FIRST – I am stealing code here and re-sharing (with very little modification). All credit goes the fine gentleman that wrote these two articles, I would urge you to read them:

Bulk Add IP Access Restrictions to Azure App Service Using AZ Powershell

Bulk Add Cloudflares IPs to Azure App Service Access Restrictions Using AZ Powershell

I made a few minor modifications the provided code. First, I like to just run a lot of my Azure Powershell stuff from an ISE session and don’t like encapsulating everything in new commands. Partly because I am not all that familiar with working that way even though it is probably a MUCH better way of doing things.

Before we get to the code though, what is this for exactly?

If you use cloudflare as a protection and CDN layer for a website it works by acting as a reverse proxy for your site. I.E. client connects to your site by a cloudflare hosted DNS record… instead of connecting directly to your server, their connection terminates at Cloudflare, they do things, then the pass the connection along to your actual service. ‘Nuff said, google if you need more info.

In the case of an Azure Web App (or any other web server I supposed), the app is hosted/available on some public IP and/or azure domain name that azure provides when you create the app…

What this means is that someone can easily bypass your cloudflare layer (and the associated performance enhancements and protections like web application firewalls) if they know your source systems IP address and in the case of azure, your azure provided domain name for your app.

So what that means is that you need to setup an ACL (Access Control List) on your source system to say “Allow traffic from all Cloudflare IP ranges and block everyone else”.

Cloudflare has like 20 IP ranges… And setting up that ACL by hand on a web app in Azure is arduous at best. But that is why we have scripting… to make things that are generally a pain in the rear… NOT a pain in the rear. (more…)

I had a recent requirement from one of our clients that took a little bit of tinkering to figure out… we will call our client Contoso LLC. and our project that we host for them we will call the “Cool Widget Project.”

We built a really neat widget of an application for Contoso to use and we are hosting it under a sub-domain of a domain we control. We needed to keep hosting it under this domain. However, our client, Contoso, wanted to hand out a link for their users to the new widget we built using an existing sub-domain from a domain they control. This was of course under their main domain, constosollc.com, and they already had existing users that came to the old version of the widget (built by another vendor) at widget.contosollc.com.

Our company was hosting the new widget app at widgetapp.appworks.net.

To further complicate things… our company appreciates security, likes fast DNS updates, and the app really benefits from using a CDN… so we are using Cloudflare to manage DNS for the appworks.net domain. Better yet, we also like the cloud, and this new widgetapp is actually an Azure Web App.

So there’s the situation…

We essentially need this to happen:

User visits widget.contosollc.com --> widgetapp.appworks.net.

Oh but this is Azure… so actually widgetapp.appworks.net is already a CNAME record and it actually points to widgetapp.azurewebsites.net. So it is this:

User visits widget.contosollc.com --> widgetapp.appworks.net --> widgetapp.azurewebsites.net.

To elaborate the above just a little bit more:

widget.contosollc.com (DNS from random provider) --> widgetapp.appworks.net (Cloudflare DNS, CNAME) --> widgetapp.azurewebsites.net (the DNS name provided by Azure for the application)

Simple right? Just get our client to create a CNAME record that points to widgetapp.appworks.net and move on with life… wrong…
(more…)

Let’s Encrypt is an incredible, FREE, service that allows you to get trusted SSL certificates for your website. The certs expire every 90-days but what is great is that there are a lot of tools for auto-renewing the certificate without you ever having to touch anything on your server… until that process breaks.

Case-in-point: If you are running a Drupal 7 and are using the Apache Rewrite module (you should be…) then the default .htaccess file supplied with Drupal 7 core will block all access to hidden folders. (folders that start with a “.”) This is a problem for Let’s Encrypt because the auto-renew process generates a temporary key file that gets placed in a hidden folder on your web server that the Let’s Encrypt system has to be able to reach publicly (on port 80) in order to validate your server and fulfill your renewal request. Thankfully, another member of the Drupal community has already written the rewrite condition rule that needs to be placed in your .htaccess file to allow access to just the hidden folder required by Let’s Encrypt.
(more…)

I haven’t posted in ages due to being generally slammed with work but this little piece I threw together was too good to forget about so I wanted to put it down.

If you work with a larger owncloud deployment and have a lot of users and allow file sharing, you may be curious to occasionally take a look at how many shares there are, who owns them, who they are shared with. This isn’t easy to get from the Web GUI but via the command line and mysql it isn’t bad at all.

So, login to mysql on the command line and then use your owncloud database; ie. (if your db name is “owncloud”)

use owncloud;

Then run the following:

select id, share_with, uid_owner, item_type, file_target from oc_share
INTO OUTFILE '/var/lib/mysql-files/shares.csv'
FIELDS TERMINATED BY ','
ENCLOSED BY '"'
LINES TERMINATED BY '\n';

Exit mysql command line and go to /var/lib/mysql-files and you will find a nicely formatted CSV file with a list of all shares and who they are shared with. The columns from left to right…

ID, Who it is shared with (one line per person/group), the person that owns the share, whether or not it is a file or folder, the name/location of the file/folder that is shared

Cheers…

I work with a lot of IIS servers. Keeping track of what sites are present on which servers can sometimes be a daunting task. Heretofore I have been dealing with the rather obnoxious and time consuming process of checking sites and bindings by looking at each one in the IIS console. The other day I thought to myself, surely there must be a more effecient way to do this from the CLI via PowerShell… There is… I quickly found the following code on Stack Overflow after a Google search: (more…)