search

Azure / azure-functions-host

The host/runtime that powers Azure Functions
https://functions.azure.com
MIT License
1.94k stars 442 forks source link

BUG: HSTS stopped working. #10520

Open cr3wdayt5p opened 1 month ago

cr3wdayt5p commented 1 month ago

We enabled HSTS around 2024-08-29 but now (2024-10-10) it is no longer working. The header is no longer sent. This applies to both the *.azurewebsites.net domain and our custom domain.

We have made no other configuration changes in this period.

host.json:

{
    "version": "2.0",
    ...
    "extensions": {
        ...
        "http": {
            "hsts": {
                "isEnabled": true,
                "maxAge": "730",
                "includeSubDomains": true,
                "preload": true
            }
        }
    }
}

Runtime Stack: DOTNET-ISOLATED|8.0 Runtime Version: 4.1036.2.2 OS: Linux Plan: Premium V3 (App Service Plan) Region: North Europe

Docs for the HSTS setting can be found here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook?tabs=isolated-process%2Cfunctionsv2&pivots=programming-language-csharp#hostjson-settings

bhagyshricompany commented 1 month ago

Hi @cr3wdayt5p Thanks for reporting there may be this reason. If you're using a custom domain, double-check that your SSL certificate bindings are still in place and valid. HSTS requires a valid SSL certificate. If the certificate expired or was removed, the HSTS header won't be sent.

cr3wdayt5p commented 1 month ago

Hi @bhagyshricompany

Image

The certificate is assigned by Azure and is still valid (expiration 2025-01-23). The custom domain binding has also not been touched and is valid (see image).

cr3wdayt5p commented 1 month ago

My guess is that your bug is related to either the App Service Environment plan or to the Linux host.

We have another Azure Function running on the Dynamic plan on a Windows host in the same region (North Europe) with identical HSTS configuration – and this works. That host is also running a slightly newer runtime (4.1036.3.23284).

bhagyshricompany commented 2 weeks ago

please ref this doc .https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-8.0&source=recommendations&tabs=visual-studio%2Clinux-ubuntu%2Clinux-sles

cr3wdayt5p commented 2 weeks ago

please ref this doc .https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-8.0&source=recommendations&tabs=visual-studio%2Clinux-ubuntu%2Clinux-sles

Why? What would I be looking for there? You are linking to some ASP.NET thing – which does not appear to be related to Azure Functions at all.

The documentation for HSTS setup for Azure Functions is here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook?tabs=isolated-process%2Cfunctionsv2&pivots=programming-language-csharp And it is quite simple – and it used to work – but now it has stopped working due some apparent bug on the Azure side.

bhagyshricompany commented 1 week ago

please provide your code for azure fuc and sdk version you have used.Thanks

cr3wdayt5p commented 5 days ago

Our code contains nothing fancy regarding the setup. When our stuff is filtered out it is basically the default template.

host.json: See above.

OurProjectName.fsproj:

<?xml version="1.0" encoding="utf-8"?>
<Project Sdk="Microsoft.NET.Sdk">
    <PropertyGroup>
        <TargetFramework>net8.0</TargetFramework>
        <AzureFunctionsVersion>v4</AzureFunctionsVersion>
        <OutputType>Exe</OutputType>
    </PropertyGroup>
    <ItemGroup>
        <None Include="host.json">
            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
        </None>
    </ItemGroup>
    <ItemGroup>
        <!-- ... -->
        <Compile Include="Functions.fs" />
        <Compile Include="Program.fs" />
    </ItemGroup>
    <ItemGroup>
        <PackageReference Update="FSharp.Core" Version="8.0.403" />
        <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.23.0" />
        <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="2.0.0" />
        <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http" Version="3.2.0" />
        <!-- ... -->
    </ItemGroup>
</Project>

Program.fs:

module OurProjectName.Program

open Microsoft.Extensions.Hosting

[<EntryPoint>]
HostBuilder().ConfigureFunctionsWorkerDefaults().Build().Run ()

Functions.fs:

namespace OurProjectName

open System
open System.Threading.Tasks
open Microsoft.Azure.Functions.Worker
open Microsoft.Azure.Functions.Worker.Http
open Microsoft.Extensions.Logging

// ...

type Functions (logger : ILogger<unit>) =
    [<Function("Ping")>]
    member _.Ping ([<HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "ping")>] req : HttpRequestData, funcCtx : FunctionContext) =
        async {
            let resp = req.CreateResponse System.Net.HttpStatusCode.OK
            do resp.WriteString "pong"
            return resp
        }
        |> Async.StartAsTask

    // ...

Everything works as expected except for HSTS.

bhagyshricompany commented 4 days ago

H @cr3wdayt5p Thanks for your input will check and update you.Thanks