Preventing original host name from gateway to backend target

Alpee Jain 96

HI All,

I've set a DNS for my application gateway and in my http settings I 've set "Override with new host name" as No, when i access the url with application gateway's DNS, browser automatically navigates to the app service default .azurewebsites.net url. How do i prevent this?

KapilAnanth-MSFT 45,451 Reputation points Microsoft Employee

2023-05-04T12:34:39.6833333+00:00
@Alpee Jain

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I believe you have went though Preserve the original HTTP host name between a reverse proxy and its back-end web application and Configure App Service with Application Gateway as you have mentioned you had disabled "Override with new host name".

Can you let me know the below

Is the issue happening with HTTPS traffic only or also with HTTP traffic?

Is this working for the base URL (i.e, base URL with no Path in it) ?

Or base URL also has the problem?

Is it possible you can configure the backend to some other 3rd party service such as "www.bing.com" and see if the issue is reproducible?

Just for testing purposes.

Cheers,

Kapil
Alpee Jain 96 Reputation points

2023-05-04T14:36:15.31+00:00
No luck Kapil,

i followed the link Preserve the original HTTP host name between a reverse proxy and its back-end web application, under "Application Gateway" section it says we need to disable the Override with new host name for my httpsetting, which I did.

It happens for both http as well https

Baseurl itself has the problem

if i change the backedn target to www.bing.com, it says bad gateway
KapilAnanth-MSFT 45,451 Reputation points Microsoft Employee

2023-05-04T15:19:33.93+00:00
@Alpee Jain

Thanks for the info.

First, let's focus on HTTP traffic.

In the AppService,

Make sure HTTP is supported

WebApp --> Configuration -->General Settings --> HTTPS only as OFF

Validate this by accessing the HTTP version of the appservice

In the BackendHTTPSettings,

Enable "Override with new host name"

Check "Override with specific domain name"

And fill it with the host name of the App service

After doing so, please make sure the Backend Health is healthy

Post this, try to access the app gateway using it's custom domain and make sure you use HTTP.

Let us know the outcome.

Cheers,

Kapil
Alpee Jain 96 Reputation points

2023-05-05T07:31:30.22+00:00

Hi Kapil,

I just did that and the outcome is same, i can see browser navigates to my .azurewebites.net url. Can we get on a call and discuss this?
KapilAnanth-MSFT 45,451 Reputation points Microsoft Employee

2023-05-05T09:23:31.69+00:00
@Alpee Jain

I am not able to reproduce your issue.

For me, the setup is working as expected.

The document, Preserve the original HTTP host name between a reverse proxy and its back-end web application, says we need to disable the Override with new host name for my httpsetting in case you want to preserve the host name.

But you should not preserve the hostname, instead, you should replace it with the backend app service's hostname - Only then will app service accept the requests.

If you preserve,

appgw.contoso.com ---------> App Gw --------> appgw.contso.com ------> AppService | This is wrong

If you overwrite,

which is correct.

To have different domains is not a recommended approach.

I would suggest you to see if you could use the same domain in AppGw and in App Services.

One of the notable problems with having different domains is, absolute path links will fail.

Only relative paths would work.

Best example for this would be

App services default 80--->443 Redirection.

Client ---> http://appgw.contoso.com ----> AppGw ----> http://contoso.azurewebsites.net

AppService sends a 301 and redirects to https://contoso.azurewebsites.net

So Client now makes all the requests to https://contoso.azurewebsites.net bypassing the AppGW.

Can you share the configuration screenshot of your AppGateway

Listener (Port 80 - HTTP)

BackendSettings (Port 80 and Host name set as Override with new host name)

And also,

HTTPS Redirection disabled at AppService general configuration?

Cheers,

Kapil.
Alpee Jain 96 Reputation points

2023-05-05T09:55:14.2266667+00:00
Alpee Jain 96 Reputation points

2023-05-05T09:55:38.18+00:00
Alpee Jain 96 Reputation points

2023-05-05T09:59:08.4666667+00:00

I want my users to stay on the domain of the gateway, i cannot redirect them to azurewebsites.net or a different domain
Alpee Jain 96 Reputation points

2023-05-05T11:00:27.5666667+00:00

Hi Kapil, I had my app services configuration which was redirecting to https, i turned it off and then it is retaining the domain now..Thanks for your help, i'll set up https now and check
KapilAnanth-MSFT 45,451 Reputation points Microsoft Employee

2023-05-05T11:04:42.0233333+00:00

@Alpee Jain

You do not have to expose the App Service URL.

