cbp

Reputation: 25628

What to do, given mTLS with HTTP Version 2 is not available in Azure App Service?

At the time of writing, the Azure documentation clearly shows a screenshot where client certificates are required on an App Service and the HTTP version is set to 2.0. However, this no longer appears to be possible - the Azure console now states that client certificates can only be evaluated if HTTP 1.1 is selected.

Here is the screenshot from the Azure documentation: (screenshot not included in this copy)

Here is a screenshot from the actual Azure console: (screenshot not included in this copy)

As the majority of our clients are already connecting using HTTP 2.0, I'm wondering, in order to introduce optional mTLS support, do I have to create a new subdomain and new proxy App Service with HTTP 1.1 configured, then ask/redirect our clients to use the proxy subdomain? Why exactly is 2.0 with mTLS not supported? What is the best approach from here?

Upvotes: 0

Views: 97

Answers (1)

Suresh Chikkam

Reputation: 3242

  • HTTP/2 protocol negotiation happens before the TLS handshake completes
  • This means client certificates cannot be properly evaluated when using HTTP/2
  • This is a protocol-level constraint, not just an Azure limitation

Create a TLS-terminating proxy.

nginx.conf:

# nginx requires an events block even if it is left at its defaults
events {
    worker_connections 1024;
}

http {
    upstream backend {
        server your-main-app.azurewebsites.net:443;
        keepalive 32;
    }

    server {
        listen 443 ssl;
        server_name mtls.yourdomain.com;

        # SSL configuration
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;

        # Client certificate verification (CA bundle that issued the client certs)
        ssl_client_certificate /etc/nginx/ssl/ca.crt;
        ssl_verify_client optional; # or 'on' for required

        # Proxy to main application
        location / {
            proxy_pass https://backend;
            proxy_http_version 1.1;
            # Required for the keepalive pool above to be used with HTTP/1.1
            proxy_set_header Connection "";
            # Send SNI to the App Service so it presents the right certificate
            proxy_ssl_server_name on;
            proxy_ssl_name your-main-app.azurewebsites.net;
            # Note: the Host value must be a hostname bound on the App Service;
            # either add mtls.yourdomain.com there as a custom domain or send
            # your-main-app.azurewebsites.net instead
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Pass client certificate information.
            # $ssl_client_cert is deprecated and produces a multi-line value;
            # $ssl_client_escaped_cert is the URL-encoded PEM that fits in a header.
            proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;
            proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
            proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
        }
    }
}

Split Traffic approach: create a new HTTP/1.1 endpoint specifically for clients requiring mTLS, and keep the existing HTTP/2 endpoint for regular traffic.

Use Azure Front Door or a load balancer to route based on hostname.

Reference:

Upvotes: 1
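The proxy in the answer above passes the mTLS result to the App Service as plain request headers, so the backend has to decide when those headers can be trusted: the App Service hostname stays reachable directly, and a request that bypasses the proxy can carry any X-SSL-Client-* values it likes. The following is an added example (not code from the question, the answer, or Azure) of how a backend might consume those headers safely. It assumes a hypothetical shared-secret header (X-Proxy-Auth) that the nginx proxy adds and that direct callers cannot know; the header name, the secret and the sample certificate bytes are constructed placeholders, not real values.

```python
import hashlib
import hmac
import ssl
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import quote, unquote

# Hypothetical header the proxy adds so the backend can distinguish proxied
# requests from ones that hit the App Service hostname directly. Placeholder values.
PROXY_SECRET_HEADER = "X-Proxy-Auth"
PROXY_SECRET = "replace-with-a-long-random-secret"

# Constructed sample: NOT a real certificate, just bytes wrapped in PEM armour
# so the escaping/unescaping and fingerprinting path can be exercised offline.
SAMPLE_DER = b"constructed-placeholder-not-a-real-x509-certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
SAMPLE_DN = "CN=client1,O=Example"


@dataclass
class ClientIdentity:
    verified: bool
    subject_dn: Optional[str]
    fingerprint: Optional[str]  # SHA-256 over the DER certificate, hex


def der_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def identity_from_headers(headers: Mapping[str, str]) -> ClientIdentity:
    """Derive the mTLS identity from the headers the nginx proxy sets.

    The X-SSL-Client-* headers are only honoured when the proxy secret matches;
    otherwise the request is treated as anonymous regardless of what it claims.
    """
    h = {k.lower(): v for k, v in headers.items()}
    presented = h.get(PROXY_SECRET_HEADER.lower(), "")
    # Constant-time compare so the secret cannot be guessed byte by byte
    if not hmac.compare_digest(presented, PROXY_SECRET):
        return ClientIdentity(False, None, None)
    # nginx sets $ssl_client_verify to SUCCESS, NONE or FAILED:<reason>
    if h.get("x-ssl-client-verify") != "SUCCESS":
        return ClientIdentity(False, None, None)
    # $ssl_client_escaped_cert is URL-encoded PEM; decode and convert to DER
    pem = unquote(h.get("x-ssl-client-cert", ""))
    try:
        der = ssl.PEM_cert_to_DER_cert(pem)
    except ValueError:
        return ClientIdentity(False, None, None)
    return ClientIdentity(True, h.get("x-ssl-client-dn"), der_fingerprint(der))


def sample_proxy_headers(verify: str = "SUCCESS") -> dict:
    """Build the header set the proxy in the answer would send (constructed)."""
    return {
        PROXY_SECRET_HEADER: PROXY_SECRET,
        "X-SSL-Client-Verify": verify,
        "X-SSL-Client-DN": SAMPLE_DN,
        "X-SSL-Client-Cert": quote(SAMPLE_PEM, safe=""),
    }


if __name__ == "__main__":
    print(identity_from_headers(sample_proxy_headers()))
    # A request that reached the App Service directly and forged the headers
    print(identity_from_headers({"X-SSL-Client-Verify": "SUCCESS", "X-SSL-Client-DN": "CN=spoof"}))
```

With ssl_verify_client optional on the proxy, a client without a certificate arrives with X-SSL-Client-Verify: NONE and is treated as anonymous, which is the "optional mTLS" behaviour the question asks for; the fingerprint gives the application a stable value to allowlist per client rather than relying on the subject DN string alone. An App Service access restriction that only admits the proxy's egress addresses is the complementary network-level control.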
