Building application firewall for SharePoint site will never been so easy. With Azure App Service we can quickly create public facing application firewall using IIS Application Request Routing and protect SharePoint web site in internal network. In this scenario, you will :
- Create Azure App Service to serve as Reverse Proxy
- Register custom domain in Azure App Service
- Forward request from public URL to SharePoint internal URL
- Create blank Web Site in Azure. You will need at least D1 plan in order to be able to add custom domain.
- After web site is created, access Kudu Dashboard Home which automatically available along with your website. The Kudu Dashboard Home url follows your azure websites. For example: if your azureweb is in https://myazure.azurewebsites.net , then the dashboard is available in https://myazure.scm.azurewebsies.net Look that you only need to add SCM in the url.
- In the dashboard you can expand debug console and select CMD
- Click “Site”. In order to create a file using console, you can just echo empty string to a filename. For example, we are creating applicationHost.xdt by typing echo “” > applicationHost.xdt.
- Click edit icon of applicationHost.xdt , and change the content with following
- Finally in wwwroot , you can start to modify web.config to apply the reverse proxy rule , and add httpmodule code in wwwroot\App_Code to sanitize the response header. Please read previous series “OWASP Top Ten to Secure SharePoint Public Site” for the complete configuration and sample code.