We have some content hosted for our Azure application on the Azure CDN - we can access this nicely over https using the standard endpoint address, however for 'neatness' our customer would like to use a custom domain with https - so we can access our assets from https://cdn.app.com. Is this possible with the Azure CDN?
2 Answers
It's currently not possible to use the Azure CDN to deliver content over SSL with a custom domain name.
It would involve giving Azure access to your private key for them to propagate it to all of their sites, so I can't see them offering it anytime soon.
The closest you could get to this is if you used a traffic manager endpoint and served these from your own Azure instances. This would be more costly than running off the CDN though, and won't offer as many sites to benefit from.

+1 - "It would involve giving Azure access to your private key" - First time I've actually heard an explanation given for why this might be problematic, and it seems like a somewhat valid security concern (although if we are already willing to trust them with it for the Azure Compute endpoints, I don't see why they shouldn't be able to mitigate this risk for the CDNs as well) – Steve Feb 28 '13 at 09:17
It's not so much the problem of them having access to your private key, it's the number of IP addresses that would be required (as the way that SSL works for compatibility is the server presents the certificate before knowing what the URL is). – Matthew Steeples Mar 02 '13 at 11:35
Thanks. Could you explain a bit further? Other CDNs offer SSL support on custom domains - so even without digging down into the technical details I feel like whatever the issue is, it must be able to be handled (as other people already are). My 5 second google search gave me at least one example; gogrid supports SSL for custom domains. Can't Microsoft accomplish whatever GoGrid (which is based on EdgeCast AFAIK) can? – Steve Mar 02 '13 at 18:27
They can accomplish it in the same way, but it'd be the same reason that the feature from GoGrid costs $300. Basically they'd need to run your CDN endpoint on a different IP address to the rest of the services so that the correct certificate could be served up. I believe that the technical reasons are being addressed but won't be available for some years to give all platforms a chance to adopt it. – Matthew Steeples Mar 03 '13 at 00:57
Thanks for the extra information! I'm now remembering a bit more about how SSL connections work - and that the HTTP Host header is the only way the server would know which domain name the client was attempting to access (short of an exclusive IP) and, in fact, is part of what is encrypted. Makes total sense now. Thanks again! – Steve Mar 03 '13 at 02:42
Note: most modern systems support [SNI](http://en.wikipedia.org/wiki/Server_Name_Indication), which allows the server to support multiple sites with SSL on a single IP. – Michael Haren Apr 08 '15 at 17:24
@MichaelHaren Yes SNI is a lot more commonplace now than back in 2012. Azure Websites supports SSL using SNI. I believe now that CDN won't get SSL support simply because it's not considered a priority. In theory no one ever sees your CDN address unless they're browsing through the source of your website anyway. – Matthew Steeples Apr 08 '15 at 22:32
Update: As of 6th Feb 2017 this is now available. See the related Azure blog post.
I know this is an old post, but just in case anybody else stumbles across this while looking for an answer to this question:
HTTPS for custom CDN domains is currently due to be released in Q4 2016 (although that has already slipped from Q1 2016)
