Azure application gateway is not passing requests which contain x-forwarded-client-cert header

Medan, Ninoslav 1 Reputation point
2023-02-28T11:49:18.1866667+00:00

Hello,

Here is the context to better understand the issue. I have a NVA deployed in Azure which does mTLS to authenticate the users. In addition this NVA needs to inject the x-forwarded-client-cert header into request so that backend server can use it to validate some data signed by client cert. As NVA does not support SSL offload I use Azure Application gateway to offload SSL. However it seems that every request which contains this header is discarded by AAG. If I do not set the header the request is forwarded to the backend. If the header is present after SSL handshake AAG returns some error (SSL socket hang up). Is this some kind of security violation which can be resolved or ..?

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
954 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. JimmySalian-2011 41,916 Reputation points
    2023-02-28T13:39:10.2333333+00:00

    Hi Medan,

    Just curious why didn't you use Azure App GW for all these requirements? Instead of NVA you can utilise Azure APP GW for SSL/TLS Offload, rewrite headers and other L7 features. SKU v2 of App GW will cover all these requirements.

    Also not clear how is your SSL encryption is set, is it End to end or just from the NVA to Backend? Check the end to end encryption process here for App GW. https://learn.microsoft.com/en-us/azure/application-gateway/end-to-end-ssl-portal

    For this you will need to load Certs and configure the listener.

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.

    0 comments No comments

  2. Medan, Ninoslav 1 Reputation point
    2023-02-28T13:49:32.5833333+00:00

    I am not sure I know what is the catch here as I received an email there is an answer to my question but when I click on "see answer" I just end up on my question and there is no response to it

    0 comments No comments

  3. Medan, Ninoslav 1 Reputation point
    2023-02-28T13:53:08.1133333+00:00

    Hi Marshaljs,

    NVA is doing much more than just this task and we wish to do anything it can do. The issue with your proposal is that when I try to configure mTLS on AAG I am not able to upload root CA which are signing client certs. I get an error, I can only assume this is because AAG supports only certs from well known CAs. As already mentioned in my question we are doing SSL offload here with AAG.

    Regards

    Nino

    0 comments No comments