You just have to add the custom domain to your AppService. Post which, you can access the AppService as well as the App Gateway with the same domain.

Thanks for sharing the screenshots.

As I stated, HTTPS redirection was the issue.

You can consider Map an existing custom DNS name to Azure App Service

I believe custom domain would be mandatory for HTTPS, so consider using the above.

Cheers,

Kapil.
Alpee Jain 96 Reputation points

2023-05-06T15:15:49.0266667+00:00

Hi Kapil, with your help i 've been able to put my web application (hosted inside the app service) behind the application gateway. Now I am facing issue while putting the apis (another app service) behind the same application gateway. I created another backend pool/settings for the api and under the Rule, i created a path based rule which as "/api" as shown below. However when I try to access the apis as http(s)://<gatewayurl>/api, it does not navigate to the api app service. Please help.

**Backend Settings

**
Alpee Jain 96 Reputation points

2023-05-06T15:22:23.2366667+00:00

Hi Kapil, with your help i 've been able to put my web application (hosted inside the app service) behind the application gateway. Now I am facing issue while putting the apis (another app service) behind the same application gateway. I created another backend pool/settings for the api and under the Rule, i created a path based rule which as "/api" as shown below. However when I try to access the apis as http(s)://<gatewayurl>/api, it does not navigate to the api app service. Please help.

Back end Settings
KapilAnanth-MSFT 45,451 Reputation points Microsoft Employee

2023-05-08T07:11:45.01+00:00
@Alpee Jain

Glad we could be of help!

Wrt URL Path based routing,

Can you please make sure the backend health is healthy? (From App Gateway)

Can you try using "/api/*" instead of "/api" ?

What exactly is the error message/behavior you are facing when you try to access "http(s)://<gatewayurl>/api"?

Refer Path-based routing rules

Cheers,

Kapil
Alpee Jain 96 Reputation points

2023-05-08T10:20:03.44+00:00

Hi Kapil,

No luck.

Yes, my backend is healthy.

I changed the path to /api/*

If i access the path: http(s)://<gatewayurl>/api, it says "The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.". This means the it is not routing to my api appservice, it is trying to access directory/path within my web application
KapilAnanth-MSFT 45,451 Reputation points Microsoft Employee

2023-05-15T09:56:36.12+00:00
@Alpee Jain

I do not think so this should be the case.

Can you check the logs of the backend pool (2nd One) and see if the traffic hit this or not?

Also, you can use the Access logs and see to which backend pool the traffic http(s)://<gatewayurl>/api is flowing

Whether the first pool or the expected backend pool.

Cheers,

Kapil
KapilAnanth-MSFT 45,451 Reputation points Microsoft Employee

2023-05-17T04:31:02.3966667+00:00

@Alpee Jain

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

1 answer

KapilAnanth-MSFT 45,451 Reputation points Microsoft Employee

2023-05-17T04:38:58.53+00:00
@Alpee Jain

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I believe you have went though Preserve the original HTTP host name between a reverse proxy and its back-end web application and Configure App Service with Application Gateway as you have mentioned you had disabled "Override with new host name".

You should not preserve the hostname, instead, you should replace it with the backend app service's hostname - Only then will app service accept the requests.

If you preserve,

appgw.contoso.com ---------> App Gw --------> appgw.contso.com ------> AppService | This is wrong

If you overwrite,

which is correct.

To have different domains is not a recommended approach.

I would suggest you to see if you could use the same domain in AppGw and in App Services.

One of the notable problems with having different domains is, absolute path links will fail.

Only relative paths would work.

Best example for this would be

App services default 80--->443 Redirection.

Client ---> http://appgw.contoso.com ----> AppGw ----> http://contoso.azurewebsites.net

AppService sends a 301 and redirects to https://contoso.azurewebsites.net

So Client now makes all the requests to https://contoso.azurewebsites.net bypassing the AppGW.

To avoid the above, we can disable HTTPS redirection in AppService.

Make sure HTTP is supported

WebApp --> Configuration -->General Settings --> HTTPS only as OFF

Validate this by accessing the HTTP version of the appservice

You confirmed that the issue has been resolved post this.

For the path based rules,

I would recommend you to check the logs of the backend pool (2nd One) and see if the traffic hit this or not?

Also, you can use the Access logs and see to which backend pool the traffic http(s)://<gatewayurl>/api is flowing

Whether the first pool or the expected backend pool.

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Preventing original host name from gateway to backend target

1 answer

Your answer