Can someone explain to me how to setup a external end point for a fail over model in Windows Azure Traffic manager. I can add the end point to azure through powershell, for example www.mysite.com, but then the tutorials say I would need to change my DNS to point www.mysite.com to my.trafficmanager.net. But wouldnt this create a loop of sorts and never get to my actual server that is hosting the site?
In the scenario you describe you would first need to define a new hostname for your external endpoint in DNS (i.e. www-1.mysite.com) and configure your webserver to accept requests for that hostname. Once that is working you add the www-1.mysite.com to Traffic Manager as an external endpoint and the finally update DNS for www.mysite.com to point to Traffic Manager.
Related
I understand that the question was asked and discussed in different formats before. However, I still miss clear guidelines on how to handle the situation.
Our keycloak setup has multiple keycloak replicas and is behind a load balancer without a fixed ip in a separate infrastructure. So that our DNS records look like:
CNAME keycloak.acme.com public-lb.acme.com
And public-lb.acme.com forwards the request to specific instances of keycloak.
One of our end-user applications is located in a completely different infrastructure with strict access. The end-user application is built using java and is using Keycloak integration org.keycloak:keycloak-servlet-filter-adapter. We do not have any custom adapters and simply follow "standard" configuration:
{
"auth-server-url" : "https://keycloak.acme.com",
..
However, this does not work since keycloak.acme.com ip address have to be whitelisted in that "special" infrastructure. So that validation requests from the application inside the "special" infrastructure do not hit the keycloak. And we cannot whitelist the ip, since the ip of our load balancer public-lb.acme.com is not fixed and changes with time.
We have a "tunnel" between the keycloak infrastructure and that "special" infrastructure with a dedicated ip cidr range which is whitelisted.
Hence we have create a special internal load balancer that is in the tunnels cidr range and forwards requests to the keycloak replicas. Unfortunately that internal load balancer does not have a fixed ip address, and can change within time.
Since we do not have fixed ip address, is the only correct method is to use add DNS record inside the "special" infrastructure pointing to the internal load balancer? Something like:
CNAME keycloak.acme.com internal-lb.acme.com
Or are there any alternative solutions? I understand the historical reasons behind this.
I'm currently working on a script that will test the health of an ADFS service. The ADFS service uses the same domain name (split brain DNS) for both intranet access, as well as for public DNS (for internet connections through the proxy servers). If I'm logged into an intranet device and I attempt to perform an SSL connection to the ADFS service, my device will use the intranet IP of the service. If I do the same from a device that is not in the intranet, I will connect to the public facing IP.
I want my script to test the health of both the internal and external service, but I haven't found a way to perform an SSL connection to a certain hostname/fqdn, and use an specific IP depending on the test I'm trying to perform (intranet vs extranet). Connecting directly to the internal/external IP address is not an option, since the ip addresses are not part of the SSL cert subject alternative names.
One option I found Is to create a PS Session to a remote host that has public DNS servers configured, and execute my Extranet test through that PS Session, but Ideally, I would like to run both tests from one single server.
I'm trying to find an option that works in the context of my PowerShell session only, I don't want to change the DNS settings of the server or the global DNS cache since that will result in problems on the server, because it depends on that ADFS service for other services to work.
Any help will be appreciated
I could not find a way to achieve exactly what I asked, so instead, what I did was to deploy a small Rest API in Azure which calls my ADFS service. When I call that Rest API, ADFS receives the query from the Internet, allowing me to achieve test the health of my ADFS service from the internet.
Is it possible to use Azure Application Gateway to route incoming traffic to a URL/Port and append a path? I want to do this so can use Service Fabric reverse proxy lookup.
i.e. I have a listener on ms-company.domain.com and I want it to redirect to http://servicefabric.domain.com:19081/Company/Microservice/api/healthcheck
That way even if I change the port that the micro-service lives in the Reverse Proxy lookup will work.
