Tom Gullen - 2 months ago
ASP.NET (C#) Question

Is current request being made over SSL with Azure deployment

context.Request.IsSecureConnection


Always returns false in an Azure deployment even when the connection is being served over HTTPS. After looking through the headers sent for an Azure deployed site I've found:

X-Forwarded-Proto=https


Does this header guarantee that the client connection to the website is under HTTPS in the same way that context.Request.IsSecureConnection does?

Answer

I'm not asking how to force HTTPS, I'm asking why in Azure deployment is context.Request.IsSecureConnection returning false even when the request is over HTTPS.

Here's why [click to embiggen]:

Azure-App-Service-ARR

The Azure App Service Frontend layer TERMINATES the TLS channel (aka TLS offloading) and opens a new plain HTTP connection to your Web Worker, where your code lives. Routing is performed by ARR (Application Request Routing).

Source:
https://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/AZR305
(View slides, Slide 12)

Therefore, from the point of view of your code every single request is "insecure".

X-Forwarded-Proto=https hints about the original request (that hit the Frontends). Although I'm not entirely sure who adds that in.

If checks have to be made, I'd make them against X-ARR-SSL instead.

ARR is attaching a special request header to every request that arrives over HTTPS. The value contained in X-ARR-SSL provides information about the TLS server certificate that was used to secure the TCP connection between the client and the ARR.

e.g.:

X-ARR-SSL: 2048|256|C=US, S=Washington, L=Redmond, O=Microsoft Corporation,
           OU=Microsoft IT, CN=Microsoft IT SSL SHA2|CN=*.azurewebsites.net

A whole lot more info around that here:
https://tomasz.janczuk.org/2013/12/secure-by-default-with-ssl-in-windows.html

(Tomasz is the author of the iisnode project, which is the mechanism for running Node applications in Azure App Service.)
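
As an added example (not part of the original answer and not Microsoft's code), here is a C# helper that applies the check suggested above: treat a request as HTTPS when `IsSecureConnection` is true or when a well-formed `X-ARR-SSL` header is present. The class and method names are hypothetical, the four-field layout is inferred from the sample value above, and the check assumes the worker is reachable only through the App Service front end, since any client that can reach the worker directly can set this header itself.

```csharp
using System;
using System.Collections.Specialized;

public sealed class ArrSslInfo
{
    public int[] LeadingNumbers;  // first two fields; their meaning is not stated on this page
    public string Issuer;         // third field (assumed: issuer DN)
    public string Subject;        // fourth field (assumed: subject DN)
}

public static class ForwardedTls
{
    // Parses "n|n|issuer|subject" (layout assumed from the sample value).
    // Returns null when the header is missing or does not match that layout.
    public static ArrSslInfo ParseArrSsl(string value)
    {
        if (string.IsNullOrWhiteSpace(value)) return null;
        string[] parts = value.Split('|');
        int a, b;
        if (parts.Length != 4 || !int.TryParse(parts[0], out a) || !int.TryParse(parts[1], out b))
            return null;
        string issuer = parts[2].Trim(), subject = parts[3].Trim();
        if (issuer.Length == 0 || subject.Length == 0) return null;
        return new ArrSslInfo { LeadingNumbers = new[] { a, b }, Issuer = issuer, Subject = subject };
    }

    // In ASP.NET: ClientUsedHttps(context.Request.IsSecureConnection, context.Request.Headers)
    public static bool ClientUsedHttps(bool isSecureConnection, NameValueCollection headers)
    {
        return isSecureConnection || ParseArrSsl(headers["X-ARR-SSL"]) != null;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample requests as the worker would see them (plain HTTP from ARR).
        var viaHttps = new NameValueCollection {
            { "X-ARR-SSL", "2048|256|C=US, S=Washington, L=Redmond, O=Microsoft Corporation, " +
                           "OU=Microsoft IT, CN=Microsoft IT SSL SHA2|CN=*.azurewebsites.net" } };
        var viaHttp = new NameValueCollection();                        // header absent
        var malformed = new NameValueCollection { { "X-ARR-SSL", "1" } }; // wrong layout

        Console.WriteLine(ForwardedTls.ClientUsedHttps(false, viaHttps));
        Console.WriteLine(ForwardedTls.ClientUsedHttps(false, viaHttp));
        Console.WriteLine(ForwardedTls.ClientUsedHttps(false, malformed));
        Console.WriteLine(ForwardedTls.ParseArrSsl(viaHttps["X-ARR-SSL"]).Subject);
    }
}
```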
