iis - How to remove Azure SSL binding?

Question

I have a production site on Azure, with a Pay-As-You-Go subscription. I have two custom domain names set up for it, too. MySite.org and www.MySite.org

Some of my site's visitors are hitting my site via HTTPS, though I never intended to use HTTPS. I don't need SSL for this site. They get an alarming browser warning: There is a problem with this website’s security certificate. I don't know why or how they are using HTTPS, but no matter, I should be able to address this from the server side.

I want to disable the SSL binding, but I cannot find any place to do it in the Azure management portal. As a workaround, I decided to try a URL Rewrite rule to direct from HTTPS to HTTP (usually one would want to redirect the other direction.), but the certificate warning still fires in the browser, because the browser is still processing an HTTPS request first, before the redirect, to a site that does have SSL set up. Ugh.

I found this:

Windows Azure Web Sites actually comes pre-configured to run on SSL, and if you don’t want your own domain, then you can use SSL immediately. All you have to do is simply browse to it! In your browser, change the prefix from HTTP:// to HTTPS:// and voila! Your site will respond and you will have a secure connection to it. However, we do not recommend using this to secure sensitive content or applications, because the wildcard certificate used is generic for all Azure Web Sites.

http://blogs.msdn.com/b/windowsazure/archive/2013/12/13/securing-your-windows-azure-web-sites-waws-with-https-and-ssl.aspx

That's great, but how do I turn it off?!

Thanks in advance,
Lee C.

Answer 1

Whilst you don't have your own certificate, if someone is hitting a scheme you don't intend to support then it's not going to be much fun for them. At the moment they'd be getting the Azure wildcard cert for azurewebsites.net which, of course, won't be valid for mydomain.com (or whatever) and they'll get a nasty security warning from the browser.

There's no point trying to redirect from HTTPS to HTTP as they'll still get the browser warning on the HTTPS request.

You also can't disable the HTTPS scheme on an Azure website, that's one thing configured centrally and not something you have the ability to turn on or off.

Your best bet is to simply load a free SSL certificate onto the site that's valid for your domain and do the redirect you suggest. Check out The complete guide to loading a free SSL certificate into an Azure website.

Keep in mind that you can only load your own cert on Basic and Standard Azure websites, you won't be able to do this if you're on Free or Shared.