoreLocation.LocalMachine);       try     {         store.Open(OpenFlags.ReadOnly);          var certCollection = store.Certificates;          var signingCert = certCollection.Find(X509FindType.FindByThumbprint, thumbprint, false);          if (signingCert.Count == 0)         {             throw new FileNotFoundException(string.Format("Cert with thumbprint: '{0}' not found in certificate store. Also number of certificates in the sotre was {1}", thumbprint, store.Certificates.Count));         }          return signingCert[0];     }     finally     {         store.Close();     } }

I assume the culprit is the following line of code :

new X509Store(StoreName.My, StoreLocation.CurrentUser)

because when I get an exception it tells me there is no certificate in the store although I pass the correct certificate Thumbprint(I grab the thumbprint from Chrome manually).

1 Answers

Answers 1

You will not be able to access this certificate programmatically in your WebApp as this certificate is not really installed on the Azure WebApp. Azure WebApps have a front-end server which does a "kind of" SSL Offloading so the WebApp actually never has access to this particular certificate. Why exactly you want to read this certificate though ?

Typically if there is a need for certificates in WebApps, you would install client certificates and pass them to services for Authentication as mentioned in https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/ and those certificates you can access programmatically (code snippet mentioned in the same article)

But I am not sure what exactly you want to achieve by reading the server certificate

Read More