FastAPI running on Azure App Service returns 405 Method Not Allowed in response to POST when the App Service is set to HTTPS Only

Question

FastAPI running on Azure App Service returns 405 Method Not Allowed in response to POST when the App Service is set to HTTPS Only

Tom Burgess 31

As above, with the FastAPI app running with HTTPS Only set to false, POST requests succeed using https. As soon as I set HTTPS Only to true, a POST request to the same endpoint returns a 405 Method Not Allowed.

Ajay Kumar N 28,261 Reputation points Microsoft Employee Moderator

2022-02-15T20:24:48.05+00:00

brgsstm, Thanks for the good question. To better assist you on this, are you calling using unsecured HTTP? What endpoint are you using? How exactly are you making the POST requests? (Postman or browser?).

In some cases, it could be due to redirection going on from POST to other method , you may review this.
Also, check the browser network trace to see if it provides any pointes.

-Review the App Service Diagnostics for any additional pointers:
-On the Azure portal for your web app, select **Diagnose and solve problems* from the left menu.
Select Availability and performance. Examine the information in the Application Logs. Please see this doc for info.
Tom Burgess 31 Reputation points

2022-02-16T08:10:00.173+00:00

Hi @Anonymous ,

I'm only ever calling on HTTPS from a number of scenarios, with different results.

1) Curl - request made from zsh on MAC - this succeeds
2) Postman - this results in a 405 Method Not Allowed
3) Azure App Service (different app, same app service plan) - This is the frontend of the application, so calling the API with the app service - this results in a 405 Method Not Allowed

The API only has the 1 endpoint on the path /users and accepts GET and POST.

If I turn HTTPS only off on the app service hosting the API everything succeeds, as soon as I turn it on again I get a 405. Even with HTTPS only off, i'm POSTing via HTTPS.
Ajay Kumar N 28,261 Reputation points Microsoft Employee Moderator

2022-02-17T13:46:40.76+00:00

brgsstm, Thanks for sharing additional details. I'm checking on this internally and will get back to you shortly.
~Any insights that can be shared from the community on dealing with similar setup/experience is still encouraged.
Ajay Kumar N 28,261 Reputation points Microsoft Employee Moderator

2022-02-18T18:12:20.393+00:00

brgsstm, Following-up on this:

HttpsOnly will only impact HTTP request (App Service Load Balancer will redirect HTTP to HTTPs).
If the incoming is already HTTPs – then no-op. You mentioned the call is always HTTPs – so HTTPsOnly should not matter.

Could you provide a UTC time and URL for each of the below? (If you do not wish to provide the WebApp name publicly, I'm also reaching out to you privately).

-405 when HTTPsOnly is enabled.
-200 when HTTPsOnly is disabled.

Answer accepted by question author

0 additional answers

Your answer

Ajay Kumar N 28,261 Reputation points Microsoft Employee Moderator

2022-02-15T20:24:48.05+00:00

brgsstm, Thanks for the good question. To better assist you on this, are you calling using unsecured HTTP? What endpoint are you using? How exactly are you making the POST requests? (Postman or browser?).

In some cases, it could be due to redirection going on from POST to other method , you may review this.
Also, check the browser network trace to see if it provides any pointes.

-Review the App Service Diagnostics for any additional pointers:
-On the Azure portal for your web app, select **Diagnose and solve problems* from the left menu.
Select Availability and performance. Examine the information in the Application Logs. Please see this doc for info.
Tom Burgess 31 Reputation points

2022-02-16T08:10:00.173+00:00

Hi @Anonymous ,

I'm only ever calling on HTTPS from a number of scenarios, with different results.

1) Curl - request made from zsh on MAC - this succeeds
2) Postman - this results in a 405 Method Not Allowed
3) Azure App Service (different app, same app service plan) - This is the frontend of the application, so calling the API with the app service - this results in a 405 Method Not Allowed

The API only has the 1 endpoint on the path /users and accepts GET and POST.

If I turn HTTPS only off on the app service hosting the API everything succeeds, as soon as I turn it on again I get a 405. Even with HTTPS only off, i'm POSTing via HTTPS.
Ajay Kumar N 28,261 Reputation points Microsoft Employee Moderator

2022-02-17T13:46:40.76+00:00

brgsstm, Thanks for sharing additional details. I'm checking on this internally and will get back to you shortly.
~Any insights that can be shared from the community on dealing with similar setup/experience is still encouraged.
Ajay Kumar N 28,261 Reputation points Microsoft Employee Moderator

2022-02-18T18:12:20.393+00:00

brgsstm, Following-up on this:

HttpsOnly will only impact HTTP request (App Service Load Balancer will redirect HTTP to HTTPs).
If the incoming is already HTTPs – then no-op. You mentioned the call is always HTTPs – so HTTPsOnly should not matter.

Could you provide a UTC time and URL for each of the below? (If you do not wish to provide the WebApp name publicly, I'm also reaching out to you privately).

-405 when HTTPsOnly is enabled.
-200 when HTTPsOnly is disabled.

Answer 1

To benefit the community, summarizing the answer here; from comments (above).

HttpsOnly will only impact HTTP request (App Service Load Balancer will redirect HTTP to HTTPs).
If the incoming is already HTTPs – then no-op. You mentioned the call is always HTTPs – so HTTPsOnly should not matter.

From the investigations - it seems to be a combination of POSTMAN and your code issue. When you redirect /users to /users/ - it always redirect to HTTP regardless of incoming http or https. You may try to change the code when redirect /users to /users/ to preserve HTTP/HTTPS incoming scheme (http -> http, https -> https).

@Tom Burgess

(mentioned in the private comment):

"
thanks for the response, it has led me to the answer I required.
I was using the prefix parameter of the APIRouter class as per https://fastapi.tiangolo.com/tutorial/bigger-applications/#apirouter. It appears that this was responsible for the 307 redirect on HTTP.
I'm still using that class but now without the prefix parameter. If I find that I require that in the future I have found this article to assist with that
https://stackoverflow.com/questions/63511413/fastapi-redirection-for-trailing-slash-returns-non-ssl-link
"

Thanks again @Tom Burgess for your patience and cooperation!

Share via

FastAPI running on Azure App Service returns 405 Method Not Allowed in response to POST when the App Service is set to HTTPS Only

0 additional answers

Your answer