1

I'm just trying to host a static website on a custom domain.

So far, it seems like I'm on step 477 out of 653 trying to accomplish this on Azure.

So, I've...

  1. Created a storage account
  2. Activated "Static website" under capabilities
  3. Uploaded Files
  4. Checked to see that they're served! They are! But only http. CDN required for https.
  5. Added a CDN endpoint
  6. Checked to see that the CDN works! After a couple minutes, IT DOES! YAY!
  7. Added a custom domain (which doesn't tell you you need to do a CNAME from cdnverify.[domain] to cdnverify.[cdn name].azureedge.net, but... after doing it, it let me add it)
  8. Checked to see that the domain serves! Well, sure but with giant warnings in the browser because it's an invalid certificate
  9. Start adding a "Custom HTTPS"

And at this point, I have two options:

Option #1: Let Azure handle it for me. Except it doesn't work. It complains that apex domains aren't supported. Apparently they used to be, but they decided "nah".

Option #2: Manage certificates manually

Which means I have to remember every 3 months for the rest of my life to manually renew and upload certificates...

Am I missing an easy option here?

It would seem to me that Azure static websites are unusable except in insecure contexts or with a lot of manual work. I could see redirects as a possible solution, but I don't think it actually works:

http://example.com could redirect to https://www.example.com (or be hijacked since it's insecure) https://example.com can't redirect because the certificate is invalid

But it seems like such a common thing that I must be blind to the solution, missing something obvious?

Help :)

Kartik Bhiwapurkar
  • 4,550
  • 2
  • 4
  • 9
Josh
  • 2,958
  • 3
  • 16
  • 27

1 Answers1

0

• I would suggest you configure your root custom domain, i.e., ‘example.com’ in Azure by verifying its public DNS records, i.e., ‘TXT’ and ‘MX’ records in Azure AD thereby confirming that you own the custom domain. Once done, then create a CNAME record for the hostname of the blob endpoint or static website endpoint according to your custom domain. This should map the static website endpoint to your custom domain name.

• Hence, doing this is the correct method for hosting your static website endpoint with Azure CDN. Also, once you create a CDN endpoint, the requests to your custom domain mapped static website endpoint are redirected via the newly created CNAME record alias to the CDN endpoint since, mapping a CDN profile to the static website endpoint redirects the requests received to the static website endpoint to the CDN endpoint.

• Now, follow the below Microsoft documentation link for configuring HTTPS on your Azure CDN endpoint. It describes two methods for configuring SSL/TLS certificate, i.e., Azure CDN managed certificate or self-managed own certificate.

https://learn.microsoft.com/en-us/azure/cdn/cdn-custom-ssl?tabs=option-2-enable-https-with-your-own-certificate#tlsssl-certificates

A) If you select Azure CDN managed certificate, then you will have to create one more CNAME record in your public DNS server for the CDN endpoint other than the one created earlier for the static website endpoint. Since, the one created for static website endpoint doesn’t extend the certificate chain to the CDN endpoint.

B) If you select self-managed certificate, you will have to have an Azure key vault in which you will have to store the SSL certificate and configure it accordingly for the Azure CDN endpoint.

I would suggest you go for managing a SSL certificate with Azure CDN managed certificate because, that functionality is free, and you are rest assured about the SSL/TLS security of your static website since the CA is one of Microsoft’s trusted lists. Also, if you are opting for self-managed certificate, I would suggest you create a wildcard certificate for your custom domain like ‘*.example.com’ as the CN in it which will make it usable anywhere for any number of subdomains, CNAME records and other DNS records.

Microsoft Trusted CA list: - https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT

For more information on the above in detail, kindly refer the below official documentation: -

https://learn.microsoft.com/en-us/azure/storage/blobs/storage-custom-domain-name?tabs=azure-portal#map-a-custom-domain-with-https-enabled

Kartik Bhiwapurkar
  • 4,550
  • 2
  • 4
  • 9
  • 1
    Thanks for your well-constructed answer, but unfortunately it doesn't answer the question. Option A = unsupported by Azure. Option B = Manual maintenance – Josh Jul 22 '22 at 03:30
  • Option B is not a manual maintenance, a wildcard certificate for your custom domain will last you for a year's time after which you will have to renew it and furthermore, the same certificate can be used anywhere multiple times. And as for option A is considered, you can register a subdomain or a registered CNAME record in that regard. These are the easiest options that you have and they are secure as they fulfil your security obligations unless you provide access to the storage web container to someone not trusted enough. – Kartik Bhiwapurkar Jul 22 '22 at 07:42
  • 1
    Yes, it will last a year ... after which: I must do manual maintenance. The manual certificate renewal and installation is the manual maintenance I seek to avoid. – Josh Jul 23 '22 at 14:40
  • If you are hosting a static website with custom domain and HTTPS support, there is no way, you will deploy and forget it, in that case, Azure provided certificate will do the thing for you with just a CNAME record created for the static website endpoint and configuring it as then the TLS/SSL security of the website becomes the responsibility of Azure not yours, also as stated in the answer, Azure will provided certificate for the website from the trusted CA list only. Thus, there are no gaps for breaches since Azure is managing everything for you. – Kartik Bhiwapurkar Jul 25 '22 at 04:04
  • 2
    Thanks again, but no - Azure does not support managing certificates on a domain apex – Josh Jul 26 '22 at 02:14
  • Yes, it doesn't support managing certificates on a domain apex but you can create a CNAME record for that static website endpoint and use it as a 'Common Name' for the certificate in Azure provided certificate. – Kartik Bhiwapurkar Jul 27 '22 at 03:41
  • 1
    Thanks once again, but we've strayed far off-topic. Bottom line is there's no built-in solution. Thanks tho. – Josh Jul 27 '22 at 05:23