HTTPS only on Azure App Service Web Apps
This article has been moved to its new home here: https://benperk.github.io/msdn/2014/2014-01-https-only-on-windows-azure-web-sites.html
If you are looking for a resource that describes installing an SSL certificate on an Azure Web App, check here.
Here is more information about this configuration.
There are multiple modes currently supported on the Azure Web App platform:
- SNI-based SSL – This is a new feature in IIS 8+ (SNI) that allows multiple security certificates to be bound to multiple HOSTNAMEs on a server with a single IP and PORT. (Modern browsers support this SSL mode.)
- IP-based SSL – The traditional binding of a certificate to a unique IP and PORT on a server
For some further information on how to implement both, please look here.
In some cases you might want to prevent users from accessing your website using anything other than HTTPS. To achieve this, add the following code, illustrated in Listing 1, to your web.config file.
Listing 1, Prevent HTTP connectivity to your Azure Web App, allow HTTPS only
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Redirect to https">
        <!-- Apply to every request path; {R:1} captures it -->
        <match url="(.*)"/>
        <conditions>
          <!-- Only when the request did not arrive over HTTPS -->
          <add input="{HTTPS}" pattern="Off"/>
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"/>
      </rule>
    </rules>
  </rewrite>
</system.webServer>
Once added, deploy the web.config file to your Azure Web App; requests made over HTTP are then redirected to HTTPS by this URL Rewrite rule. That is how you would prevent HTTP traffic onto your Azure Web App.
Note: the configuration shown in Listing 1 contains a condition based on the request method, for example GET and HEAD. In this case only requests using those verbs will be redirected to HTTPS; if, for example, POST is used, the rule would not be executed because the conditions would not be met.
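To make the note's point checkable before deploying, here is an added Python example (not code from the original article, and only a simplified model of URL Rewrite) that evaluates a rule's conditions against sample requests. Listing 1 as reproduced above has only the {HTTPS} condition; the REQUEST_METHOD condition, the host name app.example.test and the function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Listing 1 from the article; the marker is where an extra condition can go.
LISTING_1 = """<system.webServer><rewrite><rules>
  <rule name="Redirect to https">
    <match url="(.*)"/>
    <conditions>
      <add input="{HTTPS}" pattern="Off"/>
      <!--EXTRA-->
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"/>
  </rule>
</rules></rewrite></system.webServer>"""

# Constructed variant: a method condition of the kind the note describes.
METHOD_LIMITED = LISTING_1.replace(
    "<!--EXTRA-->", '<add input="{REQUEST_METHOD}" pattern="^(GET|HEAD)$"/>')


def redirect_target(config_xml, server_vars, path):
    """Return the URL the first matching Redirect rule sends the client to, or None.

    Simplified model: conditions are ANDed (URL Rewrite's default MatchAll),
    patterns are case-insensitive regexes, negate="true" inverts a condition.
    """
    for rule in ET.fromstring(config_xml).iter("rule"):
        match = re.search(rule.find("match").get("url"), path, re.I)
        action = rule.find("action")
        if match is None or action.get("type") != "Redirect":
            continue
        passed = True
        for cond in rule.findall("conditions/add"):
            value = server_vars.get(cond.get("input").strip("{}"), "")
            hit = re.search(cond.get("pattern"), value, re.I) is not None
            if cond.get("negate", "false").lower() == "true":
                hit = not hit
            passed = passed and hit
        if passed:
            url = action.get("url").replace("{R:1}", match.group(1))
            for name, value in server_vars.items():
                url = url.replace("{" + name + "}", value)
            return url
    return None


def request(method, https):  # constructed sample request to a placeholder host
    return {"HTTPS": https, "HTTP_HOST": "app.example.test", "REQUEST_METHOD": method}
```

With the method-limited variant, `redirect_target(METHOD_LIMITED, request("POST", "off"), "login")` returns `None`: a form posted over HTTP is processed in cleartext instead of being redirected.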
UPDATE 17-JAN-2014
Here is an article concerning the support and installation of intermediate certificates on Windows Azure Web Apps.
Comments
Anonymous
January 26, 2014
Hi, This was what I was looking for, but it seems Visual Studio doesn't accept the <rewrite> node under <system.WebServer>. I'm using ASP.NET with framework 4.5. Kind regards
Anonymous
June 17, 2014
The comment has been removed
Anonymous
July 20, 2014
Hi, This solution should work for any kind of technology in websites. I tested it with Java Tomcat and it worked.
Anonymous
September 09, 2014
I just put requireshttps attr on the whole controllerbase...done. You can also just add a filter.
Anonymous
September 15, 2014
Can I use this with PHP App deployed on Azure website?
- Anonymous
April 05, 2016
This is what I needed. Ed is right about wrong quotes, you'll get a 500 error. This can be used with PHP app, as all Azure Web Apps are still running on IIS. Here is my web.config file:
Anonymous
December 28, 2014
Ahhh. Ian Obermiller (ianobermiller.com/.../require-https-on-azure) also points out that the rule name can't have spaces.
Anonymous
November 10, 2015
Worked perfectly with my AngularJS SPA. Thank you.
Anonymous
May 31, 2016
Worked perfectly! Thanks
Anonymous
August 19, 2016
Is it possible to add something to the rule so that this rule isn't applied in localhost?
- Anonymous
August 19, 2016
Ah, to answer myself, yes:
- Anonymous
August 19, 2016
Code wasn't shown in my last comment:
<add input="{HTTP_HOST}" matchType="Pattern" pattern="^localhost(:\d+)?$" negate="true" />
<add input="{HTTP_HOST}" matchType="Pattern" pattern="^127\.0\.0\.1(:\d+)?$" negate="true" />
Anonymous
April 24, 2017
Is it possible to add something to the Condition so it would work for POST request?
Anonymous
September 07, 2017
This still works perfectly, thank you!