Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,079 questions
Allow-Access-Control-Origin Error on Web App
Joseph Dutton
135
Reputation points
Hey everyone. I may be missing something simple, but here's one for you guys!
Turning on App Gateway WAF Policy with a custom rule for geo location match. Essentially just to deny any traffic outside of select countries.
Without this WAF Policy turned on, everything works as expected. As soon as we turn this on, our web application gets a slew of errors that pop up in the developer console.
We've been trying to track down the "Access-Control-Allow-Origin" error first, as we're hoping that will at least alleviate the major error.(it gives us the most detail)
I will also mention, that this application is running .Net 3.1/C#/Angular. We understand that this is a way outdated version of .Net, but we're not sure if that could be the issue or what.
Just unsure of why simply turning on this WAF policy for geolocation match would ding all of these errors, and an explanation on this would be SUPER helpful.
I will mention there is one rewrite rule set configured that looks like so:
Any help on this would be greatly appreciated. We've been working on this for a number of weeks, and with Microsoft's new support request degradation, we've been unable to receive any support on this product there.
-Joseph
{count} votes
-
KapilAnanth-MSFT 46,776 Reputation points Microsoft Employee2024-09-25T10:06:05.01+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are facing CORS error.
It is highly unlikely that App Gateway WAF can lead to CORS error.
- Can you confirm if the issue is not happening without WAF (not App Gateway)
- Please keep the WAF in Detection Mode and see if this is happening still
- May I ask if the same domain is used to access your WebApp as well as the Application Gateway
- i.e., what is the FQDN of the service via Application gateway?
- what is the FQDN of the service while directly accessing it?
- Are you actually using resources from other sites?
- If so, does the other site has the header? Access-Control-Allow-Origin: *
Cheers,
Kapil
- Can you confirm if the issue is not happening without WAF (not App Gateway)
-
Joseph Dutton 135 Reputation points
2024-09-25T15:13:54.51+00:00 Kapil,
Thank you for your response.
When the WAF is turned off, there is no longer a CORS error popping up. Part of me was wondering if the geolocation match rule is what is causing that Origin Header discrepancy. But I'm unsure if those two have anything to do with the other. I wouldn't think that WAF Policy being turned on would cause all of those errors to just magically pull up. Unfortunately, I'm not too familiar with these specific blades, and I wasn't present when they were configured initially.
From my awareness, the only thing that is changing is that policy being turned on. The primary URL we are using is set up as an Associated listener on the App Gateway.
Nothing has that specific header added into the code. Would adding that Access-Control-Allow-Origin header make a difference here? Why is the WAF policy causing that to trigger? Wouldn't it trigger even if the WAF policy was turned off?
Let me know if I failed to answer any of your questions. Thank you again for all of the help here!
If it would help to jump on a call, I can show you what I can see.
-
Joseph Dutton 135 Reputation points
2024-09-25T18:55:01.23+00:00 -
KapilAnanth-MSFT 46,776 Reputation points Microsoft Employee
2024-09-26T06:12:21.1366667+00:00 Thanks for the information, indeed, this is strange.
As next steps,
- We have to isolate if this is related to WAF as a whole or this specific Geo Match Rule.
- Can you please remove the Geo Match Rule and check with WAF Enabled?
- This way, we will know if this is caused by Geo Match Rule OR by WAF (Managed rules or just the WAF's configuration results in this)
In addition,
- Can you please confirm if there are any logs in Firewall log that indicate "Warning"
- Specifically for details.message
Cheers,
Kapil
-
Joseph Dutton 135 Reputation points
2024-09-26T20:19:52.3266667+00:00 Thank you for the notes.
I am currently checking if it's been tested without the custom rule, and should have an answer for you by early next week.
In terms of Firewall logs, I do know logs are enabled, but do you have a KQL query to identify the Firewall logs? It is also disabled at the moment, but when I do something like
AzureDiagnostics | where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule"I cannot see any results. Even with my time range set back 30+ days.
I have ensured that Diagnostic Logs are enabled, as I can see Category == "ApplicationGatewayAccessLogs", but am not seeing anything pertaining to the Firewall. Let me know if there is a better query I should be using here!
Thank you.
-
Joseph Dutton 135 Reputation points
2024-09-26T21:04:52.01+00:00 I will be able to test the WAF early next week and double check. I will test the WAF with and without the custom rule enabled.
Could you please provide a KQL query that would show the logs that you are looking for? That would be very helpful!
Thank you.
-
KapilAnanth-MSFT 46,776 Reputation points Microsoft Employee
2024-09-27T05:33:25.71+00:00 Sure. The category should be "ApplicationGatewayFirewallLog".
See :
The query becomes,
AzureDiagnostics | where Category == "AzureFirewallNetworkRule"Cheers,
Kapil
-
-
Joseph Dutton 135 Reputation points
2024-10-09T18:11:35.6266667+00:00 Sorry for the delay on this. The WAF policy has been tested without the geo-fence custom rule, and seems to be working successfully.
Is there something in the custom rule that would cause this error to trigger? If desired, I can provide screenshots of the custom rule configuration, but not sure why this would cause that error.
Thank you!
Joseph
-
KapilAnanth-MSFT 46,776 Reputation points Microsoft Employee
2024-10-10T11:57:36.17+00:00 To troubleshoot further, we will need a specialized 1:1 session, where a support engineer can check the backend logs to pinpoint the issue.
If you have a support plan you may file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.
P.S : We will be able to provide you one-time support if and only if your subscription is not managed by a CSP
Cheers,
Kapil
-
Joseph Dutton 135 Reputation points
2024-10-10T15:15:42.74+00:00 That would be incredibly useful!
We do not currently have a support plan after the July change.
If there is a way we can do a free 1:1 session, that would be amazing. Please let me know what we need to do to schedule this.
Thank you,
Joseph
-
KapilAnanth-MSFT 46,776 Reputation points Microsoft Employee
2024-10-10T16:19:52.7+00:00 -
Joseph Dutton 135 Reputation points
2024-10-11T13:12:38.24+00:00 For some reason, the private message is not popping up anymore. Not sure how to access other than my e-mail. But it's not auto-opening when I try to open it from my email.
Is there another way to open these private messages?
-
KapilAnanth-MSFT 46,776 Reputation points Microsoft Employee
2024-10-14T13:06:19.9433333+00:00 In that case, could you please send an email to AzCommunity[At]Microsoft[Dot]Com with the below details.
- Subject : Attn Kaananth
- Thread URL: Link to this thread.
- Subscription ID : Subscription ID of the App gateway
Cheers,
Kapil
Sign in to comment
Sign in to answer