Reputation: 319
I'm trying to lock down access to my Azure Web App by following the instructions here - https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-backend-to-only-azure-front-door.
The first step I did through the Azure Portal, but I'm unsure where to do the second step (filter on the values for the incoming header 'X-Forwarded-Host'). Is it through the portal, through Host Filtering in the app itself, or through a WAF?
Upvotes: 4
Views: 5517
Reputation: 3041
Since March 2020, Azure Front Door sends an X-Azure-FDID header with a value unique to your Front Door instance.
I wrote a detailed blog post about how to utilize that in restricting access to your web app: https://henrihietala.fi/limit-access-to-your-azure-web-app-from-your-azure-front-door-only/
Upvotes: 3
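The X-Azure-FDID check described in the answer above, written as ASP.NET Core middleware. This is an added example, not code from the answer or the linked blog post; the class name and the configuration key `FrontDoor:Id` are assumptions, and the check is meant to sit behind the IP restriction from the first step of the FAQ.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;

public class FrontDoorIdMiddleware
{
    private readonly RequestDelegate _next;
    private readonly byte[] _expectedId;

    public FrontDoorIdMiddleware(RequestDelegate next, IConfiguration configuration)
    {
        _next = next;
        // "FrontDoor:Id" is a hypothetical configuration key holding your Front Door ID.
        var id = configuration["FrontDoor:Id"];
        if (string.IsNullOrWhiteSpace(id))
        {
            // Fail closed rather than run with no check at all.
            throw new InvalidOperationException("FrontDoor:Id is not configured.");
        }
        _expectedId = Encoding.ASCII.GetBytes(id.Trim().ToLowerInvariant());
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var values = context.Request.Headers["X-Azure-FDID"];
        // Exactly one value is expected; a missing or repeated header is rejected.
        if (values.Count != 1 || !Matches(values.ToString()))
        {
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }
        await _next(context);
    }

    private bool Matches(string presented)
    {
        var bytes = Encoding.ASCII.GetBytes(presented.Trim().ToLowerInvariant());
        // Compare without leaking how many leading characters matched;
        // FixedTimeEquals returns false when the lengths differ.
        return CryptographicOperations.FixedTimeEquals(bytes, _expectedId);
    }
}
```

Register it with `app.UseMiddleware<FrontDoorIdMiddleware>()` ahead of the components that serve content, so rejected requests never reach them.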
Reputation: 319
I ended up just adding some middleware to do this:
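```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;

public class XForwardedHostMiddleware
{
    private readonly RequestDelegate _next;

    public XForwardedHostMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task InvokeAsync(HttpContext context, IHostingEnvironment environment, IConfiguration configuration)
    {
        // Front Door sets X-Forwarded-Host to the host name the client originally requested.
        var forwardedHost = context.Request.Headers["X-Forwarded-Host"].ToString();
        if (!string.Equals(forwardedHost, "ex.ample.com", StringComparison.OrdinalIgnoreCase))
        {
            // Reject with 403 instead of returning "Blocked" with a 200 status.
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            await context.Response.WriteAsync("Blocked");
        }
        else
        {
            await _next(context);
        }
    }
}
```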
Upvotes: 2
Reputation: 28244
As the link you provided says, the incoming header X-Forwarded-Host is sent by Front Door. Front Door Service includes headers from an incoming request unless removed because of restrictions. Front Door also adds the following headers:
Read more details here.
Upvotes: 0
Reputation: 59
Well, App Service itself does not provide any service for restricting access on the basis of header values. App Service can only filter traffic on IP address.
Upvotes: 1