Difference between Require SSL and using URL Rewrite in IIS

Is there improved security with web applications if you use "Require SSL" in the SSL Setting section of IIS? I was planning on creating a URL Rewrite rule.

"Require SSL" will cause a 403.4 Forbidden response if you try to access the site using http://example.com. It won't automatically redirect to the https:// url.
This may be confusing for users if you're not linking in some way to the https://example.com SSL'd url.
If you want users to be able to randomly hit the site using plain http:// and then redirect them to the SSL'd url then you're better off leaving "Require SSL" turned off and do a rewrite.
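
The rewrite approach the answer recommends, shown as an added web.config example (not part of the original answer). It assumes the IIS URL Rewrite module is installed, the site keeps its HTTP binding, and "Require SSL" is left unchecked; the rule name is arbitrary.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: site-level web.config. Assumes the URL Rewrite module is
     installed and "Require SSL" is unchecked, so a plain-HTTP request gets a
     redirect from this rule instead of a 403.4 response. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule name is arbitrary. -->
        <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
          <!-- Match every path; {R:1} below is the captured path. -->
          <match url="(.*)" />
          <conditions>
            <!-- {HTTPS} is "OFF" when the request arrived without TLS. -->
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <!-- Permanent = 301. {HTTP_HOST} echoes the request's Host header;
               put a fixed host name here if the binding accepts any host.
               The query string is appended by default. -->
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

With this rule a request to http://example.com/path is answered with a 301 to https://example.com/path, whereas "Require SSL" alone answers the same request with the 403.4 described above.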

Related

Naked domain in Azure CDN endpoint has wrong HTTPS certificate name

I have a site in Azure. Pages are generated by Azure Functions, but for a given URL the generated page will always be identical, so I put it behind a CDN endpoint. I added custom domains to the endpoint: www.example.com is the main domain and there is also a naked domain version example.com, but any request to it is redirected to www.example.com. Any http requests are also redirected to https. Both redirects are performed by returning a redirect result from the Azure Function.
So, both http://example.com and http://www.example.com are properly redirected to https://www.example.com. The problem arises if someone tries to access https://example.com. The certificate served for this url is *.azureedge.net and the browser predictably displays a warning message (if instructed to proceed - it receives a redirect and works fine after that).
When I try to enable Custom HTTPS on example.com, I get an error: "Enabling Https with CDN Managed Certificate is not supported anymore for apex (root) domains."
Is there any way I can fix this, perhaps instruct a redirect from example.com to www.example.com on DNS level? I've seen suggestions to use alternative CDNs available in Azure, but I'm not ready to go down that route yet.
As you've discovered, as of April 2021 Managed certificates are not supported on Apex domains. The only supported way to get round this at present is to upload your own certificate (either free or purchased) or purchase one through KeyVault.
Having said that, Jack Tracey has put together a list of instructions to achieve this in an unsupported manner.

How to completely force https only for website including for requests outside a browser?

We have an azure website, where we have the https only setting turned on, and we also have url rewrite rules set up as well so that when you go to our site at http://example.com (we have a custom domain that is secured with a cert using IP SSL - both example.com and www.example.com), you get redirected to https://example.com. When using a web browser, this clearly works. However, when using a tool such as Postman or vulnerability scanning, such as ZAP, the server is clearly responding to http and not redirecting the request to https. We are currently failing a vulnerability scan due to this, and we cannot figure out what else to do to get the site to force https. As I said, it works when using a web browser, but not with direct web requests from non-browser tools. Thanks!

Azure CDN is redirecting traffic with a custom domain

I have a setup like this:
A website at domain abc.com
Azure CDN points to it. So if you go to abc.azuredge.net you see abc.com content. In the URL bar you see abc.azuredge.net.
I have another domain, qwe.com, I want abc.qwe.com to be the custom domain for the CDN endpoint.
In qwe DNS settings, I set a CNAME record, for abc to point to abc.azuredge.net.
I add the abc.qwe.com as a custom domain in the CDN endpoint.
My expectation:
I go to abc.qwe.com. I see abc.com content, from abc.qwe.com domain.
What happens: I go to abc.qwe.com, it responds with a permanent redirect to abc.com.
Did I misconfigure something, or is it supposed to work this way? I don't understand why it doesn't do a redirect on abc.azureedge.net, but if I add a layer on top of it, suddenly it just redirects to the origin.
In my case it ended up being not related to CDN. It was actually rules on a server that were doing a redirect under certain conditions, e.g. http to https, or www redirect.
As a side note, https redirect can be tricky. Now Chrome uses https by default, so if you type in the url, it will go to https, thus no redirect. But if you select your custom domain text in the Azure portal and choose "go to xxx", it will actually go to the http version, which will result in a redirect. So you might be under the impression that you are going to https and it was redirecting, when in fact it was http.
I was planning to delete the question, but Erik H commented that he's having the same issue so I decided to self-answer. Maybe it will help someone.

Redirect https URL to another https URL for the same Azure App Service

This might be a stupid question, and for that I'm sorry, I'm not well-versed in DNS configurations (so perhaps I shouldn't be meddling in this, lol), but anyhow..
I have a web app running in Azure that is currently undergoing a bit of a name change. Therefore, I want to redirect users trying to access my domain to another domain, let's say https://example.com to https://subdomain.anotherexample.com. I own both domains and have certificates for both of them, but I cannot for the life of me understand how (or if it's even possible) to redirect users in this way?
I have both URLs configured as A records for the underlying IPv4 address, and have tried to configure a re-direct in my cPanel to redirect the domain example.com to https://subdomain.anotherexample.com, but if I try to access https://example.com it just complains that the certificate is from another provider (not my Azure certificate, but instead my web hosting certificate used for other sites). Both URLs are set up as custom domains for the same app service in Azure with SNI SSL certificate bindings where example.com is bound to a standard certificate for that specific domain, while subdomain.anotherexample.com is bound to a wildcard certificate for *.anotherexample.com.
I assume there must be something that's not allowed in trying to redirect between two different domains where https is involved because trying to access http://example.com works (i.e. it re-directs to https://subdomain.anotherexample.com). Do I have to write some kind of script server-side that re-directs users manually?

Redirect add-on website from https to http

I have 2 websites in my hosting account at Bluehost. The main domain (maindomain.com) has an SSL and there is one registration page where I need to use https://www.maindomain.com.
I also have an add-on domain (addondomain.com) and am hosting the website for that in the same account. There is no necessity for a secure connection.
However, I want to make sure that if https://addonsite.com is used, it redirects to http://addonsite.com. The reason is that now if you go to https://addonsite.com, it shows that in the URL address window, but the maindomain.com website loads.
I have tried adding redirects to both .htaccess files (for maindomain.com and addondomain.com), but cannot seem to get it to work. Is it possible to do this with a main domain and add on domain if there is an SSL on the main domain?
