Commit ebd6fa0

Merge pull request #297930 from halkazwini/afd-cipher
TLS policy
2 parents 98f16a3 + baae7ed commit ebd6fa0

5 files changed

+17
-8
lines changed

articles/frontdoor/end-to-end-tls.md

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ author: halkazwini
66
ms.author: halkazwini
77
ms.service: azure-frontdoor
88
ms.topic: concept-article
9-
ms.date: 03/26/2025
9+
ms.date: 04/09/2025
1010
zone_pivot_groups: front-door-tiers
1111
---
1212

@@ -33,9 +33,11 @@ Azure Front Door offloads the TLS sessions at the edge and decrypts client reque
3333
Azure Front Door supports two versions of the TLS protocol: TLS versions 1.2 and 1.3. All Azure Front Door profiles created after September 2019 use TLS 1.2 as the default minimum with TLS 1.3 enabled. Currently, Azure Front Door doesn't support client/mutual authentication (mTLS).
3434

3535
> [!IMPORTANT]
36-
> As of March 1, 2025, TLS 1.0 and 1.1 are not allowed on new Azure Front Door profiles. If you didn't disable TLS 1.0 and 1.1 on legacy settings before this date, they'll still work temporarily but will be updated to TLS 1.2 in the future.
36+
> As of March 1, 2025, TLS 1.0 and 1.1 are not allowed on new Azure Front Door profiles.
3737
38-
You can configure the minimum TLS version in Azure Front Door in the custom domain HTTPS settings using the Azure portal or the [Azure REST API](/rest/api/frontdoorservice/frontdoor/frontdoors/createorupdate#minimumtlsversion). For a minimum TLS version 1.2, the negotiation will attempt to establish TLS 1.3 and then TLS 1.2. When Azure Front Door initiates TLS traffic to the origin, it will attempt to negotiate the best TLS version that the origin can reliably and consistently accept. Supported TLS versions for origin connections are TLS 1.2 and TLS 1.3.
38+
For Azure Front Door Standard and Premium, you can configure predefined TLS policy or choose the TLS cipher suite based on your organization's security needs. For more information, see [Azure Front Door TLS policy](/azure/frontdoor/standard-premium/tls-policy) and [configure TLS policy on a Front oor custom domain](/azure/frontdoor/standard-premium/tls-policy-configure).
39+
40+
For Azure Front Door classic and Microsoft CDN classic, you can configure the minimum TLS version in Azure Front Door in the custom domain HTTPS settings using the Azure portal or the [Azure REST API](/rest/api/frontdoorservice/frontdoor/frontdoors/createorupdate#minimumtlsversion). For a minimum TLS version 1.2, the negotiation will attempt to establish TLS 1.3 and then TLS 1.2. When Azure Front Door initiates TLS traffic to the origin, it will attempt to negotiate the best TLS version that the origin can reliably and consistently accept. Supported TLS versions for origin connections are TLS 1.2 and TLS 1.3. If you want to custom the cipher suite per needs, [migrate Front Door classic](/azure/frontdoor/tier-migration) and [Microsoft CDN classic](/azure/cdn/tier-migration?toc=/azure/frontdoor/TOC.json) to Azure Front Door standard and premium.
3941

4042
> [!NOTE]
4143
> - Clients with TLS 1.3 enabled are required to support one of the Microsoft SDL compliant EC Curves, including Secp384r1, Secp256r1, and Secp521, in order to successfully make requests with Azure Front Door using TLS 1.3.
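Review bot: new line 38 has a typo in the link text, "configure TLS policy on a Front oor custom domain" should read "Front Door custom domain", and new line 40 ends with "If you want to custom the cipher suite per needs", which should read "If you want to customize the cipher suite for your needs". The [!IMPORTANT] note also drops the sentence saying legacy TLS 1.0/1.1 settings keep working temporarily and will be moved to TLS 1.2; if that still holds for existing profiles, keep it or replace it with what actually happens to them, because operators of older profiles are the readers who need that to plan the change. Minor: tier capitalization is inconsistent within the hunk ("Standard and Premium" on line 38, "standard and premium" on line 40).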

articles/frontdoor/front-door-rules-engine.md

Lines changed: 5 additions & 1 deletion
@@ -6,7 +6,7 @@ author: halkazwini
66
ms.author: halkazwini
77
ms.service: azure-frontdoor
88
ms.topic: concept-article
9-
ms.date: 08/12/2024
9+
ms.date: 04/09/2025
1010
ms.custom: devx-track-arm-template
1111
zone_pivot_groups: front-door-tiers
1212
---
@@ -32,6 +32,10 @@ A rule set is a customized rules engine that groups a combination of rules into
3232
* Add, modify, or remove request/response header to hide sensitive information or capture important information through headers.
3333

3434
* Support server variables to dynamically change the request header, response headers, or URL rewrite paths/query strings. For example, when a new page load or when a form gets posted. Server variable is currently supported in **[rule set actions](front-door-rules-engine-actions.md)** only.
35+
* Populate or modify a response header based on a request header value (e.g., adding the same FQDN in Access-Control-Allow-Origin as the request Origin header).
36+
* Rename a response header generated by a cloud provider to a brand-specific one by adding a new response header and deleting the original.
37+
* Redirect to a destination host using a value captured from an incoming query string key/value pair in format of {http_req_arg_key1}.
38+
* Leverage URL path segment capture in URL redirect and rewrite, e.g. extract tenantID from your incoming URL path `/abc/<tenantID>/<otherID>/index.html` and insert elsewhere in the URL path by using "{url_path:seg1}" in the destination.
3539

3640
## Architecture
3741

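Review bot: new line 37 says "in format of {http_req_arg_key1}", which should be "in the format `{http_req_arg_<key>}`" to match the placeholder syntax the same commit adds to rule-set-server-variables.md; "key1" reads as a literal query string key rather than a placeholder. On line 38, the example `/abc/<tenantID>/<otherID>/index.html` with `{url_path:seg1}` only works if the reader knows whether segment numbering starts at 0 or 1; say so or link to the Server variable format section. Line 35's example of copying the request Origin into Access-Control-Allow-Origin is worth a one-line caveat: reflecting an arbitrary Origin is equivalent to allowing every origin, so the bullet should note that the Origin value should be matched against an allowed list in the rule's match condition first. Style: use "For example" consistently instead of mixing "e.g." and "e.g.,", and "Use" reads better than "Leverage".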
articles/frontdoor/rule-set-server-variables.md

Lines changed: 4 additions & 1 deletion
@@ -6,7 +6,7 @@ author: halkazwini
66
ms.author: halkazwini
77
ms.service: azure-frontdoor
88
ms.topic: concept-article
9-
ms.date: 05/07/2024
9+
ms.date: 04/09/2025
1010
---
1111

1212
# Azure Front Door Rule set server variables
@@ -37,6 +37,9 @@ When you use [Rule set actions](front-door-rules-engine-actions.md), you can use
3737
| `ssl_protocol` | The protocol of an established TLS connection.<br/> To access this server variable in a match condition, use [SSL protocol](rules-match-conditions.md?toc=%2fazure%2ffrontdoor%2fstandard-premium%2ftoc.json#ssl-protocol).|
3838
| `server_port` | The port of the server that accepted a request.<br/> To access this server variable in a match condition, use [Server port](rules-match-conditions.md?toc=%2fazure%2ffrontdoor%2fstandard-premium%2ftoc.json#server-port).|
3939
| `url_path` | Identifies the specific resource in the host that the web client wants to access. This is the part of the request URI without the arguments or leading slash.<br />For example, in the request `http://contoso.com:8080/article.aspx?id=123&title=fabrikam`, the `url_path` value is `article.aspx`. <br /> Azure Front Door supports dynamic capture of URL path with `{url_path:seg#}` server variable, and converts URL path to lowercase or uppercase with `{url_path.tolower}` or `{url_path.toupper}`. For more information, see [Server variable format](#server-variable-format) and [Server variables](rule-set-server-variables.md). <br/> To access this server variable in a match condition, use [Request path](rules-match-conditions.md#request-path) condition. |
40+
| `http_req_header_<headername>` | Captures the value of a request header. E.g. for request header Device: Desktop, the variable is http_req_header_Device, the value of this variable is Desktop. <br /> The header name in the variable syntax support alphanumeric and hyphen (a-z, A-Z, 0-9 and “-”). |
41+
| `http_req_arg_<querystringkeyname>` | Captures the value from a query string key value pair. E.g. in the request `http://contoso.com:8080/article.aspx?id=123&title=fabrikam`, the variable is http_req_header_id, the value of this variable is 123. <br /> The query string key in the variable syntax support alphanumeric and hyphen (a-z, A-Z, 0-9 and “-”). |
42+
| `http_resp_header_<headername>` | Captures the value of a response header from origin. E.g. for a response header Access-Control-Allow-Origin `https://learn.microsoft.com`, the variable is http_req_header_ header Access-Control-Allow-Origin, the value of this variable is `https://learn.microsoft.com`. <br /> The header name in the variable syntax support alphanumeric and hyphen (a-z, A-Z, 0-9 and “-”). |
4043

4144
## Server variable format
4245

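Review bot: two of the three new rows give the wrong variable name in their own examples. Line 41 (`http_req_arg_<querystringkeyname>`) says "the variable is http_req_header_id"; for the `id` query string key it should be `http_req_arg_id`. Line 42 (`http_resp_header_<headername>`) says "the variable is http_req_header_ header Access-Control-Allow-Origin"; it should be `http_resp_header_Access-Control-Allow-Origin`. In all three rows "support alphanumeric and hyphen" should read "supports alphanumeric characters and hyphens", the smart quotes around “-” should be straight quotes or backticks like the rest of the table, and the example header and values (`Device: Desktop`, `http_req_header_Device`) should be in backticks like the surrounding rows. Since HTTP header names are case-insensitive but the row lists both a-z and A-Z, state whether `http_req_header_device` and `http_req_header_Device` resolve to the same header; readers writing match conditions on these values will otherwise guess.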
articles/frontdoor/standard-premium/tls-policy-configure.md

Lines changed: 2 additions & 2 deletions
@@ -1,5 +1,5 @@
11
---
2-
title: Configure Azure Front Door TLS policy (preview)
2+
title: Configure Azure Front Door TLS policy
33
description: Learn how you can configure TLS policy to meet security requirements for your Front Door custom domains.
44
author: halkazwini
55
ms.author: halkazwini
@@ -55,6 +55,6 @@ View the supported cipher suite of your domain via [www.ssllabs.com/ssltest](htt
5555

5656
## Related content
5757

58-
- [Azure Front Door TLS Policy (preview)](tls-policy.md)
58+
- [Azure Front Door TLS Policy](tls-policy.md)
5959
- [Add a custom domain on Azure Front Door](how-to-add-custom-domain.md)
6060
- [Configure HTTPS for your custom domain on Azure Front Door](how-to-configure-https-custom-domain.md)

articles/frontdoor/standard-premium/tls-policy.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
---
2-
title: Azure Front Door TLS policy (preview)
2+
title: Azure Front Door TLS policy
33
description: Learn how custom TLS policies help you meet security requirements for your Azure Front Door custom domains.
44
author: halkazwini
55
ms.author: halkazwini
