16

I have configured an Application Gateway (AG) to do SSL termination/offload. The AG is configured to only listen on port 443 for HTTPS connections. Is it possible to redirect HTTP to HTTPS without having to:

  • Create a new VM that contains a webserver that redirects the traffic and configure AG to listen on port 80 with the new VM in its backend pool, or
  • Also allow HTTP connections to my application VMs and handle the redirect in my application code

I'm hoping I overlooked a flag/feature in AG.

Davey Chu
  • This (http --> https) is not supported as per FAQ - https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-faq – Gopi Kolla Mar 28 '17 at 02:37
  • This (http --> https) is now supported by Application Gateway. https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-redirect-overview – PotatoFarmer Dec 07 '17 at 17:04

7 Answers

13

EDIT ~2019+: Now done via Azure Portal. See/upvote Matt Sullivan's answer. Commandline-based approach kept below.


Command line approach (like Jonathan Mast's answer but with AZ CLI):

  1. Create a listener for your HTTP traffic (e.g. FE-HTTP-80-Site). This can be done using Azure portal or CLI.

  2. Create a listener for your HTTPS traffic (e.g. FE-HTTPS-443-Site). This can be done in the Azure portal or CLI.

  3. Create a redirect configuration:

```bash
az network application-gateway redirect-config create \
  --gateway-name AppGateway \
  -g RSgroupAppGateway \
  -n Redirect-Site-toHTTPS \
  --type Permanent \
  --include-path true \
  --include-query-string true \
  --target-listener FE-HTTPS-443-Site
```

  4. Create a rule for the HTTP traffic:

```bash
az network application-gateway rule create \
  --gateway-name AppGateway \
  -g RSgroupAppGateway \
  -n Rule-HTTP-80-Site \
  --rule-type Basic \
  --http-listener FE-HTTP-80-Site \
  --redirect-config Redirect-Site-toHTTPS
```

Reference on Concept: Create an application gateway with URL path-based redirection using Azure PowerShell

AZ CLI Reference: Azure Command-Line Interface (CLI) documentation

GUI method (added ~2019+): Create an application gateway with HTTP to HTTPS redirection using the Azure portal

PotatoFarmer
  • Will this work if there is already a rule assigned to the https listener? It's not possible in the portal anyway... – Oliver Feb 21 '18 at 20:13
  • I tried it anyway and answered my own question - it does work! +1 – Oliver Feb 21 '18 at 21:03
  • I managed to do the setup with PowerShell based on this Azure shell and Mr. Nagy's PS examples found from http://eduroll.eu/?p=217 – Jari Turkia Nov 02 '18 at 10:44
  • doesn't this mean that people can reach your application gateway on port 80 as well? whereas the point is to allow access to your frontend only on 443 – Naim Salameh Jan 27 '19 at 22:41
  • @naim-salameh Traffic attempting to communicate over port 80 will be redirected to 443. This is helpful because most people don't type: `mywebsite.com:443` - they usually type `mywebsite.com` which will commonly attempt to connect to `mywebsite.com:80`. This is similar to how most domains define a `www` record, allowing users typing "www.mywebsite.com" or "mywebsite.com" to be served, despite the `@` record being the only one technically required. – PotatoFarmer Jan 28 '19 at 22:10
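
A check for the redirect configured in the answer above, as an added example that is not part of the original answer or comments: it validates the response headers a port-80 listener returns against the settings used there (`--type Permanent`, `--include-path true`, `--include-query-string true`). The function name `check_redirect`, the hostname `site.example` and the sample responses are constructed for illustration.

```shell
# check_redirect <requested-http-url> <raw-response-headers>
# Prints "ok" or "fail: <reason>"; returns 0 only when the response matches
# --type Permanent, --include-path true and --include-query-string true.
check_redirect() {
  cr_headers=$(printf '%s\n' "$2" | tr -d '\r')   # drop CRs from CRLF line ends
  cr_status=$(printf '%s\n' "$cr_headers" | awk 'NR==1 {print $2}')
  cr_location=$(printf '%s\n' "$cr_headers" |
    awk 'tolower($1)=="location:" {print $2; exit}')
  # Same host, path and query string; only the scheme changes.
  cr_expected="https://${1#http://}"

  if [ "$cr_status" != "301" ]; then
    echo "fail: status ${cr_status:-none}, expected 301 (Permanent)"; return 1
  fi
  if [ -z "$cr_location" ]; then
    echo "fail: no Location header"; return 1
  fi
  if [ "$cr_location" != "$cr_expected" ]; then
    echo "fail: Location $cr_location, expected $cr_expected"; return 1
  fi
  echo "ok"
}

# Constructed sample responses; site.example is a placeholder hostname.
URL='http://site.example/app/login?next=home'
GOOD=$(printf '%b' 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://site.example/app/login?next=home\r\nContent-Length: 0\r\n')
NO_QUERY=$(printf '%b' 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://site.example/app/login\r\n')
TEMPORARY=$(printf '%b' 'HTTP/1.1 302 Found\r\nLocation: https://site.example/app/login?next=home\r\n')
SERVED=$(printf '%b' 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n')

# Against a live gateway: check_redirect "$URL" "$(curl -sI "$URL")"
for sample in "$GOOD" "$NO_QUERY" "$TEMPORARY" "$SERVED"; do
  check_redirect "$URL" "$sample" || true
done
```

The `SERVED` case (a 200 on port 80) is the one to watch for: it means the HTTP listener is bound to a backend rule instead of the redirect configuration, so content is being served in clear text.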
6

HTTP to HTTPS redirection can now also be configured through the portal. The concept is the same: create a listener for http, then add a rule that redirects to the https listener.

https://learn.microsoft.com/en-us/azure/application-gateway/redirect-http-to-https-portal

Matt Sullivan
  • This should become the accepted answer now that this functionality is supported through the portal. – mkst Jun 08 '21 at 14:24
3

If you handle the redirect on your backend, you can use the X-Forwarded-Proto header sent by the App Gateway to see the original request and redirect if it was HTTP using a redirect rule.

Apache

To do this on Apache, add the following to your .htaccess file

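```apache
# Redirect when the gateway reports that the original request was not HTTPS
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
# R forces an external redirect (302 by default); L stops further rule processing
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
```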

IIS

Using the IIS rewrite module add this to your web.config file

```xml
<rewrite xdt:Transform="Insert">
  <rules>
    <rule name="HTTPS rewrite behind App Gw rule" stopProcessing="true">
      <match url="^(.*)$" ignoreCase="false" />
      <conditions>
        <add input="{HTTP_X_FORWARDED_PROTO}" pattern="^http$" ignoreCase="false" />
      </conditions>
      <action type="Redirect" redirectType="Found" url="https://{SERVER_NAME}{URL}" />
    </rule>
  </rules>
</rewrite>
```
Scott Semyan
3

This is now supported by the Azure Application Gateway product without any additional tools or services. It is configured using PowerShell as described in this link.

Relevant PoSH code copy and pasted from the reference for redirecting port 80 to 443:

```powershell
# Get the application gateway
$gw = Get-AzureRmApplicationGateway -Name AdatumAppGateway -ResourceGroupName AdatumAppGatewayRG

# Get the existing HTTPS listener
$httpslistener = Get-AzureRmApplicationGatewayHttpListener -Name appgatewayhttplistener -ApplicationGateway $gw

# Get the existing front end IP configuration
$fipconfig = Get-AzureRmApplicationGatewayFrontendIPConfig -Name appgatewayfrontendip -ApplicationGateway $gw

# Add a new front end port to support HTTP traffic
Add-AzureRmApplicationGatewayFrontendPort -Name appGatewayFrontendPort2 -Port 80 -ApplicationGateway $gw

# Get the recently created port
$fp = Get-AzureRmApplicationGatewayFrontendPort -Name appGatewayFrontendPort2 -ApplicationGateway $gw

# Create a new HTTP listener using the port created earlier
Add-AzureRmApplicationGatewayHttpListener -Name appgatewayhttplistener2 -Protocol Http -FrontendPort $fp -FrontendIPConfiguration $fipconfig -ApplicationGateway $gw

# Get the new listener
$listener = Get-AzureRmApplicationGatewayHttpListener -Name appgatewayhttplistener2 -ApplicationGateway $gw

# Add a redirection configuration using a permanent redirect and targeting the existing listener
Add-AzureRmApplicationGatewayRedirectConfiguration -Name redirectHttptoHttps -RedirectType Permanent -TargetListener $httpslistener -IncludePath $true -IncludeQueryString $true -ApplicationGateway $gw

# Get the redirect configuration
$redirectconfig = Get-AzureRmApplicationGatewayRedirectConfiguration -Name redirectHttptoHttps -ApplicationGateway $gw

# Add a new rule to handle the redirect and use the new listener
Add-AzureRmApplicationGatewayRequestRoutingRule -Name rule02 -RuleType Basic -HttpListener $listener -RedirectConfiguration $redirectconfig -ApplicationGateway $gw

# Update the application gateway
Set-AzureRmApplicationGateway -ApplicationGateway $gw
```
Jonathan Mast
1

You certainly can, only with PowerShell to my knowledge though. The instructions for doing this in ARM are in the documentation.

I would usually post the instructions here but a number of steps are involved in this, it would be a monster post!

Martyn C
  • I actually followed that article, but AFAIK this will not handle redirecting http traffic to https. Could you highlight the step that would implement this? – Davey Chu Apr 12 '16 at 14:37
  • You would have to create two listeners, the HTTP one to a server which handles the redirect. It can be the same server, however depending on the situation you might want to have them separate. As you have suggested in your post. Apologies - I misunderstood that part of your post, I assumed you weren't sure if it could do SSL offload. – Martyn C Apr 12 '16 at 14:41
  • I'm hoping to find an alternative as both options feel like workarounds. Not to mention that the separate server (or two, since you would want it load balanced / in an availability set as well) would cost extra money. – Davey Chu Apr 12 '16 at 14:51
  • Yep I agree, all I can suggest is logging a suggestion on UserVoice as some product feedback. – Martyn C Apr 12 '16 at 15:18
0

Scott's answer for IIS did not work for me on Win2k16 \ IIS10 and module 2.0; the AG proxy returns an upstream server error; trying to load the rewrite module via IIS manager would result in a malformed XML error.

Removed the insert transform and the redirects started working.

```xml
<rewrite>
  <rules>
    <rule name="HTTP To HTTPS Redirect Behind App Gtwy" stopProcessing="true">
      <match url="^(.*)$" ignoreCase="false" />
      <conditions logicalGrouping="MatchAny">
        <add input="{HTTP_X_FORWARDED_PROTO}" pattern="^http$" ignoreCase="false" />
      </conditions>
      <action type="Redirect" url="https://{SERVER_NAME}{URL}" redirectType="Found" />
    </rule>
  </rules>
</rewrite>
```
Sam Murcio
0

Please use the below command and it will work for you

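```powershell
# Get the application gateway
$appgw = Get-AzureRmApplicationGateway -Name GatewayName -ResourceGroupName ResourcegroupName

# Existing HTTPS (port 443) listener: the redirect target
$myHTTPSListener = Get-AzureRmApplicationGatewayHttpListener -Name appGatewayHttpListener -ApplicationGateway $appgw

# HTTP (port 80) listener: must be a different listener from the HTTPS one above,
# otherwise the rule redirects the HTTPS listener to itself.
# HttpListenerName is a placeholder for the name of your port-80 listener.
$myHTTPListener = Get-AzureRmApplicationGatewayHttpListener -Name HttpListenerName -ApplicationGateway $appgw

# Permanent redirect to the HTTPS listener, keeping path and query string
Add-AzureRmApplicationGatewayRedirectConfiguration -Name redirectHttptoHttps -RedirectType Permanent -TargetListener $myHTTPSListener -IncludePath $true -IncludeQueryString $true -ApplicationGateway $appgw

$redirectconfig = Get-AzureRmApplicationGatewayRedirectConfiguration -Name redirectHttptoHttps -ApplicationGateway $appgw

# Bind the redirect to the HTTP listener
Add-AzureRmApplicationGatewayRequestRoutingRule -Name redirectrule -RuleType Basic -HttpListener $myHTTPListener -RedirectConfiguration $redirectconfig -ApplicationGateway $appgw

# Save the changes to the gateway
Set-AzureRmApplicationGateway -ApplicationGateway $appgw
```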
Gagravarr