How to Auto-Forward HTTP traffic to HTTPS? Basically Enforce SSL.

    Question

  • I have an ASP.NET application hosted on Azure that needs to have SSL / HTTPS enforced. Basically, when a user goes to "http://app" it needs to automatically forward them to "https://app" so that they always use it under SSL. It seems you can't tell Azure to forward HTTP (port 80) traffic to HTTPS / SSL (port 443). To set it up I needed to create two Input Endpoints for the application (one for HTTP on port 80 and the other for HTTPS / SSL on port 443), then add a custom HttpModule to the application that auto-redirects all non-SSL traffic to be SSL.

    Is there an easier way of doing this in Azure? If not, it sure would be nice to be able to configure Windows Azure to auto-forward any non-SSL website traffic to SSL. It seems impractical to tell users to always type "https://" to go to the site. It's much simpler to just tell them "app.com" and not have them confused that they can't access the application since they didn't type "https://".


    Microsoft MVP - Windows Live Platform
    Blog: http://pietschsoft.com | Web.Maps.VE - ASP.NET AJAX Bing Maps Server Control
    Monday, December 27, 2010 4:15 PM

Answers

All replies

  • I think the standard practice outside Windows Azure is to use the IIS URL Rewrite module.  The same thing should work in Windows Azure.  Something like this:

    <rewrite>
     <rules>
      <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
       <match url="(.*)"/>
       <conditions>
        <add input="{HTTPS}" pattern="^OFF$"/>
       </conditions>
       <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther"/>
      </rule>
     </rules>
    </rewrite>
    
    Yes, you'll need to have port 80 open, but that's the only Windows Azure specific part about this.

    • Marked as answer by Mog Liang Tuesday, January 04, 2011 7:04 AM
    • Unmarked as answer by Steve Marx Thursday, August 11, 2011 2:57 AM
    Monday, December 27, 2010 7:20 PM
  • Hi Steve,

    I have a Windows Azure website and am using Windows Live OAuthentication as login access.  I registered my URL Return as https://www.abc.com on Windows Live.  On GoDaddy, I created a CNAME and redirected my domain abc.com to https://www.abc.com (my Live URL return).  Everything is working as expected.  I want to redirect HTTP to HTTPS.  For example, when a user types abc.com or www.abc.com, I want it to redirect to https://www.abc.com.

    When I created the forwarding on GoDaddy, it forwards directly to https://www.dockfly.com, and the return URL in my ServiceConfiguration (wll_returnurl) has the Windows Live registered URL as https://www.dockfly.com.  I'm not sure how the URL rewrite will work for this case.  Any help will be greatly appreciated.

    The following is my serviceconfiguration:

    <?xml version="1.0" encoding="utf-16"?>
    <ServiceConfiguration serviceName="dockfly.com" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
      <Role name="DockflyWebRole">
        <ConfigurationSettings>
          <Setting name="DiagnosticsConnectionString" value="UseDevelopmentStorage=true" />
          <Setting name="BlobConn" value="DefaultEndpointsProtocol=https;AccountName=dockfly;AccountKey=xxxxxxxxxxxxxxxxxxxxx" />
          <Setting name="DataConnectionString" value="DefaultEndpointsProtocol=https;AccountName=dockfly;AccountKey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" />
          <Setting name="wll_appId" value="xxxxxxxxxxxxxxxx" />
          <Setting name="wll_secret" value="xxxxxxxxxxxxxxxxxxxxxxx" />
         
          <Setting name="BlobStorageEndPoint" value="http://blob.core.windows.net/" />
          <Setting name="TableStorageEndPoint" value="http://table.core.windows.net/" />
          <Setting name="QueueStorageEndPoint" value="http://queue.core.windows.net/" />
          <Setting name="AccountName" value="dockfly" />
          <Setting name="AccountSharedKey" value="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" />
          <Setting name="SMTP" value="allocatedparts.com" />
          <Setting name="EmailAccount" value="p@allocatedparts.com" />
          <Setting name="PWD" value="XXXXXXXXXXXX" />
          <Setting name="Port" value="25" />
          <Setting name="From" value="p@allocatedparts.com" />
          <Setting name="ssl" value="false" />
         
          <Setting name="wll_securityalgorithm" value="wsignin1.0" />
          <Setting name="wll_returnurl" value="https://www.dockfly.com/webauth-handler.aspx" />
        </ConfigurationSettings>
        <Instances count="2" />
        <Certificates>
          <Certificate name="www.dockfly.com" thumbprint="XXXXXXXXXXXXXXXXXXXXXXXXX" thumbprintAlgorithm="sha1" />
        </Certificates>
      </Role>
    </ServiceConfiguration>
    Monday, March 14, 2011 5:51 PM
  • Just to add to this answer, see http://blog.smarx.com/posts/redirecting-to-https-in-windows-azure-two-methods which has a couple improvements to this. Notably, using {SERVER_NAME} instead of {HTTP_HOST} makes this work better on the compute emulator (where the original port is rarely 80, resulting in redirects to goofy URLs like https://foo:81, which won't work).
    • Marked as answer by Steve Marx Thursday, August 11, 2011 2:57 AM
    Thursday, August 11, 2011 2:57 AM
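
An added example, not part of the thread or of the linked blog post: a small Python model of how the rule's redirect URL is expanded, showing why {HTTP_HOST} produces https://foo:81 on the compute emulator while {SERVER_NAME} does not. The server-variable model, the second rule in the sample config and all function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the rule from the thread plus a {SERVER_NAME} variant.
WEB_CONFIG = """
<configuration><system.webServer><rewrite><rules>
  <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
    <match url="(.*)"/>
    <conditions><add input="{HTTPS}" pattern="^OFF$"/></conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther"/>
  </rule>
  <rule name="Redirect using SERVER_NAME" stopProcessing="true">
    <match url="(.*)"/>
    <conditions><add input="{HTTPS}" pattern="^OFF$"/></conditions>
    <action type="Redirect" url="https://{SERVER_NAME}/{R:1}" redirectType="SeeOther"/>
  </rule>
</rules></rewrite></system.webServer></configuration>
"""

def server_vars(host_header, https="OFF"):
    """Assumed model: HTTP_HOST is the Host header as sent, SERVER_NAME is it without the port (no IPv6 literals)."""
    return {"HTTP_HOST": host_header, "SERVER_NAME": host_header.partition(":")[0], "HTTPS": https}

def expand(template, variables, groups):
    """Substitute {NAME} server variables and {R:n} back-references in a rule string."""
    def sub(m):
        token = m.group(1)
        return groups[int(token[2:])] if token.startswith("R:") else variables.get(token, "")
    return re.sub(r"\{([^}]+)\}", sub, template)

def redirect_targets(config_xml, host_header, path, https="OFF"):
    """Evaluate each Redirect rule on its own (stopProcessing ignored) and return {rule name: Location}."""
    variables, out = server_vars(host_header, https), {}
    for rule in ET.fromstring(config_xml.strip()).iter("rule"):
        match, action = rule.find("match"), rule.find("action")
        if match is None or action is None or action.get("type") != "Redirect":
            continue
        m = re.search(match.get("url"), path.lstrip("/"), re.I)  # matched against the path without its leading slash
        conds = rule.findall("conditions/add")
        if m and all(re.search(c.get("pattern"), expand(c.get("input"), variables, []), re.I) for c in conds):
            out[rule.get("name")] = expand(action.get("url"), variables, [m.group(0), *m.groups()])
    return out

def rules_leaking_port(config_xml, emulator_host="foo:81"):
    """Names of rules whose Location still carries the non-standard HTTP port."""
    port = emulator_host.partition(":")[2]
    return [n for n, url in redirect_targets(config_xml, emulator_host, "/").items() if f":{port}" in url]
```

Calling rules_leaking_port on a project's own web.config text lists the redirect rules that would break when the site is reached on a non-standard HTTP port.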