Overview

You may want to restrict which HTTP verbs you allow for your web apps in Azure App Service.  The way you do this is really no different from how you would do it for the same web servers on premises or in a VM!

Windows based Web Apps

This is super simple!  Just add the rules you wish to apply to the web.config.  For example, to block every verb except GET and POST you can add this entry (or update it if it already exists; the entry below also allows HEAD):

<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- allowUnlisted="false": any verb not listed below is rejected by IIS -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
          <add verb="HEAD" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

Reference for these settings: IIS Request Filtering – Verbs <verbs>

You can do this temporarily by editing the file in Kudu, but it should be part of your project so that deploying a new version does not overwrite your change!

Linux based Web Apps

Again, very easy once you realize we are simply hosting a Web Server for you.  For Linux based Web Apps we are hosting your code in a Docker Container.  You simply need to configure that container just like you would anywhere else.

For example when running PHP the image uses Apache so you simply add the commands to Apache just like you would anywhere else.

PHP

You can run a custom startup script as I detail here: http://jsandersblog.azurewebsites.net/2019/08/06/custom-startup-script-for-php-azure-app-service-linux/  Specifically, to set the allowed HTTP methods you can use the Rewrite engine.

Follow the instructions for the script file but use this for the contents:

# Append mod_rewrite rules that answer every method except GET, POST and HEAD with 405.
# Single quotes keep the shell from touching '!' or '$'; the trailing '$' anchors the
# pattern so only exact method names match.
echo 'RewriteEngine On' >> /etc/apache2/apache2.conf
echo 'RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$' >> /etc/apache2/apache2.conf
echo 'RewriteRule .* - [R=405,L]' >> /etc/apache2/apache2.conf

# Start Apache in the foreground, as the image's own startup does
/usr/sbin/apache2ctl -D FOREGROUND

Step by Step

Go to the SSH console of your Azure App Service.


Change to the /home directory and create a startup.sh file.

Put this in the file (using vim, for example) and save it.  This is what the startup file should look like:

root@96a1004e60a7:/home# cat startup.sh
echo 'RewriteEngine On' >> /etc/apache2/apache2.conf
echo 'RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$' >> /etc/apache2/apache2.conf
echo 'RewriteRule .* - [R=405,L]' >> /etc/apache2/apache2.conf

/usr/sbin/apache2ctl -D FOREGROUND
root@96a1004e60a7:/home#

Then set this as the startup script in the general settings and save.


Node

For Node, the easiest way to accomplish this without having to create your own custom container is to simply do this in your code (note that res.end() does not take a status code, so the status and the Allow header are set on the response first):

const http = require('http');
const allowedMethods = ['GET', 'HEAD', 'POST'];

function onrequest(req, res) {
  if (!allowedMethods.includes(req.method)) {
    // Reject anything not in the list with 405 and tell the client what is allowed
    res.statusCode = 405;
    res.setHeader('Allow', allowedMethods.join(', '));
    return res.end('Method Not Allowed');
  }
  // ... normal request handling
}

http.createServer(onrequest).listen(process.env.PORT || 8080);

WordPress/Drupal

For WordPress/Drupal, we allow you to add a custom nginx configuration in the /home/ folder. Add this inside the server -> location directive:

limit_except GET POST HEAD {
    deny  all;
}

Java

Modify your application's web.xml and add this.  Note that listing methods in http-method would constrain only those methods and leave all the others open, so the methods to keep are listed in http-method-omission (Servlet 3.0+) and the empty auth-constraint denies everything else:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted HTTP methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- The constraint applies to every method EXCEPT the ones omitted here -->
    <http-method-omission>GET</http-method-omission>
    <http-method-omission>POST</http-method-omission>
  </web-resource-collection>
  <!-- An empty auth-constraint means no role may access: other methods are denied -->
  <auth-constraint/>
</security-constraint>

Other environments

Similarly you would modify any of the other stacks, substituting the appropriate commands based on the web server the image uses.

The current images are stored here: https://github.com/Azure-App-Service?q=template

You need to find your image and then, based on that image type, simply add the commands in your code to deny the methods you wish.

For example:  Ruby  https://github.com/Azure-App-Service/ruby-template

You can find in master.json the versions supported:

https://github.com/Azure-App-Service/ruby-template/blob/master/blessedImageConfig-master.json

Let’s say you want to use the 2.3.8 version, as you see it is there.  This is running Ruby on Rails, so look up that environment and implement the filtering in your code.  In this example you can use the request object:

https://edgeguides.rubyonrails.org/action_controller_overview.html#the-request-and-response-objects

and look at the request's method.

You would probably want to do this in your application controller to catch all the requests:

https://guides.rubyonrails.org/action_controller_overview.html
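Since the post only points at the Rails guides for this stack, here is an added example (mine, not code from the post or the ruby-template project) written as a Rack middleware that a Rails app can mount with config.middleware, an alternative to the before_action in ApplicationController suggested above; the MethodFilter name, the allowed list and the sample app are my own assumptions.

```ruby
# Added example, not from the post: a Rack-style middleware that answers every
# HTTP method except the allowed ones with 405 and an Allow header. In a Rails
# app mount it with `config.middleware.use MethodFilter` in config/application.rb
# (an alternative to a before_action in ApplicationController). Only the Rack
# calling convention is used, so no gem is needed to run this file.
class MethodFilter
  ALLOWED = %w[GET HEAD POST].freeze

  def initialize(app, allowed: ALLOWED)
    @app = app
    @allowed = allowed.map(&:upcase).freeze
  end

  def call(env)
    method = env['REQUEST_METHOD'].to_s.upcase
    # Whole-string comparison, so a made-up method such as "GETX" is rejected too
    return @app.call(env) if @allowed.include?(method)

    body = 'Method Not Allowed'
    [405,
     { 'content-type' => 'text/plain',
       'content-length' => body.bytesize.to_s,
       'allow' => @allowed.join(', ') },
     [body]]
  end
end

# Constructed stand-in for the real application: echoes the method it received.
SAMPLE_APP = ->(env) { [200, { 'content-type' => 'text/plain' }, ["ok #{env['REQUEST_METHOD']}"]] }

# Runs one constructed request through the filter; returns [status, Allow header].
def filtered_status(method, path = '/')
  app = MethodFilter.new(SAMPLE_APP)
  status, headers, _body = app.call('REQUEST_METHOD' => method, 'PATH_INFO' => path)
  [status, headers['allow']]
end

if __FILE__ == $PROGRAM_NAME
  %w[GET POST HEAD PUT DELETE TRACE GETX].each do |m|
    puts "#{m.ljust(6)} -> #{filtered_status(m).first}"
  end
end
```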

Custom image option

Finally, you can also take any of the blessed images we use for these stacks, fork the container and configure it appropriately:

https://docs.microsoft.com/en-us/azure/app-service/containers/app-service-linux-faq#built-in-images

Let me know if you used this successfully!
