Question: How can I communicate between two web sites using HTTPS within one Azure Cloud Service deployment?
Details:
I have architected an Azure Cloud Service deployment (one “subdomain.cloudapp.net”) in such a way as to run two separate web sites inside the deployment by using different ports.
Site 1 is what I’m calling a Service Site that is a standard ASP.NET site that hosts a bunch of WCF Services with no HTML or ASPX pages (except for a default.aspx page that redirects to site 2). Site 1 is running on port 80.
Site 2 is my main site and hosts a Silverlight application that uses the services from Site 1 to access the database and process results. It is only accessible by way of HTTPS and uses port 443.
Both of these sites are defined in a Visual Studio Azure solution with two endpoints, one for each port. Further, each endpoint is associated with the two web site project insides of the VS Solution by way of the ServiceDefinition.csdef configuration file in the Azure project.
I have purchased my security certificate and associated it with a domain name that I am using with Site 2 by way of domain name redirecting and CName mapping at my DNS.
Accessing site 2 using the mapped domain name and an encrypted connection works well via HTTPS. However, when I try to make a service call internally from Site 2 to Site 1, I am going from an HTTPS connection to an HTTP connection because I don’t have a SSL Certificate at Site 1. As a result, when site 2 makes a service call to Site 1, it tries to serve clientaccesspolicy.xml. This causes Internet Explorer to display the ‘Mixed Content’ message (Because of the HTTPS/HTTP mix). Bottom line is I need to get rid of this pop-up prompt. I know it can be disabled on the client end but with over a thousand users, I can’t depend on them being able to turn the message off. I need to make the message go away on the server side.
Back to the question, so is there a way to access site 1 using SSL from site 2 all within the one Azure Cloud Service? What it sounds like I need to do is assign an SSL Certificate to site 1. However, I’m hitting two roadblocks. First, I can’t assign an SSL Certificate to a wildcard.clouapp.net domain name. Second, I can’t assign a second domain name to the Azure Cloud Service since I can’t do domain name forwarding to a specific port (remember that Site 2 is already using domain forwarding anyway).
I could accomplish a solution by breaking out the two sites into their own cloud services but I would rather not because it would double my cost. Are there any suggestions on how to accomplish getting this “Mixed Content” message to go away, either by way of securing site 1 or some other method?
Related
SSIA.
I've tried set CNAME record refers to my '...-dot-devshell.appspot.com' (that seems unique) but I can see only 404 error on Google.
Is there any way?
This is neither possible nor practical.
It's not possible because when you are activating Web Preview you are connecting to an App Engine proxy (hence the appspot.com domain) that authenticates you as the owner of a Cloud Shell VM and proxies the connection to a port on that VM. The connection is secured by an SSL certificate tied to the appspot.com domain; you cannot substitute a different domain name in its place.
It's not practical because the Cloud Shell VM is only active while you are actively connected to it through the web terminal (or from the command line). Once the connection is terminated, the VM goes away as well. And if you are actively using the VM, the Web Preview button is just a short click away and having a well-known domain name seems... unnecessary.
Finally, if you are thinking of giving someone else access to your VM, that won't work either, because they would have to be logged in to their Google Account as you in order for the proxy to let them in.
The Web Preview feature is exactly what it sounds like - a way for you to connect to a web application that you might be developing in Cloud Shell.
I have a standalone web application (not an add-in) and I would like to access Project Server PWA oData from this web application without using the PWA username/password combination.
I can do this for SharePoint oData by registering my web app in Azure AD and configuring the application to require "Read" permissions from "Office 365 SharePoint Online"
If you are interested to do this for SharePoint data, see this article for details: https://www.itunity.com/article/integrating-angularjs-aad-office-365sharepoint-part-1-622
My problem is that I want to do the same for a Project Server, but can't see any relevant Project Online permission in Azure AD.
Has any one ever accessed Project Online using Azure AD tokens?
