I have a both a multi and single site Application Gateway with a Web App backend pool. Settings at the backend pool point to port 80 (http).
I am using a personal domain of example: www.mydomain.club and using either web host or DNS. When I enter www.mydomain.club into the browser, it resolves to https://mywebapp.azurewebsites.net:80 in the browser bar, with error message on page indicating that I cannot reach the site.
It seems like the DNS/host recognizes the domain resolving required, but tries push for port 443 (https), but indicates there is a port 80, while returning the web app address (even though I'm going through the application gate). If I restrict access the web app, I get a 401 error.
I have tried:
CNAME pointing to the DNS name for Application Gateway IP - mydns.eastus.cloudapp.azure.com
A recording using both # and WWW pointing to the Gateway IP.
Overriding the host name in the backend settings.
• As seen from the URL, i.e., ‘https://mywebapp.azurewebsites.net:80’, the Azure webapp website points to ‘HTTPS’ port 443 but you might have configured the webapp’s website incorrectly in the backend pool for ‘HTTP’ port 80. Due to which when you are trying to access the ‘www.mydomain.club’ domain name over the internet, it is redirecting you to the ‘https://mywebapp.azurewebsites.net:80’ URL as you have configured it so in the application gateway’s backend pool.
Thus, would suggest you to please reconfigure the ‘https://mywebapp.azurewebsites.net:80’ to only ‘https://mywebapp.azurewebsites.net’ in the application gateway’s backend pool. This will ensure that the website ‘www.mydomain.club’ is redirected correctly to the above said website only and the pages hosted in that webapp will be displayed correctly.
• Secondly, please do ensure that you have created an ‘A’ host record for ‘www’ in the public DNS zone for ‘mydomain.club’ domain which will ensure that the website is hosted on a publicly available IP address and domain name. Also, since you want the website domain name, i.e., ‘www.mydomain.club’ to be redirected to the application gateway URI/FQDN, i.e., ‘xyz.eastus.cloudapp.net’, then create a CNAME record for ‘www.mydomain.club’ address with the alias as ‘xyz.eastus.cloudapp.net’. This will ensure that when trying to access the domain name ‘www.mydomain.club’, it will be redirected to the application gateway’s URL and will be displaying the backend site web page accordingly as defined in the routing rules and the listener rules.
This will ensure that, you will not encounter 401 error when accessing the website DNS, i.e., ‘www.mydomain.club’ and it opens correctly.
Please find the below documentation link for more details: -
https://learn.microsoft.com/en-us/answers/questions/379193/application-gateway-with-a-custom-domain-name.html
Related
Requesting for some help here. Kind of stuck with a use case. We are trying to integrate OneLogin with our app via Spring security.
The entry point to our application is Azure App Gateway that routes the requests to load balancer further routing to the VMs where the service is deployed. Everything works fine if we DONOT override the hostname in Backend settings for any incoming request, leading to the App Gateway host only getting passed for every request. Here the App Gateway URL being set as the redirect URI in Spring security auth endpoint call.
The problem appears when the Apigee is used as the entry point to our application. Apigee routes the request to App Gateway routing it further to load balancer and VMs. Here, we DO have to override the host as Apigee host name in order to authenticate the client to the OneLogin server. The Apigee endpoint is set as the redirect URI in the Spring security auth endpoint call.
However, the server responds back with "possible CSRF detected - state parameter was required but no state could be found" error. Tried different possible solutions from other SO links to resolve this error like providing a session cookie name, but did not help. Our OneLogin server and client application are also in different domains.
The only thing that works here is when we DONOT override the hostname in Azure App Gateway Backend settings and pass the App Gateway URL as the redirect URI in auth endpoint call. But the problem is it shows the App Gateway URL in the user browser, which we do not want because in an ideal scenario, the user should see only the Apigee host in the browser url and not the App Gateway host. So, is there any way to re-route/redirect/override the URL to Apigee URL in Azure App Gateway settings without the call being made to Apigee endpoint. Just the user sees the Apigee url in the browser, but internally all calls are made to App Gateway endpoint only.
Or the other solution could be to prevent the CSRF issue when Apigee hostname is used as the redirect URL in the auth endpoint instead of App Gateway host. But not sure how to resolve that.
• In your scenario, when you are not overriding the hostname in the Azure application gateway backend settings and pass the ‘Application Gateway’ URL as redirect URL in the ‘Authorization endpoint call’, the application gateway URL is shown in the user’s browser which is not desired since the Apigee host redirects the authentication requests to the ‘App gateway’ endpoint.
Therefore, without the call to be made to the ‘Apigee’ endpoint, you can surely redirect it to the Apigee redirect URL in the Azure application gateway settings by configuring the ‘Rewrite URI rules’ in the gateway. These rewrite rules will check for any presence of configured URLs or specific paths and will therefore, change the original URI path to the new path configured. As a result, please follow the below given snapshots as steps for configuring the same as stated above: -
Thus, as shown above, you can configure the ‘Rewrite rules’ in a ‘Standard V2’ SKU application gateway for redirecting response requests of ‘authorization endpoint call’ from application gateway URL to the Apigee endpoint hostname configured. In this way, when the application gateway URL is shown in the browser, it will be rewrited to the apigee endpoint hostname’s URL in the browser and accordingly the user at the receiving end will be able to see the Apigee endpoint hostname as a result fulfilling your requirement.
