3

I'm building an ASP.NET Core web application on framework 2.2 and hosting it on an Azure App Service on a Linux App Service plan.

Inside my application I inspect HttpRequest.Scheme. Running locally this returns https if I make a request using https. Running on azure it returns http.

It appears Azure App Services is terminating the SSL connection and proxying to my app. Is there a way to configure Azure App Services so the https request makes it to my application unmodified? Or at least HttpRequest.Scheme matches the original request?


I've built a sample diagnostic page to show this behavior:

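// Body of the diagnostic endpoint; `context` is the HttpContext handed to the middleware delegate.
// Needs: using System.Linq; using Microsoft.AspNetCore.Http; using Newtonsoft.Json;
var healthStatus = new
{
    Port = context.Request.Host.Port?.ToString() ?? "unknown",
    context.Request.Scheme,
    context.Request.IsHttps,
    Headers = context.Request.Headers.Select(x => $"{x.Key}:{x.Value}").ToArray()
};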

context.Response.ContentType = "application/json";
await context.Response.WriteAsync(JsonConvert.SerializeObject(healthStatus));

Debugging in VS Locally: https://localhost:1234/ping:

{
   "Port":1234,
   "Scheme": "https",
   "IsHttps": true,
   "Headers": <standard headers - nothing interesting>
}

Deploying to Azure App Services: https://appServiceExample.myDomain.com/ping:

{
   "Port":"unknown",
   "Scheme": "http",
   "IsHttps": false,
   Headers: [ 
     // there are several more headers, but only these looked interesting:
     "X-Forwarded-For:195.206.xxx.xxx:6922",
     "X-Forwarded-Proto:https",
     "X-AppService-Proto:https"
    ]
}

As a workaround: Could I solve this problem by relying on the X-AppService-Proto or X-Forwarded-Proto header? But this seems a bit of a hack, as I'd rather inspect the original incoming request - and I'm unsure how reliable these headers are.

Philip Pittle
  • Only a guess here, but does this help? https://learn.microsoft.com/en-us/azure/app-service/app-service-web-ssl-cert-load#make-the-certificate-accessible if there is a setting required to enable the asp.net stack to see SSL certificates, I'd expect it to have to be enabled for any SSL-handling code to work. – Tom W Aug 04 '19 at 08:34
  • @tomw unfortunately it doesn't. I do have SSL configured in the App Service, my cert is uploaded and everything looks fine from the browser side. It's only server side that the SSL seems to terminate before my application code is invoked. – Philip Pittle Aug 04 '19 at 08:49
  • @Philip, see my answer here - https://stackoverflow.com/questions/38501618/is-current-request-being-made-over-ssl-with-azure-deployment/38726543#38726543 – evilSnobu Aug 04 '19 at 11:44
  • @evilSnobu - thanks, figured this had to be a duplicate - but my google skills were failing me. – Philip Pittle Aug 04 '19 at 12:03
  • This is a duplicate, it should be closed as a duplicate. I voted to close it. But I think it needs a few more close votes. – Philip Pittle Aug 18 '19 at 23:48

1 Answer

3

Just summarizing your comment.

The Azure App Service frontend layer TERMINATES the TLS channel (aka TLS offloading) and opens a new plain HTTP connection to your Web Worker, where your code lives. Routing is performed by ARR (Application Request Routing).

Therefore, from the point of view of your code every single request is "insecure".

X-Forwarded-Proto=https hints about the original request (that hit the frontends).

If checks have to be made, make them against X-ARR-SSL instead.

For more details, you could refer to this SO thread.

Joey Cai
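An added example, not part of the question or the answer above: one way to make `HttpRequest.Scheme` and `IsHttps` reflect the original request in ASP.NET Core 2.2 is the framework's Forwarded Headers Middleware, which applies `X-Forwarded-Proto` to the request. It assumes the app is reachable only through the App Service frontend and that the frontend sets that header itself; the `/ping` endpoint is a constructed stand-in for the diagnostic page in the question.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Only the scheme is needed here; X-Forwarded-For is left untouched.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto;

            // By default the middleware honours forwarded headers only from
            // loopback proxies and ignores them from any other sender.
            // Clearing both lists trusts every sender, so it is safe only
            // under the assumption above (no direct path to the worker).
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before anything that reads Request.Scheme or IsHttps
        // (HTTPS redirection, authentication, absolute link generation).
        app.UseForwardedHeaders();

        // Constructed diagnostic endpoint mirroring the /ping page in the question.
        app.Map("/ping", ping => ping.Run(async context =>
        {
            context.Response.ContentType = "text/plain";
            await context.Response.WriteAsync(
                $"Scheme={context.Request.Scheme}; IsHttps={context.Request.IsHttps}");
        }));
    }
}
```

If the worker can also be reached without passing through the frontend, populate `KnownProxies` or `KnownNetworks` with the frontend's addresses instead of clearing them, since a direct client could otherwise set `X-Forwarded-Proto` itself.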