Share via

HTTPS only on Azure App Service Web Apps

  • Article

This article has been moved to its new home here:  https://benperk.github.io/msdn/2014/2014-01-https-only-on-windows-azure-web-sites.html

If you are looking for a resource that describes installing an SSL certificate on a Azure Web App, check here.

Here is more information about this configuration.

There are multiple modes currently supported on the Azure Web App platform:

  • SNI base SSL – This is a new feature in IIS 8+ (SNI) that extends the ability for multiple security certificates to be bound to multiple HOSTNAMEs on a server with a single IP and PORT.  (modern browsers support this SSL mode)
  • IP based SSL – The traditional binding of a certificate to a unique IP and PORT on a server

For some further information on how to implement both, please look here.

In some cases you might want to prevent users from accessing your website using anything other than HTTPS.  To achieve this, add the following code, illustrated in Listing 1, to your web.config file.

Listing 1, Prevent HTTP connectivity to you Azure Web App, allow HTTPS only

 <system.webServer>
 <rewrite>
  <rules>
   <rule name="Redirect to https">
    <match url="(.*)"/>
    <conditions>
     <add input="{HTTPS}" pattern="Off"/>
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"/>
   </rule>
  </rules>
 </rewrite>
</system.webServer>

Once added, deploy the web.config file to your Azure Web App and requests to HTTP are redirected to HTTPS using this URL Rewrite rule.  That is how you would prevent HTTP traffic onto you Azure Web App.

Note: the configuration shown in Listing 1 contains a condition base on the request method.  For example, GET and HEAD.  In this case only requests using those verbs will be redirected to HTTPS, if, for example, POST is used, the rule would not be executed as the conditions would not be meet.

UPDATE 17-JAN-2014

Here is an article concerning the support and installation of intermediate certificates on windows Azure Web Apps.

Comments

  • Anonymous
    January 26, 2014
    Hi,This was what I was looking for, but it seems Visual Studio doesn't accept the <rewrite> node under <system.WebServer>. I'm using ASP.NET with framework 4.5.Kind regards

  • Anonymous
    June 17, 2014
    The comment has been removed

  • Anonymous
    July 20, 2014
    Hi,Thi solution should works for any kind of technology in websites. I tested it with Java Tomcat and it worked.

  • Anonymous
    September 09, 2014
    i just put requireshttps attr on the whole controllerbase...done.  you can also just add a filter.  

  • Anonymous
    September 15, 2014
    Can I use this with PHP App deployed on Azure website?

    • Anonymous
      April 05, 2016
      This is what I needed. Ed is right about wrong quotes, you'll get a 500 error. This can be used with PHP app, as all Azure Web Apps are still running on IIS. Here is my web.config file:

  • Anonymous
    December 28, 2014
    Ahhh. ian obermiller (ianobermiller.com/.../require-https-on-azure) also points out that the rule name can't have spaces.

  • Anonymous
    November 10, 2015
    Worked perfectly with my AngularJS SPA. Thank you.

  • Anonymous
    May 31, 2016
    Worked perfectly! Thanks

  • Anonymous
    August 19, 2016
    Is it possible to add something to the rule so that this rule isn't applied in localhost?

    • Anonymous
      August 19, 2016
      ah, to answer myself, yes:
    • Anonymous
      August 19, 2016
      Code wasnt shown in my last comment:add input="{HTTP_HOST}" matchType="Pattern" pattern="^localhost(:\d+)?$" negate="true"add input="{HTTP_HOST}" matchType="Pattern" pattern="^127.0.0.1(:\d+)?$" negate="true"

  • Anonymous
    April 24, 2017
    Is it possible to add something to the Condition so it would work for POST request

  • Anonymous
    September 07, 2017
    This still works perfectly, thank you!