This is possible with the recent URL path override feature. Please refer to sample template at https://azure.microsoft.com/en-us/resources/templates/201-application-gateway-path-override/
My requirement is to configure a service which will only need to be executed for a particular firewall, say customer.
Hence, Can it be possible for a service to be only available for a firewall OR get the current firewall information in service as an argument so that the relevant code can be segregated?
EDIT :
The project supports dynamic domain. So user can customize their url or buy actual domain.
The service actually defines a Request listener which is supposed to decide resource of the data of the page, based on the current domain
The system also supports other sub-domains with some different firewall configuration, where Request listener shouldn't invoked. So, I need to restrict part of my service execution based on firewall.
Is it possible?
I have a gadget[*] that connects to the user's WiFi network and responds to commands over a simple REST interface. The user uses a web app to control this gadget. The web app is currently served over http and the app's javascript does AJAX calls to the gadget's local IP address to control it. This scheme works well and I have no issues with it.
[*] By "gadget" I mean an actual, physical IoT device that the user buys and installs within their home, and configures to connect to their home WiFi network
Now, I want to serve this web app over https. I have no issue setting up https on the hosting side. The problem is, now the browser blocks access to the gadget (since the gadget's REST API is over http and not https).
The obvious solution is to have the gadget serve it's REST API over https. But how? It has a local IP address and no one will issue a certificate for it. (Even if they did, I'd have to buy a boatload of certificates for each possible local IP address.) I could round-trip via the cloud (by adding additional logic on my server side to accept commands from the web app and forward it to the gadget over another connection), but this will increase latencies.
Is there a way around this problem? One possibility that I have in mind is to:
Get a wildcard certificate (say, *.mydomain.com)
Run my own DNS that maps sub-domains to a local IP address following a pattern (For example, 192-168-1-123.mydomain.com would map to 192.168.1.123)
Use the wild-card certificate in all the gadgets
My web app could then make AJAX calls to https://192-168-1-123.mydomain.com instead of http://192.168.1.123 and latencies would remain unaffected aside from the initial DNS lookup
Would this work? It's an expensive experiment to try out (wildcard certificates cost ~$200) and running a DNS server seems like a lot of work. Plus I find myself under-qualified to think through the security implications.
Perhaps there's already a service out there that solves this problem?
While this is a pretty old question, it is still nothing that you find out-of-the-box solutions for today.
Just as #Jaffa-the-cake posted in a comment, you can lean on how Plex did it, which Filippo Valsorda explained in his blog:
https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/
This is very similar to what you proposed yourself. You don't even need a wildcard certificate, but you can generate certificates on-the-fly using Let's Encrypt. (You can still use wildcard certificates, if you want, which Let's Encrypt supports now, too.)
Just yesterday I did a manual proof-of-concept for that workflow, that can be automated with the following steps:
Write a Web Service that can create DNS entries for individual devices dynamically and generate matching certificates via Let's Encrypt - this is pretty easy using certbot and e.g. Google Cloud DNS. I guess Azure, AWS and others have similar offerings, too. When you use certbot's DNS plugins, you don't even need to have an actual web server running on port 80/443.
On you local device, contact that Web Service to generate a unique DNS entry (e.g. ..yourdns.com) and certificate for that domain
Use that certificate in your local HTTPS server
Browse to that domain instead of your local IP
Now you will have a HTTPS connection to your local server, using a local IP, but a publicly resolved DNS entry.
The downside is that this does not work offline from arbitrary clients. And you need to think of a good security concept to create trust between the client that requests a DNS and certificate, and your web service that will generate those.
BTW, do you mind sharing what kind of gadget it is that you are building?
If all you want is to access the device APIs through the web browser, A Simple solution would be to proxy all the requests to the device through your web server.this was even self signed certs for the devices wont be a problem. Only problem though is that the server would have to be on the same network as your devices.
If you are not on the same network, you can write a simple browser plugin (chrome) to send the api request to IoT device. but then the dependency on the app/plugin will be clumsy.