All inbound request port to Azure Linux Webapp is 80, not 443 in logs( in application insights & AppServiceHTTPLogs Table)

Question

All inbound request port to Azure Linux Webapp is 80, not 443 in logs( in application insights & AppServiceHTTPLogs Table)

Gallatin 21V 206

We made request test to azure linux webapp, find all port is 80, no matter I request http or https.

I configed the Diagnostic logs and application insights, the recored was same as below:

(Made same test in windows webapp, there is no this issue. Please help confirm whether this is a bug or bydisgn?)

Diagnostic logs AppServiceHTTPLogs：

Bhargavi Naragani 3,820 Reputation points Microsoft External Staff Moderator

2025-04-24T06:28:09.9233333+00:00

Hi @Gallatin 21V ,
It seems that your observation of all inbound requests to your Azure Linux Web App being logged on port 80, regardless of whether the requests were made via HTTP or HTTPS, could be due to how Azure handles incoming traffic. In Azure App Service, HTTP traffic is typically served on port 80, while HTTPS traffic is served on port 443. However, when HTTPS requests are made, they are often redirected to HTTP for logging purposes, which might explain why you see only port 80 in your logs.

This behavior could be by design, particularly if there are specific configurations or settings applied to your Linux Web App that differ from those of the Windows Web App. It is advisable to review the configuration settings of your Linux Web App to ensure that HTTPS is properly set up and that any necessary SSL certificates are correctly configured.

App Service networking features
App Service Environment networking

Hope this information is helpful, let me know if you have any further queries.
Gallatin 21V 206 Reputation points

2025-04-24T07:26:00.68+00:00

Hi @Bhargavi Naragani , thanks for your quick reply . But it might cloud not explian that when I request windows webapp, it can be record corrcetly. I request https , ports in logs is 443, requset http, ports in logs is 80. Is there any difference when log request for windows webapp and linux webapp?
Bhargavi Naragani 3,820 Reputation points Microsoft External Staff Moderator

2025-04-24T07:51:08.8+00:00

Hi @Gallatin 21V

All-incoming requests to your Azure Linux Web App are being logged with port 80, regardless of whether the requests were made using HTTP or HTTPS. This was confirmed through Application Insights logs and AppServiceHTTPLogs (Diagnostic Logs)

The same tests on an Azure Windows Web App do show correct ports, port 443 for HTTPS and port 80 for HTTP. So, this is a real and known behavior difference between Azure Linux and Windows Web Apps. It is not a bug, but rather by design due to how request routing and logging are handled in the underlying infrastructure of Azure App Service for Linux.

When you make an HTTPS request to an Azure App Service, Azure terminates TLS at the front-end load balancer. This means the load balancer decrypts the HTTPS request then forwards the request to the app over HTTP internally (i.e., on port 80). As a result, the app and logging layers (e.g., AppServiceHTTPLogs, Application Insights) only see port 80, not the original 443.

This behavior is specific to Azure App Service on Linux. In contrast, Windows App Services handle the logging stack differently, and the original client port (443) is preserved and visible in logs like AppServiceHTTPLogs.
Gallatin 21V 206 Reputation points

2025-04-25T00:56:02.6366667+00:00

Hi @Bhargavi Naragani , Thanks for your clarify，and if we want to know whitch port the client request(http or https) , is there any way? because all resquest loged as 80(http).
Bhargavi Naragani 3,820 Reputation points Microsoft External Staff Moderator

2025-04-25T01:27:38.74+00:00
Hi @Gallatin 21V ,

To determine whether a client request to your Azure App Service was made over HTTP or HTTPS, you can inspect the X-Forwarded-Proto header. This header is added by Azure's load balancer when it terminates SSL and forwards the request to your app over HTTP. The presence and value of this header indicate the original protocol used by the client:

X-Forwarded-Proto: https — The client made an HTTPS request.

X-Forwarded-Proto: http — The client made an HTTP request.

https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#test-https

Additionally, for language-specific configurations, such as Python on Linux, Microsoft provides examples on how to detect HTTPS sessions by inspecting the X-Forwarded-Proto header
https://learn.microsoft.com/en-us/azure/app-service/configure-language-python#detect-https-session

By checking the X-Forwarded-Proto header in your application code or logs, you can accurately determine the protocol used by the client, even though the internal forwarding to your app occurs over HTTP.

