Reputation: 2932
I am trying to put an existing application which utilizes TLS Client Authentication behind Front Door. While other X-ARR headers are present, X-ARR-ClientCert is not. Is there a setting to control this behavior or does Front Door not support Client Authentication at this time?
Upvotes: 4
Views: 4849
Reputation: 41
As of 2019-08-29 this is currently not supported by Azure Front Door.
Edit (2024-02-28):
Although Azure Front Door supports TLS 1.2, which introduced client/mutual authentication in RFC 5246, currently, Azure Front Door doesn't support client/mutual authentication (mTLS) yet.
See the feedback below:
Upvotes: 3
Reputation: 2932
Through other channels we got official word that TLS Client Authentication is currently not supported via Front Door. This will likely change in the future but as of 4/30/2019 other avenues must be used.
Upvotes: 1
Reputation: 28244
Front Door Service doesn't certify any HTTP headers that aren't documented here. Front Door Service accepts most headers from the incoming request without modifying them. Learn more about the Front Door supported HTTP headers.
Azure Front Door Service supports the X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Proto headers. For X-Forwarded-For if the header was already present then Front Door appends the client socket IP to it. Else, it adds the header with the client socket IP as the value. For X-Forwarded-Host and X-Forwarded-Proto, the value is overridden.
I would suggest verifying that TLS Client Authentication works without Azure Front Door first, then adding the Front Door service in front of the application again.
To set up your app to require client certificates, you need to set the clientCertEnabled setting for your app to true in Azure CLI or Cloud Shell.
az webapp update --set clientCertEnabled=true --name <app_name> --resource-group <group_name>
You could also enable client authentication by following this path in the Azure portal: app service---settings---configuration---Incoming client certificates---Require incoming certificate---Certificate exclusion paths.
Note: App Service does not do anything with this client certificate other than forwarding it to your app. Your app code is responsible for validating the client certificate.
For ASP.NET, the client certificate is available through the HttpRequest.ClientCertificate property.
For other application stacks (Node.js, PHP, etc.), the client cert is available in your app through a base64 encoded value in the X-ARR-ClientCert request header.
Ref: Configure TLS mutual authentication for Azure App Service.
Upvotes: 0
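The last answer notes that App Service only forwards the client certificate and that the app must validate it. The following Node.js sketch of that validation is an added example, not code from any of the posts above or from Microsoft. It decodes the base64 value of X-ARR-ClientCert, then checks the validity window and a pinned SHA-256 thumbprint. The function names and the thumbprint allow-list are assumptions made for illustration, and chain validation against an issuing CA is not covered.

```javascript
// Added example: validate the certificate forwarded in X-ARR-ClientCert.
// Function names and the allow-list policy are hypothetical, not from the page.
const { X509Certificate } = require('node:crypto');

// Assumption: thumbprints are pinned as SHA-256 hex; colons and case are ignored.
const normalize = (fp) => fp.replace(/:/g, '').toUpperCase();

// Decode the header value (base64 of the DER certificate).
// Returns null for a missing, non-base64 or non-certificate value.
function parseClientCertHeader(value) {
  if (typeof value !== 'string' || value.length === 0) return null;
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(value)) return null;
  try {
    return new X509Certificate(Buffer.from(value, 'base64'));
  } catch {
    return null;
  }
}

// Policy check on the parsed fields: validity window, then pinned thumbprint.
function checkCertPolicy(cert, allowedThumbprints, now = new Date()) {
  const notBefore = Date.parse(cert.validFrom);
  const notAfter = Date.parse(cert.validTo);
  if (Number.isNaN(notBefore) || Number.isNaN(notAfter)) {
    return { ok: false, reason: 'unparseable validity' };
  }
  if (now.getTime() < notBefore) return { ok: false, reason: 'not yet valid' };
  if (now.getTime() > notAfter) return { ok: false, reason: 'expired' };
  const allowed = new Set(allowedThumbprints.map(normalize));
  if (!allowed.has(normalize(cert.fingerprint256))) {
    return { ok: false, reason: 'thumbprint not allowed' };
  }
  return { ok: true, subject: cert.subject };
}

// Entry point for a request handler; headers is Node's lower-cased header map.
function authenticateRequest(headers, allowedThumbprints, now = new Date()) {
  const cert = parseClientCertHeader(headers['x-arr-clientcert']);
  if (cert === null) {
    return { ok: false, reason: 'missing or malformed certificate header' };
  }
  return checkCertPolicy(cert, allowedThumbprints, now);
}
```

A request handler would call `authenticateRequest(req.headers, pinnedThumbprints)` and reject the request unless `ok` is true.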