HirokiMuraba-2785 asked:

Azure Application Gateway responds with 502 Bad Gateway

My Application Gateway responded with 502 Bad Gateway.

System configuration:

Browser <- HTTPS -> Application Gateway <- HTTPS -> Apache2 (Azure VM, CentOS 7)

For example:
Front website
https://front.example.com/

Backend website
backend.example.com/

It succeeds if the backend protocol is HTTP.
It fails (502 Bad Gateway) if the backend protocol is HTTPS.

Probe: https://backend.example.com/ (the health check from Application Gateway was successful).

This system uses only TLS 1.2.

Application Gateway 502 error diagnostics response:

Bad Gateway Error (502)
We ran several diagnostics on your resource My-AppGateway and have found the below issues that could be the cause of your Bad Gateway Error (502).

Issues Identified
No issues detected.

I would like to know how to investigate this.

azure-application-gateway

TakahitoIwasa answered:

Hi, @HirokiMuraba-2785

I understand that you want to do end-to-end TLS encryption between Application Gateway and the backend VMs; the health check is successful, but access from the outside fails.

You should check the following first:
https://docs.microsoft.com/en-us/azure/application-gateway/ssl-overview#end-to-end-tls-encryption

  • The way TLS policies are applied differs between v1 SKUs and v2 SKUs

  • Is the backend server certificate the same as or different from the certificate added to the listener at the application gateway?

Depending on how the FQDN and Host header used when accessing from the front are forwarded to the backend, there may be cases where the health check succeeds but access from the outside fails.


Hi TakahitoIwasa,

Certificates signed by well-known CA authorities whose CN matches the host name in the HTTP backend settings do not require any additional step for end-to-end TLS to work.

Yes

I tried the following steps:

First, I confirmed that https://backend.example.com can be accessed from a normal browser.
Next, I confirmed that the status of backend health is Healthy.

Is the backend server certificate the same as or different from the certificate added to the listener at the application gateway?

Yes
https://docs.microsoft.com/ja-jp/azure/application-gateway/end-to-end-ssl-portal


Hello @TakahitoIwasa,

Thank you for the response.

The way TLS policies are applied differs between v1 SKUs and v2 SKUs

Yes
I'm using v2 SKU.

Is the backend server certificate the same as or different from the certificate added to the listener at the application gateway?

Yes

I wrote the details in the following comment.

HirokiMuraba-2785 answered:

I tried the following method.
First, the server certificate and root certificate installed on the web server were added as CER files.
I followed the procedure at the following URL:
https://docs.microsoft.com/ja-jp/azure/application-gateway/end-to-end-ssl-portal

Backend health was Healthy at this time.

However, the URL https://front.example.com/ that was set in front of Application Gateway returns 502 Bad Gateway.

Next, I set "Use well known CA certificate" under Trusted root certificate to Yes and tried it. This is because the backend server URL https://backend.example.com is a URL that can be accessed from the Internet and has a certificate with that name.

Again, backend health was Healthy.

However, the URL https://front.example.com/ that was set in front of Application Gateway returns 502 Bad Gateway.

Then I changed the rule to make the backend an HTTP connection.
At this time, https://front.example.com/ displays the backend site normally.

The backend server allows the following cipher suites:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

> Depending on how the FQDN and Host header when accessed from the front are transferred to the Backend, there may be cases where the health check succeeds and fails from the outside.

Where can I find out which cases fail?

Thank you.

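The check TakahitoIwasa suggests, and the final question about which cases fail, come down to one comparison: does the backend certificate cover the host name the gateway actually sends with real traffic, not only the one the health probe uses? The diagnostic below is an added example, not code from the thread or from Azure; the host names and the sample certificate dict are constructed, and fetch_backend_cert assumes network access to the backend and that the SNI passed to it is what the gateway sends.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns:
# a backend certificate issued for backend.example.com only.
SAMPLE_BACKEND_CERT = {
    "subject": ((("commonName", "backend.example.com"),),),
    "subjectAltName": (("DNS", "backend.example.com"),),
}


def _name_match(pattern, hostname):
    """Case-insensitive match; '*' is allowed only as the whole leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers_host(cert, hostname):
    """True if the SAN DNS names (or the CN, only when no SAN exists) cover hostname."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_match(n, hostname) for n in names)


def hosts_report(cert, probe_host, forwarded_host):
    """Compare the host the health probe uses with the host real traffic forwards.
    A cert covering the first but not the second gives a Healthy probe and 502s."""
    return {
        "probe_host_covered": cert_covers_host(cert, probe_host),
        "forwarded_host_covered": cert_covers_host(cert, forwarded_host),
    }


def fetch_backend_cert(host, port=443, sni=None):
    """TLS 1.2 handshake with the backend using the given SNI (assumed to be what
    the gateway sends); returns (protocol, cipher, peer cert dict). Needs network."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False  # report the mismatch ourselves instead of raising
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            return tls.version(), tls.cipher()[0], tls.getpeercert()
```

Run hosts_report with the cert returned by fetch_backend_cert, the probe host name, and the front host name to see which of the two the backend certificate fails to cover.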