Azure App Service Site Extension

  Last updated 2023-11-30

NOTE

The Signal Sciences site extension for Azure App Service does not currently support Azure Functions.

The Azure site extension for Signal Sciences adds the Signal Sciences Next-Gen Web Application Firewall (WAF) to any IIS web application hosted on Azure App Service.

The Signal Sciences Azure site extension downloads and installs the Signal Sciences agent and IIS module. The extension also registers the IIS module to the IIS web server in Azure App Service by generating the XML transformation file, applicationHost.xdt. XML transformations are currently the only way to edit the IIS configuration file, applicationHost.config.

The Signal Sciences IIS module and agent are configured by using environment variables. Environment variables are set in the web app configuration in the Azure Portal.

Module and agent binaries are extracted into a directory in the App Service environment with the name derived from the downloaded zip file. Agent and module binaries may not be deleted if the site is running.

Signal Sciences Agent Access Keys configuration

Before adding the Signal Sciences site extension, you must first set the Signal Sciences Agent Access Key and Secret Key by setting environment variables in the application settings on https://portal.azure.com/.

  1. Log in to the Azure Portal.

  2. Click App Services.

  3. Select your web app.

  4. Click Configuration.

  5. Click Application settings.

  6. Click New application setting.

  7. Locate the Agent Keys for your Signal Sciences site:

    1. Log in to the Signal Sciences console.
    2. From the Sites menu, select a site if you have more than one site.

    3. Click Agents in the navigation bar.

      View agent keys' button.

    4. Click View agent keys.

    5. Copy the Agent Access Key and Agent Secret Key.

      The agent keys window.

  8. In the New Application Setting menu page of the Azure Portal, add the following variables as two name/value pairs:

    1$ Name: SIGSCI_ACCESSKEYID
    2$ Value: <accesskeyid from Signal Sciences console>
    3

    4$ Name: SIGSCI_SECRETACCESSKEY
    5$ Value:<secretaccesskey from Signal Sciences console>

  9. Click Save.

  10. Click on Overview in the side bar.

  11. Click Stop and then Start to restart the web app.

Install the Signal Sciences WAF site extension

NOTE

The site extension will take a few minutes to download and install. During this time, the web application may be unavailable or display a 502 error until the site extension is installed.

  1. Log in to the Azure Portal.
  2. Click App Services.
  3. Select your web app.
  4. Click Overview in the side bar.
  5. Click Stop to stop the web app.
  6. Click Extensions in the sidebar.
  7. Click Add.
  8. Click Choose Extension.
  9. Select the Signal Sciences WAF.
  10. Click OK.
  11. Click Overview in the side bar.
  12. Click Start to start your web app.

Managing the Signal Sciences WAF site extension

Follow these steps when managing the Signal Sciences WAF site extension.

Uninstalling the Signal Sciences WAF site extension

  1. Log in to the Azure Portal.
  2. Click App Services.
  3. Select your web app.
  4. Click Overview in the side bar.
  5. Click Stop to stop the web app.
  6. Click Extensions in the sidebar.
  7. Select the Signal Sciences WAF.
  8. Click Delete.

Upgrading the Signal Sciences agent and module

There are two methods for upgrading the Signal Sciences agent and module:

  • reinstalling the extension
  • using the Azure CLI

Reinstalling the extension

In the Azure Portal, uninstall and reinstall the Signal Sciences WAF site extension. When the extension is reinstalled, the latest version of the Signal Sciences agent and IIS module will be downloaded and installed.

Using the Azure CLI

Open the Azure CLI and run the install.cmd script in the site extension directory. This method can also be used in a PowerShell script for automating the upgrade of multiple agents.

  1. Log in to the Azure Portal.

  2. Click App Services.

  3. Select your web app.

  4. Click on Console in the sidebar.

  5. In the Windows cmd shell run the install script:

    cd D:\home\SiteExtensions\SignalSciences.Azure.Site.Extension
    install.cmd

Enabling agent auto-update

Create a WebJob and an Azure Automation runbook to look for a new version of the agent and update the agent when a new version is available.

To create the WebJob:

  1. Using command prompt, copy the following commands to locally create a bash script with extension (*.sh) that will be uploaded to the Azure Portal.

    cd D:\\home\\SiteExtensions\\SignalSciences.Azure.Site.Extension
    ./install.bash

  2. Navigate to the Azure portal.

  3. Under Settings, click WebJobs

  4. From the WebJobs page, click Add.

  5. Fill out the fields to create a new WebJob as follows:

    • Name - enter a name for the WebJob.
    • File Upload - click Browse to browse to navigate to the bash script you created on your system using the file picker.
    • Type - select Triggered.
    • Triggers - enter Manual.

  6. Click Create WebJob.

  7. Run the WebJob to ensure successful execution.

To create an Azure Automation runbook:

  1. Using the Azure portal, navigate to your Azure Automation account or create an account if you don't already have one.

  2. Under Account Settings, click Identity.

  3. Click Azure role assignments.

  4. Click Add role assignment.

  5. Fill out the fields to create a new role assignment as follows:

    • Scope - select Resource group
    • Resource group - select a resource group.
    • Role - select Contributor.

  6. Click Save.

  7. Under Automation, click Runbooks.

  8. Click Create a runbook.

  9. Fill out the fields to create a new runbook as follows:

    • Name - enter a name for the runbook.
    • Runbook type - select PowerShell.
    • Runtime version - select version 5.1.

  10. Click Create.

  11. Copy the code below and paste in the editor pane, being sure to update with your resource group and web app names:

    1Connect-AzAccount -Identity
    2Start-AzWebAppTriggeredWebJob -ResourceGroupName MyResourceGroupName -AppName MyWebAppName -Name MyWebAppWebJobName
    3Restart-AzWebApp -ResourceGroupName MyResourceGroupName -Name MyWebAppName

  12. (Optional) Open the Test pane to run a test.

  13. Click Publish.

  14. Under Shared Resources, click Schedules.

  15. Click Add a schedule.

  16. To link a schedule to your runbook, click Add a schedule.

  17. Fill out the fields to create a schedule as follows:

    • Name - enter a name for the schedule.
    • Field name - set the time you want it to run each month
    • Click Recurring and select Day from the menu.

  18. Click Create.

Troubleshooting

  • All private site extensions can be disabled by setting WEBSITE_PRIVATE_EXTENSIONS to 0 in Application Settings.

    NOTE

    Restart the web app after saving the setting to reflect the changes.

  • Windows event log can be viewed at https://APP.scm.azurewebsites.net/DebugConsole/?shell=powershell, replacing APP with the name of your web app.

    Click on LogFiles and select eventlog.xml.

Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Fastly
© Fastly 2023