Azure App Service NodeJS Proxy 403

Ivar Hagen 96 Reputation points
2020-12-19T14:09:17.307+00:00

Hi!

I've created an Angular application that uses 'http-proxy-middleware' for connecting to backend services, one of my services uses https and one is http.
I'm using a Node server for deployment. This works fine locally when I use the backend services.
When I deploy on Azure App Service (Linux/Node) I get a 403 Forbidden when calling the proxy (see below).

So my Node server in the App Service uses http on port 8080. The App Service uses https with url https://[myappname].azurewebsites.net/
This is a bit confusing to me. Is it just port forwarding from 443 to 8080? Do we have a valid certificate for my URL (is it needed)?
I also tried to start my Node server with https on port 8080 but that didn't work.

What do work is a POST to the the /docebo proxy (used for authenticating the user), but a GET on the REST API returns a 403.
When doing a curl GET directly to Docebo endpoint (not through proxy) while logged on to my App Service server the call works fine.
The call to the other proxy which has a http target all calls works fine (GET/POST/PUT/DELETE).
The owner of the Docebo API says that the problem is not on their end. So what am I doing wrong?

When comparing request-response debug info with POST and GET I find these differences:

Getting data (403) : 

  useChunkedEncodingByDefault: false,
  method: 'GET',
  path: '/manage/v1/user?search_text=Test01',
  authorization: [
    'authorization',
    'Bearer [theTokenIGotFromLoginIsHere]'
  ],      
  accept: [ 'accept', 'application/json' ],

Login posting (ok) : 

 useChunkedEncodingByDefault: true,
  method: 'POST',
  path: '/oauth2/token',
   accept: [ 'accept', 'application/json, text/plain, */*' ],
   'content-type': [
    'content-type',
    'multipart/form-data; boundary=----WebKitFormBoundaryyLgRE2snV888KOzE'
   ],

Node Express server with proxy. 

var createProxyMiddleware = require('http-proxy-middleware')
app.use('/docebo', createProxyMiddleware({
  target: 'https://[mysandbox].docebosaas.com/',
  secure: true,
  timeout: 8000,
  changeOrigin: true,
  logLevel: "debug",
  "pathRewrite": {
    "^/docebo": ""
  }
}));

Response from above GET when running in Azure App Service (Node). 

{
    "name": "Forbidden",
    "message": [
        ""
    ],
    "code": 0,
    "status": 403
}
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,826 questions
0 comments
Accepted answer
  1. Ivar Hagen 96 Reputation points
    2020-12-29T21:10:22.043+00:00

    Hi!

    Thanks for your fast reply to my mail @ajkuma
    I've tried your suggestions but it seems like the problem is with the proxy implementation I'm using (http-proxy-middleware).
    To resolve it I've created my own proxy functionality which do not have problems with 403 error . 

    app.get('/docebo/*', (req, res, next) => {  
  console.log('url', req.url);  
  console.log('auth', req.headers.authorization);  
  axios.defaults.headers.common['Authorization'] = req.headers.authorization;  
  var newUrl = req.url.replace('/docebo', 'https://mysite.docebosaas.com');  
  console.log('newUrl', newUrl);  
  axios.get(newUrl)  
    .then(function (response) {  
         res.send(response.data);  
        next();  
 })

    })

    Thanks again for you support.

    Regards Ivar Hagen

3 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. ajkuma 22,086 Reputation points Microsoft Employee
    2020-12-21T09:25:15.987+00:00

    @Ivar Hagen , App Service sets the environment variable PORT in the Node.js container, and forwards the incoming requests to your container at that port number. For requests, the must listen to that port using process.env.PORT. Kindly see this example

    Also, the TLS termination happens at the network load balancers, so all HTTPS requests reach your app as unencrypted HTTP requests.
    To check if the user requests are encrypted or not, inspect the 'X-Forwarded-Proto' header.

    For other framework - X-Forwarded-* standard info app pattern.
    In Express (In your case), you can use trust proxies. For example: 

    app.set('trust proxy', 1)  
...  
if (req.secure) {  
  // Action -do something when HTTPS is used  
}
    0 comments
  2. ajkuma 22,086 Reputation points Microsoft Employee
    2020-12-21T09:29:03.963+00:00

    @Ivar Hagen , Just adding more info:

    Kindly see the sample nodejs-docs-hello-world and refine the web.config file similarly as required: 

    <?xml version="1.0"?>  
<configuration>  
  <system.web>   
    <compilation batch="false" />  
  </system.web>  
  <system.webServer>  
    <handlers>  
      <add name="iisnode" path="scripts.js" verb="*" modules="iisnode" />  
    </handlers>  
    <rewrite>  
      <rules>  
        <rule name="yourwebapp">  
          <match url="/*" />  
          <action type="Rewrite" url="scripts.js" />  
        </rule>  
      </rules>  
    </rewrite>  
  </system.webServer>  
</configuration>
    0 comments
  3. ajkuma 22,086 Reputation points Microsoft Employee
    2020-12-21T09:31:29.003+00:00

    Adding more: Other than the code itself returning the error, Access Restrictions or IP Restrictions could also affect:

    If the request is being blocked by IP restrictions it occurs on the FrontEnds of the infrastructure so the 403s would not be seen in the application logs. There's a detector available in the Azure Portal to confirm what IPs are being blocked if that is the cause, see below.

    To access App Service diagnostics, navigate to your App Service app in the Azure portal. In the left navigation, click on Diagnose and solve problems –

    49872-image.png

    Thanks for the detailed description of the problem. I have added multiple things that you can try/for info, sorry for the long post.

    @Ivar Hagen , kindly let us know if you need further assistance we will be more than happy to assist you further.

    0 comments