Force Https Redirection for NodeJs Apps hosted in Azure

There seem to be many posts and Stack Overflow questions about forcing HTTPS in NodeJs/Express applications. I’ve found that the few dealing specifically with Azure web app hosting are missing some key points.

A note on Azure NodeJs hosting

Microsoft extended IIS to include a NodeJs module. This essentially means your node app is still running on IIS. It leverages IIS for the rest of the benefits it provides as an application server (not just a web server). The “web server” piece is swapped out for whatever you’re including in your node app… Express, for example.

Do you even middleware, bro?

Let’s start by saying: ‘like all things in development, there are many ways to do the same thing’. That doesn’t mean that they are all the right way for the right problem. There are numerous examples of adding Express middleware to process the incoming request for either a secure check or a header check (Azure adds the x-arr-ssl header to SSL requests).

These implementations will work.  But why add code at the application level when the application server has runtime modules baked in to support them?  The lower level the implementation can be processed at, the faster it will execute.  Despite your feelings for Microsoft or IIS, IIS is still extremely proficient and efficient.  Now, adding the fact that Azure orchestrates IIS (and balanced instances with scaling) for you only strengthens the approach to configure application server features on the application server and not the application being served.

How to configure IIS for a Node app in Azure

I will assume you can deploy your node web app to Azure already.  There are official MSDN instructions and easily searchable blogs with enough instructions to generate your and git push or CI it from Azure and VCS-of-your-choice.

The key is, after you deploy the first time and get your awesome “Hello, world” loaded from * something happens during the  It generated a web.config.  This is familiar to any .Net developer that’s been awake in the last decade.

When you examine this web.config, it has barebones IIS features since it is not hosting a .Net app, it’s hosting a Node app.  In particular, it loads up the ‘iisnode’ module.  Once this is done, you need to get your favorite FTP client ready.

Azure allows an FTP user/pwd to be defined PER subscription (yes subscription – not per app/azure resource provisioned).  You can find it from most any resource’s Settings (in the new preview portal Settings->Deployment Credentials).  Once this is set up, grab the FTP address (in the new preview portal Settings->Properties).

You’ll find the web.config in /site/wwwroot. Download it and add it to your root source directory. Include it in your git repo as well. From this point on, when your site deploys, Azure will use the existing web.config instead of creating a vanilla one.

Add the ReWrite rule

Now that you have your web.config in your development source, you can add the rewrite rule for IIS to manage before it ever touches your node application.

Add an xml child element under <rules> to redirect to HTTPS:

  <!-- Redirect all traffic to SSL -->
  <rule name="Force HTTPS" enabled="true">
    <match url="(.*)" ignoreCase="false" />
    <conditions>
      <add input="{HTTPS}" pattern="off" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
  </rule>

  .. omitted ..

This will instruct IIS to force HTTPS on all requests. There is more that can be done in the web.config for node apps to make life easier and keep the warm fuzzy “I know it will work with Azure because I’m using their IaaS deployment configuration strategy”.
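One way to confirm the rule after deploying, as an added example that is not part of the original post: the check below encodes what the rule's attributes promise (a 301, the same host, path and query string preserved). The host `app.example.test`, the function names and the sample responses are constructed for illustration.

```javascript
// Added example: checks that the answer to a plain-HTTP request is the
// redirect the "Force HTTPS" rule should produce.

// Pure check: returns a list of problems (empty list = redirect is correct).
function checkHttpsRedirect(requestUrl, status, location) {
  const problems = [];
  const req = new URL(requestUrl);
  // redirectType="Permanent" means IIS answers with 301.
  if (status !== 301) problems.push(`expected status 301, got ${status}`);
  if (!location) {
    problems.push('no Location header');
    return problems;
  }
  let target;
  try {
    target = new URL(location, requestUrl); // tolerate relative Location values
  } catch {
    problems.push(`unparseable Location: ${location}`);
    return problems;
  }
  if (target.protocol !== 'https:') problems.push(`Location is not https: ${location}`);
  // {HTTP_HOST} keeps the requested host; a different host is a misconfiguration.
  if (target.hostname !== req.hostname) problems.push(`host changed to ${target.hostname}`);
  // {R:1} keeps the path, appendQueryString="true" keeps the query string.
  if (target.pathname !== req.pathname) problems.push(`path changed to ${target.pathname}`);
  if (target.search !== req.search) problems.push(`query changed to "${target.search}"`);
  return problems;
}

// Live probe (Node 18+ global fetch); redirect: 'manual' exposes the 301 itself
// instead of following it.
async function probe(requestUrl) {
  const res = await fetch(requestUrl, { redirect: 'manual' });
  return checkHttpsRedirect(requestUrl, res.status, res.headers.get('location'));
}

// Constructed sample responses, not captured from a real site.
const samples = [
  ['http://app.example.test/api/items?page=2', 301, 'https://app.example.test/api/items?page=2'],
  ['http://app.example.test/login?next=%2Fhome', 302, 'https://app.example.test/login'],
  ['http://app.example.test/', 200, null], // rule missing: the app answered over HTTP
];
for (const [url, status, location] of samples) {
  const problems = checkHttpsRedirect(url, status, location);
  console.log(url, problems.length ? problems : 'OK');
}
```

Against a deployed site, call `probe('http://<your-site>/some/path?x=1')` and expect an empty list.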

This gist has the details:

