2 Votes
SteveWithey-0461 asked Laurence-9808 commented

Azure Application Proxy - Not passing X-Forwarded-Host or X-Original-Host headers

I have a .NET Core 3.1, Linux-hosted Azure App Service, which uses AAD Authentication and has IP Restriction rules configured and working. However, when I put it behind an Application Proxy in AAD, the requests to the service don't include X-Forwarded-Host or X-Original-Host headers. The result is that when a user browses to the site through the Proxy URL, the OIDC authentication kicks in and redirects to AAD Login. The redirect_uri in the login page contains the internal host name, not the Proxy's host name. When the user logs in, they are redirected to the internal host and can't proceed to use the system (unless they're coming from an IP that is valid). The Proxy IPs are on the allow list for the service.

I have enabled the Forwarding Middleware and got it to set the host based on the headers when they're passed in, which works perfectly. However, this only works if the Proxy were to pass the header on to the service. When I browse to the Proxy URL and forcibly append the X-Original-Host header, the application and redirects behave as expected.

From what I can see, the only option is to look up the IP address from the X-Forwarded-For header that does get passed through, map that to a host name at runtime and append that host to the Request object. This feels very hacky for what should be a fairly standard behaviour of a proxy.

azure-ad-application-proxy

@SteveWithey-0461
Thank you for the post!

We've passed this feedback on to the product team and will comment on this thread if they have an update.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

2 Votes 2 ·

PG response: We don't have any short term plans to add these headers - but perhaps the customer can hardcode the external URL as the reply URL.

0 Votes 0 ·

Hardcode shudder

0 Votes 0 ·

The Esri software requires this functionality to work correctly: https://enterprise.arcgis.com/en/server/latest/deploy/windows/using-a-reverse-proxy-server-with-arcgis-server.htm#ESRI_SECTION1_7C21416FDBFA440191ADF803B70C7DA5

Are you saying that Azure will not be implementing the ability to set an X-Forwarded-Host Header within Azure Application Proxy?

0 Votes 0 ·

Hi @SteveWithey-0461,

I agree with you that it's not an ideal experience. There is a feedback item open for this from January 2019, and I noticed you also commented on it. https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/36500158-enable-x-forwarded-host-in-response

I have also passed this feedback on to the product team and will comment on this thread if they have an update.

1 Vote 1 ·
Laurence-9808 MarileeTurscak-MSFT ·

Hello @MarileeTurscak-MSFT is there any news on this issue?

0 Votes 0 ·

0 Answers
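
A sketch of the two approaches this thread discusses, as an added example that is not from any poster or from Microsoft: it pins `redirect_uri` to the external URL (the workaround in the PG response) and, where a forwarded host header is honoured as in the question, accepts it only for one allowed host from one trusted peer. `ProxyHostHardening`, `externalHost` and `trustedPeer` are hypothetical names, and the code assumes the OIDC handler is registered under `OpenIdConnectDefaults.AuthenticationScheme`.

```csharp
using System.Net;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

// Added example: hypothetical helper, not code from the thread.
public static class ProxyHostHardening
{
    public static IServiceCollection AddProxyHostHardening(
        this IServiceCollection services, string externalHost, IPAddress trustedPeer)
    {
        services.Configure<ForwardedHeadersOptions>(o =>
        {
            o.ForwardedHeaders =
                ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto;
            // Header name the question tested with; the default is X-Forwarded-Host.
            o.ForwardedHostHeaderName = "X-Original-Host";
            // A client-supplied host is applied only if it equals the published name,
            // so an appended header cannot steer redirects to an arbitrary host.
            o.AllowedHosts.Add(externalHost);
            // Headers are honoured only when the TCP peer is this address
            // (assumption: the caller knows which hop connects to the app).
            o.KnownProxies.Add(trustedPeer);
            o.ForwardLimit = 1;
        });

        // PG-response workaround: fix the reply URL to the external host so the
        // login redirect never carries the internal host name.
        services.PostConfigure<OpenIdConnectOptions>(
            OpenIdConnectDefaults.AuthenticationScheme, o =>
        {
            var previous = o.Events.OnRedirectToIdentityProvider;
            o.Events.OnRedirectToIdentityProvider = async ctx =>
            {
                await previous(ctx); // keep any handler already registered
                ctx.ProtocolMessage.RedirectUri =
                    "https://" + externalHost + ctx.Options.CallbackPath.Value;
            };
        });
        return services;
    }
}
```

Call it from `ConfigureServices`, and place `app.UseForwardedHeaders()` ahead of `app.UseAuthentication()` so the authentication handler sees the corrected host. The pinned reply URL must also be registered on the AAD app registration.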