Using IP Geolocation and SSL on Azure

I want to share some lessons learned from a recent migration of a Sitecore infrastructure to Azure. If you are running a load-balanced environment over SSL and relying on IP Geolocation, then you need to look out for the following gotchas:

Azure Load Balancer doesn’t support SSL offloading

It's 2017, so by now you had better be running your site over SSL. Unfortunately, the Azure Load Balancer doesn't support SSL offloading. This is a problem because IP Geolocation relies on the X-Forwarded-For header carrying the visitor's IP address, and a load balancer can only inject that header if it terminates the SSL connection. If the connection stays encrypted all the way down to IIS, the load balancer cannot add it.

To get past this problem, Azure offers Application Gateway, which has more advanced features such as SSL offloading. Keep in mind that it comes at a higher price than the basic load balancer, but there is essentially no way around it.

Handling the Application Gateway’s X-Forwarded-For header

The format in which Application Gateway writes IPs to the X-Forwarded-For header differs from most other load balancers I've encountered so far, as it also appends port numbers to the IPs, e.g. 192.168.0.155:1234.
For Sitecore's UpdateGeoIpData processor to be able to work with these values, the port numbers need to be stripped off. Otherwise you'll end up with errors in your log like:

Cannot parse a valid IP address from X-Forwarded-For header

Grant Killian has written this post on how to patch the XForwardedFor processor in the createVisit pipeline so that it handles this format.
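To make the port-stripping concrete, here is an added example of the parsing that such a patch has to do. It is not code from this post, from Sitecore, or from Grant Killian's patch; the class and method names are my own, and the sample header value is constructed. It handles the three shapes a practitioner actually meets in the header: IPv4 with a port, bracketed IPv6 with a port, and bare addresses, and it skips anything that does not parse as an IP. The choice of which entry to treat as the visitor's address assumes the gateway is the only proxy in front of IIS, so the entry it appended is the last one; earlier entries arrive from the client or from upstream proxies and should not be trusted for geolocation.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

// Added example (not the post's, Sitecore's or Grant Killian's code): parse an
// X-Forwarded-For value as written by Azure Application Gateway, where each entry
// may carry a ":port" suffix that IPAddress.TryParse rejects.
public static class ForwardedForParser
{
    // Returns every entry in the header that parses as an IP address, in header
    // order, with any port suffix removed. Unparseable entries are skipped.
    public static IReadOnlyList<IPAddress> Parse(string headerValue)
    {
        var result = new List<IPAddress>();
        if (string.IsNullOrWhiteSpace(headerValue)) return result;

        foreach (var raw in headerValue.Split(','))
        {
            var entry = raw.Trim();
            if (entry.Length == 0) continue;

            IPAddress ip;
            if (IPAddress.TryParse(StripPort(entry), out ip))
                result.Add(ip);
        }
        return result;
    }

    // Removes a trailing ":port" from "192.168.0.155:1234" and "[2001:db8::1]:1234".
    // A bare address ("10.0.0.7", "2001:db8::1") is returned unchanged. An
    // unbracketed IPv6 address followed by a port is ambiguous and is left alone.
    public static string StripPort(string entry)
    {
        if (entry.StartsWith("[", StringComparison.Ordinal))
        {
            var close = entry.IndexOf(']');
            return close > 0 ? entry.Substring(1, close - 1) : entry;
        }

        // Exactly one colon means IPv4 plus port; zero means plain IPv4;
        // two or more means an IPv6 address with no bracketed port to strip.
        var colonCount = entry.Count(c => c == ':');
        return colonCount == 1 ? entry.Substring(0, entry.IndexOf(':')) : entry;
    }

    // The entry to use for geolocation. Assumption about the deployment: Application
    // Gateway is the only proxy in front of IIS and appends the connecting client's
    // address, so the last entry is the one the gateway observed; anything before it
    // was supplied by the client or an upstream hop and is trivially forged.
    public static IPAddress ClientAddress(string headerValue)
    {
        var all = Parse(headerValue);
        return all.Count == 0 ? null : all[all.Count - 1];
    }

    public static void Main()
    {
        // Constructed sample: a client-supplied entry, then the gateway's own entry.
        const string header = "203.0.113.9, [2001:db8::1]:4433, 192.168.0.155:1234";

        foreach (var ip in Parse(header))
            Console.WriteLine(ip);            // 203.0.113.9, 2001:db8::1, 192.168.0.155

        Console.WriteLine(ClientAddress(header)); // 192.168.0.155
        Console.WriteLine(StripPort("10.0.0.7"));  // 10.0.0.7 (nothing to strip)
    }
}
```

Whichever entry your pipeline ends up feeding into UpdateGeoIpData, run it through StripPort first; that alone is what removes the "Cannot parse a valid IP address" error described above.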

Enforcing SSL

Neither the basic Load Balancer nor Application Gateway currently offers a way of redirecting requests to https. You will need to take care of this yourself in IIS. A handy way of doing this is a URL Rewrite rule that checks the X-Forwarded-Proto header set by the gateway. Note that the rule only fires when that header is exactly "http"; a request that reaches IIS without the header, for instance one that bypasses the gateway, is not redirected:

<rule name="HTTPS rewrite behind load balancer" stopProcessing="true">
  <match url="^(.*)$" ignoreCase="false" />
  <conditions>
    <add input="{HTTP_X_FORWARDED_PROTO}" pattern="^http$" ignoreCase="false" />
  </conditions>
  <action type="Redirect" redirectType="Found" url="https://{SERVER_NAME}{URL}" />
</rule>
