Azure App Service Site Extension

NOTE

The Next-Gen WAF site extension for Azure App Service does not currently support Azure Functions.

The Azure site extension adds the Next-Gen WAF to any IIS web application hosted on Azure App Service.

The Azure site extension downloads and installs the Next-Gen WAF agent and IIS module. The extension also registers the IIS module to the IIS web server in Azure App Service by generating the XML transformation file, applicationHost.xdt. XML transformations are currently the only way to edit the IIS configuration file, applicationHost.config.

The Next-Gen WAF agent and module for IIS are configured by using environment variables. Environment variables are set in the web app configuration in the Azure Portal.

Module and agent binaries are extracted into a directory in the App Service environment with the name derived from the downloaded zip file. Agent and module binaries may not be deleted if the site is running.

Prerequisites

Copy the agent keys for the site that you want the agent to be able to access. You will use the agent keys when configuring the Next-Gen WAF agent package.

Access Keys configuration

Before adding the Next-Gen WAF site extension, you must first set the Access Key and Secret Key for the Next-Gen WAF agent by setting environment variables in the application settings on https://portal.azure.com/.

  1. Log in to the Azure Portal.

  2. Click App Services.

  3. Select your web app.

  4. Click Configuration.

  5. Click Application settings.

  6. Click New application setting.

  7. In the New Application Setting menu page, add your site's agent keys as two name/value pairs:

    Name: SIGSCI_ACCESSKEYID
    Value: <accesskeyid from the Next-Gen WAF console>

    Name: SIGSCI_SECRETACCESSKEY
    Value: <secretaccesskey from the Next-Gen WAF console>

  8. Click Save.

  9. Click on Overview in the side bar.

  10. Click Stop and then Start to restart the web app.
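The same two settings can be applied from a script. This PowerShell is an added example, not part of the original guide or the vendor's tooling; it assumes the Az.Accounts and Az.Websites modules and uses placeholder resource names. Because `Set-AzWebApp -AppSettings` replaces the app's whole settings collection, it merges the keys into the existing settings, and it reads the keys from a credential prompt so the secret never sits in the script or in shell history.

```powershell
# Added example: set the Next-Gen WAF agent keys with the Az PowerShell module.
# Requires the Az.Accounts and Az.Websites modules.
$ErrorActionPreference = 'Stop'

# Placeholders (assumptions): replace with your own resource group and web app.
$ResourceGroupName = 'MyResourceGroupName'
$WebAppName        = 'MyWebAppName'

Connect-AzAccount | Out-Null

# Prompt for the keys: user name = access key ID, password = secret access key.
$keys = Get-Credential -Message 'User name: access key ID. Password: secret access key.'

# Copy the current app settings into a hashtable so nothing existing is dropped.
$app = Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $WebAppName
$settings = @{}
foreach ($pair in $app.SiteConfig.AppSettings) {
    $settings[$pair.Name] = $pair.Value
}

# Add or overwrite the two agent keys.
$settings['SIGSCI_ACCESSKEYID']     = $keys.UserName
$settings['SIGSCI_SECRETACCESSKEY'] = $keys.GetNetworkCredential().Password

Set-AzWebApp -ResourceGroupName $ResourceGroupName -Name $WebAppName `
    -AppSettings $settings | Out-Null

# Stop and start the web app, as in the last step of the portal procedure.
Stop-AzWebApp  -ResourceGroupName $ResourceGroupName -Name $WebAppName | Out-Null
Start-AzWebApp -ResourceGroupName $ResourceGroupName -Name $WebAppName | Out-Null

# Confirm both settings exist, reporting names only and never the values.
$names = (Get-AzWebApp -ResourceGroupName $ResourceGroupName `
    -Name $WebAppName).SiteConfig.AppSettings.Name
foreach ($required in 'SIGSCI_ACCESSKEYID', 'SIGSCI_SECRETACCESSKEY') {
    if ($names -notcontains $required) {
        throw "$required is missing from the application settings."
    }
    Write-Output "$required is set."
}
```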

Install the WAF site extension

NOTE

The site extension will take a few minutes to download and install. During this time, the web application may be unavailable or display a 502 error until the site extension is installed.

  1. Log in to the Azure Portal.
  2. Click App Services.
  3. Select your web app.
  4. Click Overview in the side bar.
  5. Click Stop to stop the web app.
  6. Click Extensions in the sidebar.
  7. Click Add.
  8. Click Choose Extension.
  9. Select the Signal Sciences WAF.
  10. Click OK.
  11. Click Overview in the side bar.
  12. Click Start to start your web app.

Managing the WAF site extension

Follow these steps when managing the WAF site extension.

Uninstalling the WAF site extension

  1. Log in to the Azure Portal.
  2. Click App Services.
  3. Select your web app.
  4. Click Overview in the side bar.
  5. Click Stop to stop the web app.
  6. Click Extensions in the sidebar.
  7. Select the Signal Sciences WAF.
  8. Click Delete.

Upgrading the Next-Gen WAF agent and module

There are two methods for upgrading the Next-Gen WAF agent and module:

  • reinstalling the extension
  • using the Azure CLI

Reinstalling the WAF site extension

In the Azure Portal, uninstall and reinstall the WAF site extension. When the extension is reinstalled, the latest version of the Next-Gen WAF agent and IIS module will be downloaded and installed.

Using the Azure CLI

Open the Azure CLI and run the install.cmd script in the site extension directory. This method can also be used in a PowerShell script for automating the upgrade of multiple agents.

  1. Log in to the Azure Portal.

  2. Click App Services.

  3. Select your web app.

  4. Click on Console in the sidebar.

  5. In the Windows cmd shell run the install script:

    cd D:\home\SiteExtensions\SignalSciences.Azure.Site.Extension
    install.cmd

Enabling agent auto-update

Create a WebJob and an Azure Automation runbook to look for a new version of the agent and update the agent when a new version is available.

To create the WebJob:

  1. Using a command prompt, create a local bash script (a file with the .sh extension) that contains the following commands. You will upload this script to the Azure Portal.

    cd D:\\home\\SiteExtensions\\SignalSciences.Azure.Site.Extension
    ./install.bash
  2. Navigate to the Azure portal.

  3. Under Settings, click WebJobs.

  4. From the WebJobs page, click Add.

  5. Fill out the fields to create a new WebJob as follows:

    • Name - enter a name for the WebJob.
    • File Upload - click Browse and use the file picker to navigate to the bash script you created on your system.
    • Type - select Triggered.
    • Triggers - enter Manual.
  6. Click Create WebJob.

  7. Run the WebJob to ensure successful execution.

To create an Azure Automation runbook:

  1. Using the Azure portal, navigate to your Azure Automation account or create an account if you don't already have one.

  2. Under Account Settings, click Identity.

  3. Click Azure role assignments.

  4. Click Add role assignment.

  5. Fill out the fields to create a new role assignment as follows:

    • Scope - select Resource group
    • Resource group - select a resource group.
    • Role - select Contributor.
  6. Click Save.

  7. Under Automation, click Runbooks.

  8. Click Create a runbook.

  9. Fill out the fields to create a new runbook as follows:

    • Name - enter a name for the runbook.
    • Runbook type - select PowerShell.
    • Runtime version - select version 5.1.
  10. Click Create.

  11. Copy the code below and paste in the editor pane, being sure to update with your resource group and web app names:

    Connect-AzAccount -Identity
    Start-AzWebAppTriggeredWebJob -ResourceGroupName MyResourceGroupName -AppName MyWebAppName -Name MyWebAppWebJobName
    Restart-AzWebApp -ResourceGroupName MyResourceGroupName -Name MyWebAppName
  12. (Optional) Open the Test pane to run a test.

  13. Click Publish.

  14. Under Shared Resources, click Schedules.

  15. Click Add a schedule.

  16. To link a schedule to your runbook, click Add a schedule.

  17. Fill out the fields to create a schedule as follows:

    • Name - enter a name for the schedule.
    • Field name - set the time you want it to run each month
    • Click Recurring and select Day from the menu.
  18. Click Create.

Troubleshooting

  • All private site extensions can be disabled by setting WEBSITE_PRIVATE_EXTENSIONS to 0 in Application Settings.

    NOTE

    Restart the web app after saving the setting to reflect the changes.

  • Windows event log can be viewed at https://APP.scm.azurewebsites.net/DebugConsole/?shell=powershell, replacing APP with the name of your web app.

    Click on LogFiles and select eventlog.xml.
