Is current request being made over SSL with Azure deployment

by

IMPORTANT NOTE:

The custom check referred to in my answer is no longer required for ASP.NET on .NET Framework 4.7 and ASP.NET Core 2.0.

Both HttpContext.Request.IsHttps (Core) and HttpContext.Request.IsSecureConnection will return True if the request originated over HTTPS in Azure App Service.

That’s what i tested with, it may have happened sooner in the life of those stacks (e.g. .NET Framework 4.6.x). You should be fine in any case since App Service now runs your application on top of .NET Framework 4.7.

You most probably have to make the check for any other programming stack.

I’m not asking how to force HTTPS, I’m asking why in Azure deployment is context.Request.IsSecureConnection returning false even when the request is over HTTPS.

Here’s why:

Azure App Service Application Request Routing

The Azure App Service frontend layer TERMINATES the TLS channel (aka TLS offloading) and opens a new plain HTTP connection to your Web Worker, where your code lives. Routing is performed by ARR (Application Request Routing).

Source:
https://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/AZR305
(View slides, Slide 12)

Therefore, from the point of view of your code every single request is “insecure”.

X-Forwarded-Proto=https hints about the original request (that hit the frontends).

If checks have to be made, make them against X-ARR-SSL instead.

ARR is attaching a special request header to every request that arrives over HTTPS. The value contained in X-ARR-SSL provides information about the TLS server certificate that was used to secure the TCP connection between the client (i.e. browser) and the ARR frontend.

e.g.:

X-ARR-SSL: 2048|256|C=US, S=Washington, L=Redmond, O=Microsoft Corporation,
           OU=Microsoft IT, CN=Microsoft IT SSL SHA2|CN=*.azurewebsites.net

A whole more info around that here:
https://tomasz.janczuk.org/2013/12/secure-by-default-with-ssl-in-windows.html

Tomasz is the author of the iisnode project, which is the mechanism for running Node applications on IIS in Azure App Service.

EXECUTIVE SUMMARY

App Service uses Application Request Routing, which is also the point where TLS is terminated. Since the traffic that hits your web worker will then be plain HTTP, you need to check this header to tell if the request originated over TLS:

if (request.headers['x-arr-ssl'])
{
    // We're good
}
else
{
    // Request made over plain HTTP
}

If you’re running on .NET Framework 4.7 or .NET Core 2.0, you do not need to make this check, there’s baked in logic to return the correct value for HttpContext.Request.IsSecureConnection and HttpContext.Request.IsHttps (.NET Core).

More Related Contents:

  1. Best way in asp.net to force https for an entire site?
  2. How to force HTTPS using a web.config file
  3. The client and server cannot communicate, because they do not possess a common algorithm – ASP.NET C# IIS TLS 1.0 / 1.1 / 1.2 – Win32Exception
  4. The request was aborted: Could not create SSL/TLS secure channel
  5. Check ssl protocol, cipher & other properties in an asp.net mvc 4 application
  6. Requesting html over https with c# Webclient
  7. Could not create SSL/TLS secure channel, despite setting ServerCertificateValidationCallback
  8. Can I reuse HttpWebRequest without disconnecting from the server?
  9. How to pass values across the pages in ASP.net without using Session
  10. ASP.NET use SqlConnection connect MySQL
  11. Ajax method call
  12. What is the right way to populate a DropDownList from a database?
  13. checking user name or user email already exists
  14. How to implement reCaptcha for ASP.NET MVC? [closed]
  15. Error making Azure Management Library API call when authenticating with azure active directory
  16. Does Dispose still get called when exception is thrown inside of a using statement?
  17. System.IO.File.Create locking a file
  18. how to generate a unique token which expires after 24 hours?
  19. Reading FromUri and FromBody at the same time
  20. Call and consume Web API in winform using C#.net
  21. How to share sessions between PHP and ASP.net application?
  22. What is passing parameters to SQL and why do I need it?
  23. Browser detection
  24. How to get the output of a System.Diagnostics.Process?
  25. ASP.NET jQuery Ajax Calling Code-Behind Method
  26. Printing from ASP.NET to a network printer
  27. no overload for method “ToString” takes 1 arguments
  28. {version} wildcard in MVC4 Bundle
  29. Built-in helper to parse User.Identity.Name into Domain\Username
  30. What are some alternatives to ReSharper? [closed]

Leave a Comment