My 10 Minutes of Internet Research™ leads me to believe this isn't available but that it was a planned feature at one point. [see here]
Without knowing much (anything) about Project Server, this seems like a situation I've dealt with on AWS at work. We have a bunch of endpoints that are secured using IAM (AWS) credentials and we can't leave those creds lying around in our app (because that would be silly). Our solution is to generate access URLs server-side and hand them out, these typically will have a time limit and be restricted to a very specific action.
A quick search for Azure's equivalent to IAM tells me that you might be able to do something similar though I'm unsure it exists for Project Server.
That failing, you could always set up an intermediary micro-service that acts as proxy and has the username/password combo. We do stuff like this all the time with Lambda (AWS's serverless functions).
Is it possible to create a google app engine program that would route http requests to a server on a local network?
What would be the best way to build a program like this?
I am trying to get away from buying a server from a hosting provider and simply use a local network server instead, and use google apps as a sort of proxy. The firewall would be configured to allow access to the server from the google app engine servers only.
If this has been done before in an open source project that would be excellent, but I have not been able to find one.
If all you want is a domain name that points to your dynamic IP address, you could give Dynamic DNS a try. It's designed for your use case, and you won't need to write any code; you just need either a router that supports it or a server with cron. There are lots of providers, but I've had good experiences with Dyn DNS, specifically their Remote Access plan.
Right now I'm using shared hosting for my websites and I'm not very satisfied with it. Someone recommended a VPS instead but I have no idea which one to pick.
I'm developing ASP.NET MVC 3 sites and I have about 4 sites I need to host. I guess I should use IIS to host the sites but I'm a little bit confused.
Is it possible to point 1 domain name to each website I'm making? And what do I do if I want to send mail?
Example.
www.site1.com has some emails eg. info#site1.com
www.site2.com has some emails eg. info#site2.com
I guess I need a mail server? To be able to read and view my emails. like WorldClient
You can any number of domains on one single server. When you create the site on IIS Manager, give the different domain names in the host name field and point the relevant domains to the directory.
For mail server I generally go for Apache James, but this is console based app so configuring this is a bit tedious. Smarter Mail is also another option on windows with full windows GUIs for configuring the mail servers.
The mail servers can be configured in your DNS settings. So your mail.domain.com will become your mail server.
Btw, both mail servers I mentioned give you options for POP access for reading from outlook express etc.,
I am trying to return the Client UserName back into Silverlight by using HttpContext.Current.User.Identity.Name in the .aspx page that starts the application.
I have this hooked up to InitParams working fine passing it into silverlight with the ASP.Net Development Server but when I change to an IIS Web site it returns an empty string.
All of our users will be on the same IP subnet with different domains. This is a intranet app. I need to know who they are, preferably without authenticating, in order to load the proper interface. I do not have any Windows or Forms authentication established in the app yet.
....is it possible?
Without authentication on the server-side, I believe this is not possible. You'll have to have the ASP.NET page authenticate in order for it to write the client's username into that init param.
The test web server's process is running as the local developer, it probably appears to be working since both the client and server are running as the same user.
Suggestion:
Enable Windows authentication in IIS for that application folder that hoses the ASP.Net page. Disable anonymous. This should (in theory) be fine for the intranet. At this point I think you should be able to get Authenticated user from HTTP context. We use Thread.CurrentPrincipal.Identity.Name since we're doing this in a WCF web service.
Not all browsers support Windows authentication. IE and Chrome seem to work the best. Firefox requires you to enable this per-site (look up the "trusted-uris" settings, note that Negotiate and NTLM are separate settings). Safari and Opera as well as non-windows clients, I'm not sure any more.
To get more consistent support across browsers look into the "alternative" client HTTP in Silverlight. However, I guess this wouldn't work with setting init params in the asp page. If you could make an additional request to another ASP page (or a web service) to get the user after loading you could choose to use this other http stack. I found it supports authentication itself, regardless of the browser.