
I have IIS ARR set up as a reverse proxy with a web app sitting behind it. If I send an HTTPS request to the proxy with a value in the X-ARR-ClientCert header, then that value won't reach the web app. How can this be fixed?

I've set SSL Settings to accept client certificates. As per this guide, I also changed the system.webServer/proxy configuration field to be something other than X-ARR-ClientCert, without success.

The proxy passes any other header through properly.

Piedone

1 Answer


X-ARR-ClientCert is sent if there was a mutual SSL handshake with ARR. Sending a request via HTTPS with the X-ARR-ClientCert header won't be enough, as there really wasn't a mutual SSL handshake in that scenario. By a mutual SSL handshake, it means that the browser or client gets prompted for a client certificate and the client provides one.

If you want your setup to work with the X-ARR-ClientCert header, I'd recommend installing ARR Helper. One of its features is that it reads the X-ARR-ClientCert header (configurable to be any arbitrary header with a base64-encoded certificate) and it emulates the requests to have the client certificate.

milope
  • Thank you for the explanation and also for the link. So if I understand correctly the X-ARR-ClientCert header (or whatever is configured) will contain the client certificate in the app behind the proxy if the proxy completed the mutual SSL handshake. Right? – Piedone Sep 02 '16 at 00:17
  • Basically: yes. Sending the X-ARR-ClientCert header does not constitute a mutual SSL handshake. A mutual SSL handshake takes place when, at the SSL handshake level, a certreq is sent to the client, usually resulting in a prompt for a certificate when the client is a browser. However, since ARR Helper is capable of reading and parsing the X-ARR-ClientCert header and reinserting it on the HttpRequest class, it may be worth trying to install ARR Helper to see if it successfully receives the X-ARR-ClientCert header and forwards it from there to your backend servers using the same header. – milope Sep 02 '16 at 02:50
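
A backend-side check that follows from the answer above, as an added example that is not part of the original thread: the app honours X-ARR-ClientCert only when the connection comes from the proxy, since a header typed by a client is not evidence of a mutual handshake. It assumes a Python backend; the proxy address, the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib

# Assumption: the only address the ARR proxy connects from (constructed value).
TRUSTED_PROXIES = {"10.0.0.5"}
HEADER = "x-arr-clientcert"

# Constructed sample: a tiny DER SEQUENCE standing in for a certificate.
# It is not a real X.509 certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_HEADER = base64.b64encode(SAMPLE_DER).decode()


def der_total_length(der: bytes) -> int:
    """Return the full length of the outer DER SEQUENCE, or raise ValueError."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def client_cert_thumbprint(peer_ip, headers):
    """Return the SHA-1 thumbprint of the forwarded certificate, or None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(HEADER)
    if value is None:
        return None
    if peer_ip not in TRUSTED_PROXIES:
        # Anyone reaching the app directly can send this header themselves;
        # only the proxy's copy reflects a completed mutual handshake.
        return None
    try:
        der = base64.b64decode(value, validate=True)
        if der_total_length(der) != len(der):
            return None                    # truncated or padded blob
    except ValueError:                     # also covers binascii.Error
        return None
    # Framing check only; a real app would parse and validate the X.509
    # certificate with a proper library before using it for authorization.
    return hashlib.sha1(der).hexdigest().upper()
```
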