Azure App Service terminating https before application? [duplicate]

I'm building an ASP.NET Core web application on framework 2.2 and hosting on an Azure App Service on a Linux App Service plan.

Inside my application I inspect HttpRequest.Scheme. Running locally, this returns https if I make a request using https. Running on Azure, it returns http.

It appears Azure App Services is terminating the SSL connection and proxying to my app. Is there a way to configure Azure App Services so the https request makes it to my application unmodified? Or at least HttpRequest.Scheme matches the original request?


I've built a sample diagnostic page to show this behavior:

var healthStatus = new
{
    Port = context.Request.Host.Port?.ToString() ?? "unknown",
    context.Request.Scheme,
    context.Request.IsHttps,
    Headers = context.Request.Headers.Select(x => $"{x.Key}:{x.Value}").ToArray()
};

context.Response.ContentType = "application/json";
await context.Response.WriteAsync(JsonConvert.SerializeObject(healthStatus));

Debugging in VS Locally: https://localhost:1234/ping:

{
   "Port":1234,
   "Scheme": "https",
   "IsHttps": true,
   "Headers": <standard headers - nothing interesting>
}

Deploying to Azure App Services: https://appServiceExample.myDomain.com/ping:

{
   "Port":"unknown",
   "Scheme": "http",
   "IsHttps": false,
   Headers: [ 
     // there are several more headers, but only these looked interesting:
     "X-Forwarded-For:195.206.xxx.xxx:6922",
     "X-Forwarded-Proto:https",
     "X-AppService-Proto:https"
    ]
}

As a workaround: could I solve this problem by relying on the X-AppService-Proto or X-Forwarded-Proto header? This seems a bit of a hack, as I'd rather inspect the original incoming request, and I'm unsure how reliable these headers are.

Philip Pittle asked Jan 26 '26 22:01


1 Answer

Just summarize your comment.

The Azure App Service frontend layer TERMINATES the TLS channel (aka TLS offloading) and opens a new plain HTTP connection to your Web Worker, where your code lives. Routing is performed by ARR (Application Request Routing).

Therefore, from the point of view of your code every single request is "insecure".

X-Forwarded-Proto=https hints about the original request (that hit the frontends).

If checks have to be made, make them against X-ARR-SSL instead.

For more details, you could refer to this SO thread.

Joey Cai answered Jan 29 '26 10:01
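
Added example, not part of the original question or answer: one way to make HttpRequest.Scheme and IsHttps follow X-Forwarded-Proto is ASP.NET Core's Forwarded Headers Middleware, shown here in a 2.2-style Startup with a cut-down version of the question's /ping page. It assumes the app is reachable only through the App Service frontend and that the frontend is not in the middleware's default trusted (loopback) proxy list; the Startup layout and the RemoteIp field are illustrative.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;
using Newtonsoft.Json;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Honour only the headers the app needs; X-Forwarded-Host stays ignored.
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

            // By default only loopback proxies are trusted, so headers from a
            // non-loopback frontend are dropped. Clearing both lists trusts any
            // sender: acceptable only under the assumption that clients cannot
            // reach the worker directly. If the proxy address range is known,
            // add it to KnownNetworks instead of clearing.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();

            // Process only the entry added by the nearest proxy, so values a
            // client put in these headers itself are not applied.
            options.ForwardLimit = 1;
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before anything that reads Scheme, IsHttps or the remote IP.
        app.UseForwardedHeaders();

        app.Map("/ping", ping => ping.Run(async context =>
        {
            var status = new
            {
                context.Request.Scheme,   // "https" once X-Forwarded-Proto is applied
                context.Request.IsHttps,
                RemoteIp = context.Connection.RemoteIpAddress?.ToString()
            };
            context.Response.ContentType = "application/json";
            await context.Response.WriteAsync(JsonConvert.SerializeObject(status));
        }));
    }
}
```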

Joey Cai



Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!