Expose TSL/SSL server on azure app service - azure

I'm trying to deploy a custom server on an APP Service on Azure that only accepts requests on HTTPS instead HTTP.
My idea is deploying using the APP Service for avoid deploying on myself any SSL certificate.
I have found this on the documentation of the APP Service:
App Service terminates TLS/SSL at the front ends. That means that TLS/SSL requests never get to your app. You don't need to, and shouldn't implement any support for TLS/SSL into your app.
The front ends are located inside Azure data centers. If you use TLS/SSL with your app, your traffic across the Internet will always be safely encrypted.
So when I try to access via HTTPS on the 443 port the requests are being sent to port 80 and by HTTP. I tried to expose the port 443 directy using the config WEBSITES_PORT but result is that as that port doesn't accept HTTP request, the APP Service is not starting and keeps rebooting some time.
2022-09-14T16:05:22.335Z ERROR - Container xxxx_3_4a82d922 didn't respond to HTTP pings on port: 443, failing site start. See container logs for debugging.
My question is, is there any possibility to resend those HTTPS requests to the 443 as HTTPS on the APP Service in any way?
Thanks!

So your App Service essentially runs on a VM in isolated regions of Azure Data Centers often referred to as Stamps or Scale Units.
Unless you are on an ASE, your App Services live on these stamps which are multi tenant environments sharing a few incoming load balancers and the later is where TLS/SSL is terminated and is the entry point for your app. From the load balancer, the traffic is routed to a proxy (for linux apps) such as Nginx on a VM, over http and forwarded from there to the port exposed by your app service app(docker containers in linux). The defaults are 80 or 8080 but you could change this using the setting WEBSITES_PORT (note the use case here).
So you wouldn't really need end to end TLS given the above architecture. You could turn on the HTTPS only flag in your App Service->Configuration->General settings blade and this would redirect all http requests at the front end to https. This still would not result in end to end TLS.
TLS is often terminated outside the applications in the infrastructure (API gateway or Traffic Managers for instances) and this is by design and offer many benefits (less overhead, certificate management etc).

Related

Why Azure Container Instance does not have a default HTTPS endpoint?

I am wondering, what is the reason for Azure Container instances not to have an HTTPS address?
In comparison, Web Apps do have HTTPS endpoint by default, while Container Instances have just HTTP endpoint assigned.
Why is that?
When you deploy an application to Azure Web Apps, you are basically running your application behind IIS. You can configure the Web Apps platform to terminate SSL connections and all incoming requests received by your application will be via HTTP.
On Azure Container Instances, you container is directly connected to the network. If you want to terminate SSL before it reaches your application, you would need to have a service which provides SSL termination. The typical way to do this without creating any more infrastructure is to run nginx as a sidecar to your application container.

How reverse proxy with SSL/TSL and plain traffic works?

I have a containerized Docker ASP.NET Core application created with
mcr.microsoft.com/dotnet/core/runtime:3.1.3-alpine
When launched the only reference to the port is this ENV variable from the base image
ASPNETCORE_URLS http://+:80
I deployed the app to Azure, setuped the registry and created a new Web Application.
I setup the TLS/SSL settings for working with https only.
Everythings works.
Question:
I want to know how this is possible since I don't config the certificate on my container, I suppose the Kudu service (the reverse proxy) rebind the 443 port to the 80 of the container. Is this true ? The plain http traffic between Kudu and the container on port 80 can cause a possible security hole ?
If I deploy a container with NGINX as a reverse-proxy for ASP.NET Core I must configure the TSL/SSL into NGINX ? On ASP.NET Core ? None at all ?
I want to understand how Kudu, NGINX, and the reverse proxy in general works with and without SSL/TSL
With a Reverse Proxy the client never connects to the HTTP server in your application, in your case Kestrel. The connections you get are requests coming from the Reverse Proxy, and you send your responses back to the Reverse Proxy. Most HTTP stuff is copied from the incoming client request and passed along to your application, but the Reverse Proxy can terminate the SSL tunnel, offload the Authentation, and perform other request transformations.

How can I start HTTPS Node JS Server with certificates in Pivotal Cloud Foundry?

