Azure Application Gateway client certificate passthrough

Dev S 91 Reputation points
2022-05-27T14:57:39.16+00:00

In a setup where an Azure App Service has two paths, for example /api and /auth, and Client Certificate Mode is set to Require with Path Exclusion set to /api, meaning the App Service will require mutual TLS authentication for the /auth route, can the Application Gateway which is fronting this App Service with end-to-end TLS pass through the client certificate from the incoming request when the path is /auth?

One possible way to do this is by enabling Mutual Authentication in Application Gateway and using HTTP rewrite headers to set some new custom header like X-Client-Cert to the variable {var_client_certificate}; however, it seems this is done with an SSL Profile and it has to be associated with a particular Listener, which makes it enforceable for the whole Listener? In this case, is it required that we set up two listeners pointing to the same App Service backend pool, one with the SSL Profile and the other with no SSL Profile, and use two different CNAMEs for the listeners? Something like api[dot]domain[dot]com and auth[dot]domain[dot]com?

Is it possible to set up an SSL Profile with an exclusion Path or enforce the SSL Profile on a Listener only for a specific Path, like /auth in this example?
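Whichever way the gateway is configured, the backend still has to apply the path exclusion itself and decide whether to trust the forwarded certificate. The following is an added example, not code from the question or from Microsoft: it models the App Service side of the setup described above, treating /api as excluded and requiring a client certificate forwarded in the X-Client-Cert header on every other path. It assumes the gateway forwards the certificate either as PEM (possibly with line breaks flattened) or as bare base64 DER, and that the backend pins a constructed allowlist of certificate fingerprints.

```python
import base64
import binascii
import hashlib
import re
from typing import Mapping, Optional

# Constructed sample: a placeholder blob standing in for a client certificate's
# DER bytes (not a real certificate) and its SHA-256 fingerprint, used here as
# the backend's allowlist of trusted client certificates.
SAMPLE_DER = b"constructed-placeholder-client-cert-der"
TRUSTED_FINGERPRINTS = {hashlib.sha256(SAMPLE_DER).hexdigest()}

# Paths that never require a client certificate (the App Service "Path Exclusion").
EXCLUDED_PREFIXES = ("/api",)


def requires_client_cert(path: str, excluded=EXCLUDED_PREFIXES) -> bool:
    """Exclusion is a path-prefix match on the normalized request path,
    so /api and /api/v1/items are excluded but /apiary is not."""
    norm = "/" + path.split("?", 1)[0].strip("/")
    return not any(norm == p or norm.startswith(p + "/") for p in excluded)


def cert_from_header(value: str) -> Optional[bytes]:
    """Normalize the forwarded certificate to DER bytes. Accepts PEM with or
    without its line breaks (proxies often flatten header values) or bare
    base64 DER; returns None when the value cannot be decoded."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", value)
    body = re.sub(r"\s+", "", body)
    try:
        return base64.b64decode(body, validate=True) or None
    except (ValueError, binascii.Error):
        return None


def authorize(path: str, headers: Mapping[str, str]) -> str:
    """Return 'allow', 'no-cert' or 'untrusted' for a request at the backend.
    Only honour X-Client-Cert on requests that actually arrived through the
    gateway (end-to-end TLS with access restricted to it); from any other
    source the header is attacker-controlled."""
    if not requires_client_cert(path):
        return "allow"
    der = cert_from_header(headers.get("X-Client-Cert", ""))
    if der is None:
        return "no-cert"
    fingerprint = hashlib.sha256(der).hexdigest()
    return "allow" if fingerprint in TRUSTED_FINGERPRINTS else "untrusted"
```

Fingerprint pinning is the check shown here; a deployment that relies on the gateway's trusted client CA should additionally require the gateway's verification result before accepting the certificate.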


Accepted answer

Lynn Niu 236 Reputation points
2022-05-30T09:31:59.36+00:00