Hope this information is helpful, let me know if you have any further queries.
Gallatin 21V 206 Reputation points

2025-04-25T03:13:07.61+00:00

Hi @Bhargavi Naragani, due to this way need to change code. customer don't want have coding injection, and just want to know the requests port or protocol，is there any way? such as do some logs setting in portal.Because it seems couldnt get it from applicaiton insights and diagnostic logs.
Bhargavi Naragani 3,820 Reputation points Microsoft External Staff Moderator

2025-04-25T04:37:26.3433333+00:00
Hi @Gallatin 21V ,

Application Insights and standard Diagnostic Logs don’t directly show the request port or protocol; there are a couple of Azure-native options that might help:

Enable Access Logs via Azure App Service Logging, Web Server Logs (under App Service => Your App => Diagnostics Settings) can log raw HTTP request data at the IIS level, which includes protocol details and other connection information. This won't give you the exact port (since most Azure Apps run behind a load balancer), but it will capture the protocol (HTTP vs. HTTPS) and headers, which might be all that's needed.

How to enable:

Go to your App Service in Azure Portal.

Navigate to Monitoring => App Service logs.

Turn on Web server logging and specify a retention period.

You can also stream logs live or download from the storage location.

Note: The actual port is typically abstracted by Azure's front-end load balancers. App Services generally use port 80 (HTTP) and port 443 (HTTPS) for inbound traffic, and this can't be customized.

You can also integrate Azure Front Door or Application Gateway in front of your App Service. These services give deeper traffic insights, including protocol and TLS versions, and can log headers, client IPs, etc., without modifying your app.

Azure Front Door – good for global apps with WAF and edge acceleration

Application Gateway – good for advanced HTTP routing and SSL insights

Kindly refer to the below documentations for better understanding:
Enable App Service Logging (Azure Docs)
Azure Application Gateway Diagnostics
Azure Front Door Access Logging
Gallatin 21V 206 Reputation points

2025-04-27T09:32:06.7366667+00:00

Hi @Bhargavi Naragani, due to this way need to change code. customer don't want have coding injection, and just want to know the requests port or protocol，is there any way? such as do some logs setting in portal.Because it seems couldnt get it from applicaiton insights and diagnostic logs.

1 answer

Your answer

Bhargavi Naragani 3,820 Reputation points Microsoft External Staff Moderator

2025-04-24T06:28:09.9233333+00:00

Hi @Gallatin 21V ,
It seems that your observation of all inbound requests to your Azure Linux Web App being logged on port 80, regardless of whether the requests were made via HTTP or HTTPS, could be due to how Azure handles incoming traffic. In Azure App Service, HTTP traffic is typically served on port 80, while HTTPS traffic is served on port 443. However, when HTTPS requests are made, they are often redirected to HTTP for logging purposes, which might explain why you see only port 80 in your logs.

This behavior could be by design, particularly if there are specific configurations or settings applied to your Linux Web App that differ from those of the Windows Web App. It is advisable to review the configuration settings of your Linux Web App to ensure that HTTPS is properly set up and that any necessary SSL certificates are correctly configured.

App Service networking features
App Service Environment networking

Hope this information is helpful, let me know if you have any further queries.
Gallatin 21V 206 Reputation points

2025-04-24T07:26:00.68+00:00

Hi @Bhargavi Naragani , thanks for your quick reply . But it might cloud not explian that when I request windows webapp, it can be record corrcetly. I request https , ports in logs is 443, requset http, ports in logs is 80. Is there any difference when log request for windows webapp and linux webapp?
Bhargavi Naragani 3,820 Reputation points Microsoft External Staff Moderator

2025-04-24T07:51:08.8+00:00

Hi @Gallatin 21V

All-incoming requests to your Azure Linux Web App are being logged with port 80, regardless of whether the requests were made using HTTP or HTTPS. This was confirmed through Application Insights logs and AppServiceHTTPLogs (Diagnostic Logs)

The same tests on an Azure Windows Web App do show correct ports, port 443 for HTTPS and port 80 for HTTP. So, this is a real and known behavior difference between Azure Linux and Windows Web Apps. It is not a bug, but rather by design due to how request routing and logging are handled in the underlying infrastructure of Azure App Service for Linux.

When you make an HTTPS request to an Azure App Service, Azure terminates TLS at the front-end load balancer. This means the load balancer decrypts the HTTPS request then forwards the request to the app over HTTP internally (i.e., on port 80). As a result, the app and logging layers (e.g., AppServiceHTTPLogs, Application Insights) only see port 80, not the original 443.

