Azure Application Gateway response 502 Bad Gateway

Hiroki Muraba 1 Reputation point
2022-04-22T11:29:22.847+00:00

My Application Gateway responded with 502 Bad Gateway.

System configuration:

Browser <- https-> Application Gateway <- https -> Apache2 ( azure VM centos7)

For example:
Front Website
https://front.example.com/

BackendWebsite
backend.example.com/

Success if the backend protocol is HTTP.
Failed (502 Bad Gateway) if the backend protocol is HTTPS.

Probe https://backend.example.com/ <- The health check from the Application Gateway was successful.

This system uses only TLS 1.2.

Application Gateway 502 error diagnostics
Response:

Bad Gateway Error (502)
We ran several diagnostics on your resource My-AppGateway and have found the below issues that could be the cause of your Bad Gateway Error (502).

Issues Identified
No issues detected.

I would like to know how to investigate this.


2 answers

  1. Takahito Iwasa 4,841 Reputation points MVP
    2022-04-22T21:47:55.563+00:00

    Hi, @Hiroki Muraba

    I understand that you want to do end-to-end TLS encryption between the Application Gateway and the backend VMs; the health check is successful, but it fails when accessed from the outside.

    You should check the following first:
    https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview#end-to-end-tls-encryption

    • The way TLS policies are applied differs between v1 SKUs and v2 SKUs.
    • Is the backend server certificate the same as, or different from, the certificate added to the listener on the Application Gateway?

    Depending on how the FQDN and Host header used when accessing from the front are passed on to the backend, there may be cases where the health check succeeds but access from the outside fails.

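A diagnostic in the spirit of this answer, added here as an example and not part of the original thread: it connects to the backend directly, once the way the health probe does (backend FQDN as SNI and Host) and then the way forwarded client traffic may (front FQDN as Host, with SNI taken from either name), and reports which case fails and why. Which SNI and Host header the gateway really presents depends on the backend setting's host name override, so the three cases are assumptions to compare, not a statement of gateway behaviour; address, port, host names and CA file are command-line arguments.

```python
import socket
import ssl

def build_request(host, path="/"):
    """Minimal HTTP/1.1 GET; the Host header is the value under test."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode()

def classify(exc):
    """Map a connect/handshake failure to the likely reason for the 502."""
    text = str(exc)
    if isinstance(exc, ssl.SSLCertVerificationError):
        if "Hostname mismatch" in text or "doesn't match" in text:
            return "certificate name does not match the SNI/Host presented"
        return "certificate chain not trusted (root missing from trusted roots)"
    if isinstance(exc, ssl.SSLError):
        return "TLS handshake failed (protocol/cipher/TLS policy mismatch)"
    if isinstance(exc, (ConnectionRefusedError, socket.timeout)):
        return "backend not reachable on the HTTPS port"
    return "unknown"

def probe(addr, port, sni, host_header, cafile=None, timeout=5.0):
    """One TLS 1.2+ connection with an explicit SNI and Host header."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # TLS 1.2 only, as in the question
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                tls.sendall(build_request(host_header))
                status = tls.recv(4096).split(b"\r\n", 1)[0].decode("ascii", "replace")
                return {"ok": True, "sni": sni, "host": host_header, "tls": tls.version(),
                        "cipher": tls.cipher()[0], "status": status}
    except Exception as exc:  # report rather than abort so all cases are compared
        return {"ok": False, "sni": sni, "host": host_header,
                "cause": classify(exc), "error": str(exc)}

def compare(addr, port, backend_fqdn, front_fqdn, cafile=None):
    """Probe-style case (backend name everywhere) next to the traffic-style
    cases (front name forwarded); a healthy probe plus a 502 usually shows
    as the first entry succeeding and one of the others failing."""
    cases = [(backend_fqdn, backend_fqdn),  # assumed: what the health probe sends
             (front_fqdn, front_fqdn),      # assumed: Host forwarded and used as SNI
             (backend_fqdn, front_fqdn)]    # assumed: SNI from backend, Host forwarded
    return [probe(addr, port, sni, host, cafile) for sni, host in cases]

if __name__ == "__main__":
    import json, sys  # usage: probe.py <backend-ip> <port> <backend-fqdn> <front-fqdn> [cafile]
    a = sys.argv[1:]
    for r in compare(a[0], int(a[1]), a[2], a[3], a[4] if len(a) > 4 else None):
        print(json.dumps(r))
```

Run it from a host that can reach the backend VM on 443; a "certificate name does not match" result for the front-name cases alone points at the Host/SNI handling, while a handshake failure in every case points at the TLS policy or cipher configuration.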

  2. Hiroki Muraba 1 Reputation point
    2022-04-25T00:24:40.51+00:00

    I tried the following method.
    First, the server certificate and root certificate installed on the web server were added as CER files.
    The procedure followed this URL:
    https://learn.microsoft.com/ja-jp/azure/application-gateway/end-to-end-ssl-portal

    Backend health was healthy at this time.

    However, the URL https://front.example.com/ that was set in front of the Application Gateway returns 502 Bad Gateway.

    Next, I set "Use well known CA certificate" under "Trusted root certificate" to Yes and tried it. This is because the backend server URL https://backend.example.com is a URL that can be accessed from the Internet and has a certificate with that name.

    Again, backend health was healthy.

    However, the URL https://front.example.com/ that was set in front of the Application Gateway returns 502 Bad Gateway.

    Then I changed the rule to make the backend an HTTP connection.
    In this case, https://front.example.com/ displays the backend site normally.

    The backend server allows the following cipher suites:

    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA

    "Depending on how the FQDN and Host header used when accessing from the front are passed on to the backend, there may be cases where the health check succeeds but access from the outside fails."

    Where can I find out which cases fail?

    Thank you.
