...Azure: Redirecting HTTP to HTTPS with Azure Application Gateways and SSL Offload

OK, someone at Microsoft really dropped the ball with this one. HTTP to HTTPS redirection is one of those things that everyone needs to do, and in fact everyone should do (seriously, there is no excuse for unencrypted HTTP now, stop it).

This is even stranger when you consider the fact that all the Application Gateway actually consists of is a specially configured IIS VM set. And to do this natively in IIS is really quite easy. Until Microsoft fix this little faux pas however there is a simple workaround using a small Ubuntu VM and a little reconfiguration of our Application Gateway.

Concept

What we are trying to achieve is summarized in this diagram.
Application Gateway redirect diagram We will be setting up two ports on our application gateway, one for plain traffic (port 80) and one for HTTPS traffic (port 443). When the gateway receives HTTP traffic it will forward it to an Ubuntu server running nginx where the request will be redirected to HTTPS. HTTPS traffic will be decrypted at the gateway and passed to our IIS box as normal.

How To

For the purposes of this guide I will assume you have already configured an Application Gateway with SSL offload and the backend IIS (or other web server) to match. I will focus on building the Ubuntu 16.04 VM and configuring nginx, as well as modifying the Application Gateway configuration.

Building the redirect server

  1. Provision a new Ubuntu VM from the Azure Portal. It does not have to be particularly large, remember it will exist solely to redirect traffic.

  2. Once the machine is provisioned and you have logged in lets get everything up to date.

    sudo apt-get update && sudo apt-get upgrade

  3. Next we install nginx.

    sudo apt-get install nginx

  4. With nginx installed we can now start getting it configured. As we will be using this box for redirects only we can simply modify the default configuration.

    sudo nano /etc/nginx/sties-available/defuault

  5. Delete the contents of this file and replace them with the following.

    server { listen 80 default_server; listen [::]:80 default_server; server_name _; return 301 https://$host$request_uri; }

  6. Restart nginx to apply the new configuration.

    sudo service restart nginx

Configuring the Application Gateway

  1. Log into the Azure Portal and find the Application Gateway that you wish to modify.

  2. Under Settings select Backend Pools and add a new pool with your redirect server configured as the target IP.

  3. Select listeners and create a new listener on port 80 for HTTP if you do not have one already.

  4. Select Rules and create a new basic rule which takes your newly created listener and forwards it to your new backend pool.

And thats it. I agree, this is a "hack" at best and Microsoft need to add a simple "Redirect HTTP to HTTPS" button somewhere in there. But if you need this capability now, this works!