Redirect HTTP to HTTPS in Azure Application Gateway

I have configured an Application Gateway (AG) to do SSL termination/offload. The AG is configured to only listen on port 443 for HTTPS connections. Is it possible to redirect HTTP to HTTPS without having to:

  • Create a new VM that contains a webserver that redirects the traffic and configure AG to listen on port 80 with the new VM in its backend pool, or
  • Also allow HTTP connections to my application VMs and handle redirect in my application code

I'm hoping I overlooked a flag/feature in AG.



Solution 1:[1]

EDIT ~2019+: Now done via Azure Portal. See/upvote Matt Sullivan's answer. Commandline-based approach kept below.


Command line approach (like Jonathan Mast's answer but with AZ CLI):

  1. Create a listener for your HTTP traffic (e.g. FE-HTTP-80-Site). This can be done using Azure portal or CLI.

  2. Create a listener for your HTTPS traffic (e.g. FE-HTTPS-443-Site). This can be done in the Azure portal or CLI.

  3. Create a redirect configuration:

az network application-gateway redirect-config create \
--gateway-name AppGateway \
-g RSgroupAppGateway \
-n Redirect-Site-toHTTPS \
--type Permanent \
--include-path true \
--include-query-string true \
--target-listener FE-HTTPS-443-Site

  4. Create a rule for the HTTP traffic:

az network application-gateway rule create \
--gateway-name AppGateway \
-g RSgroupAppGateway \
-n Rule-HTTP-80-Site \
--rule-type Basic \
--http-listener FE-HTTP-80-Site \
--redirect-config Redirect-Site-toHTTPS

Reference on Concept: Create an application gateway with URL path-based redirection using Azure PowerShell

AZ CLI Reference: Azure Command-Line Interface (CLI) documentation

GUI method (added ~2019+): Create an application gateway with HTTP to HTTPS redirection using the Azure portal
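
A way to check the result of the redirect configuration in steps 1 to 4, as an added example that is not part of the original answer: it validates that a port-80 response is a 301 whose Location keeps the host, path and query string under https. The function names, the host app.example.com and the sample responses are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: validate the response from the port-80 listener against the
# redirect-config above (--type Permanent, --include-path, --include-query-string).

# Print the https:// URL that an http:// URL should be redirected to.
expected_location() {
  local rest host path
  rest=${1#http://}
  [ "$rest" != "$1" ] || return 1        # input must be an http:// URL
  host=${rest%%/*}
  path=${rest#"$host"}
  printf 'https://%s%s\n' "${host%:80}" "${path:-/}"
}

# check_redirect URL RAW_HEADERS
# Returns 0 = permanent redirect to the right target, 1 = status is not 301,
# 2 = Location does not preserve host, path and query under https.
check_redirect() {
  local headers status location want
  headers=$(printf '%s\n' "$2" | tr -d '\r')   # curl -I output uses CRLF
  status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
  location=$(printf '%s\n' "$headers" |
    awk 'tolower($1)=="location:" {print $2; exit}')
  want=$(expected_location "$1") || return 1
  [ "$status" = "301" ] || return 1
  [ "$location" = "$want" ] || return 2
}

# Live use against your own gateway (no -L, so the redirect itself is inspected):
#   check_redirect "$URL" "$(fetch_headers "$URL")"
fetch_headers() { curl -sS -I --max-time 10 "$1"; }

# Constructed sample data; app.example.com is a placeholder host.
URL='http://app.example.com/login?next=home&id=7'
GOOD=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://app.example.com/login?next=home&id=7\r\n')
TEMP=$(printf 'HTTP/1.1 302 Found\r\nLocation: https://app.example.com/login?next=home&id=7\r\n')
NOQUERY=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://app.example.com/login\r\n')

check_redirect "$URL" "$GOOD" && echo "redirect OK"
```

A return code of 1 on a 302 response distinguishes a temporary redirect from the Permanent type configured in step 3; a return code of 2 flags a redirect that drops the path or query string.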

Solution 2:[2]

If you handle the redirect on your backend, you can use the X-Forwarded-Proto header sent by the App Gateway to see the original request and redirect if it was HTTP using a redirect rule.

Apache

To do this on Apache, add the following to your .htaccess file:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI}

IIS

Using the IIS rewrite module, add this to your web.config file:

<rewrite xdt:Transform="Insert">
  <rules>
    <rule name="HTTPS rewrite behind App Gw rule" stopProcessing="true">
      <match url="^(.*)$" ignoreCase="false" />
      <conditions>
        <add input="{HTTP_X_FORWARDED_PROTO}" pattern="^http$" ignoreCase="false" />
      </conditions>
      <action type="Redirect" redirectType="Found" url="https://{SERVER_NAME}{URL}" />
    </rule>
  </rules>
</rewrite>

Solution 3:[3]

This is now supported by the Azure Application Gateway product without any additional tools or services. It is configured using PowerShell as described in this link.

Relevant PoSH code copied and pasted from the reference for redirecting port 80 to 443:

# Get the application gateway
$gw = Get-AzureRmApplicationGateway -Name AdatumAppGateway -ResourceGroupName AdatumAppGatewayRG

# Get the existing HTTPS listener
$httpslistener = Get-AzureRmApplicationGatewayHttpListener -Name appgatewayhttplistener -ApplicationGateway $gw

# Get the existing front end IP configuration
$fipconfig = Get-AzureRmApplicationGatewayFrontendIPConfig -Name appgatewayfrontendip -ApplicationGateway $gw

# Add a new front end port to support HTTP traffic
Add-AzureRmApplicationGatewayFrontendPort -Name appGatewayFrontendPort2  -Port 80 -ApplicationGateway $gw

# Get the recently created port
$fp = Get-AzureRmApplicationGatewayFrontendPort -Name appGatewayFrontendPort2 -ApplicationGateway $gw

# Create a new HTTP listener using the port created earlier
Add-AzureRmApplicationGatewayHttpListener -Name appgatewayhttplistener2  -Protocol Http -FrontendPort $fp -FrontendIPConfiguration $fipconfig -ApplicationGateway $gw 

# Get the new listener
$listener = Get-AzureRmApplicationGatewayHttpListener -Name appgatewayhttplistener2 -ApplicationGateway $gw

# Add a redirection configuration using a permanent redirect and targeting the existing listener
Add-AzureRmApplicationGatewayRedirectConfiguration -Name redirectHttptoHttps -RedirectType Permanent -TargetListener $httpslistener -IncludePath $true -IncludeQueryString $true -ApplicationGateway $gw

# Get the redirect configuration
$redirectconfig = Get-AzureRmApplicationGatewayRedirectConfiguration -Name redirectHttptoHttps -ApplicationGateway $gw


# Add a new rule to handle the redirect and use the new listener
Add-AzureRmApplicationGatewayRequestRoutingRule -Name rule02 -RuleType Basic -HttpListener $listener -RedirectConfiguration $redirectconfig -ApplicationGateway $gw

# Update the application gateway
Set-AzureRmApplicationGateway -ApplicationGateway $gw 

Solution 4:[4]

HTTP to HTTPS redirection can now also be configured through the portal. The concept is the same: create a listener for http, then add a rule that redirects to the https listener.

https://docs.microsoft.com/en-us/azure/application-gateway/redirect-http-to-https-portal

Solution 5:[5]

You certainly can, only with PowerShell to my knowledge though. The instructions for doing this in ARM are in the documentation.

I would usually post the instructions here, but a number of steps are involved in this, so it would be a monster post!

Solution 6:[6]

Scott's answer for IIS did not work for me on Win2k16 \ IIS10 and module 2.0; the AG proxy returns an upstream server error; trying to load the rewrite module via IIS manager would result in a malformed XML error.

Removed the insert transform and the redirects started working.

    <rewrite>
        <rules>
            <rule name="HTTP To HTTPS Redirect Behind App Gtwy" stopProcessing="true">
                <match url="^(.*)$" ignoreCase="false" />
                <conditions logicalGrouping="MatchAny">
                    <add input="{HTTP_X_FORWARDED_PROTO}" pattern="^http$" ignoreCase="false" />
                </conditions>
                <action type="Redirect" url="https://{SERVER_NAME}{URL}" redirectType="Found" />
            </rule>
        </rules>
    </rewrite>

Solution 7:[7]

Please use the below command and it will work for you

# Get the application gateway
$appgw = Get-AzureRmApplicationGateway -Name GatewayName -ResourceGroupName ResourcegroupName

# Existing HTTPS (port 443) listener: the redirect target
$myHTTPSListener = Get-AzureRmApplicationGatewayHttpListener -Name appGatewayHttpListener -ApplicationGateway $appgw

# Existing HTTP (port 80) listener. HttpListenerName is a placeholder for its name;
# it must be a different listener from the HTTPS one, or the rule redirects to itself
$myHTTPListener = Get-AzureRmApplicationGatewayHttpListener -Name HttpListenerName -ApplicationGateway $appgw

# Permanent redirect to the HTTPS listener, keeping path and query string
Add-AzureRmApplicationGatewayRedirectConfiguration -Name redirectHttptoHttps -RedirectType Permanent -TargetListener $myHTTPSListener -IncludePath $true -IncludeQueryString $true -ApplicationGateway $appgw

$redirectconfig = Get-AzureRmApplicationGatewayRedirectConfiguration -Name redirectHttptoHttps -ApplicationGateway $appgw

# Attach the redirect to the HTTP listener
Add-AzureRmApplicationGatewayRequestRoutingRule -Name redirectrule -RuleType Basic -HttpListener $myHTTPListener -RedirectConfiguration $redirectconfig -ApplicationGateway $appgw

# Update the application gateway
Set-AzureRmApplicationGateway -ApplicationGateway $appgw

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 Scott Semyan
Solution 3 Jonathan Mast
Solution 4 Matt Sullivan
Solution 5 Martyn C
Solution 6 Sam Murcio
Solution 7 Gagravarr