Add Brotli Support to an Azure Web App

Deflate and GZip compression have been with us on the web for many years. They do a decent job but as times move on, so do compression algorithms. This is something I have talked about before using services like TinyPNG to squeeze the spare bytes out of your images to reduce page load times but this only applies to images obviously.

Brotli is a Google project for a newer, more modern compression algorithm for the web. According to the claims of Google, using Brotli over GZip not only increases the content compression reducing page size but also reduces CPU usage in the decompression process too. With the ever expanding usage of mobile devices, both of these are great things to have.

If you are interested in reducing your page size to improve load times and reduce your outbound bandwidth on your site then read on to learn now. I will cover the requirements, fallback compatibility and also how to get Brotli for Linux and Windows as well as the main point, how to enable it for an Azure Web App.

Read the Full Post

MySQL and PostgreSQL Database as a Service in Azure

Today is the day that ClearDB users rejoice. Today is the day that a viable platform as a service offering for both MySQL and PostgreSQL exist in Microsoft Azure. Announced last night, Microsoft have now launched their own platform as a service offerings for the two database engines.

For years, ClearDB have offered a PaaS solution for MySQL. I had the misfortune of trying it out first hand recently on a web project and I can tell you that the performance was shocking. So bad was the performance that we actually deployed a Linux VM in Azure to run the MySQL service in IaaS and take the management hit on IaaS vs. PaaS. Even the support offered was terrible, blaming the performance on Azure itself when there were no issues with the Azure platform globally at the time.

The announcement puts these new services in preview. This means that the services and features aren’t going to be ready for your production workloads nor are all of the features going to be available right now. For example, I deployed an Azure Database for MySQL server last night to try it out and the Basic pricing tier is the only tier available right now. The ability to force all connections to secure and to define firewall rules for access is important and good to see there from day one.

All in all, it looks like a good first release. As I have been using In App MySQL database for Azure Web Apps to run the MySQL database on this site for sometime now (since preview in fact), and I have been debating whether to step back to IaaS for MySQL because of the fact that In App MySQL limits my ability to use features like Azure Load Balancer or Azure Traffic Manager with multiple site instances, this is going to be something I can definately see me using in the near term for real.

You can check out the documentation, pricing and scaling details for yourself at https://docs.microsoft.com/en-gb/azure/mysql/concepts-servers.

The Case of the Missing Azure Portal Detach Button

This is going to be a really quick post but one I thought may be worth sharing. Imagine that you are working in the Azure Portal and you are trying to update a Virtual Machine configuration to detach an existing data disk on the VM. You’ve done everything right following the steps at https://docs.microsoft.com/en-us/azure/virtual-machines/windows/detach-disk by stopping the VM and waiting for it to fully stop.

For normal users, this wouldn’t be an issue however if you are like me and you care for your eyes and have switched to the dark theme in the Azure Portal, you are in for a problem. When you select Edit on the disk configuration of the VM, you notice that the Detach button that the Microsoft article refers to is missing as shown below.

The Detach button should be visible just to the right of the Host Caching drop-down menu but as you can see, it is not.

It turns out, this is a bug in the Azure Portal when using the dark theme and I have reported this already. If you switch to one of the other theme colours, the button magically appears.

The problem is that the buttons are meant to change when you select the dark theme. If you look at the Save and Discard buttons at the top of the screenshot, you can see that in the dark theme, these two buttons are white to constant with the dark background and when using the white theme, these buttons are black to contrast with the background. The Detach button at the moment, doesn’t appear to be properly changing between white and black to cater for the background colour in use.

HSTS Preloading with Azure Web Apps

In previous posts, I’ve talked about implementing web security features such as HTTPS, CSP, HPKP and HSTS. Almost all of these are things we can configure ourselves within our web applications responses to client requests however one of these features, HSTS requires a little more work to fully implement.

HSTS is a technology of two halves. HTTP Strict Transport Security (HSTS) is a feature which allows a website to instruct the client that it should never be downgraded to HTTP and should only ever request and receive data from the site over HTTPS. We can easily implement this, in the case of Windows and IIS, using a web.config file outbound rewrite rule which I covered in the previous post, Working Hard on Web Security.

The trouble is, this is only half the battle. If a client repeatedly visits your site, their browser will know as a result of previous visits to always use HTTPS due to having previously seen the HSTS header but what about new visitors? What happens if your site is victim of a downgrade attack between you implementing HTTPS and HSTS and the first time a user visits? Their browser doesn’t know it should be using HSTS already so we have a problem.

Read the Full Post