
I am having trouble with getting SSL/HTTPS working on an Azure WAF (Application Gateway) (http / port:80 is working fine)

I will explain the scenario as basic as possible:

The developer has made two websites (for this example: let's say X.com and Y.com) both on a Linux Front End server in AZURE which sit behind an NSG as well as an Azure Application Gateway WAF

The developer points DNS records of X.com and Y.com to the WAF's single IP (appGatewayFrontendIP)

Users can browse through to both websites http / port:80 with no problem.


The trouble now lies with how to get SSL working, so far:

The developer has applied SSL certificates to both websites on the Linux Web Server in Azure


How does one get SSL working on the WAF?
I have been looking through MS Docs all day but not really sure how to get this to work (https://learn.microsoft.com/en-us/azure/application-gateway/create-ssl-portal)

I see we need to put a PFX certificate inside - I am assuming a self-signed one is NOT the way to go. However I am none the wiser as to what I do in this scenario -

How do I get a PFX certificate and how does this work when you have 2 websites on a single Front End Linux Server -

Do I need to take off the SSL Certs on the Front End Linux server and instead of .cert get a .PFX cert and upload via Azure Portal?

Any help truly welcome! :)

Thanks

neuro
Awsming

2 Answers


If you want the front-end (ie public IP) to serve up HTTPS you'll need the PFX certificate assigned to the listener of the appropriate back-end site.

For example: XPfxCert should be assigned to the listener that directs traffic to the X.com app; YPfxCert should be assigned to the listener that directs traffic to the Y.com app.

This will encrypt traffic between your customers and the WAF. You'll need to obtain one from a certificate authority (e.g. comodoca.com) to ensure your end user does not get one of those errors like you'd see here if you used self-signed: https://self-signed.badssl.com/

In addition you'll need different certs for the back-end. This will encrypt traffic between the WAF and your apps (even though they're all in Azure you'll still need this). It gets assigned in the HTTPSettings. You may be able to get away with self-signed here; however, at our work we use CA provided certs for both.

Lastly, if the goal is to host both X.com and Y.com on the same VM you should be able to configure path based rules that would direct traffic appropriately. As an alternative you could have multiple NICs on your VM and configure multiple back-end pools to direct traffic to the appropriate site.

References:

mgfink

Assuming you have two different certificates for X.com and Y.com, then you should associate these certificates with the corresponding multi-site listeners which you would have created listening on port 443. Then you should create two new rules which associate these listeners to corresponding backend pools using HTTP setting. Please remember to delete any other rules apart from the 4 rules (2 for HTTPS listener and 2 for HTTP listener).

At this point you should be able to send traffic to these listeners which would terminate SSL and run WAF rules. Since your backend is already configured to listen on port 80, it should work as is with existing HTTP Settings. The backend communication is over HTTP.

If you want to enable end-to-end SSL - i.e. re-encrypt the traffic to the backend - then you should follow the documentation on enabling end-to-end SSL on the above setup.

amsriva-msft
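The setup both answers describe (one PFX per site, a multi-site HTTPS listener per host name bound to its own certificate, and a routing rule from each listener to the existing port-80 backend) as an added Az PowerShell example. This is not code from the question, either answer, or Microsoft; it assumes a resource group `rg-web`, a gateway `agw-waf`, the frontend IP configuration `appGatewayFrontendIP` named in the question, the portal's default backend pool and HTTP setting names, PEM certificate and key files under `./certs/`, `openssl` as an external tool for the PFX conversion, and an already signed-in Az session.

```powershell
# Added example: terminate TLS for two host names on one existing
# Application Gateway WAF using the Az PowerShell module (Az.Network).
# All names below are assumptions, not values from the question.
$rg  = 'rg-web'
$agw = 'agw-waf'
$sites = 'x.com', 'y.com'

# 1. Build a PFX from the PEM cert/key already installed on the Linux web
#    server. openssl is an assumed external tool. The password is handed to
#    openssl through an environment variable rather than the command line so
#    it does not show up in the process list.
$plainPassword = Read-Host -Prompt 'PFX password'
$pfxPassword   = ConvertTo-SecureString -String $plainPassword -AsPlainText -Force
$env:PFX_PASS  = $plainPassword
foreach ($site in $sites) {
    & openssl pkcs12 -export `
        -in "./certs/$site.crt" -inkey "./certs/$site.key" `
        -certfile "./certs/$site-chain.crt" `
        -out "./certs/$site.pfx" -passout env:PFX_PASS
}
Remove-Item Env:PFX_PASS

# 2. Load the gateway, attach both PFX files and add a 443 frontend port.
#    Each Add-* cmdlet edits the in-memory object; nothing is pushed to
#    Azure until Set-AzApplicationGateway at the end.
$gw = Get-AzApplicationGateway -ResourceGroupName $rg -Name $agw
foreach ($site in $sites) {
    $gw = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $gw `
        -Name "cert-$site" -CertificateFile "./certs/$site.pfx" -Password $pfxPassword
}
$gw = Add-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name 'port-443' -Port 443

# 3. One multi-site HTTPS listener per host name, each bound to its own cert.
#    -HostName is what lets two sites share the single frontend IP: the
#    gateway picks the listener (and therefore the certificate) by SNI.
$feIp  = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $gw -Name 'appGatewayFrontendIP'
$fe443 = Get-AzApplicationGatewayFrontendPort     -ApplicationGateway $gw -Name 'port-443'
foreach ($site in $sites) {
    $cert = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name "cert-$site"
    $gw = Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw `
        -Name "listener-https-$site" -Protocol Https -HostName $site `
        -FrontendIPConfiguration $feIp -FrontendPort $fe443 -SslCertificate $cert
}

# 4. Route each HTTPS listener to the backend that already serves port 80.
#    TLS is terminated at the WAF; gateway-to-backend traffic stays HTTP, as
#    the second answer describes. Pool/setting names are the portal defaults
#    (assumed). -Priority is required on the v2 SKU; lower wins.
$pool   = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name 'appGatewayBackendPool'
$http80 = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name 'appGatewayBackendHttpSettings'
$priority = 100
foreach ($site in $sites) {
    $listener = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "listener-https-$site"
    $gw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw `
        -Name "rule-https-$site" -RuleType Basic -Priority $priority `
        -HttpListener $listener -BackendAddressPool $pool -BackendHttpSettings $http80
    $priority += 10
}

# 5. Commit the whole object to Azure (this takes several minutes).
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null

# 6. Check that each site now answers on 443 with its own certificate chain
#    and no browser-style trust error.
foreach ($site in $sites) {
    $resp = Invoke-WebRequest -Uri "https://$site/" -Method Head -UseBasicParsing
    "$site -> HTTP $($resp.StatusCode)"
}
```

The existing HTTP listener and its rule are left in place, matching the "2 for HTTPS listener and 2 for HTTP listener" layout in the second answer. If the goal is the end-to-end variant from the first answer, the only part that changes is step 4: use a backend HTTP setting with `-Protocol Https -Port 443` (and, on the v1 SKU, the backend's public certificate attached as an authentication certificate; on v2, its issuing CA as a trusted root certificate) instead of the port-80 setting.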