Azure App Service Site Extension
Last updated 2024-09-17
IMPORTANT
This guide only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel. If you have access to the Next-Gen WAF product in the Fastly control panel, you can only deploy the Next-Gen WAF with the Edge WAF deployment method.
NOTE
The Next-Gen WAF site extension for Azure App Service does not support Azure Functions.
The Azure site extension adds the Next-Gen WAF to any IIS web application hosted on Azure App Service.
The Azure site extension downloads and installs the Next-Gen WAF agent and IIS module. The extension also registers the IIS module to the IIS web server in Azure App Service by generating the XML transformation file, applicationHost.xdt
. XML transformations are currently the only way to edit the IIS configuration file, applicationHost.config
.
The Next-Gen WAF agent and module for IIS are configured by using environment variables. Environment variables are set in the web app configuration in the Azure Portal.
Module and agent binaries are extracted into a directory in the App Service environment with the name derived from the downloaded zip file. Agent and module binaries may not be deleted if the site is running.
Prerequisites
Copy the agent keys for the site that you want the agent to be able to access. You will use the agent keys when configuring the Next-Gen WAF agent package.Access Keys configuration
Before adding the Next-Gen WAF site extension, you must first set the Access Key and Secret Key for the Next-Gen WAF agent by setting environment variables in the application settings on https://portal.azure.com/.
Log in to the Azure Portal.
Click App Services.
Select your web app.
Search for
environment
in the Search header bar.Click Environment variables, which should be under the Settings header.
Click Add to include a new App setting.
In the New Application Setting menu page, add your site's agent keys as two name/value pairs:
1$ Name: SIGSCI_ACCESSKEYID2$ Value: <accesskeyid from the Next-Gen WAF control panel>34$ Name: SIGSCI_SECRETACCESSKEY5$ Value:<secretaccesskey from the Next-Gen WAF control panel>Optionally, add the following variable to provide a unique agent name if using the same agent keys for multiple web apps.
$ Name: SIGSCI_SERVER_HOSTNAME$ Value: <unique value/name for the agent>Click Save.
Click on Overview in the side bar.
Click Stop and then Start to restart the web app.
Install the WAF site extension
NOTE
The site extension will take a few minutes to download and install. During this time, the web application may be unavailable or display a 502
error until the site extension is installed.
- Log in to the Azure Portal.
- Click App Services.
- Select your web app.
- Search for
extension
in the Search header bar. - Click Extensions, which should be under the Development Tools header.
- Click Add.
- Filter for Signal Sciences WAF within the Add site extension menu and confirm the acknowledgement to add.
Managing the WAF site extension
Follow these steps when managing the WAF site extension.
Upgrading the Next-Gen WAF agent and module
There are two methods for upgrading the Next-Gen WAF agent and module:
- reinstalling the extension
- using the Azure CLI
Reinstalling the WAF site extension
In the Azure Portal, delete and reinstall the WAF site extension. When the extension is reinstalled, the latest version of the Next-Gen WAF agent and IIS module will be downloaded and installed.
Using the Azure CLI
Open the Azure CLI and run the install.cmd
script in the site extension directory. This method can also be used in a PowerShell script for automating the upgrade of multiple agents.
Log in to the Azure Portal.
Click App Services.
Select your web app.
Search for
Console
, in the Search header bar.Click Console, which should be under the Development Tools header.
In the Windows
cmd
shell run the install script:cd D:\home\SiteExtensions\SignalSciences.Azure.Site.Extensioninstall.cmd
Enabling agent auto-update
Create a WebJob and an Azure Automation runbook to look for a new version of the agent and update the agent when a new version is available.
To create the WebJob:
Using command prompt, copy the following commands to locally create a bash script with extension (*.sh) that will be uploaded to the Azure Portal.
cd D:\\home\\SiteExtensions\\SignalSciences.Azure.Site.Extension./install.bashNavigate to the Azure portal.
Under Settings, click WebJobs
From the WebJobs page, click Add.
Fill out the fields to create a new WebJob as follows:
- Name - enter a name for the WebJob.
- File Upload - click Browse to browse to navigate to the bash script you created on your system using the file picker.
- Type - select Triggered.
- Triggers - enter Manual.
Click Create WebJob.
Run the WebJob to ensure successful execution.
To create an Azure Automation runbook:
Using the Azure portal, navigate to your Azure Automation account or create an account if you don't already have one.
Under Account Settings, click Identity.
Click Azure role assignments.
Click Add role assignment.
Fill out the fields to create a new role assignment as follows:
- Scope - select Resource group
- Resource group - select a resource group.
- Role - select Contributor.
Click Save.
Under Process Automation, click Runbooks.
Click Create a runbook.
Fill out the fields to create a new runbook as follows:
- Name - enter a name for the runbook.
- Runbook type - select PowerShell.
- Runtime version - select version 5.1.
Click Create.
Copy the code below and paste in the editor pane, being sure to update with your resource group and web app names:
1Connect-AzAccount -Identity2Start-AzWebAppTriggeredWebJob -ResourceGroupName MyResourceGroupName -AppName MyWebAppName -Name MyWebAppWebJobName3Restart-AzWebApp -ResourceGroupName MyResourceGroupName -Name MyWebAppName(Optional) Open the Test pane to run a test.
Click Publish.
Under Resources, click Schedules.
Click Add a schedule.
To link a schedule to your runbook, click Add a schedule.
Fill out the fields to create a schedule as follows:
- Name - enter a name for the schedule.
- Field name - set the time you want it to run each month
- Click Recurring and select Day from the menu.
Click Create.
Troubleshooting
To enable debug logging for the extension, add the following environment variable, SIGSCI_MODULE_DEBUG to
1
.Windows event log can be viewed gathered in the KuduPlus environment. Search for
Advanced
in the Search header bar—Advanced Tools
should be under Development Tools.Click on Go and select Debug Console from the menu.
Click on LogFiles and select eventlog.xml.
Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.