Jeff Sanders Technical Blog

I am a Microsoft employee who has worked on all aspects of the Web Stack for a long time. I hope these blogs are useful to you! Use this information at your own risk.



Azure App Service Deny Or Allow Http Verbs

- 07 Aug 2019

You may want to restrict which HTTP verbs your web apps in Azure App Service accept. The way you do this is really no different from how you would do it for the same web servers on premises or in a VM!

## Windows based Web Apps

This is super simple! Just add the request filtering rules you wish to apply to your web.config. For example, to reject everything except GET, POST and HEAD you can add this entry (or update it if it already exists):

```xml
<!-- goes inside <system.webServer><security><requestFiltering> in web.config -->
<verbs allowUnlisted="false">
  <add verb="GET" allowed="true" />
  <add verb="POST" allowed="true" />
  <add verb="HEAD" allowed="true" />
</verbs>
```

Reference for these settings: IIS Request Filtering – Verbs

You can do this temporarily by editing the file in Kudu, but the change should be part of your project so that deploying a new version does not overwrite it!

## Linux based Web Apps

Again, very easy once you realize we are simply hosting a web server for you. For Linux based Web Apps we host your code in a Docker container, so you configure that container just like you would anywhere else. For example, when running PHP the image uses Apache, so you add the directives to Apache just like you would anywhere else.

## PHP

You can run a custom startup script like I detail here: <http://jsandersblog.azurewebsites.net/2019/08/06/custom-startup-script-for-php-azure-app-service-linux/>

Specifically, to restrict the allowed verbs you can use the Rewrite engine. Follow the instructions for the script file but use this for the contents:

```shell
# Append the verb filter to the Apache config, then start Apache in the foreground.
echo 'RewriteEngine On' >> /etc/apache2/apache2.conf
# Any request whose method is not GET, POST or HEAD ...
echo 'RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)' >> /etc/apache2/apache2.conf
# ... is answered with 405 Method Not Allowed and no further rewriting.
echo 'RewriteRule .* - [R=405,L]' >> /etc/apache2/apache2.conf
/usr/sbin/apache2ctl -D FOREGROUND
```

#### Step by Step

Go to the SSH console of your Azure App Service.

[image](/assets/images/2019/08/image.png)

Change to the /home directory and create a startup.sh file. Put the lines above in the file (using vim, for example) and save it. This is what the startup file should look like:

```
root@6a6fb0697cf0:/home# cat startup.sh
echo 'RewriteEngine On' >> /etc/apache2/apache2.conf
echo 'RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)' >> /etc/apache2/apache2.conf
echo 'RewriteRule .* - [R=405,L]' >> /etc/apache2/apache2.conf
/usr/sbin/apache2ctl -D FOREGROUND
root@6a6fb0697cf0:/home#
```

Then set this as the startup script in the general settings and save:

[image](/assets/images/2019/08/image-1.png)

## Node

For Node, the easiest way to accomplish this without having to create your own custom container is to simply do this in your code:
```javascript
const http = require('http');
const allowedMethods = ['GET', 'HEAD', 'POST'];

function onrequest(req, res) {
  if (!allowedMethods.includes(req.method)) {
    // res.end() takes a body, not a status: set 405 and advertise the allowed verbs
    res.statusCode = 405;
    res.setHeader('Allow', allowedMethods.join(', '));
    return res.end('Method Not Allowed');
  }
  // ... normal request handling
}

http.createServer(onrequest).listen(process.env.PORT || 8080);
```
## WordPress/Drupal

For WordPress/Drupal, we allow you to add a custom nginx configuration in the /home/ folder. Add this block to the server -> location directive (note that in nginx allowing GET also allows HEAD, and that `deny all` answers the blocked verbs with 403 rather than 405):

```nginx
limit_except GET POST HEAD {
    deny  all;
}
```

## Java

Modify your application web.xml and add a security-constraint. With Servlet 3.0 or later, `http-method-omission` lists the verbs the constraint does not cover, so this constraint applies to every method except GET and POST and reserves those methods for the admin role:

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted-verbs</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method-omission>GET</http-method-omission>
    <http-method-omission>POST</http-method-omission>
  </web-resource-collection>
  <auth-constraint>
    <!-- an empty <auth-constraint/> would reject the other verbs for everyone -->
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
```

## Other environments

Similarly you would modify any of the other stacks, substituting the appropriate commands for the web server the image uses. The current images are stored here: <https://github.com/Azure-App-Service?q=template>

You need to find your image and then, based on that image type, add the commands in your code to deny the verbs you wish. For example, Ruby: <https://github.com/Azure-App-Service/ruby-template>

You can find the supported versions in master.json: <https://github.com/Azure-App-Service/ruby-template/blob/master/blessedImageConfig-master.json>

Let's say you want to use the 2.3.8 version, which you can see is there. This is running Ruby on Rails, so look up that environment and implement the filtering in your code. In this example you can use the request object: [https://edgeguides.rubyonrails.org/action_controller_overview.html#the-request-and-response-objects](https://edgeguides.rubyonrails.org/action_controller_overview.html#the-request-and-response-objects) and look at the method. You would probably want to do this in your application controller to catch all the requests: [https://guides.rubyonrails.org/action_controller_overview.html](https://guides.rubyonrails.org/action_controller_overview.html)

## Custom image option

Finally, you can also take any of the blessed images we use for these stacks, fork the container and configure it appropriately: <https://docs.microsoft.com/en-us/azure/app-service/containers/app-service-linux-faq#built-in-images>

Let me know if you used this successfully!
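The Ruby section above leaves the verb check to your own code. Here is an added example, not from the original post and not a Rails API, of that check written as a Rack middleware: Rails applications are Rack applications, so one middleware covers every controller instead of a before_action in each. The class name `AllowedMethods`, the `DOWNSTREAM` stand-in application and the `filtered_status` helper are names chosen for this example; the 405 response carries the `Allow` header that RFC 7231 requires.

```ruby
# Added example: Rack middleware that rejects any request whose HTTP method is
# not on an allow list. Works with plain Ruby; no gems are needed to run it.
class AllowedMethods
  DEFAULT_ALLOWED = %w[GET POST HEAD].freeze

  # app: the next Rack application; allowed: method names (any case)
  def initialize(app, allowed = DEFAULT_ALLOWED)
    @app = app
    @allowed = allowed.map(&:upcase).freeze
  end

  # Exact, case-sensitive comparison: "get" or "GETX" must not match GET.
  def allowed?(method)
    @allowed.include?(method)
  end

  def call(env)
    method = env['REQUEST_METHOD'].to_s
    return @app.call(env) if allowed?(method)

    body = 'Method Not Allowed'
    [405,
     { 'content-type' => 'text/plain',
       'content-length' => body.bytesize.to_s,
       'allow' => @allowed.join(', ') },
     [body]]
  end
end

# Constructed stand-in for the downstream application (hypothetical, not a real app).
DOWNSTREAM = ->(env) { [200, { 'content-type' => 'text/plain' }, ["handled #{env['REQUEST_METHOD']}"]] }

# Run one constructed request through the middleware and return the Rack triple.
def filtered_status(method, allowed = AllowedMethods::DEFAULT_ALLOWED)
  stack = AllowedMethods.new(DOWNSTREAM, allowed)
  stack.call({ 'REQUEST_METHOD' => method, 'PATH_INFO' => '/' })
end

if __FILE__ == $PROGRAM_NAME
  %w[GET HEAD POST PUT DELETE TRACE OPTIONS].each do |m|
    status, headers, = filtered_status(m)
    puts format('%-7s -> %d %s', m, status, headers['allow'] || '')
  end
end
```

In a Rails app this would be registered from config/application.rb with `config.middleware.use AllowedMethods, %w[GET POST HEAD]`, which is the documented Rails way to add a Rack middleware with arguments; a request rejected here never reaches routing or a controller.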