Azure is blocking request that come from the same server

问题

Context

Umbraco CMS website runs on Azure as App Service

Scheduled Publishing

One of the Umbraco functionalities is to allow to publish content on a given time. The publish functionality makes a HTTP call to same web site (or a different server but same website in load balanced environment).

API call url:

http://sample-site-umbraco.azurewebsites.net/umbraco/RestServices/ScheduledPublish/Index

IP Security

Due to client requirements, access to the site is restricted to a given list of IP addresses. This task is being completed with IP Security restriction in web.config.

<security>
  <requestFiltering>
    <requestLimits maxAllowedContentLength="52428800" />
  </requestFiltering>
  <ipSecurity allowUnlisted="false" denyAction="NotFound">
    <!-- "clear" removes all upstream restrictions -->
    <clear />

    <!-- permit the loopback address  -->
    <add ipAddress="127.0.0.1" allowed="true" />

    ...
    ...
    ...

    <!-- domain Name for Scheduled Publishing -->
    <add allowed="true" domainName="sample-site-umbraco.azurewebsites.net"/>
  </ipSecurity>
</security>

Problem

When IP Security is turned on, the HTTP call to publish API is being blocked as not white listed one.

API call response Status Code and Content:

404 - NotFound
"The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."

Problem Thread on our.umbraco.com

Fix attempts

Adding domainName to the list of allowed entries

<!-- domain Name for Scheduled Publishing -->
<add allowed="true" domainName="sample-site-umbraco.azurewebsites.net"/>

This solution doesn't work. Calls are still being blocked.

Question

How this can be fixed? Is there any functionality that can be override?

回答1:

Ok, I've found the solution. I think it will work.

I've found this question on stackoverflow and it worked :)

Solution

Solution is to add ALL outbound IP addresses into System.WebServer > Security > ipSecurity > [List].

Outbound Ip Addresses are comma separated list of ips. You need to add all of them to the WhiteList in web.config.

Drawback

I'm not sure if the list of Outbound Ips is static and will not change in the future...

来源：https://stackoverflow.com/questions/44100886/azure-is-blocking-request-that-come-from-the-same-server