Do you need ssl to access Azure AD Directory? - azure

Using this tutorial to connect to azure ad directory and wanted to know if it was necessary to use ssl?

Yes, all authentication endpoints should be HTTPS

In general, you should always secure any API or web site with TLS (in this case, using HTTPS). It is increasingly easy to obtain and use certificates.
For development scenarios, you may use an HTTP reply URL only if the host is localhost.

Related

Custom CouchDb SSL Certificate Verification

I'm trying to configure CouchDB to use SSL on IoT devices accessed via IP. I'm trying to avoid adding a webserver as a reverse proxy in an attempt to keep things as lightweight as possible and instead use CouchDb's builtin SSL functionality.
The problem I'm running into is that replication is going to fail Common Name certificate verification because we're accessing via IP. I'm hoping to use a custom verification function to check certificate thumbprint instead. It looks like verify_fun combined with someting like this ssl_verify_fingerprint function is probably what I'm looking for, but I can't figure out how to use it in the config file. How can I update this config line to use a custom function?
verify_fun = {Module, VerifyFun}
I am not sure I understand your question fully. By "nodes" do you mean a Node.js environment? You can configure CouchDb itself to use SSL, but normally you would serve your HTML from a web server and use CouchDb to provide information for the web pages. So users would not directly access CouchDb in that scenario.
The common solution is to configure Apache, Nginx or some other web server as a reverse proxy and SSL end point. You can then redirect incoming HTTPS requests to other services on your server such as Node.js. There are many guides on setting up a reverse proxy with SSL such as this one and this one. You can use "Let's Encrypt" for secure certificates. I hope this helps.

If I have an external public HTTP web server, can I use Microsoft Azure to set up an HTTPS front?

Given I have a HTTP (non-secure) web server up and running with the public address 111.111.111.11:80.
Are there any / what Microsoft Azure products, where I can setup my own custom domain (mydomain.com) as a HTTPS front/reverse proxy to my web server without buying my own certificate?
(Currently, I am using Cloudflare Crypto to achieve this, so I am investigating if Microsoft Azure can achieve this as well in an easy way)
As far as I know, the recommended Azure way to do this would be to use Application Gateway and a CNAME for the custom domain. This question also has some information on using a custom domain for Application Gateway.
However, if you want to use a custom domain, you will need to buy a certificate. You can do this through Azure as well. You can then use the certificate for the Application Gateway.
Edit: Sorry, Application Gateway does not seem to support the static public IP in your scenario. You would need to work around that. It might be easier to go a different route then...

Azure API Management - bypass SSL validation

I am playing around with Azure API Management as a SOAP passthrough. I was hoping to get some analytics in place to preview the service.
My trouble is that my client endpoint has SSL validation in place. I can't figure out how to load the .cer file in Azure to satisfy this requirement. At the very least I was hoping to find an option to turn off SSL validation (like I can with curl or even postman).
any one found a way to accomplish this?
API Management provides the capability to secure access to the back-end service of an API using client certificates. Below guide shows how to manage certificates in the API publisher portal, and how to configure an API to use a certificate to access its back-end service.
How to secure back-end services using client certificate authentication in Azure API Management
If you are calling the API Management service with https then the certificate that is presented will match the host name that you are calling with. I'm assuming you were able to change the client to point to your service at https://{servicename}.azure-api.net ?
Or did you change your local hostname file to make that happen? If that's the case, then that is why you are getting an SSL error. Without being able to re-compile your client you cannot disable the SSL validation.
You could configure the custom domain in API Management and if you have access to the certificate, you could attach it to the custom domain. However, you would actually have to change the public DNS for the domain to make that work. I don't think you can enable a custom domain in API Management, provide the certificate and only use your local hostname file to do the mapping. But I will check.
The steps under 'Scenario 7: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel' in Troubleshooting 4xx and 5xx Errors with Azure APIM services is what worked for me. I'm using this approach to bypass validating the SSL cert until I switch from using a self-signed cert to a CA signed one.

ReturnUri to Localhost

During development the team prefer to develop against a local database and local IIS Express web server.
We tried to configure an address of http://localhost:<port>/ in the Azure AD B2C application configuration as a return URI, but this isn't permitted (technically it should work, although I can see why it isn't permitted). So at the moment, when anyone signs in, it returns them to the test server URL.
We'd like to be returned to our local development server instance. Is there any way that people know of to achieve this?
You can use localhost, but make sure to use https:
https://localhost:<port>
See also this answer: DNS URLs in Azure AD B2C don't work
Just a self signed certificate is enough to make this work. We use this a lot (together with B2C) for our development machines.

Windows Azure websites https

If I create an azure website let's assume: myname.azurewebsites.net, I can access this by using http (http://myname.azurewebsites.net) or https (https://myname.azurewebsites.net).
What does this mean? Did I understood it right that basically I don't need an SSL certificate as it has one by default?
I need to build a web service that needs to use SSL. Therefore do I need to buy an ssl certificate and custom domain (not important)? I don't need a custom domain and the default one works fine for me. So can I use my service over SSL provided by Azure: https://myname.azurewebsites.net (is a wildcard certificate)?
If you need to build a web service that needs to use SSL I highly suggest that you use your own domain and your own SSL certificate (buy one) if you are going in production with it. If you just test/play around - than you can safely use the default provided one.
And you are correct about default provided one - you get a (free) SSL for your azure web site as long as it is only bound to the default XXX.azurewebsites.net domain. However the certificate you get there is a wildcard certificate issued to *.azurewebsites.net. I would not use it if I have to go for a production service!
If you are to use SSL features of Azure Web Sites with your own domain and certificate, check out the Pricing and requirement pages. There are important things to note!

Resources