I'm running an ASP.NET MVC website hosted on Azure and using Traffic Manager as a load balancer, so users can visit the website not only by the custom domain, like foobar.yourcompany.com, but also by the endpoint provided by Azure Traffic Manager, like foobar.trafficmanager.net. So can search engine crawlers.
Is there any feasible solution to hide the Traffic Manager endpoint from crawlers and expose the custom domain endpoint?
P.S. I know robots.txt.
If you set up your app to return an HTTP 301 permanent redirect to your custom domain when accessed over the Traffic Manager domain, it should stop it from showing up in search results. As far as I know, you can't fully disable the TM domain. Similarly, you can't fully disable the App Service domains.
So e.g. if your app gets a request for:
http://foobar.trafficmanager.net/foo/bar
Redirect it with an HTTP 301 to:
http://foobar.yourcompany.com/foo/bar
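The redirect described in this answer, sketched as ASP.NET Core middleware. This is an added example, not code from the original post; it assumes ASP.NET Core rather than classic ASP.NET MVC, and the class name and the hard-coded host lists are hypothetical. The target host comes from a fixed constant rather than from the incoming Host header, so a forged header cannot steer the redirect to another site.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Extensions;

public sealed class CanonicalHostMiddleware
{
    // Assumed values taken from the example host names in the question.
    private const string CanonicalHost = "foobar.yourcompany.com";
    private static readonly HashSet<string> AliasHosts =
        new(StringComparer.OrdinalIgnoreCase) { "foobar.trafficmanager.net" };

    private readonly RequestDelegate _next;

    public CanonicalHostMiddleware(RequestDelegate next) => _next = next;

    public Task InvokeAsync(HttpContext context)
    {
        string? target = GetRedirectTarget(context.Request);
        if (target is null)
        {
            // Canonical host or a host we do not know: serve normally.
            return _next(context);
        }

        // permanent: true produces a 301 with a Location header.
        context.Response.Redirect(target, permanent: true);
        return Task.CompletedTask;
    }

    // Returns the canonical URL for requests that arrived on an alias host,
    // or null when no redirect is needed.
    public static string? GetRedirectTarget(HttpRequest request)
    {
        // HostString.Host is the host name without the port.
        if (!AliasHosts.Contains(request.Host.Host))
        {
            return null;
        }

        // Keep scheme, path and query; replace only the host.
        return UriHelper.BuildAbsolute(
            request.Scheme,
            new HostString(CanonicalHost),
            request.PathBase,
            request.Path,
            request.QueryString);
    }
}
```

Register it early in the pipeline with app.UseMiddleware<CanonicalHostMiddleware>() so the redirect is issued before any page is rendered.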
Related
Google's CloudRun is capable of redirecting http to https without any configuration. I was not able to find any solution that would instruct CloudRun to respond 301 Permanent Redirect to all non-www requests.
I was able to instruct CloudRun to handle both www and non-www but without redirection.
I am familiar with how to set up the required logic with nginx and a traditional server. I could also do this in the application itself but since CloudRun is a serverless product, it would be better to handle this state before the app is even invoked.
Thank you.
When you reach Cloud Run, you first land on the GFE (Google Front End). This layer ensures the security (if you set your Cloud Run service in no-allow-authenticated mode), performs DDoS mitigation at Google grade, exposes and manages the SSL certificates, routes the request to the correct services, and so on. So, that is a lot of work for this layer, but you can't customize it.
If you want to add customization, you have to add a new layer, an HTTPS Global Load Balancer. Now you can define serverless NEG backends to reach serverless products (Cloud Run, Cloud Functions, App Engine).
It doesn't offer as much customization as an NGINX managed by yourself, but you can do more things.
I currently have a website (single domain) hosted on several servers.
We use a load balancer to redirect traffic to the servers accordingly.
Currently we have a simple tech stack based on ASP.net and C#.
We would like to migrate our website progressively (feature by feature) to another tech stack based on React.
Knowing that we would like to keep our single domain, users should be redirected to a server or another depending on the path in the URL. For example homepage will be built on ASP.net, Feature 1 on React and Feature 2 on ASP.net.
I was wondering if we could use an Azure load balancer (or Elastic Load Balancer if Azure cannot do it) to redirect traffic to one or the other tech stack depending on the incoming request.
For example:
- www.mywebsite.com will redirect to tech stack 1 based on .net
- www.mywebsite.com/feature1 will redirect to tech stack 2 based on React
- www.mywebsite.com/feature2 will redirect to tech stack 1
To go further, I was also wondering if on top of that I could use a central load balancer and 2 internal load balancers.
The public load balancer will capture all the requests. One internal load balancer will be for tech stack 1 and the other one for tech stack 2. The central load balancer will redirect the traffic to the internal load balancers following the same principles as mentioned above.
For example:
- www.mywebsite.com will redirect to Load Balancer 1
- www.mywebsite.com/feature1 will redirect to Load Balancer 2
- www.mywebsite.com/feature2 will redirect to Load Balancer 1
This looks like a nice fit for an Azure Application Gateway. Basically, have the application gateway accept all the calls and route to different backends based on the path in the request.
https://learn.microsoft.com/en-us/azure/application-gateway/url-route-overview
I have an ASP.NET Core MVC API hosted in an Azure App Service. The API has several endpoints. Is it possible to expose only one of the endpoints to the internet, but keep the rest of the endpoints locked down and only consumable by clients from restricted IP ranges?
You could write a custom middleware that blocks requests that are not part of a set of whitelisted IPs (using HttpContext.Connection.RemoteIpAddress). To allow certain endpoints, you could tag your controllers / methods with a custom attribute and skip the IP check for them.
Here is an example of how you can implement the middleware.
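One way to build the middleware this answer describes, as an added example that is not the code the original post linked to. It assumes ASP.NET Core on .NET 8 or later (for System.Net.IPNetwork); AllowAnyIpAttribute, IpAllowlistOptions and the 203.0.113.0/24 range are hypothetical names and a constructed documentation range.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Hypothetical marker attribute: controllers/actions carrying it skip the IP check.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AllowAnyIpAttribute : Attribute { }

// Hypothetical options type; the default range is a constructed placeholder.
public sealed class IpAllowlistOptions
{
    public string[] Cidrs { get; set; } = { "203.0.113.0/24" };
}

public sealed class IpAllowlistMiddleware
{
    private readonly RequestDelegate _next;
    private readonly IPNetwork[] _allowed;

    public IpAllowlistMiddleware(RequestDelegate next, IpAllowlistOptions options)
    {
        _next = next;
        _allowed = options.Cidrs.Select(c => IPNetwork.Parse(c)).ToArray();
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // Endpoint metadata exists only after UseRouting() has run. A request
        // that matched no endpoint is treated as restricted (fail closed).
        bool open = context.GetEndpoint()?
            .Metadata.GetMetadata<AllowAnyIpAttribute>() != null;

        if (!open && !IsAllowed(context.Connection.RemoteIpAddress))
        {
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }
        await _next(context);
    }

    public bool IsAllowed(IPAddress? remote)
    {
        if (remote is null) return false;   // no address available: deny
        // Dual-stack sockets report IPv4 clients as ::ffff:a.b.c.d.
        if (remote.IsIPv4MappedToIPv6) remote = remote.MapToIPv4();
        return _allowed.Any(net => net.Contains(remote));
    }
}
// Registration, after routing:
//   app.UseRouting();
//   app.UseMiddleware<IpAllowlistMiddleware>(new IpAllowlistOptions());
```

When the app sits behind a reverse proxy, RemoteIpAddress is the proxy's address unless forwarded headers are processed, and those headers should be accepted only from proxies you trust, otherwise a client can claim any source address.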
or must it be on the same server as the app calling it? I am new to web api so I am going through some tutorials, but they all assume the web api is part of the mvc app. Also, they show the calls to the api being done with javascript, but I want to make the calls in my MVC app controller. Is this possible?
You can host a Web API anywhere.
The only special thing to take into account when the Web API isn't on the same server as the web site that uses it is that, by default, the Web API doesn't accept requests from a different domain. For example, if the web site is in "server1.com" and the Web API in "server2.com", then the calls to the Web API from the web server will be rejected.
If this is the case, you need to configure the Web API server to enable CORS (cross origin resource sharing), so that it accepts requests from a different domain. If you want more info about this, please look at this document:
Enabling Cross-Origin Requests in ASP.NET Web API 2
The Web Api can live wherever you want it to. It is typical to see a limited API used mostly to handle AJAX for the MVC application live with the MVC application, mostly because it makes it simpler to construct URLs to the endpoints. If you host the Web Api externally, then you'll have to hardcode the API endpoint URLs, as there's no way to use something like Url.Action to generate them automatically, any more. Regardless, it's a perfectly acceptable way to handle things.
You will probably at least want to add the base URL for the Web Api as an app setting in your Web.config, though. That way, you don't end up with hardcoded references to a particular domain strewn all about your app. That makes moving your Web Api to a different domain much easier, especially when talking about going from development to production.
It is also entirely possible to use a Web Api within your actual controller actions. You'll just need to use something like HttpClient to connect to it and issue requests.
I want to build my web services serving JSON data utilizing RESTful architecture.
But I want only my own client apps to be able to request from my web services.
Basically, my web services contain sensitive data that is not for public consumption, but I wanted to build it that way so I can build many different client apps that connect to my web service.
Would appreciate any ideas for this, thanks.
The fact that it's RESTful or uses JSON isn't a relevant factor when it comes to securing a web service. Any web service would need to be secured in the same manner. There are a few things you should do:
- If possible, don't host your web service on the Internet. If the web service is hosted within your company's LAN, for example, it won't be exposed to public consumption unless you specifically exposed it through your router.
- Set up authentication and authorization rules. If you're hosting your web service inside of a Windows domain, you could simply use Windows authentication and set up rules based on Active Directory users and groups. Other options are to use HTTP authentication, client certificate authentication, or if you're developing in .NET, forms authentication.
- Use encryption (HTTPS), especially if your web site is hosted on the Internet.
You just need a couple things in place to do this. First, the service client will need to authenticate against your service (over HTTPS) to make a request. Once the client is authenticated, you can return a private token which the client has to include with this token. As long as the token expires after a reasonable amount of time, and a secure algorithm is used to generate it, this should do what you want.
If you have more strict security requirements, you can follow Jakob's suggestion, or have the client start a VPN session prior to making requests.