0

I've been troubleshooting a really strange issue on my Application Gateway and my Azure Web Application behind.

A month ago, I've set up my application gateway with an web application and all seemed to work well, passing the header I need correctly. But now I have a problem fetching the header "X-ARR-ClientCert" which shall be (and was) present in each request that authenticated successfully. The header is not present in the requests anymore...

The Application Gateway is receiving HTTPS and route it in HTTP to my web app. The listener is configured to use my SSL Profile, as an example of access log I have:

{ "timeStamp": "2021-09-13T13:42:53+00:00", "resourceId": "/SUBSCRIPTIONS/D33C8661-DE39-4265-8526-6C2B32160154/RESOURCEGROUPS/MHS-AG/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/MHS-AG", "listenerName": "gw-dev", "ruleName": "gw-dev", "backendPoolName": "dev", "backendSettingName": "http-dev", "operationName": "ApplicationGatewayAccess", "category": "ApplicationGatewayAccessLog", "properties": {"instanceId":"appgw_0","clientIP":"77.205.111.223","clientPort":57595,"httpMethod":"GET","originalRequestUriWithArgs":"\/v1\/transactions\/?acq_to_dl=0&implant_mac=99:99:99:99:90:50&timezone=8","requestUri":"\/v1\/transactions\/","requestQuery":"acq_to_dl=0&implant_mac=99:99:99:99:90:50&timezone=8","userAgent":"Python\/3.8 aiohttp\/3.7.4.post0","httpStatus":403,"httpVersion":"HTTP\/1.1","receivedBytes":1506,"sentBytes":542,"timeTaken":0.915,"transactionId":"ba23f8606b2718e7d132a27e6bf0df2a","sslEnabled":"on","sslCipher":"ECDHE-RSA-AES256-GCM-SHA384","sslProtocol":"TLSv1.2","sslClientVerify":"SUCCESS","sslClientCertificateFingerprint":"d35719cfe802e02b90b3fa2f48d2f96c605f774c","sslClientCertificateIssuerName":"DC=https:\/\/bridge-dev.snhtest.online,O=Sentinhealth,L=Grenoble,ST=Is\\\\C3\\\\A8re,C=FR","serverRouted":"40.89.141.103:80","serverStatus":"403","serverResponseLatency":"0.916","originalHost":"bridge-dev.snhtest.online","host":"bridge-dev.snhtest.online"}}

So it look likes the validation is successfull, but I do not receive an header with the certificate.

Is there any documentation on the headers created by application gateway on successfull verification ?

Did something changed lastly ?

Thanks for your help !

MrVhek
  • 124
  • 12
  • Hi @MrVhek, please have a look [here](https://learn.microsoft.com/en-us/answers/questions/306221/azure-api-management-not-getting-client-certificat.html) – Delliganesh Sevanesan Sep 15 '21 at 10:47
  • It isn't the same issue, since I tried also to deactivate even the integrated firewall of application gateway et connected from different places. I tried also recreating the resource, but nothing changed... – MrVhek Sep 16 '21 at 08:13

1 Answers1

0

I found the problem and fixed it finally with the help of Microsoft forums:

  • I was not using rewrite rules with the server variables, so I added one rewrite rule and I have now the certificate in the header (I used mitmproxy to debug) !
  • The second problem was that the web application had the parameter "Client Certificate" on "Ignore". It seems to drops the header "X-ARR-Client-Cert", so I needed to change the header name to "X-Client-Cert".

I think there was a change a little ago that removed the X-ARR-Client-Cert on application gateway to use only the rewrite headers or something like that since I never used the rewrite rules before.

MrVhek
  • 124
  • 12
  • I have the same problem, but I can't see where to apply the rewrite headeres. I'm using App Gateway V1. Is this a V2 thing? – Damo Dec 05 '21 at 01:30