Azure App Service applicationHost.xdt appears to have no effect

I faced the same issue with the TomSSL article, @David Ebbo's comment ultimately got me to the answer, but felt it was worth adding this to save people some time. It's because applicationHost.config is missing xdt:Locator="Match(name)":

<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
    <system.webServer>
        <proxy xdt:Transform="InsertIfMissing" enabled="true" preserveHostHeader="false" reverseRewriteHostInResponseHeaders="false"/>
        <rewrite xdt:Transform="InsertIfMissing">
            <allowedServerVariables xdt:Transform="InsertIfMissing">
                <add name="HTTP_X_ORIGINAL_HOST" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
                <add name="HTTP_X_UNPROXIED_URL" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
                <add name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
                <add name="HTTP_ACCEPT_ENCODING" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
            </allowedServerVariables>
        </rewrite>
    </system.webServer>
</configuration>  

The key to investigating these issues is to determine whether the problem is with the transform not doing the right thing, or with the applicationhost.config not working as you expect.

You can check the generated applicationhost.config in D:\local\Config from Kudu console.

See this page for more details about this.