
We have a multi-tenant app, with each client's instance hosted on a sub-domain. E.g.:

  • client1.mydomain.com
  • client2.mydomain.com

To support this we have an App-Gateway in Azure with a wildcard listener: *.mydomain.com that directs traffic to the backend pool (IIS on a VM).

I need to restrict access to one client's site to a range of IP Addresses. I'm trying to achieve this by making use of a Web Application Firewall (WAF). I'm having trouble making the Custom Rule match the incoming requests for the specific sub-domain.

The rule is attached to a WAF Policy that is attached to the wildcard Listener in the App Gateway.

It looks like the RequestURI value does not include the host name.

Custom rule definition:

"matchConditions": [
    {
        "matchVariables": [
            {
                "variableName": "RemoteAddr"
            }
        ],
        "operator": "IPMatch",
        "negationConditon": false,
        "matchValues": [
            "xxx.xxx.xxx.xxx"
        ],
        "transforms": [
            "Lowercase"
        ]
    },
    {
        "matchVariables": [
            {
                "variableName": "RequestUri"
            }
        ],
        "operator": "Contains",
        "negationConditon": false,
        "matchValues": [
            "client1.mydomain.com"      <--- this is not capturing any requests
        ],
        "transforms": [
            "Lowercase"
        ]
    }
]

How do I apply an IP restriction to specific subdomains in Azure using an App Gateway?

RikRak

2 Answers


The RequestUri value passed by the gateway only contains the path, or in your case only "/" to indicate the root path of the target backend. You can match on the Host header instead to target the sub-domains.

Condition definition example:

{
    "matchVariables": [
        {
            "variableName": "RequestHeaders",
            "selector": "Host"
        }
    ],
    "operator": "Contains",
    "negationConditon": false,
    "matchValues": [
        "client1.mydomain.com"
    ],
    "transforms": [
        "Lowercase"
    ]
}
jH-
  • This looks promising. Do you know if the Host header is secure? i.e. could it be spoofed easily? – RikRak Jun 01 '22 at 14:45
  • It's fairly easy to spoof, so depending on your use-case it might not be the best fit. You are pairing it with other conditions though, so you need to evaluate what best fits your solution and try to work out any potential risks/gaps. – jH- Jun 02 '22 at 07:40
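To make the answer above concrete, here is an added example (editor's code, not from the original post or from Azure) that models how a WAF custom rule with these match conditions is evaluated. It assumes a simplified request model and a constructed allowed range, and it assumes the intended rule is "block requests for client1's site whose source address is outside the range", which is why the IPMatch condition carries negationConditon true; the page's own RequestUri condition is kept to show that it never matches because the gateway exposes only the path.

```python
import ipaddress

# Constructed rule in the shape of the page's matchConditions (including the
# API's real "negationConditon" spelling). Assumed intent: block requests for
# client1's site whose source address is NOT in the allowed range.
ALLOWED_RANGE = "203.0.113.0/24"  # constructed sample range
RULE = {"action": "Block", "matchConditions": [
    {"matchVariables": [{"variableName": "RequestHeaders", "selector": "Host"}],
     "operator": "Contains", "negationConditon": False,
     "matchValues": ["client1.mydomain.com"], "transforms": ["Lowercase"]},
    {"matchVariables": [{"variableName": "RemoteAddr"}],
     "operator": "IPMatch", "negationConditon": True,
     "matchValues": [ALLOWED_RANGE], "transforms": []},
]}
# The question's RequestUri condition, kept to show why it never matches.
URI_CONDITION = {"matchVariables": [{"variableName": "RequestUri"}],
                 "operator": "Contains", "negationConditon": False,
                 "matchValues": ["client1.mydomain.com"], "transforms": ["Lowercase"]}

def variable_value(req, var):
    """Resolve a match variable from a simplified request dict (assumed model)."""
    name = var["variableName"]
    if name == "RemoteAddr":
        return req["remote_addr"]
    if name == "RequestUri":  # the gateway exposes only the path, e.g. "/"
        return req["path"]
    if name == "RequestHeaders":
        return req["headers"].get(var["selector"], "")
    raise ValueError(f"unsupported variable {name}")

def condition_matches(req, cond):
    """Apply transforms, then the operator; negationConditon inverts the result."""
    matched = False
    for var in cond["matchVariables"]:
        value = variable_value(req, var)
        if "Lowercase" in cond["transforms"]:
            value = value.lower()
        for target in cond["matchValues"]:
            if cond["operator"] == "Contains" and target in value:
                matched = True
            elif cond["operator"] == "IPMatch" and ipaddress.ip_address(
                    value) in ipaddress.ip_network(target, strict=False):
                matched = True
    return matched != cond["negationConditon"]

def rule_action(req, rule=RULE):
    """A custom rule fires only when every one of its conditions matches."""
    if all(condition_matches(req, c) for c in rule["matchConditions"]):
        return rule["action"]
    return "Allow"  # rule not triggered; later custom/managed rules still apply
```

Because the Host header is client-supplied, the IP condition is what actually enforces the restriction; the Host condition only scopes which site the restriction applies to.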

Finding request header names

Fiddler is a useful tool once again to find request header names. In the following screenshot, you can see the headers for this GET request, which include Content-Type, User-Agent, and so on. You can also use request headers to create exclusions and custom rules in WAF.

From the Azure docs, we can use tools like Live HTTP Headers to get the headers.


and then make your custom rule:


Jess Chen