HTTPS only on Azure App Service Web Apps

If you are looking for a resource that describes installing an SSL certificate on a Azure Web App, check here.

Here is more information about this configuration.

There are multiple modes currently supported on the Azure Web App platform:

  • SNI base SSL – This is a new feature in IIS 8+ (SNI) that extends the ability for multiple security certificates to be bound to multiple HOSTNAMEs on a server with a single IP and PORT. (modern browsers support this SSL mode)
  • IP based SSL – The traditional binding of a certificate to a unique IP and PORT on a server

For some further information on how to implement both, please look here.

In some cases you might want to prevent users from accessing your website using anything other than HTTPS. To achieve this, add the following code, illustrated in Listing 1, to your web.config file.

    <rule name="Redirect to https">
     <match url="(.*)"/>
      <add input="{HTTPS}" pattern="Off"/>
     <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"/>

Listing 1, Prevent HTTP connectivity to you Azure Web App, allow HTTPS only

Once added, deploy the web.config file to your Azure Web App and requests to HTTP are redirected to HTTPS using this URL Rewrite rule. That is how you would prevent HTTP traffic onto you Azure Web App.

Note: the configuration shown in Listing 1 contains a condition base on the request method. For example, GET and HEAD. In this case only requests using those verbs will be redirected to HTTPS, if, for example, POST is used, the rule would not be executed as the conditions would not be meet.

UPDATE 17-JAN-2014

Here is an article concerning the support and installation of intermediate certificates on windows Azure Web Apps.