AbuseProtection always fails in Replicas and custom domain #598

Open
2 of 3 tasks
JialinXin opened this issue Aug 28, 2023 · 1 comment

JialinXin commented Aug 28, 2023

Describe the bug

In Replicas and custom domain scenarios, the request origin will contain multiple values. The current server-side code that validates the origin has a bug and does not deserialize it correctly, so Abuse Protection will always fail and block further requests.

Impacts

  • Microsoft.Azure.WebJobs.Extensions.WebPubSub (version <= 1.6.0)
  • Microsoft.Azure.WebPubSub.AspNetCore (version <= 1.1.0)
  • Microsoft.Azure.Functions.Worker.Extensions.WebPubSub (version = 1.5.0-beta.1)

Exceptions

Check live trace and find Abuse Protection request returns 400.

Further technical details

Multiple origins in header are not correctly parsed in server SDK where there's a space between multiple values.

See fix: Azure/azure-sdk-for-net#38359

Workaround

Option 1. Disable AbuseProtection.

  • Microsoft.Azure.WebJobs.Extensions.WebPubSub
    Update function.json so that the input/output bindings take their required connection from a custom name, for example `MyConnection`, and leave it empty in the trigger binding.

```json
{
  "disabled": false,
  "bindings": [
    {
      "type": "webPubSubTrigger",
      "direction": "in",
      "name": "data",
      "dataType": "binary",
      "hub": "sample_funcchat",
      "eventName": "message",
      "eventType": "user",
      "connection": "" // make empty
    },
    {
      "type": "webPubSub",
      "name": "actions",
      "hub": "sample_funcchat",
      "connection": "MyConnection", // make custom name
      "direction": "out"
    }
  ]
}
```

And also set the value in configuration, for example: local.settings.json:

```json
{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "<storage-connectionstring>",
    "FUNCTIONS_WORKER_RUNTIME": "node",
    "WebPubSubHub": "<HubName>",
    "MyConnection": "<webpubsub-connectionstring>" // set the connection string with your custom name `MyConnection`
  },
  "Host": {
    "LocalHttpPort": 7071,
    "CORS": "*"
  }
}
```

Option 2. Update to latest SDK.

a. Remove the extensionBundle settings in host.json. For example, make it as simple as below.

```json
{
  "version": "2.0"
}
```

b. Explicitly install the required extensions.

```
> func extensions install --package Microsoft.Azure.WebJobs.Extensions.WebPubSub --version 1.7.0
```

Tasks

@JialinXin
Contributor Author

UPDATE: The issue is mitigated, as the service now returns a single request host as it is.
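
The failure mode from "Further technical details", as an added example that is not code from the SDK or from the linked fix: a comma-separated origin header parsed without and with whitespace trimming, then checked against the trusted host. The header name `WebHook-Request-Origin` comes from the CloudEvents webhook spec rather than from this issue, and the host names, class and method names are constructed for illustration.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// Added illustration, not SDK code. All host names are constructed samples.
public static class AbuseProtectionDemo
{
    // Naive parse: splits on ',' but keeps the space that follows each comma,
    // so every value after the first starts with ' '.
    public static IReadOnlyList<string> ParseNaive(string header) =>
        header.Split(',');

    // Tolerant parse: trims optional whitespace and drops empty items.
    public static IReadOnlyList<string> ParseTolerant(string header) =>
        header.Split(',')
              .Select(v => v.Trim())
              .Where(v => v.Length > 0)
              .ToList();

    // Returns the first requested origin that is a trusted host, or null when
    // none matches (the validation handler would then answer 400).
    public static string? FirstAllowed(IEnumerable<string> requested,
                                       ISet<string> trustedHosts) =>
        requested.FirstOrDefault(o => trustedHosts.Contains(o));

    public static void Main()
    {
        // Host of the service endpoint this upstream is configured for.
        // Host names compare case-insensitively.
        var trusted = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "contoso.webpubsub.azure.com"
        };

        // Constructed WebHook-Request-Origin value as seen with a replica:
        // several hosts separated by ", ".
        const string header =
            "contoso-replica.webpubsub.azure.com, contoso.webpubsub.azure.com";

        string Verdict(IReadOnlyList<string> origins) =>
            FirstAllowed(origins, trusted) ?? "400 (no trusted origin)";

        Console.WriteLine("naive:    " + Verdict(ParseNaive(header)));
        Console.WriteLine("tolerant: " + Verdict(ParseTolerant(header)));
    }
}
```

The tolerant parser still matches only exact trusted hosts, so trimming does not loosen the check; it only stops a valid origin from being rejected because of a leading space.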
