        /// <summary>
        /// Records, as an Orange configuration step, that the minimum TLS version for
        /// incoming traffic cannot be enforced from application code when hosted on a
        /// standard Azure App Service; it is a property of the hosting environment.
        /// </summary>
        private void DisableWeakTLSForIncoming()
        {
            // Enforcing TLS 1.2+ for *incoming* traffic is a hosting concern; on a standard
            // Azure App Service there is nothing this code can do about it by itself:
            // https://feedback.azure.com/forums/169385-web-apps/suggestions/11533680-disable-tls-1-0-in-azure-website-to-pass-pci-compl
            // The options are a premium tier:
            // https://blogs.msdn.microsoft.com/benjaminperkins/2017/04/11/how-to-disable-tls-1-0-on-an-azure-app-service-web-app/
            // or fronting the app with an Application Gateway:
            // https://www.leowkahman.com/2017/07/04/how-to-disable-tls-1-0-on-an-azure-app-service/
            // See also https://forums.asp.net/t/2069611.aspx?I+need+to+disable+TLS+1+0+via+code+Is+it+possible+
            // where Microsoft's response was:
            // "we can't disable TLS 1.0 in azure web app at currently,
            // please submit a feedback in azure feedback
            // forum: http://feedback.azure.com/forums/34192--general-feedback,
            // if disable TLS 1.0 is your requirement, please try to use
            // azure cloud service web role to host your application."
            //
            // So all that is done here is to surface the limitation in the configuration
            // report, so that whoever reviews it checks the host's TLS setting.
            const string stepTitle = "TLS";
            const string stepDescription =
                "Limiting to > TLS 1.0 for incoming is dependent on host environment. Azure's mininum is 1.1. Default for new App Services is 1.2.";

            _configurationStepService.Register(
                ConfigurationStepType.Security,
                ConfigurationStepStatus.Orange,
                stepTitle,
                stepDescription);
        }
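        /// <summary>
        /// Installs the global WebAPI action filters and records each one as a configuration step.
        /// <para>
        /// Unlike MVC, WebAPI offers no way to specify filter order; inspecting the framework's
        /// code it *appears* to run them in the order they are added, so the order below is
        /// deliberate and the DbContext commit filter must remain last.
        /// </para>
        /// </summary>
        /// <param name="filters">The global WebAPI filter collection the filters are added to.</param>
        void RegisterActionFilters(HttpFilterCollection filters)
        {
            using (var elapsedTime = new ElapsedTime())
            {
                // 1. Session operation logging: records every operation (including View).
                filters.Add(
                    new SessionOperationWebApiActionFilterAttribute(
                        this._principalService,
                        this._sessionManagmentService,
                        this._sessionOperationLogService,
                        this._diagnosticsTracingService));
                this._configurationStepService.Register(
                    ConfigurationStepType.Security,
                    ConfigurationStepStatus.White,
                    "SessionOperation (WebAPI)",
                    "WebAPI Filter installed to record all operations (includig View).");

                // 2. HTTPS enforcement: this custom filter intercepts WebAPI requests and
                //    returns an error rather than redirecting, so the recorded description
                //    must say "reject", not "redirect".
                filters.Add(new RequireHttpsWebApiFilterAttribute());
                this._configurationStepService.Register(
                    ConfigurationStepType.Security,
                    ConfigurationStepStatus.White,
                    "HTTPS Required (WebAPI)",
                    "WebAPI Filter installed to reject HTTP requests with an error (no redirection).");

                // 3. Authorization enforced by default for every WebAPI action.
                filters.Add(new WebApiAppAuthorizeAttribute());
                this._configurationStepService.Register(
                    ConfigurationStepType.Security,
                    ConfigurationStepStatus.White,
                    "WebAPI Filter: Authorization",
                    "WebAPI Filter installed to ensure Authorization is enforced by default.");

                // 4. LAST: commits pending DbContext changes once the action has run.
                filters.Add(
                    new DbContextCommitWebApiActionFilterAttribute(
                        this._diagnosticsTracingService,
                        this._sessionOperationLogService,
                        this._contextService));
                this._configurationStepService.Register(
                    ConfigurationStepType.General,
                    ConfigurationStepStatus.White,
                    "DbContext Commit at end of commands.",
                    $"WebApi Filter installed to automatically commit all pending changes. Took {elapsedTime.ElapsedText}");
            }
        }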
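        /// <summary>
        /// Configures OIDC-based authentication on the application builder, selecting the
        /// cookie and/or bearer-token middleware according to the
        /// <see cref="AuthorisationConfiguration.AuthorisationType"/> read from the key vault.
        /// <para>
        /// Invoked from <see cref="StartupExtended.Configure"/>
        /// </para>
        /// </summary>
        /// <param name="appBuilder">The application builder.</param>
        /// <exception cref="InvalidOperationException">
        /// Thrown when the configured authorisation type is not one this method knows how to
        /// wire up, so that the application never starts with no authentication middleware.
        /// </exception>
        public void Configure(IAppBuilder appBuilder)
        {
            using (var elapsedTime = new ElapsedTime())
            {
                // Scopes are only consumed by the cookie-based B2C configurations below.
                var scopes = ScanForAllModulesRequiredScopeDefinitions();

                var authorisationConfiguration = this._keyVaultService.GetObject<AuthorisationConfiguration>();
                var authorisationType = authorisationConfiguration.AuthorisationType;

                switch (authorisationType)
                {
                case AuthorisationType.AadUsingOidcAndCookies:
                    AppDependencyLocator.Current.GetInstance<AadV2ForOidcCookiesConfiguration>()
                    .Configure(appBuilder);
                    break;

                case AuthorisationType.B2CUsingOidcAndCookies:
                    AppDependencyLocator.Current.GetInstance<B2CAuthCookieBasedAuthenticationConfig>()
                    .Configure(appBuilder, scopes);
                    break;

                case AuthorisationType.B2CUsingOidcAndBearerTokens:
                    AppDependencyLocator.Current.GetInstance<AuthBearerTokenAuthenticationConfiguration>()
                    .Configure(appBuilder);
                    break;

                case AuthorisationType.B2CUsingOidcAndCookiesAndBearerTokens:
                    // Bearer-token middleware is registered before the cookie middleware.
                    AppDependencyLocator.Current.GetInstance<AuthBearerTokenAuthenticationConfiguration>()
                    .Configure(appBuilder);
                    AppDependencyLocator.Current.GetInstance<B2CAuthCookieBasedAuthenticationConfig>()
                    .Configure(appBuilder, scopes);
                    break;

                default:
                    // Fail closed: an unrecognised value must not silently leave the pipeline
                    // with no authentication configured at all.
                    throw new InvalidOperationException(
                        $"Unsupported {nameof(AuthorisationType)} '{authorisationType}': no authentication middleware was configured.");
                }

                // This step has been observed to take ~11 seconds at startup, so it is graded:
                // Green under 5 s, Orange up to 10 s, Red beyond.
                var elapsedMilliseconds = elapsedTime.Elapsed.TotalMilliseconds;
                var color = elapsedMilliseconds > 10000 ? ConfigurationStepStatus.Red
                          : elapsedMilliseconds > 5000 ? ConfigurationStepStatus.Orange
                          : ConfigurationStepStatus.Green;

                _configurationStepService.Register(
                    ConfigurationStepType.Performance,
                    color,
                    "Telemetry",
                    $"OIDC configuration. Took {elapsedTime.ElapsedText}.");
            }
        }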
        /// <summary>
        /// Hardens MVC responses by switching off the <c>X-AspNetMvc-Version</c> header,
        /// which would otherwise disclose the framework version to every client, and
        /// records the step.
        /// <para>
        /// Invoked from <see cref="StartupExtended.Configure"/>
        /// </para>
        /// </summary>
        /// <param name="appBuilder">The application builder (not used by this step).</param>
        public void Configure(IAppBuilder appBuilder)
        {
            using (var timer = new ElapsedTime())
            {
                // Stop MVC advertising its version in every response.
                MvcHandler.DisableMvcResponseHeader = true;

                var description = $"X-AspNetMvc-Version removed. Took {timer.ElapsedText}";
                _configurationStepService.Register(
                    ConfigurationStepType.Security,
                    ConfigurationStepStatus.White,
                    "Verbose Headers",
                    description);
            }
        }
        /// <summary>
        /// Configures Application Insights telemetry from the settings held in the key vault:
        /// telemetry is disabled when the settings say so; otherwise the instrumentation key is
        /// applied and an Application Insights trace listener is attached.
        /// <para>
        /// Invoked from <see cref="StartupConfigure.Configure"/>
        /// </para>
        /// <para>
        /// Must be invoked before ServiceLocatorConfig is invoked.
        /// </para>
        /// </summary>
        /// <param name="appBuilder">The application builder (not used by this step).</param>
        /// <exception cref="ConfigurationErrorsException">
        /// Telemetry is enabled but no instrumentation key is present in the settings.
        /// </exception>
        public void Configure(IAppBuilder appBuilder)
        {
            using (var timer = new ElapsedTime())
            {
                // First integration call of the startup sequence: fetch settings from the key vault.
                var settings = this._keyVaultService
                                   .GetObject<ApplicationInsightsConfigurationSettings>();

                // The SDK exposes an "off" switch rather than an "on" one, hence the negation.
                TelemetryConfiguration.Active.DisableTelemetry = !settings.Enabled;

                if (!TelemetryConfiguration.Active.DisableTelemetry)
                {
                    // Only the setting *name* goes into the error text, never the key value.
                    if (string.IsNullOrWhiteSpace(settings.Key))
                    {
                        throw new ConfigurationErrorsException(
                                  $"Missing app setting '{App.Core.Shared.Constants.ConfigurationKeys.AppCoreIntegrationAzureApplicationInsightsInstrumentationKey}' used for Application Insights.");
                    }

                    TelemetryConfiguration.Active.InstrumentationKey = settings.Key;
                    Trace.Listeners.Add(new ApplicationInsightsTraceListener(settings.Key));
                }

                // Grade the step by how long it took: White under 5 s, Orange up to 10 s, Red beyond.
                var elapsedMilliseconds = timer.Elapsed.TotalMilliseconds;
                var color = elapsedMilliseconds > 10000 ? ConfigurationStepStatus.Red
                          : elapsedMilliseconds > 5000 ? ConfigurationStepStatus.Orange
                          : ConfigurationStepStatus.White;

                _configurationStepService.Register(
                    ConfigurationStepType.General,
                    color,
                    "Telemetry",
                    $"Telemetry configured. Took {timer.ElapsedText}.");
            }
        }