07 February, 2022

Sitecore PaaS - Azure Front Door Implementation Impact

For one Sitecore client, we had a Sitecore Managed Cloud instance running Sitecore version 10. Azure Front Door was not implemented as part of the initial setup, so there was no web application firewall (WAF).

Recently we faced a huge number of invalid requests from a particular location in Asia; the requestor was hitting the site with malicious URLs, cookie values, query strings, etc. To block these malicious requests, we added Azure Front Door with WAF, and most of the malicious requests were blocked at the firewall itself.

This is a Sitecore headless solution with custom forms where users can enter their details and download documents and software. On form submission, we validate the data and the client IP with an external 3rd party service. We obtain the user IP from the X-FORWARDED-FOR header and send it for validation.

Request Flow with and without Azure Front Door:

When we had the App Service without Azure Front Door, the header contained only an IPv4 address with a port number. In the code, the port number was removed by splitting the value on the colon (:), and the remaining address was sent for validation.

When the App Service was placed behind Azure Front Door, only 4 characters were sent as the client IP. Example: 2065. We debugged the code, but most of our QA folks had IPv4 addresses and the issue was not reproducible. I set up an Azure VM with an IPv6 address using this blog. I created a simple debug page to flush the context and request data to the browser (see below). This page reads the Sitecore Context and the headers from the HttpContext Request object and displays them on the page. It can also be modified to display more details.

Since Azure Front Door natively supports IPv6, the IPv6 address is sent in the X-FORWARDED-FOR header, and it is sent as the first address in the list. Since our code was splitting the string on the colon (:), only the first 4 characters were sent to the 3rd party for validation. Once we modified our code to support both IPv4 and IPv6 addresses, the issue was resolved.

Azure Front Door comes with more features such as routing, a web application firewall and more. It is very important to check the impact of these features on the site, because they may have a negative impact as well.
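The parsing problem described above, shown as an added example (not the code from our solution): the colon split next to a parser that accepts both address families and validates the result with `IPAddress.TryParse` before it is passed on. The class and method names are hypothetical, and the header values are constructed samples from documentation address ranges.

```csharp
using System;
using System.Net;

public static class ForwardedForParser
{
    // The behaviour described above: fine for "203.0.113.7:51234",
    // but an IPv6 value is cut at its first colon.
    public static string NaiveClientIp(string header) =>
        header.Split(',')[0].Trim().Split(':')[0];

    // Returns the first address in X-Forwarded-For, or null if it is not a valid IP.
    public static IPAddress ParseClientIp(string header)
    {
        if (string.IsNullOrWhiteSpace(header)) return null;
        string token = header.Split(',')[0].Trim();
        int first = token.IndexOf(':');

        if (token.StartsWith("["))                      // "[v6]" or "[v6]:port"
        {
            int close = token.IndexOf(']');
            if (close < 0) return null;
            token = token.Substring(1, close - 1);
        }
        else if (first >= 0 && first == token.LastIndexOf(':'))
        {
            token = token.Substring(0, first);          // exactly one colon: "v4:port"
        }                                               // several colons: bare IPv6, keep whole

        return IPAddress.TryParse(token, out IPAddress ip) ? ip : null;
    }

    public static void Main()
    {
        // Constructed sample header values.
        string[] samples =
        {
            "203.0.113.7:51234",
            "2001:db8:85a3::8a2e:370:7334, 198.51.100.20:443",
            "[2001:db8::1]:44321",
            "not-an-ip"
        };
        foreach (string h in samples)
        {
            IPAddress ip = ParseClientIp(h);
            string result = ip == null ? "rejected" : ip + " (" + ip.AddressFamily + ")";
            Console.WriteLine(h + " -> naive='" + NaiveClientIp(h) + "' parsed=" + result);
        }
    }
}
```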

Display Context and Request Data:
