2
votes

An Azure Website I am working on inspects custom headers of incoming requests to decide what to do with the request internally. The request is being sent/received by the website server with the custom headers:

X-HEADER-1: ...
X-HEADER-2: ...

among other standard and non-standard headers.

I verified this by inspecting the FREB logs and looking at GENERAL_REQUEST_HEADERS, which correctly includes my custom headers.

When the application receives the request, those custom headers are not there. I explicitly check for one of them then throw and dump all available headers in the error message.

I have read around that the Application Request Routing module can drop these headers. I tried adding this to the website's web.config but it still doesn't work:

<system.webServer>
    <rewrite>
        <allowedServerVariables>
            <add name="HTTP_X_HEADER_1" />
            <add name="HTTP_X_HEADER_2" />
        </allowedServerVariables>
    </rewrite>
</system.webServer>

Any idea how I can whitelist my headers to let ARR/Azure let them through?


Update 1

Here is some more info.

  1. This works locally on my dev box. I set up the site in IIS and point it to the project folder and headers are coming in and processed as expected.
  2. It is an ASP.NET MVC website.
  3. Here is the part of the code that reads the header. Again, this works locally.

    using System.Net.Http;
    using System.Text;
    using System.Web.Mvc;
    using System.Web.Routing;

    public class BaseController : Controller
    {
        // Constructor name must match the class name; parameters elided in the original post
        public BaseController(...) { }

        protected override void Initialize(RequestContext requestContext)
        {
            // Fail early when the expected custom header did not reach the application
            var header1Value = requestContext.HttpContext.Request.Headers["X-HEADER-1"];
            if (string.IsNullOrEmpty(header1Value))
            {
                var stringBuilder = new StringBuilder();
                // append all headers to stringBuilder
                var errorMessage = string.Format("SiteId header is not set. Headers: {0}", stringBuilder);
                throw new HttpRequestException(errorMessage);
            }

            base.Initialize(requestContext);
        }

        ...
    }


Update 2

I just deployed the same app as an Azure Cloud Service and it worked well. The headers were received and the app read them successfully. Something with web apps is not letting those headers through.

2
You shouldn't need anything special to let Azure flow all the headers (standard or not) to your application. Can you describe more what you're seeing? What application framework are you using? ASP.NET, node, PHP, etc. It would be useful to see the part of the code where you're trying to access these headers. - ahmelsayed

Huh, that's pretty odd. I just created a vanilla MVC app from VS here and put your code snippet in there and it works as you would expect it. Running curl -I https://<mySiteName>.azurewebsites.net returns a 500 and running curl -I -H "X-HEADER-1: random-value" https://<mySiteName>.azurewebsites.net returns 200. You do see your headers in the FREB log, right? - ahmelsayed

Be sure that you are not removing server headers from your site with request filters in your web.config. - cory-fowler

Thanks @cory-fowler. I have not removed any headers in web.config. As I mentioned in my update, this is now working well as a Cloud Service instead of an Azure Website. I will still need to move it back to being a website as that is much more economical. - Tarek Ayna

@ahmelsayed. I found a way to get around this but it is not documented anywhere. I noticed that when the application logs the headers, it includes a header X-LiveUpgrade set to 1. I explicitly set this in the request and set it to 0. Now all my headers pass through to the application. Would be good to get some documentation about this. - Tarek Ayna
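
The comparison the question describes (headers in the FREB GENERAL_REQUEST_HEADERS entry versus headers the application dumps) can be scripted. This is an added example, not code from the post; both header blocks are constructed samples, and the one-header-per-line "Name: value" input format is an assumption.

```python
# Added example: diff the headers logged at the front end against the headers
# the application saw, to find which ones were dropped or injected in between.
SENSITIVE = {"authorization", "proxy-authorization", "cookie", "x-api-key"}

# Constructed sample: headers as copied from a front-end log entry
FRONT_END_SAMPLE = """\
Host: example.azurewebsites.net
Accept: */*
Cookie: session=abc123
X-HEADER-1: site-42
X-HEADER-2: blue
"""

# Constructed sample: headers as dumped by the application
APP_SAMPLE = """\
Host: example.azurewebsites.net
Accept: */*
Cookie: session=abc123
X-LiveUpgrade: 1
"""

def parse_headers(raw):
    """Parse 'Name: value' lines into {lowercased name: (original name, [values])}."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue  # skip blank or malformed lines
        key = name.strip().lower()  # header names are case-insensitive
        headers.setdefault(key, (name.strip(), []))[1].append(value.strip())
    return headers

def redact(key, values):
    """Keep credentials out of the report; only their presence matters here."""
    return ["<redacted>"] * len(values) if key in SENSITIVE else values

def diff_headers(front_raw, app_raw):
    front, app = parse_headers(front_raw), parse_headers(app_raw)
    report = {"dropped": {}, "added": {}, "changed": {}}
    for key, (name, values) in front.items():
        if key not in app:
            report["dropped"][name] = redact(key, values)
        elif app[key][1] != values:
            report["changed"][name] = (redact(key, values), redact(key, app[key][1]))
    for key, (name, values) in app.items():
        if key not in front:
            report["added"][name] = redact(key, values)
    return report

if __name__ == "__main__":
    for kind, items in diff_headers(FRONT_END_SAMPLE, APP_SAMPLE).items():
        print(kind, items)
```
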

2 Answers

1
votes

The answer that worked for me was in the comments. Credit goes to @Tarek Ayna.

The custom headers are transmitted when you set X-LiveUpgrade to 0. For example:

<httpProtocol>
  <customHeaders>
    <add name="X-LiveUpgrade" value="0" />
    <!-- Prevent iframes -->
    <add name="X-Frame-Options" value="SAMEORIGIN" />
    <add name="X-XSS-Protection" value="1" />
  </customHeaders>
</httpProtocol>

-3
votes

One possibility is to disable ARR if your services are stateless... to do that:

(Inside web.config)

<system.webServer>
   <httpProtocol>       
      <customHeaders>         
         <add name="Arr-Disable-Session-Affinity" value="True" />
      </customHeaders>     
   </httpProtocol>
</system.webServer>