HTTPS on Azure RESTAPI

Question

I am deploying a docker image on Azure that is publishing some REST API I can use to store some information in a database.
The question is: Is it possible to force HTTPS instead of HTTP and use a self signed certificate?

so if my rest api is something like this:

curl -i -H "Content-type: application/json" http://AZURE_IP_ADDRESS:5100/module/api/v1.0/person -X POST -d '{ "name" : "test", "surname": "test_surname" }'

I want that just certificate machines can perform the previous command.

As far as I understood Azure works with Certificate register by a Truster CA, but I want to do some test before to do everything.

In few words I want to call a REST API only if the machine where I am doing the HTTPS request is "Admitted" to perform the request.
I am a bit confused. I mean, I wish to know how to protect my REST API provided by my docker running on Azure.. but I would like to be more generic.. in terms of not use just Azure functionality and be ready when I will use something else than Azure.

By following below steps:

# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Create the Server Key, CSR, and Certificate
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr

# We're self signing our own server cert here.  This is a no-no in production.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

# Create the Client Key and CSR
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr

# Sign the client certificate with our CA cert.  Unlike signing our own server cert, this is what we want to do.
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt



openssl rsa -in server.key -out server_without_key.key    

and configure nginx.conf as follow:

server {
        listen 443 ssl;


        ssl_certificate        /etc/nginx/certs/server.crt;
        ssl_certificate_key    /etc/nginx/certs/server_without_key.key;
        ssl_client_certificate /etc/nginx/certs/ca.crt; # the cert used to sign the client certificates
        ssl_verify_client      on; # force SSL verification (can also be set to 'optional')


        ssl     on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
        keepalive_timeout   70;

    }

Once I curl:

curl -v -s -k --key client.key --cert client.crt https://172.18.0.9   

(in the dir` where client.key and *crt are stored) I have the following output

* Rebuilt URL to: https://172.18.0.9/
*   Trying 172.18.0.9...
* Connected to 172.18.0.9 (172.18.0.9) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 698 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* error reading X.509 key or certificate file: Error while reading file.
* Closing connection 0

Any suggestion? Is it possible?

Thanks

Answer 1

Depending on the web server you are using your exact configuration details will vary, but in the nutshell what you want to do is redirect all http requests to https. See below for some links.

On the client side for this to work you will need to follow the redirect. Typically the browsers are configured to do that automatically. Using curl this is accomplished by the -L flag.

curl -L -i -H "Content-type: application/json" http://AZURE_IP_ADDRESS:5100/module/api/v1.0/person -X POST -d '{ "name" : "test", "surname": "test_surname" }'

On the server side these are instructions that might help.

NGINX https://serverfault.com/questions/67316/in-nginx-how-can-i-rewrite-all-http-requests-to-https-while-maintaining-sub-dom

Apache https://wiki.apache.org/httpd/RedirectSSL

IIS https://www.iis.net/configreference/system.webserver/httpredirect