For more details regarding the above, kindly refer the below link: -
https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#modify-a-redirection-url
I'm building an application in a device (Point of Sale) and for this I need to use OAuth servers to authenticate a webservice request, the guys on the side of the webservice are now asking me for a redirect URI, I do not have any experience on this so I started googling around 'redirect URI's, so now I wonder, given that this app works on a device (not on cloud), is there a way I can use my own device as the redirect URI and catch the webservice response there (such as the JSON)?
Extra info it might work (or not): In my office we all use DHCP but we have a configurable server.
Thank you.
It is possible to redirect to your own device if it is running its own web server.
This is because the redirect URI is passed back to the requesting client's browser which performs the redirect as shown in the diagram below from this tutorial. From there the browser can redirect to a local device's web server using the following approaches:
Use localhost or the 127.0.0.1 loopback IP for the redirect URI. This will work in the client's browser but not all services may allow registering a redirect URL to localhost or 127.0.0.1.
Use an external host which is mapped to the local system. On a Linux system, this can be configured by placing the hostname the /etc/hosts file and pointing it to the local system loopback IP address, e.g. 127.0.0.1. This can point to a real server on the Internet which is just redirected on the local system so this approach can be used with any service.
An example /etc/hosts file can contain a hostname like example.com which is then used in the redirect URI.
127.0.0.1 localhost example.com
Read more about localhost and the loopback IP address on Wikipedia:
https://en.wikipedia.org/wiki/Localhost
Diagram courtesy of TutorialsPoint.com.
We're looking to use Application Gateway as a frontend\proxy for a website we host onsite. The website has a public IP but we'd like to restrict access to the site to only traffic coming from the Application Gateway. Is there a way to determine what IP the traffic would be coming from as it exits Azure? Is it like other Azure traffic where it could come from any IP subnet they have assigned to that specific region? I haven't seen this question asked and it's not directly referenced in any of MS documentation that I can find.
Thanks!
Not sure why you want to restrict access to the site to only traffic coming from the Application Gateway because if you configure it and add the website in the backend of Application Gateway. The traffic from a client will always reach the website through the Application gateway as the Application Gateway works as an application proxy by accepting traffic and based on rules that are defined with it, routes the traffic to the appropriate back-end instances.
You may want to know to restrict access on the application gateway subnet via NSG. Then the inbound or outbound traffic in the Application Gateway subnet will be filtered via NSG.
Network Security Groups (NSGs) are supported on the application
gateway subnet with the following restrictions:
Exceptions must be put in for incoming traffic on ports 65503-65534
for the Application Gateway v1 SKU and ports 65200 - 65535 for the v2
SKU. This port-range is required for Azure infrastructure
communication. They are protected (locked down) by Azure certificates.
Without proper certificates, external entities, including the
customers of those gateways, will not be able to initiate any changes
on those endpoints.
Outbound internet connectivity can't be blocked.
Traffic from the AzureLoadBalancer tag must be allowed.
Hope this will help, let me know if you have any other concerns.
Update
If you just want to whitelist the Azure service on the firewall, you can read the Azure Datacenter IP Ranges. You can figure out which datacenters your service are located in then narrow down the IP ranges.
I've created a Asp.Net Core 2.1 Web App with a MySql db running on Ubuntu 16.04.
I've followed the basic tutorial from Microsoft docs to setup Google OAuth and it works perfectly when I run it locally in debug. However it does not seem to work when I try to access it from a ddns url, I don't get the Google signin page. My environment looks like this:
Web app locally on a laptop at home behind my router. Nginx setup to forward traffic on port 80 to the web app: All port 80 traffic routed to http://localhost:5000
Router setup with no-ip ddns and port forwarding to for all traffic from http://a.ddns.net:8081 to the local laptop on port 80
I have to note here that without Google OAuth everyting works and I get to my web app.
When I try to access the app from a.ddns.net:8081 it opens the Login page but when I click on "Sign in with Google", I got a few errors, one was that the Authorized Redirect URI was not the same as the one saved on my account. I played around with a few variations and got to a point where I get a 500 Internal server error, I don't know where this is happening?
Can anybody help with my setup? Is it just my Authorized Redirect URI that is wrong or is it something else?
Thanks
Update:
This is what my OAuth settings look like. I did not orignally have an Authorized Javascript origin, just added that now:
If I have a link in an MVC application hosted on Azure:
Call web service
At the moment we are having difficulty connecting to the URL, which is a SOAP web service. We get an error 'site cannot be reached'.
Just to rule something out - what IP address would the service see this request coming from - my local (browser) or the server?
The request would come from your IP.