Geeks With Blogs
Thorvald Bøe
I was just working on an Azure web site that needs to work on https only. I came across this solution that pointed me in the right direction:

http://blogs.msdn.com/b/benjaminperkins/archive/2014/01/07/https-only-on-windows-azure-web-sites.aspx

However, as pointed out in the comments, there are curly quotes in the code that prevent compilation. Furthermore, the rule name does not allow spaces, which does not prevent compilation, but simply makes it not work. After removing the spaces, it worked perfectly. Here is the working web.config syntax:

  <system.webServer>
    <!--Setup https only-->
    <rewrite>
      <rules>
        <rule name="RedirectToHttps">
          <match url="(.*)"/>
          <conditions>
            <add input="{HTTPS}" pattern="Off"/>
            <add input="{REQUEST_METHOD}" pattern="^get$|^head$|^post$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"/>
        </rule>
      </rules>
    </rewrite>
  </system.webServer>

Just remember this:
  • If you are working on a web API (like I did), it still works (seemingly) using http, because the URL is rewritten behind the scenes. Although this is convenient, it can be dangerous because it makes it harder to detect situations where http is used. Say your client is incorrectly configured with an http URL. This will work fine, and the response will be sent using https, but the initial request, possibly containing sensitive data, is still sent in the clear and open to attackers. So it would probably be better to just return an error to help spot misconfigurations.
  • If you are developing a web site (not an API), this will prevent you from debugging locally, unless you set up https. To mitigate this, you should probably set up web.config transformations to omit the rewrite section when debugging locally.
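
One way to get the "return an error" behaviour from the first point, as an added example that is not part of the original post: API requests over http are rejected with a 403.4 response, while all other requests keep the redirect. The `api/` route prefix and the rule name `RejectHttpApi` are assumptions; adjust them to your own routes.

```xml
<!-- Added example, not from the original post. The "api/" prefix is an assumed route layout. -->
<system.webServer>
  <rewrite>
    <rules>
      <!-- API calls over plain http fail loudly instead of being redirected,
           so a client configured with an http URL is noticed immediately. -->
      <rule name="RejectHttpApi" stopProcessing="true">
        <match url="^api/" />
        <conditions>
          <add input="{HTTPS}" pattern="^off$" />
        </conditions>
        <!-- 403.4 is the IIS status for "SSL required". -->
        <action type="CustomResponse" statusCode="403" subStatusCode="4"
                statusReason="SSL required"
                statusDescription="This API accepts https requests only." />
      </rule>
      <!-- Everything else (browser pages) keeps the redirect from the post. -->
      <rule name="RedirectToHttps" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
          <add input="{HTTPS}" pattern="^off$" />
          <add input="{REQUEST_METHOD}" pattern="^get$|^head$|^post$" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
```

The rejected request has already crossed the network unencrypted by the time the 403 is returned, so any credentials or tokens it carried should be treated as exposed and rotated.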


Posted on Friday, March 27, 2015 10:55 AM | Tags: azure, website, https


Comments on this post: Set up https only in an Azure website

No comments posted yet.


Copyright © Thorvald Bøe | Powered by: GeeksWithBlogs.net