Access Denied error on mutual authentication in Application Gateway v2 and Azure App Service - azure-web-app-service

I've implemented mutual (certificate) authentication and I hosted my app on the Azure App service. When I open directly my app URL https://apptemp.azurewebsites.net/swagger/index.html and then select client certificate, the app works well and I see my app page.
Now, I've added an Azure Application Gateway V2 ( without WAF) with the below configuration.
I configure this item on my web app
I configure the backend HTTP setting
Create an SSL profile with a Public certificate that is exported from the root certificate. The root certificate was uploaded to the server.
I added a listener
In the health probe with the below config.
for the resulting test, I received this error:
Received invalid status code: 403 in the backend server’s HTTP response. As per the health probe configuration, 200-399 is the acceptable status code. Either modify probe configuration or resolve backend issues.
And also I received the 502 bad gateway when I open the test.mydomain.com URL.
I changed HTTP response status code match to 200-403 and then I received Healthy status.
But when I open the test.mydomain.com URL I received the below error.
Really, I am confused about what the problem is :(

I tried to reproduce the same in my environment and got the results successfully.
I created app service with host
https://staxxx.azurewebsites.net/imran/index.html
as same.
Added backend pool:
I have created two backend settings with HTTP port 80 and HTTPS port 443 like below. Custom probes are automatically added when you are creating probes.
And tried to update the SSL profile with client authentication and SSL policy like below.
While creating the application gateway I created listener 1 with HTTP 80 and now I added listener 2 with port 443 along with a sample host name.
While creating app gateway I created rule 1 with listener 1 with path base and then I create another rule with listener 2 with same backend target and setting like below.
Now I added rule 2 with listener 2 with the same backend target and setting... So, my SSL certificate will be integrated into listener 2 and listener 1 into HTTP, and it will establish a connection to the backend targets.
Added healthy probes
Now, when I try to redirect, it works successfully like below
https://your domain/azurewebsites.net/imran/index.html

It looks like you are attempting to perform mTLS through the App Gateway to your backend App Service. Understand that there are two TLS connections being performed here, one between the client and the App Gateway, and one between the App Gateway and your App Service. No setting in App Gateway's configuration for SSL or certificates will affect both of these connections; they only affect the listener side or the backend side.
The App Gateway is not capable of performing mTLS as a client to a backend service. The only mTLS related function with App Gateway is for clients to connect it using a trusted client certificate and this does not affect the TLS sessions on the backend.
There is a workaround to get this to work with headers, but I would first consider if it's acceptable to just do mTLS on your App Gateway's frontend and have a regular TLS session being done on the backend to the App Service. If so, you can see how to configure this here: https://learn.microsoft.com/en-us/azure/application-gateway/mutual-authentication-overview
If you want something close to End-to-End mTLS, the best way to accomplish this is using header rewrite as the PEM data from a client certificate can be obtained with the "var_client_certificate" variable. You can place this data in a header for your server to read. The downside is your backend server's code will need rewriting to authenticate using the header data against the issuing authority instead of during the TLS handshake. For header rewrites reference this document here: https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-portal
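The header-rewrite approach in this answer moves client-certificate validation out of the TLS handshake and into backend code. As an added example (not from the answer or from Azure's documentation), here is Go backend logic that reads the PEM the gateway forwards and verifies it against the issuing CA. Assumptions: the header name X-Client-Cert stands for whatever your rewrite rule sets from var_client_certificate, the PEM arrives with its line breaks flattened to spaces, and NewCAAndClient produces constructed test certificates only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"math/big"
	"net/http"
	"strings"
	"time"
)

const certHeader = "X-Client-Cert" // assumed name: whatever the rewrite rule sets from var_client_certificate

// VerifyClientCertHeader does the check a TLS handshake would otherwise do: it parses the
// forwarded PEM (line breaks flattened to spaces survive) and requires a chain to the issuing CA.
func VerifyClientCertHeader(h http.Header, roots *x509.CertPool) (*x509.Certificate, error) {
	v := strings.NewReplacer("-----BEGIN CERTIFICATE-----", "", "-----END CERTIFICATE-----", "").Replace(h.Get(certHeader))
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(v), ""))
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der) // an absent header ends here: empty DER is rejected
	if err != nil {
		return nil, err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return cert, err
}

// NewCAAndClient builds a throwaway issuing CA and a client certificate it signed (constructed test material).
func NewCAAndClient(cn string) (*x509.CertPool, string) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	clPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	cl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	clDER, _ := x509.CreateCertificate(rand.Reader, cl, caCert, clPub, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: clDER}))
}
```

Because the certificate now arrives as plain header data, the backend must only trust this header on requests that really came through the gateway, otherwise any caller could supply one.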

Related

UNABLE_TO_VERIFY_LEAF_SIGNATURE even with SonarQube behind Application Gateway with SSL Termination

I have setup a SonarQube server on an Azure Windows Server 2016 machine, which sits behind an Azure Application Gateway, with SSL termination. Essentially requests are sent to a public ip address, using HTTPS, the Application Gateway manages SSL with an Azure Self-Signed certificate and sends the request in HTTP to the backend pool, where the VM with SonarQube sits.
I made sure that for the ApplicationGateway the frontend listener uses HTTPS (on port 9000) and the backend HTTP settings is set to HTTP (still on port 9000).
I successfully manage to connect to the VM via browser, i.e. browsing https://“publicIP”:9000. I can also receive the response to this request https://“publicIP”:9000/api/server/version (the response is 9.0.0.45539). In both cases, I have to confirm to proceed (after receiving “Your Connection is not private. NET:ERR_CERT_AUTHORITY_INVALID”), but that should be expected with self-signed certificates.
The problem arises when I try to run an Azure DevOps YAML pipeline (which used to work fine, in the first tests with only HTTP connection). The error I receive is
“[error][SQ] API GET ‘/api/server/version’ failed, error was: {“code”:“UNABLE_TO_VERIFY_LEAF_SIGNATURE”}”, in the SonarQubePrepare@4 task:
- task: SonarQubePrepare@4
  inputs:
    SonarQube: 'SonarQubeServiceConnection'
    scannerMode: 'MSBuild'
    projectKey: 'DevTest'
SonarQubeServiceConnection is the Azure DevOps service connection which includes the public IP address (with port) and the personal access token (for SonarQube).
From browsing for answers, it seems that the error UNABLE_TO_VERIFY_LEAF_SIGNATURE should be related to SSL certificate problems, but I would have thought that the Application Gateway SSL termination should have prevented any SSL checks from the SonarQube side.
Thanks for any help given.
You can fix this issue by setting "NODE_TLS_REJECT_UNAUTHORIZED" = 0

Azure App Service Deployment Slot - Application Gateway

Working on a project where we are starting to use Deployment Slots in our App Services.
All our Prod apps are located behind Application Gateway, and we would like to also have our Slots located behind Application Gateway.
I understand we can not do this using "App Services" as target type in the Backend Pools as of now, but wondered if it is doable using "IP Address or FQDN" as target type.
I have tried to set it up, with various changes in the "HTTP Settings", Probe and so on, but haven't gotten it up and running.
Can anyone confirm if this is possible, and have any tips on how this should be configured?
Thanks!
I was able to get this working on one of my slots.
Basically setup the listener with your necessary protocol, port cert, hostname, etc... I'm using multi-site listeners so I can have multiple URLs for the one AppGW/Public IP.
The rule points to the listener, backend pool and appropriate HTTP setting.
The HTTP setting should be configured to connect to your app service URL accordingly. I'm using the azurewebsite.net URL, so I use well known CA cert & override hostname from backend target:
The backend pool then points to the azurewebsites.net URL:
Make sure that GET / works on your app service and returns 200-399 HTTP status codes. Anything outside that range is a failure and the backend pool will be removed. If you need to, create a custom health probe to a URL that will respond properly, or adjust the acceptable HTTP status code (if 401 or 403 due to required auth, then just override it with that for testing purposes for now).
I'm trying to do it again with a second slot and running into 502 errors from the App Gateway... However, I'm also waiting on DNS changes from my network team. My first one with my company domain works via hosts file edit, but the 2nd slot (which has 2 different URLs/listeners configured in the AppGW) doesn't want to work the same way for some reason.

How does an Azure app service access a non-Azure web server

I have an Azure app service and in some cases I need to send a web request to a non-Azure web server. What do I need to do to make it possible?
Currently the web request fails with no clear error message.
In response to a HttpClient Put request I get a System.Net.WebException exception which says there were errors.
The same request works from a desktop application.
If your webserver is reachable from the internet you should be able to access it through your App Service. Try to log a ping to your webserver and google (8.8.8.8).
If your App Service is in a VNET you should enable some outbound rules to your web server's IP address.
The server I am connecting to is another Azure service. After some more investigating, it appears that I can connect to it if I do not use SSL (i.e. http://) but the connection is immediately closed when using SSL (https://). I assume that the problem must be related to the use of SSL.

Azure Application Gateway return 502 Bad Gateway - Health check and network fine

I have created the Azure Application Gateway with HTTPS backend.
The problem here is that the health check shows healthy.
But when I connect to the Application Gateway it returns 502.
I checked the backend server directly and it is still fine. An HTTP backend works fine also; only the self-signed HTTPS backend has the problem.
Do you have any idea or troubleshooting way for this?
This could happen in the AppGW v2 scenario where the client receives a 502 through the Application Gateway while the back-end is Healthy and there are no Request Time-Outs.
You could first check these common scenarios. Also, you could consider two cases of the health probe.
Default Probe:
AppGW v2 will always show the back-end as healthy when the probe used is the default. So ALWAYS verify if the back-end is really healthy.
Custom Probe:
In this case, the AppGW v2 is supposed to be showing the right health of the back-end.
Furthermore, Authentication Certificates have been deprecated and replaced by Trusted Root Certificates in the Application Gateway v2 SKU. Read more details here.
If the certificate is self-signed, or signed by unknown intermediaries, then to enable end to end SSL in v2 SKU a trusted root certificate must be defined. Application Gateway will only communicate with backends whose Server certificate’s root certificate matches one of the list of trusted root certificates in the backend http setting associated with the pool.
Note: The self-signed certificate must be a part of a certificate chain. A single self-signed certificate with no chain is not supported in V2 SKU.
You can also check if the back-end returns the complete chain of Certs to AppGW via any of the SSL Checkers Online: https://www.sslshopper.com/ssl-checker.html
More references:
Generate an Azure Application Gateway self-signed certificate with a custom root CA
Create certificates to allow the backend with Azure Application Gateway

No Response from Azure Web Application Firewall

I have an App Service hosted in azure and I need to secure that using Azure's Web Application Firewall (WAF). I've created the WAF and also specified the app service's FQDN but when I hit that from the browser I get a timeout response after ~3mins.
I've validated that I can hit the AppService using the http://FQDN. The WAF's BackendHttpSetting is configured for HTTP port 80. The listener is also configured for HTTP 80. I've tried hitting the WAF endpoint using the IP as well as the {guid}.cloudapp.net
I'm out of ideas now.
Any pointer?
Thanks
Support for Azure Web Application requires additional configuration on backend setting and probe for correctly overriding Host headers from incoming requests. This is documented at link1 and link2 for a working example.
