When I use this URL I get this error "AADSTS500117: The reply uri specified in the request isn't using a secure scheme." I am guessing this is because I am not using HTTPS. Is there any way I can get this app working with HTTP?
Azure does not redirect from authorization requests to non-HTTPS URLs. Localhost is the only exception. You need to use HTTPS to protect your website and make sure that the redirect you provide is HTTPS.
So you can use http://localhost/.
Related
I have a Blazor app that redirects to the login page using a 302 redirection. If I open it from the local network, it returns in the HTTP headers:
Status Code: 302
http://myvm/Identity/Account/Login?returnUrl=%2F
It works as expected.
When I access this VM through the Azure Application Gateway, the redirection works, but the gateway only replaces the host, not the protocol.
For example, I call:
https://example.com
This domain points to the Azure Application Gateway.
The gateway returns
Status Code: 302
http://example.com/Identity/Account/Login?returnUrl=%2F
Note that it has replaced the host but not the protocol (it should be https, not http).
My workaround is to add a rule for redirection, from https to http.
I do not like it because the gateway still returns http, but then the new rule is executed and redirected to https.
Is there an elegant solution for this?
In my opinion, the best solution is to rewrite the Location header in your backend responses. This documentation describes how you can create a rewrite rule from the Azure portal for specifically the Location header. Then create your rule specifically to replace http:// with https://.
We have an Azure website, where we have the HTTPS-only setting turned on, and we also have URL rewrite rules set up so that when you go to our site at http://example.com (we have a custom domain that is secured with a cert using IP SSL, both example.com and www.example.com), you get redirected to https://example.com. When using a web browser, this clearly works. However, when using a tool such as Postman or a vulnerability scanner such as ZAP, the server is clearly responding to HTTP and not redirecting the request to HTTPS. We are currently failing a vulnerability scan due to this, and we cannot figure out what else to do to get the site to force HTTPS. As I said, it works when using a web browser, but not with direct web requests from non-browser tools. Thanks!
For my Java web application, which is deployed on an Azure VM, I have done the HTTP to HTTPS redirection on the Azure WAF listener, which works fine on the web but not for REST web services.
For example: when I access an HTTP URL like http://www.abc.com, it automatically redirects to https://www.abc.com.
But when I try to access the REST POST web service over HTTP, for example http://www.abc.com/rs/savedata, it gives an error with status code 301 and status message "Moved Permanently".
However, when we access the REST POST API with HTTPS, it works fine.
I am not sure what configuration is required on Azure so that it can automatically redirect to HTTPS for HTTP REST requests.
This is the normal behavior that is described here: you will have to manage it from the client to call the new redirect URL, as described here:
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-redirect-overview
If you want a transparent redirect, you will need to look at putting in place a reverse proxy like Nginx, which will handle the redirect and make a pass-through.
I chose to host my website in Azure, so I've created an App Service. Then I created a new domain for my app, then created and bound the SSL certificate to my corresponding website.
After I was done with the SSL certificate, I'm still seeing my website URL as http:// and not https://
Also, I'm not seeing the green URL for my website.
It looks like this
(P.S.: My App Service tier is AzureFreeTier (Basic: 1 Small).
My SSL type is SNI SSL.)
Please help to resolve my problem here.
Thanks in Advance,
Jayendran
You need to do a redirect from HTTP to HTTPS. Installing a certificate just makes using HTTPS with your custom domain name possible.
You can either:
Configure your app to redirect to HTTPS when it receives a request over HTTP + enable HTTP Strict Transport Security.
Or use an extension in Web Apps to do the first thing:
To install the extension, open your web app blade in Azure Portal. Go to Extensions, then click Add. Then you should find Redirect HTTP to HTTPS from the list and install it.
That will redirect any HTTP calls to HTTPS for you. I would still recommend adding Strict-Transport-Security headers to your responses to make sure your clients do not access your site insecurely the next time.
The reason you arrive at your site on HTTPS after AAD login is that the HTTPS version of your app's URL has been configured in AAD as the reply URL.
And this:
Your Connection to this site is not fully secure Attackers might be able to see the images
is a mixed content warning. It means you are loading content (e.g. images) using an HTTP URL in your pages. Change them to HTTPS and you will solve that problem.
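The redirect problems raised in the questions above (a Location header that points back to http, a site that answers plain HTTP without redirecting, a POST that receives a 301, and a missing Strict-Transport-Security header) can be checked mechanically. The following Python is an added example, not code from any of the posts; the function name, finding labels and sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
# RFC 9110: clients may rewrite POST to GET on 301/302 and always do on 303;
# 307 and 308 require the method and body to be preserved.
METHOD_CHANGING = {301, 302, 303}


def audit_response(method, url, status, headers):
    """Return findings for one observed request/response pair."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme = urlsplit(url).scheme
    findings = []
    if status in REDIRECTS:
        # A relative Location inherits the scheme of the request.
        target_scheme = urlsplit(h.get("location", "")).scheme or scheme
        if target_scheme != "https":
            findings.append("redirect-to-http")
        if method not in ("GET", "HEAD") and status in METHOD_CHANGING:
            findings.append("redirect-may-change-method")
    elif scheme == "http":
        findings.append("served-over-http")
    # Browsers ignore HSTS received over plain HTTP, so only check HTTPS.
    if scheme == "https" and "strict-transport-security" not in h:
        findings.append("missing-hsts")
    return findings


HSTS = {"Strict-Transport-Security": "max-age=31536000"}
# Constructed samples modelled on the cases in the thread (not captured traffic).
SAMPLES = [
    ("GET", "https://example.com/", 302,
     {"Location": "http://example.com/Identity/Account/Login?returnUrl=%2F"}),
    ("GET", "http://example.com/", 200, {}),
    ("POST", "http://www.abc.com/rs/savedata", 301,
     {"Location": "https://www.abc.com/rs/savedata"}),
    ("GET", "http://example.com/", 301, {"Location": "https://example.com/"}),
    ("GET", "https://example.com/", 200, HSTS),
]


def run_samples():
    return [audit_response(*s) for s in SAMPLES]


if __name__ == "__main__":
    for sample, found in zip(SAMPLES, run_samples()):
        print(sample[0], sample[1], sample[2], found or "ok")
```

Feed it the status and headers recorded by a client that does not follow redirects, so each hop is audited separately.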
I get a "504 gateway" error when I do an "http://xyz.com" request for a website hosted on Azure. However, if I do an "https://xyz.com" request for the same website, I get the webpage. How do I always do an HTTPS request for this URL even if somebody forgets to use https?
Found this on Stack Overflow:
Best way in asp.net to force https for an entire site?
And I think URL Rewrite or an HTTP module might help as well.