Redirect HTTP to HTTPS when using ASP.NET Core in Web App on Linux - Azure App Service

A couple things to consider when implementing HTTP to HTTPS redirect for an ASP.NET Core application running in Web App on Linux - Azure App Service.

-Since you are using the .NET Core server to process requests, configuring a redirect rule in .htaccess won't work the way it does with sites that are closely coupled with Apache. What you can do instead is implement the redirect in code, using ASP.NET Core Middleware to handle the request and response.

-SSL is offloaded to port 80 from the ARR / front end servers, so using a method such as AddRedirectToHttps() causes the request to end up in an infinite redirect loop since the offloaded requests remain on port 80. The way around this is to check for the presence of an X-ARR-SSL header, which indicates that the originating request on the ARR front end was sent over SSL and if this header is not present, redirect to https://url .

Here is a basic example of how to implement this redirect via middleware:

1. Create a Middleware class that contains the logic to redirect the request:

using Microsoft.AspNetCore.Http;

namespace MyNamespace
{
public class RedirectToHttpsArrMiddleware
{
private readonly RequestDelegate _next;

    public RedirectToHttpsArrMiddleware(RequestDelegate next)
{
_next = next;
}

    public Task Invoke(HttpContext context)
{
//if the request isn't HTTPS
if (!(context.Request.IsHttps || context.Request.Headers.ContainsKey("X-ARR-SSL")))
{

//redirect to https://url
var request = context.Request;
var redirectUrl = $"https://{request.Host}{request.PathBase}{request.Path}{request.QueryString}";
context.Response.Redirect(redirectUrl, true);

}

// Call the next delegate/middleware in the pipeline
return this._next(context);
}
}

2. Create an extension class that will the Middleware via IApplicationBuilder:

using Microsoft.AspNetCore.Builder;

namespace MyNamespace
{
    public static class RedirectToHttpsArrMiddlewareExtensions
    {
        public static IApplicationBuilder UseRedirectToHttpsArr(
    this IApplicationBuilder builder)
        {
            return builder.UseMiddleware<RedirectToHttpsArrMiddleware>();
        }
    }
}

 

3. In the Configure method of the Startup class (in Startup.cs), invoke the Middleware.

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole();

if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}

app.UseRedirectToHttpsArr();

app.Run(async (context) =>
{
await context.Response.WriteAsync(
$"Hello world");
});
}

 

Further information about using ASP.NET Core Middleware is found at the following link:

/en-us/aspnet/core/fundamentals/middleware

Comments

  • Anonymous
    August 15, 2017
    Not quite sure how this works, however couldn't an attacker just inject a X-ARR-SSL header in the unencrypted request and avoid that the attacked user is ever redirected to https?
    • Anonymous
      September 02, 2017
      sorry about the late reply. I tested this with Fiddler Composer and Failed Request Tracing. It looks like the front end servers remove the X-ARR-SSL header if it is sent by a client, presumably to avoid this type of injection attack.