Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,063 questions
Allow-Access-Control-Origin Error on Web App
Joseph Dutton
135
Reputation points
Hey everyone. I may be missing something simple, but here's one for you guys!
Turning on App Gateway WAF Policy with a custom rule for geo location match. Essentially just to deny any traffic outside of select countries.
Without this WAF Policy turned on, everything works as expected. As soon as we turn this on, our web application gets a slew of errors that pop up in the developer console.
We've been trying to track down the "Access-Control-Allow-Origin" error first, as we're hoping that will at least alleviate the major error.(it gives us the most detail)
I will also mention, that this application is running .Net 3.1/C#/Angular. We understand that this is a way outdated version of .Net, but we're not sure if that could be the issue or what.
Just unsure of why simply turning on this WAF policy for geolocation match would ding all of these errors, and an explanation on this would be SUPER helpful.
I will mention there is one rewrite rule set configured that looks like so:
Any help on this would be greatly appreciated. We've been working on this for a number of weeks, and with Microsoft's new support request degradation, we've been unable to receive any support on this product there.
-Joseph
{count} votes
-
KapilAnanth-MSFT 44,921 Reputation points Microsoft Employee2024-09-25T10:06:05.01+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are facing CORS error.
It is highly unlikely that App Gateway WAF can lead to CORS error.
- Can you confirm if the issue is not happening without WAF (not App Gateway)
- Please keep the WAF in Detection Mode and see if this is happening still
- May I ask if the same domain is used to access your WebApp as well as the Application Gateway
- i.e., what is the FQDN of the service via Application gateway?
- what is the FQDN of the service while directly accessing it?
- Are you actually using resources from other sites?
- If so, does the other site has the header? Access-Control-Allow-Origin: *
Cheers,
Kapil
- Can you confirm if the issue is not happening without WAF (not App Gateway)
-
Joseph Dutton 135 Reputation points
2024-09-25T15:13:54.51+00:00 Kapil,
Thank you for your response.
When the WAF is turned off, there is no longer a CORS error popping up. Part of me was wondering if the geolocation match rule is what is causing that Origin Header discrepancy. But I'm unsure if those two have anything to do with the other. I wouldn't think that WAF Policy being turned on would cause all of those errors to just magically pull up. Unfortunately, I'm not too familiar with these specific blades, and I wasn't present when they were configured initially.
From my awareness, the only thing that is changing is that policy being turned on. The primary URL we are using is set up as an Associated listener on the App Gateway.
Nothing has that specific header added into the code. Would adding that Access-Control-Allow-Origin header make a difference here? Why is the WAF policy causing that to trigger? Wouldn't it trigger even if the WAF policy was turned off?
Let me know if I failed to answer any of your questions. Thank you again for all of the help here!
If it would help to jump on a call, I can show you what I can see.
-
Joseph Dutton 135 Reputation points
2024-09-25T18:55:01.23+00:00 -
KapilAnanth-MSFT 44,921 Reputation points Microsoft Employee
2024-09-26T06:12:21.1366667+00:00 Thanks for the information, indeed, this is strange.
As next steps,
- We have to isolate if this is related to WAF as a whole or this specific Geo Match Rule.
- Can you please remove the Geo Match Rule and check with WAF Enabled?
- This way, we will know if this is caused by Geo Match Rule OR by WAF (Managed rules or just the WAF's configuration results in this)
In addition,
- Can you please confirm if there are any logs in Firewall log that indicate "Warning"
- Specifically for details.message
Cheers,
Kapil
-
Joseph Dutton 135 Reputation points
2024-09-26T20:19:52.3266667+00:00 Thank you for the notes.
I am currently checking if it's been tested without the custom rule, and should have an answer for you by early next week.
In terms of Firewall logs, I do know logs are enabled, but do you have a KQL query to identify the Firewall logs? It is also disabled at the moment, but when I do something like
AzureDiagnostics | where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule"I cannot see any results. Even with my time range set back 30+ days.
I have ensured that Diagnostic Logs are enabled, as I can see Category == "ApplicationGatewayAccessLogs", but am not seeing anything pertaining to the Firewall. Let me know if there is a better query I should be using here!
Thank you.
-
Joseph Dutton 135 Reputation points
2024-09-26T21:04:52.01+00:00 I will be able to test the WAF early next week and double check. I will test the WAF with and without the custom rule enabled.
Could you please provide a KQL query that would show the logs that you are looking for? That would be very helpful!
Thank you.
-
KapilAnanth-MSFT 44,921 Reputation points Microsoft Employee
2024-09-27T05:33:25.71+00:00 Sure. The category should be "ApplicationGatewayFirewallLog".
See :
The query becomes,
AzureDiagnostics | where Category == "AzureFirewallNetworkRule"Cheers,
Kapil
-
Sign in to comment
Sign in to answer