Enabling Cloudflare SSL on Azure Storage Static Web Hosting Applications

Enable Cloudflare SSL for custom domains on Azure Storage Static Web Hosting.


Overview

Static Web Hosting allows an Azure storage container to directly serve static content.  However, the current Azure Static Web Hosting technology stack does not support SSL for certain URLs. For example, if foo.com were the domain using Static Web Hosting, traffic destined for https://www.foo.com and https://foo.com could not use SSL.  However, proxying Static Web Hosting Applications through Cloudflare allows SSL to be enabled for these URLs.

Static Web Hosting enables https with the following URLs, for example, if foo.com is the domain:

https://<<account>>.blob.core.windows.net/ 
https://<<account>>.<<foo.com>>.web.core.windows.net 

A Static Web Hosting custom domain, foo.com, uses a CNAME to point to another CNAME which utilizes the *.blob, *.web URLs.  That CNAME then resolves to another CNAME which is the A record of the FE pool for the Azure storage account.  To clarify this configuration, see the following example:

storage.foo.com CNAME foo.blob.core.windows.net
foo.blob.core.windows.net CNAME blob.exampleprdstr01.store.core.windows.net
blob.exampleprdstr01.store.core.windows.net  A  13.78.152.64
Currently, one IP address is returned for the A record except in the case of ZRS (zone redundant storage) which will return the IP addresses of all FE pools (one in each availability zone).

Route traffic from the Static Web Hosting application to Cloudflare in order to enable Cloudflare SSL:

Browser <—SSL—> Cloudflare Proxy <—SSL—> Static Web Hosting

Setup a Cloudflare Account to get started.


Create a Cloudflare Account

To receive SSL on a custom domain:

     1. Create a new Cloudflare account or use an existing account. 

     2. Enter the name of your custom domain under Add Your Site.

     3. Cloudflare queries authoritative DNS servers for the DNS records registered for the domain.


Choose a plan

Select the Free, Pro, or Business plan for the domain. If you choose Free or Pro, Cloudflare will generate an SSL certificate for communications between browsers and the Cloudflare proxy. If you prefer to upload your own SSL certificate to Cloudflare, choose the Business plan.


Select a DNS Method

If you want Cloudflare to provide authoritative DNS, use the Cloudflare nameservers provided for your domain and place them in the DNS manager of your domain registrar.

If you want to use the CNAME method, you’ll need to follow additional steps.


Select an SSL Method

When logged into your Cloudflare account, select the SSL/TLS tab.  The default SSL setting is Flexible SSL; however, there are other SSL options

For domains activated on Free or Pro plans, it may take up to 24 hours for new SSL certificates to issue.

Because DNS settings are cached in various locations throughout the Internet, including on a client's browser, changes to SSL settings may take time to propagate and start functioning as expected.

If you want an HTTPS connection between CF and Azure, a valid SSL certificate must be installed on the blob itself. Since this is enabled in Azure by default, you may immediately change your SSL settings to Full or Full (strict) to ensure encryption between the client, Cloudflare, and Azure.


Related resources

 

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk