3

I have configured an Azure Web Application Firewall in front of my App Service and it is successfully passing requests through. I have followed the instructions in the following Microsoft docs.

I have the following configuration:

Custom domain: test.[customdomain].com. The DNS record points to the public IP configured against the WAF. The custom domain is also configured on the Web App.

The WAF has a backend pool which is configured to use "IP Address or FQDN" with the following record: [customwebsite].azurewebsites.net

When I navigate to test.[customdomain].com I am successfully receiving the website, however it appears as though the WAF is rewriting the request when forwarding to the App Service. As such, my App Service receives the request and it has the URL [customwebsite].azurewebsites.net, instead of test.[customdomain].com.

Is this intended? Reviewing the multi-tenant documentation it should not be rewriting the host by default?

Rahatur
j_r

2 Answers

2

The solution was to ensure you do not use the option -PickHostNameFromBackendAddress when specifying the New-AzureRmApplicationGatewayBackendHttpSettings. I should have noticed, but this setting tells the WAF to rewrite using the addresses specified in the BackendHttpSettings.

You also then need to reconfigure your probe to specify manual hostnames. e.g. do not specify -PickHostNameFromBackendHttpSettings when setting AzureRmApplicationGatewayProbeConfig.

j_r
  • I tried changing the HTTP Settings from PickHostFromBackendAddress in the Portal and specifying the Host Name explicitly.... Just get "Update Failed"....no reason given. I can however set the Host Name in the Probe, but I am still getting a 502 error. If I tick the default PickHostFromBackendAddress, the site works again but with a post login redirection to mysite.azurewebsites.net..... Proving a frustration! – SamJolly Sep 23 '18 at 02:01
0

For me what has worked is in the HTTP Settings to make sure -PickHostNameFromBackendAddress is NOT selected. Also the interface doesn't let you set the -HostName so drop to PowerShell and set the -HostName and the probe like this:

$GW = Get-AzureRmApplicationGateway -ResourceGroupName "MY-APP-WAF-RG" -Name "APP-WAF"

$PROBE = Get-AzureRmApplicationGatewayProbeConfig -ApplicationGateway $GW -Name "my-api-https-probe"

Set-AzureRmApplicationGatewayBackendHttpSettings -ApplicationGateway $GW -Probe $PROBE -HostName "my-api.example.org" -CookieBasedAffinity "enabled" -AffinityCookieName "AGAffinity" -Protocol "HTTPS" -Port 443 -Name "my-api-https-settings"

Set-AzureRmApplicationGateway -ApplicationGateway $GW

Also on the probe I have the -PickHostNameFromBackendHttpSettings selected.

Using the above way I have two web apps with custom domain and SSL configured behind the WAF.

Terrible experience setting this up.

GeoDev
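The two answers above turn on which Host header each backend HTTP setting and its probe send. The following is an added example, not code from either answer or from Microsoft: a read-only check that reports this per setting, so a setting that still exposes the `azurewebsites.net` name to the app is easy to spot. `Get-GatewayHostHeader` is a hypothetical helper name, and the sample object is constructed to mirror the properties of the object returned by `Get-AzureRmApplicationGateway`.

```powershell
# Added example: report the Host header source for each backend HTTP setting and probe.
# Get-GatewayHostHeader is a hypothetical helper, not an AzureRM cmdlet.
function Get-GatewayHostHeader {
    param([Parameter(Mandatory)] $Gateway)

    foreach ($s in $Gateway.BackendHttpSettingsCollection) {
        # Resolve the custom probe referenced by this setting (matched on resource Id).
        $probe = $null
        if ($s.Probe) {
            $probe = $Gateway.Probes | Where-Object { $_.Id -eq $s.Probe.Id } | Select-Object -First 1
        }

        if ($s.PickHostNameFromBackendAddress) {
            $hostSource = 'backend pool address'            # app sees *.azurewebsites.net
        } elseif ($s.HostName) {
            $hostSource = "explicit: $($s.HostName)"
        } else {
            $hostSource = 'client Host header passed through'
        }

        if (-not $probe) {
            $probeHost = 'no custom probe attached'
        } elseif ($probe.PickHostNameFromBackendHttpSettings) {
            $probeHost = 'taken from HTTP settings'
        } else {
            $probeHost = "explicit: $($probe.Host)"
        }

        [pscustomobject]@{
            Setting    = $s.Name
            HostHeader = $hostSource
            ProbeHost  = $probeHost
            Rewritten  = [bool]$s.PickHostNameFromBackendAddress
        }
    }
}

# Constructed sample shaped like the gateway object. Against a real gateway use:
#   $GW = Get-AzureRmApplicationGateway -ResourceGroupName "MY-APP-WAF-RG" -Name "APP-WAF"
$GW = [pscustomobject]@{
    Probes = @([pscustomobject]@{ Id = 'probe-1'; Host = $null; PickHostNameFromBackendHttpSettings = $true })
    BackendHttpSettingsCollection = @(
        [pscustomobject]@{ Name = 'default-settings'; PickHostNameFromBackendAddress = $true; HostName = $null; Probe = $null },
        [pscustomobject]@{ Name = 'my-api-https-settings'; PickHostNameFromBackendAddress = $false; HostName = 'my-api.example.org'; Probe = [pscustomobject]@{ Id = 'probe-1' } }
    )
}
Get-GatewayHostHeader -Gateway $GW | Format-Table -AutoSize
```

Rows with `Rewritten = True` are the ones where the application builds redirects and absolute links from the backend FQDN, which is the post-login redirect to `mysite.azurewebsites.net` described in the comment above.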