Azure App Service For Containers SSL Termination - azure

Goal: Deploy a website to Azure App Service in a container that works from the php-apache base image as has a custom domain with SSL.
Current Situtation:
Website setup to use Dockerfile for building an image
Image uploaded to Docker Hub and successfully built
Image deployed to Azure App Service as a container
Configured custom domain in Azure and pointed DNS to provided IP Address
Problem: How do I configure my container? Currently, I am getting an SSL warning when trying to connect to my website which makes perfect sense as my domain does not match the default certificate azure provides for *.azurewebsite.net (and Azure tells you this when you setup a custom domain, which is neat).
Does Azure pass a request made on 443 to my container on 443 requiring me to configure my container for an SSL connection?
Does Azure terminate the SSL connection and pass the request to my container on port 80?
I understand I need to upload my certificate to Azure, but if Azure is passing the request to my container on 443, that would mean I would need to setup my container to accept requests on 443 and configure the certificate inside the container (which is fairly trivial). However, if Azure terminates the SSL and passes the request over port 80, then my life is a bit simpler as I can just configure my container to listen on 80 and let Azure do the heavy lifting.
If you have any questions, or need clarification please let me know.

From what I can tell, Azure is terminating the SSL connection and passing the request to my container on port 80. I am making this assumption because at this point I am hosting a number of websites in containers and none of them expose 443.
It seems that all that is necessary is to upload your certificate to the Azure App Service Plan and do a bit of configuring to associate it with the correct App Service and website. The container running a website requires no special configuration for SSL.

Related

Expose TSL/SSL server on azure app service

I'm trying to deploy a custom server on an APP Service on Azure that only accepts requests on HTTPS instead HTTP.
My idea is deploying using the APP Service for avoid deploying on myself any SSL certificate.
I have found this on the documentation of the APP Service:
App Service terminates TLS/SSL at the front ends. That means that TLS/SSL requests never get to your app. You don't need to, and shouldn't implement any support for TLS/SSL into your app.
The front ends are located inside Azure data centers. If you use TLS/SSL with your app, your traffic across the Internet will always be safely encrypted.
So when I try to access via HTTPS on the 443 port the requests are being sent to port 80 and by HTTP. I tried to expose the port 443 directy using the config WEBSITES_PORT but result is that as that port doesn't accept HTTP request, the APP Service is not starting and keeps rebooting some time.
2022-09-14T16:05:22.335Z ERROR - Container xxxx_3_4a82d922 didn't respond to HTTP pings on port: 443, failing site start. See container logs for debugging.
My question is, is there any possibility to resend those HTTPS requests to the 443 as HTTPS on the APP Service in any way?
Thanks!
So your App Service essentially runs on a VM in isolated regions of Azure Data Centers often referred to as Stamps or Scale Units.
Unless you are on an ASE, your App Services live on these stamps which are multi tenant environments sharing a few incoming load balancers and the later is where TLS/SSL is terminated and is the entry point for your app. From the load balancer, the traffic is routed to a proxy (for linux apps) such as Nginx on a VM, over http and forwarded from there to the port exposed by your app service app(docker containers in linux). The defaults are 80 or 8080 but you could change this using the setting WEBSITES_PORT (note the use case here).
So you wouldn't really need end to end TLS given the above architecture. You could turn on the HTTPS only flag in your App Service->Configuration->General settings blade and this would redirect all http requests at the front end to https. This still would not result in end to end TLS.
TLS is often terminated outside the applications in the infrastructure (API gateway or Traffic Managers for instances) and this is by design and offer many benefits (less overhead, certificate management etc).

Publishing a container app on Azure Cloud

I have a nextJS app working in local container. I uploaded the image to Azure and now my application is up from Azure Container Instances.
its listening on port 3000 on http protocol.
I want to utilize Azure https certificate and have site like https://mysitexyz.azurewebsites.net which should point to my container: http://containerip:3000
What Azure resource should i using to achieve that?
You can point your custom DNS to an Azure Container Instances: https://learn.microsoft.com/en-us/azure/container-instances/container-instances-custom-dns
EDIT: *.azurewebsites.net is the DNS assigned when you use Azure App Service. You can't use it outside Azure App Service. What you can do, is run Containers on top of it using Azure Web App for Containers.

How do I enable HTTPS for a Container Instance on Azure

I've got a nodejs app running inside docker on a container instance in Azure.
I have a URL which is an IP address with HTTP only.
e.g.
http://123.456.789
I need it to be HTTPS because it is providing content to a React frontend and therefore I have a mixed content issue.
The App services on Azure just works by adding a https to the front of the address, but these are different and I can't figure it out.
You could add an extra sidecar container running the public Nginx image, configured to use TLS. Read this tutorial to enable a TLS endpoint in a sidecar container and read this for more choices. If you want to automatic HTTPS with Azure Container Instances (ACI) with terraform, you could refer to this.

Why Azure Container Instance does not have a default HTTPS endpoint?

I am wondering, what is the reason for Azure Container instances not to have an HTTPS address?
In comparison, Web Apps do have HTTPS endpoint by default, while Container Instances have just HTTP endpoint assigned.
Why is that?
When you deploy an application to Azure Web Apps, you are basically running your application behind IIS. You can configure the Web Apps platform to terminate SSL connections and all incoming requests received by your application will be via HTTP.
On Azure Container Instances, you container is directly connected to the network. If you want to terminate SSL before it reaches your application, you would need to have a service which provides SSL termination. The typical way to do this without creating any more infrastructure is to run nginx as a sidecar to your application container.

How to attach SSL certificate to Azure Container Instance

I have created a Docker image by building a Dockerfile from Nodejs application then pushed the Docker image to Azure Container Registry(ACR).
Then created linux Azure container instance as service by referring the Docker image that we pushed to ACR.
The application is running fine on port 80.
Now We have a SSL certificate , now in order to run my application on port 443, How can i attach this SSL certificate to that Azure container Instance.
Thanks in Advance :)
You could configure Nginx to use SSL as a sidecar container in your application container group. You could create an Nginx configuration file and Base64-encode the Nginx configuration file, the SSL certificate, and the SSL key. Then, you enter the encoded contents in a YAML file used to deploy the container group.
You could follow this document to enable an SSL endpoint in a container group.
You can attach shared storage as a volume to container, where you can store your SSL certificate files
And you can use nginx in the container and always manually renew certificate OR
you can use caddy, as described in this tutorial

Resources