Azure Application Gateway to secure protocol - azure-application-gateway

I have configured an Azure load balancer which points my public IP to HTTP, and I can reach my website and it is working fine.
Now I want to achieve a routing rule that redirects the application traffic from the HTTP protocol to the HTTPS secure protocol with the help of Azure Application Gateway.
Can we simply add our HTTPS services to the health probe after installing an SSL certificate on the load balancer? I don't have much knowledge of networking; any help is highly appreciated.

I tried to reproduce the same in my environment and it worked fine.
You are able to configure your public IP address for HTTPS using Azure Application Gateway. Try to create a self-signed certificate like below:
    # Create a self-signed certificate in the local machine store (for testing only)
    New-SelfSignedCertificate `
        -certstorelocation cert:\localmachine\my `
        -dnsname www.contoso.com
    # Export the certificate and private key as a password-protected PFX file
    $pwd = ConvertTo-SecureString -String "Azure" -Force -AsPlainText
    Export-PfxCertificate `
        -cert cert:\localMachine\my\<YOURTHUMBPRINT> `
        -FilePath c:\appgwcert.pfx `
        -Password $pwd
Try to create an application gateway. You can use your existing public IP address like below.
In the routing rule, add your frontend IP as public and the protocol as HTTPS on port 443, and upload the PFX certificate like below:
Then try to create a listener on port 8080 with HTTP, add the same routing rule, and verify that the backend status is healthy like below:
When I test the HTTP protocol with the IP address, it redirects successfully like below:
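The answer ends with "it redirects successfully", which is worth checking with more than a browser. The script below is an added example, not code from the answer or from Azure: check_redirect() inspects one HTTP response (status code plus headers) and lists everything that makes it a weak or broken HTTP-to-HTTPS redirect, and probe() collects such a response from a live HTTP listener without following the redirect. www.contoso.com is only the placeholder name the answer used for its self-signed certificate; the sample responses are constructed.

```python
"""Check that an HTTP listener really redirects to HTTPS.

Added example, not part of the original answer. www.contoso.com is the
placeholder host from the answer; the three sample responses at the
bottom are constructed stand-ins for what a listener might return.
"""
import http.client
from urllib.parse import urlsplit


def check_redirect(status: int, headers: dict, requested_host: str, requested_path: str) -> list:
    """Return the problems found; an empty list means the redirect is correct.

    Correct here means: a permanent redirect whose Location is https://,
    points at the host that was asked for, and keeps the path and query,
    so deep links and bookmarks keep working after the redirect.
    """
    problems = []
    if status not in (301, 308):
        problems.append(f"status {status}: expected a permanent redirect (301 or 308)")
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if location is None:
        problems.append("no Location header")
        return problems
    want_path, _, want_query = requested_path.partition("?")
    got = urlsplit(location)
    if got.scheme.lower() != "https":
        problems.append(f"Location scheme is {(got.scheme or 'empty')!r}, not https")
    if (got.hostname or "") != requested_host.lower():
        problems.append(f"Location host {got.hostname!r} differs from requested host {requested_host!r}")
    if got.path != want_path or got.query != want_query:
        problems.append(f"Location {location!r} does not preserve path and query of {requested_path!r}")
    return problems


def probe(host: str, path: str = "/", port: int = 80, timeout: float = 5.0) -> list:
    """Fetch `path` over plain HTTP, do not follow redirects, and check the answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return check_redirect(resp.status, dict(resp.getheaders()), host, path)
    finally:
        conn.close()


# Constructed responses standing in for what a listener returned.
GOOD = (301, {"Location": "https://www.contoso.com/index.html?x=1"})
SERVED_OVER_HTTP = (200, {"Content-Type": "text/html"})   # no redirect at all
DOWNGRADE = (302, {"location": "http://www.contoso.com/"})  # temporary, and still http

if __name__ == "__main__":
    for status, hdrs in (GOOD, SERVED_OVER_HTTP, DOWNGRADE):
        print(status, check_redirect(status, hdrs, "www.contoso.com", "/index.html?x=1") or "ok")
    # Against a real front end: probe("www.contoso.com", "/index.html?x=1")
```

A 200 on port 80 means the HTTP listener is still serving content rather than redirecting; a 302 works but lets clients keep trying HTTP first, so prefer the permanent redirect type and add HSTS on the HTTPS listener once the redirect is confirmed.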

Related

Using WSO2 to call a local API

I ran a WSO2 service using Docker and followed all the instructions according to WSO2's documentation, and everything worked fine, including its own Hello-World API. Next I created my own Hello World API on my local machine on port :8082. I have set both the Production Endpoint and the Sandbox Endpoint to http://localhost:8082, but every time I try to test the API it gives the following error:
Failed to fetch.
Possible Reasons:
CORS
Network Failure
URL scheme must be "http" or "https" for CORS request.
Update:
I replaced localhost with my machine's IP and used netcat on my local machine and telnet on the container to check it, and it was okay. I don't know what my next step is. Is there anything specific that I should consider for developing my Hello World that I'm missing?
I assume both your API GW and backend API run with the same hostname, which creates an SSL failure, so I recommend you create a new key store for your backend, export the key store as a certificate, and import it into the trust store of the API GW.
    # 1. generate a key pair for the backend in its own key store
    keytool -keystore backend.jks -genkey -alias backend
    # 2. export the backend certificate
    keytool -export -keystore backend.jks -alias backend -file backend.crt
    # 3. import it into the gateway's client trust store
    keytool -import -file backend.crt -alias backend -keystore <APIM_HOME>/repository/resources/security/client-truststore.jks
This enables the Gateway to trust the backend server (host) and lets you communicate seamlessly.
Thanks.

Incorrect redirect URI in Azure authenticated Flask app when deployed using nginx and docker

I have a Flask app that was built based on the following instructions, which allows me to authenticate users based on Azure AD.
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-python-webapp
The app works great when tested on localhost:5000. Now I want to deploy it to a production server using Docker and an nginx reverse proxy. I have created a Docker container so that the Docker port is mapped to port 6000 on localhost. Then I added a proxy_pass in the nginx config to pass the traffic to the Docker container.
nginx.conf
    location /app/authenticated-app/ {
        proxy_pass http://localhost:6000/;
        proxy_redirect default;
    }
With this config, I can go to the login page via https://server/app/authenticated-app; however, when I click on login, the request that goes to Azure has a query parameter redirect_uri that's set to http://localhost:6000/getToken. Therefore, once I complete the login, the app gets redirected to that URL. Does anyone know how to fix this and get it redirected to the proper URL? I have already added https://server/app/authenticated-app/getToken under the redirect URIs in the Azure portal.
I had a similar issue, with nginx and my Flask app both running in Docker containers in the same stack and using a self-signed SSL certificate.
My nginx redirects requests as follows:
proxy_pass http://$CONTAINER_NAME:$PORT;
and the MSAL app uses that URL when building its redirect_uri:
    def _build_auth_code_flow(authority=None, scopes=None):
        return _build_msal_app(authority=authority).initiate_auth_code_flow(
            scopes or [],
            redirect_uri=url_for("auth.authorized", _external=True))
I cheated a little bit by hardcoding the return URL I wanted (which is identical to the one I configured in my Azure app registration) in my config.py file and using that for the redirect_uri:
    def _build_auth_code_flow(authority=None, scopes=None):
        return _build_msal_app(authority=authority).initiate_auth_code_flow(
            scopes or [],
            redirect_uri=current_app.config['HARDCODED_REDIRECT_URL_MICROSOFT'])
In my case, that URL would be https://localhost/auth/redirect/. I also needed to configure my nginx to redirect all requests from HTTP to HTTPS:
    events {}
    http {
        server {
            listen 80;
            server_name localhost;
            return 301 https://localhost$request_uri;
        }
        ...
I had the same issue; what I did is:
Use CherryPy to enable SSL on a custom port.
    # serve the Flask app over TLS on 8443 using CherryPy's built-in SSL module
    cherrypy.config.update({'server.socket_host': '0.0.0.0',
                            'server.socket_port': 8443,
                            'engine.autoreload.on': False,
                            'server.ssl_module': 'builtin',
                            'server.ssl_certificate': 'crt',   # path to the certificate file
                            'server.ssl_private_key': 'key'    # path to the private key file
                            })
Then install nginx and proxy to https://127.0.0.1:8443.
Not sure if that will help, but this is what I did to get my Flask app working with MSAL.
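Neither answer names the mechanism behind the symptom: Flask's url_for(..., _external=True) builds the URL from the scheme and Host header the app itself receives, and with the question's proxy_pass http://localhost:6000/ that is plain http and localhost:6000. The usual fix is to have nginx forward the original scheme, host and path prefix and to let the app apply them only when they come from the proxy (in Flask that is werkzeug's ProxyFix middleware: app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1, x_prefix=1)). The block below is an added example, not code from the answers or from the Microsoft quickstart; it reimplements that logic on a plain WSGI environ so it runs without Flask and shows both the broken value from the question and why the headers must not be trusted from arbitrary clients. The nginx directives, the proxy address 127.0.0.1 and the registered redirect URI are assumptions taken from the question.

```python
"""Build an OAuth redirect_uri behind a reverse proxy without trusting
headers from arbitrary clients.

Added example; not code from the answers above or from the Microsoft
sample. It reproduces what werkzeug's ProxyFix middleware does for
Flask's url_for(..., _external=True): X-Forwarded-* headers are honoured
only when the request came from the trusted proxy, otherwise the app
falls back to what its own socket saw (Host: localhost:6000 here).

Assumed nginx configuration inside the location block:
    proxy_set_header Host               $host;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-Host   $host;
    proxy_set_header X-Forwarded-Prefix /app/authenticated-app;
"""
from urllib.parse import urlunsplit

TRUSTED_PROXIES = {"127.0.0.1", "::1"}  # where nginx connects from (assumption)

# The redirect URI registered in the Azure app registration (from the question).
REGISTERED = {"https://server/app/authenticated-app/getToken"}


def external_url(environ: dict, path: str) -> str:
    """Absolute URL a browser reaches `path` at, given a WSGI environ."""
    scheme = environ.get("wsgi.url_scheme", "http")
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    prefix = ""
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        # nginx's proxy_set_header replaces any client-supplied copy of these
        # headers; take the first value in case a proxy chain appended more.
        scheme = environ.get("HTTP_X_FORWARDED_PROTO", scheme).split(",")[0].strip()
        host = environ.get("HTTP_X_FORWARDED_HOST", host).split(",")[0].strip()
        prefix = environ.get("HTTP_X_FORWARDED_PREFIX", "").rstrip("/")
    return urlunsplit((scheme, host, prefix + path, "", ""))


def redirect_uri_ok(built: str, registered: set) -> bool:
    """Azure AD accepts the request only if redirect_uri matches a registered
    URI exactly, including scheme, host, path and trailing slash."""
    return built in registered


def make_environ(remote_addr, headers=None, host="localhost:6000", scheme="http"):
    """Constructed WSGI environ: what the container in the question sees."""
    env = {"REMOTE_ADDR": remote_addr, "HTTP_HOST": host,
           "SERVER_NAME": "localhost", "wsgi.url_scheme": scheme}
    for name, value in (headers or {}).items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


if __name__ == "__main__":
    via_nginx = make_environ("127.0.0.1", {
        "X-Forwarded-Proto": "https", "X-Forwarded-Host": "server",
        "X-Forwarded-Prefix": "/app/authenticated-app"})
    print(external_url(via_nginx, "/getToken"))
    # -> https://server/app/authenticated-app/getToken
    print(external_url(make_environ("127.0.0.1"), "/getToken"))
    # -> http://localhost:6000/getToken  (the question's symptom: no forwarded headers)
    spoof = make_environ("10.0.0.5", {"X-Forwarded-Host": "evil.example",
                                      "X-Forwarded-Proto": "https"})
    print(external_url(spoof, "/getToken"))
    # -> http://localhost:6000/getToken  (headers from a non-proxy client are ignored)
```

Hardcoding the redirect URI in config, as the first answer does, is safe as well, since the value can no longer be influenced by request headers at all; the trade-off is one more setting to keep in step with the app registration and with every environment the app is deployed to.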

HAProxy public Jenkins webhook only

I want to allow Bitbucket access to my Jenkins callback [Private IP]:[PORT]/bitbucket-hook without making the entire port public (/login, /jobs, ...) via HAProxy.
Found it: you can use path_end to forward the request, or use reqirep to modify the path when the backend path differs from the frontend path.
    frontend http-in
        bind :444
        acl is-jenkin-callback path_end -i /bitbucket-hook
        use_backend jenkin-bitbucket-webhook if is-jenkin-callback
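The answer's fragment relies on HAProxy returning 503 for everything that does not match, and path_end also matches any path that merely ends in /bitbucket-hook. The configuration below is an added example, not the answer's own config, showing the same idea made explicit for HAProxy 2.x: match the hook path as a prefix, require POST, optionally pin the source addresses, and deny everything else before a backend is chosen. The certificate path, the source ranges and [Private IP]:[PORT] are placeholders; reqirep, which the answer mentions, was removed in HAProxy 2.1, so the path rewrite is shown with http-request set-path instead.

```haproxy
frontend http-in
    # the answer bound :444 in clear; the webhook carries repository data,
    # so terminate TLS here (placeholder certificate path)
    bind :444 ssl crt /etc/haproxy/certs/jenkins.pem

    # match the hook as a path prefix, not with path_end, so that
    # /login, /job/... or /anything/bitbucket-hook never match
    acl is_hook  path_beg -i /bitbucket-hook
    acl is_post  method POST
    # placeholder ranges (RFC 5737 documentation addresses); replace with the
    # egress addresses your Bitbucket instance actually uses
    acl from_bb  src 192.0.2.0/24 198.51.100.0/24

    # everything that is not a POST to the hook from an expected source is
    # refused before any backend is selected
    http-request deny deny_status 403 unless is_hook is_post from_bb
    use_backend jenkins-bitbucket-webhook if is_hook
    # deliberately no default_backend: nothing else reaches Jenkins

backend jenkins-bitbucket-webhook
    # if the public path differs from the one Jenkins serves, rewrite it here
    # (HAProxy 2.x syntax), e.g. public /hooks/bitbucket -> /bitbucket-hook:
    # http-request set-path %[path,regsub(^/hooks/bitbucket,/bitbucket-hook)]
    server jenkins [Private IP]:[PORT]
```

Check the result with a request to /login on port 444 (expect 403) and a POST to /bitbucket-hook/ from an allowed address (expect Jenkins' response); if Bitbucket's addresses are not stable enough to pin, drop the from_bb ACL and rely on the hook's own secret or on Jenkins-side validation instead.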

Logging in to private docker registry v2 behind haproxy

I am trying to set up a new Docker Registry (v2) with HAProxy. For the Docker Registry I am using the image from Docker Hub and running it with docker run -d -p 5000:5000 -v /path/to/registry:/tmp/registry registry:2.0.1. This is a subset of my HAProxy configuration:
    global
        chroot /var/lib/haproxy
        user haproxy
        group haproxy
        daemon
        tune.ssl.default-dh-param 2048
    userlist auth_list
        group docker_registry users root
        user root password ***PASSWORD***
    backend docker-registry
        server 127.0.0.1:5000_localhost 127.0.0.1:5000 cookie 127.0.0.1:5000_localhost
    frontend shared-frontend
        mode http
        bind *:80
        bind *:443 ssl crt *** CERT FILES ***
        option accept-invalid-http-request
        acl domain_d.mydomain.com hdr(host) -i d.mydomain.com
        acl auth_docker_registry_root http_auth(auth_list) root
        redirect scheme https if !{ ssl_fc } domain_d.mydomain.com
        http-request auth realm Registry if !auth_docker_registry_root { ssl_fc } domain_d.mydomain.com
        use_backend docker-registry if domain_d.mydomain.com
The important things to note are that I am using HAProxy to do SSL termination and HTTP auth rather than the registry.
My issue occurs when I try to log in to the new registry. If I run docker login https://d.mydomain.com/v2/ and then enter the user root and the password, I get the following error messages:
Docker Client:
FATA[0009] Error response from daemon: invalid registry endpoint https://d.mydomain.com/v2/: https://d.mydomain.com/v2/ does not appear to be a v2 registry endpoint. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry d.mydomain.com` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/d.mydomain.com/ca.crt
Docker Daemon:
ERRO[0057] Handler for POST /auth returned error: invalid registry endpoint https://d.mydomain.com/v2/: https://d.mydomain.com/v2/ does not appear to be a v2 registry endpoint. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry d.mydomain.com` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/d.mydomain.com/ca.crt
ERRO[0057] HTTP Error: statusCode=500 invalid registry endpoint https://d.mydomain.com/v2/: https://d.mydomain.com/v2/ does not appear to be a v2 registry endpoint. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry d.mydomain.com` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/d.mydomain.com/ca.crt
So I tried adding --insecure-registry d.mydomain.com to:
/etc/default/docker with DOCKER_OPTS= -H unix:///var/run/docker.sock --insecure-registry d.mydomain.com
the arguments when starting docker manually with docker -d --insecure-registry d.mydomain.com
Neither of these, nor any other I have found online, works. Each time, after restarting Docker and attempting to log in again, I get the same error message.
A few other things I have tried:
In a browser going to d.mydomain.com results in a 404
In a browser going to d.mydomain.com/v2/ results in: {}
Replacing https://d.mydomain.com/v2/ in the login command with all of these, with no success:
http://d.mydomain.com/v2/
d.mydomain.com/v2/
http://d.mydomain.com/
d.mydomain.com/
This setup with HAProxy doing the SSL termination and HTTP auth worked in the past using the first version of the registry and older versions of Docker. So has anything changed in Docker Registry v2? Does this still work? If it hasn't changed, why doesn't the --insecure-registry flag do anything anymore?
Also, I have been working on getting this working for a while, so I may have forgotten some of the things I have tried. If there is something that may work, let me know and I will give it a try.
Thanks,
JamesStewy
Edit
This edit has been moved to the answer below
I have got it working. So here is my new config:
haproxy.cfg
    global
        chroot /var/lib/haproxy
        user haproxy
        group haproxy
        daemon
        tune.ssl.default-dh-param 2048
    userlist auth_list
        group docker_registry users root
        user root password ***PASSWORD***
    backend docker-registry
        server 127.0.0.1:5000_localhost 127.0.0.1:5000 cookie 127.0.0.1:5000_localhost
    backend docker-registry-auth
        errorfile 503 /path/to/registry_auth.http
    frontend shared-frontend
        mode http
        bind *:80
        bind *:443 ssl crt *** CERT FILES ***
        option accept-invalid-http-request
        acl domain_d.mydomain.com hdr(host) -i d.mydomain.com
        redirect scheme https if !{ ssl_fc } domain_d.mydomain.com
        acl auth_docker_registry_root http_auth(auth_list) root
        use_backend docker-registry-auth if !auth_docker_registry_root { ssl_fc } domain_d.mydomain.com
        rsprep ^Location:\ http://(.*) Location:\ https://\1
        use_backend docker-registry if domain_d.mydomain.com
registry_auth.http
    HTTP/1.0 401 Unauthorized
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html
    Docker-Distribution-Api-Version: registry/2.0
    WWW-Authenticate: Basic realm="Registry"

    <html><body><h1>401 Unauthorized</h1>
    You need a valid user and password to access this content.
    </body></html>
The difference is that the http-request auth line has been replaced with use_backend docker-registry-auth. The backend docker-registry-auth has no servers, so it will always give a 503 error. But the 503 error file has been changed to registry_auth.http. In registry_auth.http the error code is overridden to 401, the header WWW-Authenticate is set to Basic realm="Registry", the basic HAProxy 401 error page is supplied and, most importantly, the header Docker-Distribution-Api-Version is set to registry/2.0.
As a result, this hacky work-around setup works exactly the same as the old http-request auth line, except that the custom header Docker-Distribution-Api-Version is now set. This allows this setup to pass the test which starts on line 236 of https://github.com/docker/docker/blob/v1.7.0/registry/endpoint.go.
So now when I run docker login d.mydomain.com, login is successful and my credentials are added to .docker/config.json.
The second issue was that I couldn't push to the new repository even though it logged in. This was fixed by adding the rsprep line in the frontend. What this line does is modify the Location header (if it exists) to turn all http:// into https://.
I also found this bit of documentation for future reference.
As a small clarification to the previous answer: I had to change this line:
WWW-Authenticate: Basic realm="Registry"
To this:
WWW-Authenticate: Basic realm="Registry realm"
and then everything worked...
BTW, hashing the password can be done using mkpasswd (part of the whois deb package).
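The errorfile trick above exists because the 401 generated by http-request auth could not carry an extra header in the HAProxy version of the time, and rsprep was needed because the registry emitted http:// Location headers for blob uploads. Both workarounds have direct replacements in HAProxy 2.2 and later, shown in this added configuration (it is not the poster's config, and the certificate files and password hash are placeholders): http-after-response rules also apply to responses HAProxy generates itself, including the auth 401, so the Docker-Distribution-Api-Version header can be added there, and the registry builds https:// Location headers by itself when it receives X-Forwarded-Proto from the proxy. rsprep and the errorfile backend are gone, and option accept-invalid-http-request from the original is deliberately left out, since it disables HAProxy's request sanity checks.

```haproxy
global
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048

userlist auth_list
    # "password" expects a crypt(3) hash (mkpasswd -m sha-512, as in the
    # comment above); "insecure-password" would store it in clear text
    user root password ***HASH***

frontend shared-frontend
    mode http
    bind *:80
    bind *:443 ssl crt *** CERT FILES ***

    acl is_registry req.hdr(host) -i d.mydomain.com
    acl authed      http_auth(auth_list)

    # never let credentials travel over plain HTTP
    http-request redirect scheme https code 301 if is_registry !{ ssl_fc }
    # HAProxy answers 401 + WWW-Authenticate: Basic realm="Registry" itself
    http-request auth realm Registry if is_registry !authed

    # tell the registry it is reached over TLS so that the Location headers
    # it returns for uploads are https:// already (replaces rsprep)
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    # the docker client probes /v2/ and expects this header on the 401;
    # http-after-response also runs on HAProxy's own generated responses,
    # so the separate errorfile backend is no longer needed (HAProxy 2.2+)
    http-after-response set-header Docker-Distribution-Api-Version registry/2.0 if { status 401 }

    use_backend docker-registry if is_registry

backend docker-registry
    server registry 127.0.0.1:5000
```

Verify with curl -si https://d.mydomain.com/v2/ (expect 401 with both headers) and curl -si -u root https://d.mydomain.com/v2/ (expect the registry's {} with a 200), then docker login d.mydomain.com; if the login still fails, compare the 401 you get against the one in registry_auth.http above, header by header.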

Make HAProxy forward requests to a hostname instead of an IP address

I have 3 virtual hosts on a single IP address: Host_a, Host_b and Host_c, all mapping to 192.168.1.10.
My HAProxy configuration is as follows:
    frontend http
        ...
        acl host_one path_end -i /ABC/application
        acl host_two path_end -i /XYZ/application
        acl host_three path_end -i /PQR/application
        use_backend be_host1 if host_one
        use_backend be_host2 if host_two
        use_backend be_host3 if host_three
    backend be_host1
        server channel Host_a
    backend be_host2
        server channel Host_b
    backend be_host3
        server channel Host_c
Now, for example, HAProxy forwards the request to 192.168.1.10/ABC/application in case it matches an incoming URL ending with /ABC/application. Is there a way I could forward it to http://Host_a/ABC/application instead? It is important for me that they use the hostname instead of its corresponding IP address.
The hostname is part of the HTTP request, and that means you can use the HAProxy option reqirep to set it to whatever you want.
reqirep ^Host: Host:\ Host_a
You can use this type of option in all three of your backends.
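The answer is right that the virtual host is selected by the Host header rather than by the address HAProxy connects to, but reqirep (and rsprep) were removed in HAProxy 2.1. The configuration below is an added example, not the answer's own, giving the same setup in current syntax: each backend sets the Host header the virtual host expects, and the server lines use the shared address so no DNS lookup of Host_a/Host_b/Host_c is needed when HAProxy starts. The port 80 is an assumption.

```haproxy
frontend http
    bind *:80
    # path_end also matches /anything/ABC/application; use path_beg or
    # an exact "path" match if the three applications live under fixed prefixes
    acl host_one   path_end -i /ABC/application
    acl host_two   path_end -i /XYZ/application
    acl host_three path_end -i /PQR/application
    use_backend be_host1 if host_one
    use_backend be_host2 if host_two
    use_backend be_host3 if host_three

backend be_host1
    # HAProxy 2.x replacement for: reqirep ^Host: Host:\ Host_a
    http-request set-header Host Host_a
    server channel 192.168.1.10:80

backend be_host2
    http-request set-header Host Host_b
    server channel 192.168.1.10:80

backend be_host3
    http-request set-header Host Host_c
    server channel 192.168.1.10:80
```

If the applications build absolute URLs or redirects from the Host header they receive, they will now see Host_a rather than whatever the client sent; add http-request set-header X-Forwarded-Host %[req.hdr(host)] before the rewrite if they need the original value.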