Is it possible to deploy a node.js app on Cloud Foundry that listens for HTTPS requests on port 443?
Well, the good news is that you don't have to do that. The Cloud Foundry platform takes care of it for you.
All you need to do is push your app and assign a route to the app. Your platform operations team will already have everything set up so that traffic for both HTTP and HTTPS routes through to your application.
The only thing you probably want to do in your application is to look at the x-forwarded-proto (should be http or https) or x-forwarded-port (80 or 443) header. You can use this to determine if the client's connection was over HTTP or HTTPS, and if it's HTTP then issue a redirect to ask the client to connect over HTTPS (this force clients to use HTTPS).
You can read more about this in the docs at the following link:
https://docs.cloudfoundry.org/adminguide/securing-traffic.html
Having said all that, if you really want to control the certs for some reason you can do that. You would need to map a TCP route to your application. This will enable TCP traffic to flow directly to your application. Then you can configure your application as an HTTPS endpoint on the mapped TCP route and port.
Some notes about this:
You will almost certainly end up with some high numbered port, not 443. The platform will have a pool of available ports, which is configured by your operations team, and you are limited to using only those ports.
The platform and buildpacks will not help set up TLS, you will need to handle that all on your own. The good news is that it should work exactly the same as if your app were running on a VM or your local laptop.
You will need to create your own TLS certs and push them with the application. You can probably use Let's Encrypt, but you may need to obtain these through your employer, if you work for a large company.

Azure App Service For Containers SSL Termination

Goal: Deploy a website to Azure App Service in a container that works from the php-apache base image as has a custom domain with SSL.
Current Situtation:
Website setup to use Dockerfile for building an image
Image uploaded to Docker Hub and successfully built
Image deployed to Azure App Service as a container
Configured custom domain in Azure and pointed DNS to provided IP Address
Problem: How do I configure my container? Currently, I am getting an SSL warning when trying to connect to my website which makes perfect sense as my domain does not match the default certificate azure provides for *.azurewebsite.net (and Azure tells you this when you setup a custom domain, which is neat).
Does Azure pass a request made on 443 to my container on 443 requiring me to configure my container for an SSL connection?
Does Azure terminate the SSL connection and pass the request to my container on port 80?
I understand I need to upload my certificate to Azure, but if Azure is passing the request to my container on 443, that would mean I would need to setup my container to accept requests on 443 and configure the certificate inside the container (which is fairly trivial). However, if Azure terminates the SSL and passes the request over port 80, then my life is a bit simpler as I can just configure my container to listen on 80 and let Azure do the heavy lifting.
If you have any questions, or need clarification please let me know.
From what I can tell, Azure is terminating the SSL connection and passing the request to my container on port 80. I am making this assumption because at this point I am hosting a number of websites in containers and none of them expose 443.
It seems that all that is necessary is to upload your certificate to the Azure App Service Plan and do a bit of configuring to associate it with the correct App Service and website. The container running a website requires no special configuration for SSL.

how to transparently wrap tcp/ip request with ssl using windows api

I'm developing a security system. It has a proxy server acting like a ssl termination using Nginx which will forwards all tcp/ip connections from clients to other third-party systems.
The client-proxy connections must be authenticated and securely encrypted by ssl.
And my problems is:
Each client is a computer which installed Windows 7 OS or higher. It has been installed with some third-party applications which cannot be interfered. For the better user experience, all clients' tcp/ip outbound requests from any applications must be transparently "converted" into (or "wrapped" in) ssl requests before coming to proxy server. And my first idea is to develop a network driver to access these requests using windows api, namely WFP(Windows Filtering Platform). I have read its online documentation but it's not easy to understand. Can you have to find some projects like this or tell me which sections in the documentation need to be focused? Thank you in advance!
Your issue is a bit unclear but here are my thoughts:
You want to have full encryption between the End User Client to the App Service.
Current:
Client --(443: TLS)--> NGINX --(Clear; Port 80)--> App Service
(Terminate TLS)
Change:
Client --(443: TLS)--> NGINX --(TLS; Port 443)--> App Proxy -(Plain; 80)-> App Service
(Terminate TLS) (Nginx with self-signed Cert)
The change is to add an additional Nginx server on the app server to provide the last layer of TLS between the load balancer and the App Service.
If your App service has the capability to serve SSL connections directly that's even better as you can just configure that in place of running an additional Nginx server on the app host. (If you wanted you could run apache or any other web server that supports proxy/load balancing capabilities)
If you are worried about the App Service port, it won't make a difference, the idea is that the App Proxy (being Nginx or the likes) will handle the encryption on a different port to then pass via localhost to the App Service (in plain text).
Additional Resources:
Can Nginx do TCP load balance with SSL termination?
https://serverfault.com/questions/978922/nginx-proxy-pass-to-https
https://reinout.vanrees.org/weblog/2017/05/02/https-behind-proxy.html
https://nginx.org/en/docs/http/ngx_http_ssl_module.html

Resources