This behavior is specific to Azure App Service on Linux. In contrast, Windows App Services handle the logging stack differently, and the original client port (443) is preserved and visible in logs like AppServiceHTTPLogs.
Gallatin 21V 206 Reputation points

2025-04-25T00:56:02.6366667+00:00

Hi @Bhargavi Naragani , Thanks for your clarify，and if we want to know whitch port the client request(http or https) , is there any way? because all resquest loged as 80(http).
Bhargavi Naragani 3,820 Reputation points Microsoft External Staff Moderator

2025-04-25T01:27:38.74+00:00

Hi @Gallatin 21V ,

To determine whether a client request to your Azure App Service was made over HTTP or HTTPS, you can inspect the X-Forwarded-Proto header. This header is added by Azure's load balancer when it terminates SSL and forwards the request to your app over HTTP. The presence and value of this header indicate the original protocol used by the client:

X-Forwarded-Proto: https — The client made an HTTPS request.

X-Forwarded-Proto: http — The client made an HTTP request.

https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#test-https

Additionally, for language-specific configurations, such as Python on Linux, Microsoft provides examples on how to detect HTTPS sessions by inspecting the X-Forwarded-Proto header
https://learn.microsoft.com/en-us/azure/app-service/configure-language-python#detect-https-session

By checking the X-Forwarded-Proto header in your application code or logs, you can accurately determine the protocol used by the client, even though the internal forwarding to your app occurs over HTTP.

Hope this information is helpful, let me know if you have any further queries.
Gallatin 21V 206 Reputation points

2025-04-25T03:13:07.61+00:00

Hi @Bhargavi Naragani, due to this way need to change code. customer don't want have coding injection, and just want to know the requests port or protocol，is there any way? such as do some logs setting in portal.Because it seems couldnt get it from applicaiton insights and diagnostic logs.
Bhargavi Naragani 3,820 Reputation points Microsoft External Staff Moderator

2025-04-25T04:37:26.3433333+00:00

Hi @Gallatin 21V ,

Application Insights and standard Diagnostic Logs don’t directly show the request port or protocol; there are a couple of Azure-native options that might help:

Enable Access Logs via Azure App Service Logging, Web Server Logs (under App Service => Your App => Diagnostics Settings) can log raw HTTP request data at the IIS level, which includes protocol details and other connection information. This won't give you the exact port (since most Azure Apps run behind a load balancer), but it will capture the protocol (HTTP vs. HTTPS) and headers, which might be all that's needed.

How to enable:

Go to your App Service in Azure Portal.

Navigate to Monitoring => App Service logs.

Turn on Web server logging and specify a retention period.

You can also stream logs live or download from the storage location.

Note: The actual port is typically abstracted by Azure's front-end load balancers. App Services generally use port 80 (HTTP) and port 443 (HTTPS) for inbound traffic, and this can't be customized.

You can also integrate Azure Front Door or Application Gateway in front of your App Service. These services give deeper traffic insights, including protocol and TLS versions, and can log headers, client IPs, etc., without modifying your app.

Azure Front Door – good for global apps with WAF and edge acceleration

Application Gateway – good for advanced HTTP routing and SSL insights

Kindly refer to the below documentations for better understanding:
Enable App Service Logging (Azure Docs)
Azure Application Gateway Diagnostics
Azure Front Door Access Logging
Gallatin 21V 206 Reputation points

2025-04-27T09:32:06.7366667+00:00

Hi @Bhargavi Naragani, due to this way need to change code. customer don't want have coding injection, and just want to know the requests port or protocol，is there any way? such as do some logs setting in portal.Because it seems couldnt get it from applicaiton insights and diagnostic logs.

Answer 1

Hi @Gallatin 21V,

Since your customer prefers not to modify application code ("no code injection") and is looking for a solution based purely on Azure platform logs (such as Application Insights or Diagnostic Logs). Currently, Azure does not automatically log X-Forwarded-Proto or the original client port into Application Insights or AppServiceHTTPLogs by default, this means without code changes, you cannot get the original protocol (HTTP/HTTPS) purely from Azure’s standard logs at the App Service level.

If no code changes are allowed but you still need to log the original protocol, as I mentioned in previous response consider using Azure Front Door or Azure Application Gateway, these services sit in front of your App Service, handle TLS termination, and can log client protocol/port into their respective diagnostic logs.

Azure Front Door logs can show the original client protocol (HTTPS/HTTP) in diagnostic logs. Configure Azure Front Door logs
Application Gateway WAF logs also capture incoming request protocols. Azure Application Gateway diagnostics and access logs

Share via

All inbound request port to Azure Linux Webapp is 80, not 443 in logs( in application insights & AppServiceHTTPLogs Table)

1 answer

Your answer