The error I see when accessing https://www.example.com regardless of whether I have a listener (443) and rule is:

403 - Forbidden

You don't have permission to access / on this server.

If I add a listener on port 443, attach a valid certificate and rule, I get the same error message. If I dig www.example.com, I can see it's resolving to the public IP of the application gateway.

http://www.example.com works as expected with a listener on port 80 and rules directing traffic to backend virtual machines hosting Apache.

I should add that this has been set using the Azure Portal. Should I be using PowerShell? Some forums suggest the portal is flaky.

Confounder

2 Answers

The issue was resolved and ties in with a redirection problem we were experiencing.

The problem appears to be a combination of the following:

  • We had a listener on port 443 without a hostname.

  • It appears the order of path-based rules is important when there's a listener without a hostname.

As a rule of thumb, path-based rules should be below basic rules. Also, if the app gateway is used for multiple sites, ensure hostnames are defined for listeners.

Confounder

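The answer above fixed this in the Azure portal. As an added example (not from the thread, and not Confounder's or Microsoft's own script), the same two recommendations expressed explicitly with Az PowerShell: the 443 listener gets a hostname so it becomes a multi-site listener, and the basic rule is given a lower priority number than the path-based rule, which on the v2 SKU is the explicit form of "path-based rules below basic rules" (a lower number is evaluated first). The resource group, gateway, pool, setting and certificate names, the PFX path and the second site (api.example.com) are all assumptions; the script also assumes the certificate covers both hostnames.

```powershell
# Added example, not code from the original thread. All names are assumptions.
$rg     = 'rg-web'      # assumed resource group
$gwName = 'agw-web'     # assumed Application Gateway name
$gw     = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg

# Objects assumed to exist already on the gateway.
$feIp     = Get-AzApplicationGatewayFrontendIPConfig  -ApplicationGateway $gw -Name 'appGwPublicFrontendIp'
$pool     = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name 'pool-apache'
$apiPool  = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name 'pool-api'
$settings = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name 'http-80'

# Frontend port 443 and the server certificate (PFX path assumed; password prompted, never hard-coded).
$gw      = Add-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name 'port-443' -Port 443
$port443 = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name 'port-443'
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$gw   = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name 'cert-example' `
          -CertificateFile 'C:\certs\example.com.pfx' -Password $pfxPassword
$cert = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name 'cert-example'

# PROBLEM (what the question describes): a 443 listener with no -HostName.
# That is a basic listener; on a gateway serving several sites it cannot
# distinguish www.example.com from anything else arriving on port 443.
#   $gw = Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name 'listener-443-any' `
#           -Protocol Https -FrontendIPConfiguration $feIp -FrontendPort $port443 -SslCertificate $cert

# FIX: multi-site listeners, one per hostname, so SNI/Host selects the right site.
$gw = Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name 'listener-https-www' `
        -Protocol Https -FrontendIPConfiguration $feIp -FrontendPort $port443 `
        -SslCertificate $cert -HostName 'www.example.com'
$gw = Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name 'listener-https-api' `
        -Protocol Https -FrontendIPConfiguration $feIp -FrontendPort $port443 `
        -SslCertificate $cert -HostName 'api.example.com'
$wwwListener = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name 'listener-https-www'
$apiListener = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name 'listener-https-api'

# Basic rule for www: lower priority number, so it is evaluated first.
$gw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name 'rule-https-www' `
        -RuleType Basic -Priority 100 -HttpListener $wwwListener `
        -BackendAddressPool $pool -BackendHttpSettings $settings

# Path-based rule for api: higher priority number, i.e. "below" the basic rule.
$apiPathRule = New-AzApplicationGatewayPathRuleConfig -Name 'api-v1' -Paths '/v1/*' `
                 -BackendAddressPool $apiPool -BackendHttpSettings $settings
$gw  = Add-AzApplicationGatewayUrlPathMapConfig -ApplicationGateway $gw -Name 'map-api' `
         -PathRules $apiPathRule -DefaultBackendAddressPool $pool -DefaultBackendHttpSettings $settings
$map = Get-AzApplicationGatewayUrlPathMapConfig -ApplicationGateway $gw -Name 'map-api'
$gw  = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name 'rule-https-api' `
         -RuleType PathBasedRouting -Priority 200 -HttpListener $apiListener -UrlPathMap $map

# Nothing above is applied until the gateway object is written back.
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Check: the name must resolve to the gateway's public IP and the HEAD request should no longer be 403.
Resolve-DnsName -Name 'www.example.com' -Type A | Select-Object Name, IPAddress
(Invoke-WebRequest -Uri 'https://www.example.com/' -Method Head).StatusCode
```

Set-AzApplicationGateway is the step the portal performs implicitly on "Save"; when scripting, forgetting it leaves every listener and rule change uncommitted, which is one reason a portal-versus-PowerShell comparison can look inconsistent.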

My Application Gateway is configured with a multisite listener. For me, I had selected Enable SSL Profile on the listener. I am not using path-based rules and WAF is turned off.

Although I had configured an SSL profile, I guess there is an error in the certificate. It is (currently) under preview, but I don't think I fully understand what it's supposed to do - needs more reading.

Instead of using an SSL Profile on the listener, I was able to use the "Use well known CA certificate" option under HTTP settings. This resolved the 403 error.

woter324