HTTPS only on Azure App Service Web Apps

This article has been moved to its new home here:

If you are looking for a resource that describes installing an SSL certificate on a Azure Web App, check here.

Here is more information about this configuration.

There are multiple modes currently supported on the Azure Web App platform:

  • SNI base SSL – This is a new feature in IIS 8+ (SNI) that extends the ability for multiple security certificates to be bound to multiple HOSTNAMEs on a server with a single IP and PORT.  (modern browsers support this SSL mode)
  • IP based SSL – The traditional binding of a certificate to a unique IP and PORT on a server

For some further information on how to implement both, please look here.

In some cases you might want to prevent users from accessing your website using anything other than HTTPS.  To achieve this, add the following code, illustrated in Listing 1, to your web.config file.

Listing 1, Prevent HTTP connectivity to you Azure Web App, allow HTTPS only

   <rule name="Redirect to https">
    <match url="(.*)"/>
     <add input="{HTTPS}" pattern="Off"/>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"/>

Once added, deploy the web.config file to your Azure Web App and requests to HTTP are redirected to HTTPS using this URL Rewrite rule.  That is how you would prevent HTTP traffic onto you Azure Web App.

Note: the configuration shown in Listing 1 contains a condition base on the request method.  For example, GET and HEAD.  In this case only requests using those verbs will be redirected to HTTPS, if, for example, POST is used, the rule would not be executed as the conditions would not be meet.

UPDATE 17-JAN-2014

Here is an article concerning the support and installation of intermediate certificates on windows Azure Web Apps.

Comments (14)
  1. Hi,

    This was what I was looking for, but it seems Visual Studio doesn't accept the <rewrite> node under <system.WebServer>. I'm using ASP.NET with framework 4.5.

    Kind regards

  2. Anonymous says:

    Works perfect for me – Only caveat is that the double quotes around this section:

    <add input=”{REQUEST_METHOD}” pattern=”^get$|^head$” />

    are the wrong format.  Curly quotes makes Azure and WebConfig sad.  

    Thanks for the post!

  3. Anonymous says:


    Thi solution should works for any kind of technology in websites. I tested it with Java Tomcat and it worked.

  4. Anonymous says:

    i just put requireshttps attr on the whole controllerbase…done.  you can also just add a filter.  

  5. Anonymous says:

    Can I use this with PHP App deployed on Azure website?

    1. BENJAMIN CZARNY says:

      This is what I needed. Ed is right about wrong quotes, you’ll get a 500 error. This can be used with PHP app, as all Azure Web Apps are still running on IIS. Here is my web.config file:

  6. Anonymous says:

    Ahhh. ian obermiller (…/require-https-on-azure) also points out that the rule name can't have spaces.

  7. Dougi says:

    Worked perfectly with my AngularJS SPA. Thank you.

  8. Aaron Miller says:

    Worked perfectly! Thanks

  9. Germán says:

    Is it possible to add something to the rule so that this rule isn’t applied in localhost?

    1. Germán says:

      ah, to answer myself, yes:

    2. Germán says:

      Code wasnt shown in my last comment:

      add input=”{HTTP_HOST}” matchType=”Pattern” pattern=”^localhost(:\d+)?$” negate=”true”
      add input=”{HTTP_HOST}” matchType=”Pattern” pattern=”^127\.0\.0\.1(:\d+)?$” negate=”true”

  10. Mukul says:

    Is it possible to add something to the Condition so it would work for POST request

  11. Marty Piecyk says:

    This still works perfectly, thank you!

Comments are closed.

Skip to main content