5
votes

I have a web application that is hosted in Windows Azure. We want to use SSL for the production deployment, and we have a custom domain name and SSL certificate for the domain, and all of that is set up and working correctly in production.

The web role currently has both an HTTP and an HTTPS endpoint, but we would like to disable the HTTP endpoint and just use HTTPS in production.

If we remove the HTTP endpoint, my question is: what is the best way to deal with the HTTPS endpoint for a Staging deployment in Azure? Every time you do a new staging deployment in Azure, it gives you a new temporary domain name for the service. In staging, should we just not use an SSL certificate at all, and just skip past all the browser warnings, or is there a way to use SSL in staging when the domain name changes with each deployment? Or when we swap to production, is there a way to just "turn off" an (HTTP) endpoint in an Azure deployment?

My initial thought was to create two packages that had different endpoints, but I don't believe Azure will let you hot-swap the prod and staging deployments if they have different endpoint configurations.


3 Answers

9
votes

For one of our projects we are using the URL Rewrite module, which comes installed by default on Azure. It works great. A section in web.config makes all HTTP traffic automatically redirect to HTTPS:

<rule name="HTTP to HTTPS redirect" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
  </conditions>
  <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>

For the staging environment it is best to use the same cert as for production. This allows for easy hot swap between production and staging, and you can verify in your browser that the certificate is the correct one. The downside is that you will have to click "continue to web site" while testing the staging deployment.

Note that while the URL Rewrite module is always available in Azure, for DevFabric you will have to download and install it on your dev box. The download is available on http://www.iis.com.

1
votes

For this scenario, what we have done is to create 2 different service deployments in Azure, both having their Production\Staging environments. Hence we are using the Production instance in both services, which keeps the URL static.
There is no hot swap between the service deployments, but when a build gets promoted from one of the service deployments, it is installed on the second service's staging deployment and then a hot swap is done. Hope I made myself clear.

1
votes

We keep ports 80 and 443 open on production and staging deployments, but we use a custom HttpModule to redirect HTTP traffic to HTTPS based on an Azure configuration setting. If the config value equals "Production", all traffic is forced over HTTPS. Otherwise, both HTTP and HTTPS traffic is handled. This was important for us because we didn't want our users to get confused when HTTP requests were rejected just because they forgot to prefix the URL with https://. Is there a particular reason you need to disable the HTTP endpoint?
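
A sketch of the kind of module described in the answer above, added here as an example; it is not the answerer's code. The class name `RequireHttpsModule` and the setting name `Environment` are assumptions, and the setting must be declared in the role's service definition and configuration files.

```csharp
using System;
using System.Web;
using Microsoft.WindowsAzure.ServiceRuntime;

// Added example: redirects HTTP to HTTPS only when the role's
// configuration setting says the deployment is production.
public class RequireHttpsModule : IHttpModule
{
    // Hypothetical setting name; use whatever your .cscfg defines.
    private const string SettingName = "Environment";

    public void Init(HttpApplication application)
    {
        application.BeginRequest += OnBeginRequest;
    }

    private static bool EnforceHttps()
    {
        // Outside Azure and the emulator there is no role configuration,
        // so both HTTP and HTTPS stay enabled.
        if (!RoleEnvironment.IsAvailable) return false;

        // Read per request so a configuration update takes effect
        // without redeploying the package.
        string value = RoleEnvironment.GetConfigurationSettingValue(SettingName);
        return string.Equals(value, "Production", StringComparison.OrdinalIgnoreCase);
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        if (context.Request.IsSecureConnection || !EnforceHttps()) return;

        // Keep host, path and query; switch the scheme and drop the
        // port so the default HTTPS port (443) is used.
        var target = new UriBuilder(context.Request.Url)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = -1
        };
        context.Response.Redirect(target.Uri.AbsoluteUri, true);
    }

    public void Dispose() { }
}
```

The module has to be registered in web.config (under `system.webServer/modules`) before it runs.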