Our platform has an Azure Application Gateway configured with a number of back services hosted in an AKS cluster using the Azure Application Gateway ingress controller. One of the services is our core identity service eg https://login.mydomain.com.
I can browse directly to this url and the login page is served fine. Due to having strict data sovereignty requirements, another service provides is a regional authentication service eg https://login-region.mydomain.com
We use an OIDC back channel flow to redirect the user from the global service to the relevant region to enter their user credentials. This also works correctly to authenticate the user.
The issue arises when the regional identity server redirects back to the core identity service with the authentication token.
A nginx 502 Bad Gateway message is displayed.
As a side note, we have test environment configured that does not use Application Gateway, rather Kubernetes nginx Ingress controller for SSL Termination. During the configuration of this environment we had a similar issue and increasing the nginx proxy-buffer-size be increased 16k resolved the issue.
There is no limit set in the docs for Application Gateway: https://github.com/MicrosoftDocs/azure-docs/blob/master/includes/application-gateway-limits.md
I'm not sure If I'm looking in the correct place or if this is completely unrelated.
Related
I am using a V1 WAF application gateway (dynamic IP) in front of a web app.
When i configure the web app access restrictions to Allow the application gateway i received a when i tryu to access the web app url (expected behavior). However, i also received a 403 when accessing throught the app gateway url (not expected !). i have try a rule to allow the app gateway ip and also a rule allowing the app gateway vnet (service endpoint) with both same result. Any idea why its not working ? Thx!
I suggest you to know about this topic. you are probably getting a VPC error.
https://azure.microsoft.com/en-us/services/virtual-network/#overview
In my ASP.Net Core application, I am using the OpenId Connect authentication scheme with the Azure AD.
The application is hosted on to Azure app service and it is running behind the application gateway of the Azure.
I have configured Application gateway's and app service URL in the Azure AD's reply URL configurations where I registered my application.
When I hit the application gateway's URL it redirects me for the authentication, then I log in using Azure AD Microsft credentials then after successful login it redirects me to Application gateway URL, then I get 500 internal server error, when I check the response header I can see that SetCookie header's domain is the App service URL which is running behind the application gateway and it shows me warning as "This Set-Cookie was blocked because its Domain attribute is invalid with regards to the current host URL"
Any idea how to resolve this issue
Many thanks
I have configured an application behind my application gateway V2 and it is providing multiple logins prompts. I Have enabled cookie-based affinity on my HTTP settings as outlined in the Azure Application Gateway Documentation, Application Gateway supports cookie-based affinity enabling which it can direct subsequent traffic from a user session to the same server for processing. Also I have moved out 1 server from the backend pool leaving only 1 server behind. We are still facing same issues.
Please use Application Gateway V1. I have seen this issue where the server sends negotiate and NTLM and with AppGW V2 the auth fallsback to NTLM where it promts for login for each and every request(CSS file loading).
NTLM / Kerberos is not supported on V2 gateways. No idea why.
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-faq#does-application-gateway-v2-support-proxying-requests-with-ntlm-authentication
What am I trying to do
I have to azure apps deployed as App services. To make rest post easy let's call them "blog" and "landing_page". Both of them are hosted, so they URL are blog.azurewebsites.net and landing_page.azurewebsites.net.
I want to configure "something" in Azure with following rules:
if user access http://mydomain/ - content of landing_page.azurewebsites.net
if user access http://mydomain/blog - content of blog.azurewebsites.net
What I tried
After reading documentation, I have to reject Traffic Manager because it works on DNS level. From the other two I decided to use Application Gateway, because it should work on eny Endpoint (Any Azure internal IP address, public internet IP address, Azure VM, or Azure Cloud Service).
I configured my Application Gateway setting backend to: landing_page.azurewebsites.net. But in "Backend health" the app status is unhealthy. I tried also:
blog.azurewebsites.net - unhealthy
www.wp.pl (polish news portal) - is working
gazeta.pl (polish news portal) - is working
stapp.space (my blog) - this is same as piotrstapp.azurewebsites.net and status is unhealthy
Question :)
What did I wrong? Maybe should I use something else on Azure? Or am I missing something?
Make sure that custom probes is turned on and configured in the HTTP settings of the WAF for your site. If you don't the Application Gateway will try to go to the IP of the App Service Environment without passing a Host header, which won't work and will throw the probe into an unhealthy state resulting in a "502 Gateway Proxy" error.
There is a great article here
You may want to check out Azure's application gateway path-based rules function:
Create a path-based rule for an application gateway by using the Azure portal
I have two VMs with IIS that host my application with Azure Application Gateway distributing the traffic. The gateway is configured to offload SSL and everything is working fine.
However, I'd like to use client certificate authentication on one of the paths of the application - on NetScaler (or some other load balancer) I'd simply put serialized client certificate into HTTP Header (X-Client-Cert).
Can I do something similar with Application Gateway?
At the moment thats not possible, but is in the pipeline of product development of the azure product team.