FIRST – I am stealing code here and re-sharing it (with very little modification). All credit goes to the fine gentleman who wrote these two articles; I would urge you to read them:

Bulk Add IP Access Restrictions to Azure App Service Using AZ Powershell

Bulk Add Cloudflares IPs to Azure App Service Access Restrictions Using AZ Powershell

I made a few minor modifications to the provided code. First, I like to run a lot of my Azure PowerShell work from an ISE session and don’t like encapsulating everything in new commands, partly because I am not all that familiar with working that way, even though it is probably a MUCH better way of doing things.

Before we get to the code though, what is this for exactly?

If you use Cloudflare as a protection and CDN layer for a website, it works by acting as a reverse proxy for your site, i.e. the client reaches your site through a Cloudflare-hosted DNS record. Instead of connecting directly to your server, their connection terminates at Cloudflare, Cloudflare does its thing, and then it passes the connection along to your actual service. ‘Nuff said; Google it if you need more info.

In the case of an Azure Web App (or any other web server, I suppose), the app is hosted on and available at some public IP and/or Azure domain name that Azure provides when you create the app…

What this means is that someone can easily bypass your Cloudflare layer (and the associated performance enhancements and protections, like the web application firewall) if they know your source system’s IP address or, in the case of Azure, the Azure-provided domain name for your app.

So you need to set up an ACL (Access Control List) on your source system that says “Allow traffic from all Cloudflare IP ranges and block everyone else”.

Cloudflare has something like 20 IP ranges, and setting up that ACL by hand on a web app in Azure is arduous at best. But that is why we have scripting: to make things that are generally a pain in the rear NOT a pain in the rear.

I have been taking a free networking class from Stanford University’s online “open source” education platform. I have really been enjoying the first unit of the course, as it has started filling in some gaps in the foundation of my understanding of networking, the internet, and TCP/IP. I highly recommend it to anyone who has been in IT for a while but has never taken a more “academic” approach to their work. Okay, so that is my plug for free education. You can check out more here if interested:

OSI 7-Layer Model, TCP/IP 4-Layer Model
One of the gaps in my understanding of networking has to do with the OSI 7-layer networking model and the simpler TCP/IP 4-layer model (which was developed by DARPA? and predates the OSI model). I didn’t even realize there was anything other than the 7-layer model until taking this class, and furthermore didn’t realize that, while the OSI model gets talked about and referenced more frequently, academia (I think… and perhaps the industry) is shifting to using the simpler 4-layer model for discussion, understanding, and development regarding networking. Please don’t take any of this as gospel truth; this is just my understanding based on coursework and reading. I also find it much easier to think about and reference the 4-layer model. If you are curious how the two compare, this TechNet article is an interesting read: TechNet: TCP/IP Protocol Architecture. Okay, so for this article I will be sticking with what I am most comfortable with at this point, and will be talking about and referencing the 4-layer TCP/IP model while discussing how VPN works.

Let’s Encrypt is an incredible, FREE service that lets you get trusted SSL certificates for your website. The certs expire every 90 days, but what is great is that there are a lot of tools for auto-renewing the certificate without you ever having to touch anything on your server… until that process breaks.

Case in point: if you are running Drupal 7 and are using the Apache rewrite module (you should be…), then the default .htaccess file supplied with Drupal 7 core blocks all access to hidden folders (folders whose names start with a “.”). This is a problem for Let’s Encrypt because the auto-renew process generates a temporary key file that gets placed in a hidden folder on your web server, and the Let’s Encrypt system has to be able to reach that folder publicly (on port 80) in order to validate your server and fulfill your renewal request. Thankfully, another member of the Drupal community has already written the rewrite condition that needs to be placed in your .htaccess file to allow access to just the hidden folder required by Let’s Encrypt.

I have decided to give Ubuntu 17.04 LTS Desktop a go. On a whim I installed it on a laptop I had lying about (being an IT person, they tend to proliferate over a given period of time in my office… older units becoming doorstops, newer units lovely “Jenga” blocks and maybe the occasional Proxmox cluster…). Since these seem to be the final days of Unity (which I actually don’t mind as a desktop all that much), I figured now was a good time to take another poke at it as a daily personal driver. I was happy to come across an option for full disk encryption during the install process and wanted to pass my few thoughts on it along.

One of the most difficult things to find (imho) is information about API and service URLs for just about any application. Microsoft is better than some (Dell, I am looking at you…), but it can still require some metaphorical Google search back flips to get to the right information.

That said… I wanted to quickly document the right mix of URLs that must be allowed in order for Windows OS license activation to work: