WAWS -- Allow HTTPS access only

 

Windows Azure Web Sites supports HTTPS by default. This means you can access the site using either http://yoursite or https://yoursite. Some of our customers have asked how to disable HTTP access and allow only HTTPS access for their Azure Web Sites.

The direct way is to use the sslFlags setting, as shown below.

   <system.webServer>
      <security>
         <access sslFlags="Ssl" />
      </security>
   </system.webServer>

 

Unfortunately, this section is locked. Adding this configuration to your web.config results in a 500.19 error.

On Windows Azure Web Sites, UrlRewrite is installed on every hosting machine, so we can use it as a workaround.

After you merge the following configuration into your web.config, all HTTP requests are redirected to HTTPS.

<configuration>
  <system.webServer>
    <!-- URL Rewrite rule to redirect HTTP requests to HTTPS -->
    <rewrite>
      <rules>
        <rule name="Redirect to https">
          <match url="(.*)"/>
          <conditions>
            <add input="{HTTPS}" pattern="Off"/>
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"/>
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
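A pre-deployment check for the two web.config variants above, as an added example that is not from the original post: it flags the locked sslFlags setting that produces the 500.19 error and confirms that an enabled rule redirects requests with {HTTPS} off to an https:// URL. The function names and the sample strings are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs based on the two web.config variants on this page.
LOCKED_CONFIG = """<configuration><system.webServer><security>
  <access sslFlags="Ssl" />
</security></system.webServer></configuration>"""

REDIRECT_CONFIG = """<configuration><system.webServer><rewrite><rules>
  <rule name="Redirect to https">
    <match url="(.*)"/>
    <conditions><add input="{HTTPS}" pattern="Off"/></conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"/>
  </rule>
</rules></rewrite></system.webServer></configuration>"""


def is_https_redirect(rule):
    """True if an enabled <rule> redirects {HTTPS}=off requests to https://."""
    if rule.get("enabled", "true").lower() == "false":
        return False
    action = rule.find("action")
    if action is None or action.get("type", "").lower() != "redirect":
        return False
    if not action.get("url", "").lower().startswith("https://"):
        return False
    for cond in rule.iterfind("conditions/add"):
        # Compared case-insensitively, matching URL Rewrite's default ignoreCase.
        pattern = cond.get("pattern", "").strip("^$").lower()
        negated = cond.get("negate", "false").lower() == "true"
        if cond.get("input", "").upper() == "{HTTPS}" and pattern == "off" and not negated:
            return True
    return False


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means the redirect is in place."""
    findings = []
    root = ET.fromstring(xml_text)
    for access in root.iter("access"):
        if "sslFlags" in access.attrib:
            findings.append("sslFlags set in web.config: locked section, expect 500.19")
    if not any(is_https_redirect(r) for r in root.iterfind(".//rewrite/rules/rule")):
        findings.append("no enabled rule redirects {HTTPS}=off requests to https://")
    return findings


if __name__ == "__main__":
    for name, text in (("locked", LOCKED_CONFIG), ("redirect", REDIRECT_CONFIG)):
        print(name, audit_web_config(text) or "OK")
```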

 

[Updated Dec 16th, Using ApplicationHost Config Transformation]

To turn on HTTPS access only, enable the private site extension, then create a file named applicationHost.xdt and put it under the /site folder.

<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <!-- The XDT namespace URI above is an identifier and must use http://, not https:// -->
  <location overrideMode="Deny" path="" xdt:Locator="Match(overrideMode)">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" xdt:Transform="SetAttributes" />
      </security>
    </system.webServer>
  </location>
</configuration>

Important: Ssl is case sensitive.

See you next time.

 

Wei from APGC DSI Team