0 Votes
AdrienMichaud-8047 asked gaur-5993 commented

Azure Application Gateway: Client Certificates headers?

Hello,

I've been troubleshooting a really strange issue on my Application Gateway and the Azure Web Application behind it.

A month ago, I set up my application gateway with a web application and all seemed to work well, passing the header I need correctly. But now I have a problem fetching the header "X-ARR-ClientCert", which should be (and was) present in each request that authenticated successfully. The header is not present in the requests anymore...

The Application Gateway receives HTTPS and routes it over HTTP to my web app. The listener is configured to use my SSL Profile. As an example, here is an access log entry:

{ "timeStamp": "2021-09-13T13:42:53+00:00", "resourceId": "/SUBSCRIPTIONS/D33C8661-DE39-4265-8526-6C2B32160154/RESOURCEGROUPS/MHS-AG/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/MHS-AG", "listenerName": "gw-dev", "ruleName": "gw-dev", "backendPoolName": "dev", "backendSettingName": "http-dev", "operationName": "ApplicationGatewayAccess", "category": "ApplicationGatewayAccessLog", "properties": {"instanceId":"appgw_0","clientIP":"77.205.111.223","clientPort":57595,"httpMethod":"GET","originalRequestUriWithArgs":"\/v1\/transactions\/?acq_to_dl=0&implant_mac=99:99:99:99:90:50&timezone=8","requestUri":"\/v1\/transactions\/","requestQuery":"acq_to_dl=0&implant_mac=99:99:99:99:90:50&timezone=8","userAgent":"Python\/3.8 aiohttp\/3.7.4.post0","httpStatus":403,"httpVersion":"HTTP\/1.1","receivedBytes":1506,"sentBytes":542,"timeTaken":0.915,"transactionId":"ba23f8606b2718e7d132a27e6bf0df2a","sslEnabled":"on","sslCipher":"ECDHE-RSA-AES256-GCM-SHA384","sslProtocol":"TLSv1.2","sslClientVerify":"SUCCESS","sslClientCertificateFingerprint":"d35719cfe802e02b90b3fa2f48d2f96c605f774c","sslClientCertificateIssuerName":"DC=https:\/\/bridge-dev.snhtest.online,O=Sentinhealth,L=Grenoble,ST=Is\\\\C3\\\\A8re,C=FR","serverRouted":"40.89.141.103:80","serverStatus":"403","serverResponseLatency":"0.916","originalHost":"bridge-dev.snhtest.online","host":"bridge-dev.snhtest.online"}}

So it looks like the validation is successful, but I do not receive a header with the certificate.

Is there any documentation on the headers created by Application Gateway on successful verification?

Did something change recently?

Thanks for your help!

azure-webapps azure-application-gateway

Hello @AdrienMichaud-8047, Thank you for reaching out. I am currently working on the issue faced and will make an update here shortly. Thank you!

1 Vote
ChaitanyaNaykodiMSFT-9638 answered

Hello @AdrienMichaud-8047, apologies for the delayed response here. From the question I understood that your flow is Client --(HTTPS)--> AppGW --(HTTP)--> Web App. You are using Mutual Authentication and have set your SSL profile to mutually validate client requests. This is successful, but the request sent to the Web App does not contain the "X-ARR-ClientCert" header. Please let me know if my understanding is not correct.

Based on the above understanding: from the documentation I do see that the client_certificate server variable is supported. Have you done a request header rewrite with a custom header name X-ARR-ClientCert with value {var_client_certificate}? If not, can you try to set it up and see if the header is received at the backend?
If you have already set this header up and it still does not show up at your backend, can you set the name to X-ARR-anyvalue and see if this helps? As Mutual Authentication is still in preview, some features might not work as expected, and it is currently not recommended for production environments.

Please let me know if there are any additional concerns. I will be glad to continue with our discussion. Thank you!





0 Votes
AdrienMichaud-8047 answered gaur-5993 commented

Thanks for your answer @ChaitanyaNaykodiMSFT-9638, I found the problem and fixed it:
- Your understanding was correct!
- I was not using rewrite rules with the server variables, so I added one rewrite rule as you said and I now have the certificate in the header (I used mitmproxy to debug)!
- The second problem was that the web application had the parameter "Client Certificate" set to "Ignore". It seems to drop the header "X-ARR-Client-Cert", so I needed to change the header name to "X-Client-Cert".

I think there was a change a little while ago that removed the X-ARR-Client-Cert on Application Gateway to use only the rewrite headers or something like that, since I never used the rewrite rules before.

Thanks a lot for your help!
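A way to check the situation described in this thread from the backend side, as an added example that is not part of the original posts: it compares one gateway access-log record with the headers the web app actually received. Assumptions: the header carries the certificate as PEM (raw or URL-encoded), the log's `sslClientCertificateFingerprint` is SHA-1 over the DER certificate, and `diagnose`, `forwarded_cert_sha1` and the sample data are hypothetical names and constructed values.

```python
import base64
import hashlib
import json
import re
from urllib.parse import quote, unquote

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def forwarded_cert_sha1(header_value):
    """SHA-1 hex digest of the DER bytes in a PEM header value (raw or URL-encoded)."""
    match = PEM_RE.search(unquote(header_value))
    if not match:
        raise ValueError("no PEM certificate in header")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    return hashlib.sha1(der).hexdigest()

def diagnose(access_log_line, backend_headers, header_name="X-Client-Cert"):
    """Compare one gateway access-log record with the headers the backend received."""
    props = json.loads(access_log_line)["properties"]
    if props.get("sslClientVerify") != "SUCCESS":
        return "gateway did not verify a client certificate"
    headers = {k.lower(): v for k, v in backend_headers.items()}
    value = headers.get(header_name.lower())
    if not value:
        # Symptom from the question: verified at the gateway, nothing forwarded.
        return "verified at gateway, header missing at backend"
    try:
        fingerprint = forwarded_cert_sha1(value)
    except ValueError:
        return "header present but not a PEM certificate"
    # Assumption: the log's 40-hex-digit fingerprint is SHA-1 over the DER certificate.
    if fingerprint != props.get("sslClientCertificateFingerprint", "").lower():
        return "header certificate differs from the one the gateway verified"
    return "ok"

# Constructed sample data: placeholder bytes stand in for a DER certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_LOG = json.dumps({"properties": {
    "sslClientVerify": "SUCCESS", "httpStatus": 403,
    "sslClientCertificateFingerprint": hashlib.sha1(SAMPLE_DER).hexdigest()}})

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, {}))
    print(diagnose(SAMPLE_LOG, {"X-Client-Cert": quote(SAMPLE_PEM)}))
```

A result of "ok" only means the header agrees with what the gateway logged; because the gateway-to-backend hop in this setup is plain HTTP, the backend should accept this header only on traffic that arrives from the gateway.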


Happy to hear the issue is resolved. Glad I could help! :-)


Hi @AdrienMichaud-8047 @ChaitanyaNaykodiMSFT-9638 @AndriyBilous - Can you please share a screenshot of how the rewrite rule has been defined in Application Gateway? Also, if my backend is APIM, do I need to make any changes in APIM policies as well?

Or will just updating X-ARR-ClientCert with value {var_client_certificate} work, so that the Application Gateway passes through a client certificate and it can be recognized by APIM?
