This repository has been archived by the owner on Dec 23, 2018. It is now read-only.

Add Kudu for Microsoft Azure to default whitelist #115

Open
kevinoid opened this issue Oct 10, 2018 · 1 comment

@kevinoid

Attempting to access Advanced tools (Kudu) for an App Service (or Function running in an App Service) from the Azure Portal fails and lands on a page with "Error 403 - This web app is stopped." when Smart Referer is enabled with default settings.

The request chain is as follows:

302 GET https://appname.scm.azurewebsites.net/
200 GET https://login.microsoftonline.com/common/oauth2/authorize?...
403 POST https://waws-prod-bay-111.sso.azurewebsites.net/

Adding login.microsoftonline.com>*.sso.azurewebsites.net changes the request chain to:

302 GET https://appname.scm.azurewebsites.net/
200 GET https://login.microsoftonline.com/common/oauth2/authorize?...
200 POST https://waws-prod-bay-111.sso.azurewebsites.net/
403 POST https://appname.scm.azurewebsites.net/

Additionally adding *.sso.azurewebsites.net>*.scm.azurewebsites.net permits Kudu to open correctly.

As far as I know, *.sso.azurewebsites.net is only used as part of the sign-in process (Single Sign On) and *.scm.azurewebsites.net for hosting Kudu, so it should be reasonably safe for a default whitelist. However, I'm not an Azure expert or insider so there may be other uses I am unaware of.

Let me know if there is any additional information I can provide.

Thanks,
Kevin
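
The two exception rules proposed above, evaluated hop by hop in an added example (not part of the original issue and not Smart Referer's own code). The wildcard semantics, the exact-host comparison and the referring host of each hop are assumptions, the latter inferred from the rule pairs.

```javascript
// Models the "source>destination" exception rules from this issue.
// Assumptions (not taken from Smart Referer's code): "*" matches any run of
// characters in a host name, and a cross-host hop with no matching rule has
// its Referer rewritten. Hosts are compared exactly, which is a simplification.

function globToRegExp(glob) {
  // Escape regex metacharacters except "*", then turn "*" into ".*".
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$", "i");
}

function parseRules(lines) {
  return lines.map((line) => {
    const [src, dst] = line.split(">").map((s) => s.trim());
    return { line, src: globToRegExp(src), dst: globToRegExp(dst) };
  });
}

// Returns the rule text that lets the original Referer through, "same-host"
// when no rewriting applies, or null when the Referer would be rewritten.
function refererDecision(rules, fromHost, toHost) {
  if (fromHost === toHost) return "same-host";
  const hit = rules.find((r) => r.src.test(fromHost) && r.dst.test(toHost));
  return hit ? hit.line : null;
}

// Cross-host POST hops of the Kudu sign-in chain (referring host, requested host).
// Constructed from the request chain and rule pairs quoted in the issue.
const KUDU_CHAIN = [
  ["login.microsoftonline.com", "waws-prod-bay-111.sso.azurewebsites.net"],
  ["waws-prod-bay-111.sso.azurewebsites.net", "appname.scm.azurewebsites.net"],
];

const PROPOSED_RULES = [
  "login.microsoftonline.com>*.sso.azurewebsites.net",
  "*.sso.azurewebsites.net>*.scm.azurewebsites.net",
];

function evaluateChain(ruleLines, chain) {
  const rules = parseRules(ruleLines);
  return chain.map(([from, to]) => ({ from, to, allowedBy: refererDecision(rules, from, to) }));
}

for (const hop of evaluateChain(PROPOSED_RULES, KUDU_CHAIN)) {
  console.log(`${hop.from} -> ${hop.to}: ${hop.allowedBy || "Referer rewritten"}`);
}
```

Passing only the first rule leaves the second hop unmatched, which corresponds to the intermediate request chain in the report. Under these assumptions a host such as `otherapp.azurewebsites.net` matches neither source pattern, so the rules do not pass Referers from arbitrary App Service sites to Kudu.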

@ntninja
Collaborator

ntninja commented Oct 11, 2018

Thank you for your feedback! I've pushed a whitelist update with the rules you suggested – please test to make sure it works as expected:

  1. Open the Add-ons page from the menu button on the toolbar
  2. Select the entry named Extensions from the left-hand side of the add-on page
  3. Click on the Settings button beneath Smart Referer in the extension list
  4. Make sure the Use default whitelist option is checked under Whitelist Sources
  5. Remove any custom Exception rules that may be related to this issue
  6. Click on the Disable button towards the bottom of Smart Referer's extension page
  7. Wait for Smart Referer to be disabled, then click the Enable button to re-enable it (this will force a whitelist update)
  8. Check if your page is working now 🙂

Also, as an extra, could you also test whether these rules are required when using “Send nothing as a referer” instead of “Send the URL you're going to”? To do so, please open the extension preferences again, change the value of Rewrite Mode to “Send nothing as a referer” and uncheck the “Use default whitelist” option, then test again. (You probably want to change these values back after testing.) You'd help me gather data on whether we want to change the default for this option to that value in the future (issue #113). Thanks for your help!

Feel free to close this issue if it works now!
