Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,102 questions
Facing Issues with Mutual TLS Configuration for Specific Routes in Azure Application Gateway
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 95%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGC%3C/text%3E%3C/svg%3E)
Ganesh Chowdhary
0
Reputation points
We need to support two APIs accessible through the domain device-api-server.com using Azure Application Gateway:
Bootstrap API
Path: /api/bootStrap Request Method: POST Authentication: No authentication required.
Handshake API
Path: /api/v2/handshake Request Method: POST Authentication: Requires mutual TLS (SSL validation). Current Setup:
We created two listeners in the API Gateway configuration:
Bootstrap-Listener: Listens on device-api-server.com. No certificate validation is required. Path Forwarding Rules: Requests to /api/bootStrap are forwarded to the backend pool onboarding-service. Requests to /api/v2/handshake are routed to the Handshake Listener.
BootStrap-Listener
bootStrap Rule
handshake listener
handshake rule
Issue: When a request is sent to the Handshake API via the Handshake Listener, the response is:
<h2>Length Required</h2>
<hr>
<p>HTTP Error 411. The request must be chunked or have a content length.</p>
It looks like Content-length header is getting dropped when Path Rule "/api/v2/handshake" is forwarding the request to Handshake-Listener"
Requirement:
How can we configure Azure Application Gateway to ensure:
The Bootstrap API remains accessible without authentication?
The Handshake API performs mutual TLS validation while avoiding the HTTP 411 "Length Required" error
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 71%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
Ganesh Patapati 2,665 Reputation points Microsoft Vendor2024-12-31T12:58:29.58+00:00 Greetings!
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
To resolve the issues with your Azure Application Gateway configuration, ensure that the Bootstrap API remains accessible without authentication and that the Handshake API performs mutual TLS validation while avoiding the HTTP 411 "Length Required" error.- Azure Application Gateway HTTP settings configuration
- TLS policy overview for Azure Application Gateway
Bootstrap API Configuration
For the Bootstrap API, you have already set up a listener that does not require certificate validation. This setup should work as intended since no authentication is needed.
Handshake API Configuration
For the Handshake API, the issue appears to be related to the Content-Length header being dropped when the request is forwarded to the Handshake Listener. Follow these steps to configure Azure Application Gateway to avoid the HTTP 411 error:
- Ensure Content-Length Header is Preserved:
- In the HTTP settings of your Application Gateway, ensure that the "Override backend path" option is not enabled, as this can sometimes cause headers to be dropped.
- Verify that the "Request timeout" and "Response timeout" settings are appropriately configured.
- Configure Mutual TLS:
- Ensure that the Handshake Listener is configured to require client certificates for mutual TLS, which involves setting up the appropriate SSL policy and uploading the client certificate to the Application Gateway.
- HTTP Settings Configuration:
- For BootStrap-Listener, you need to select the HTTP protocol since you are proceeding without authentication. However, your configuration currently has HTTPS please try to change the protocol to HTTP.
- In the HTTP settings for the Handshake Listener, ensure that the "Use custom probe" option is enabled and configured correctly to help maintain the connection and avoid the 411 error.
- Ensure that the "Enable HTTP2" option is disabled if your backend does not support HTTP2.
- Backend Pool Configuration:
- Ensure that the backend pool for the Handshake API is correctly configured with the appropriate backend servers and that the health probes are set up to check the availability of the backend servers.
Additional Resources
For more detailed guidance, refer to the following resources:
Listener TLS certificate management in Application Gateway | Microsoft Learn
Enabling end to end TLS on Azure Application Gateway | Microsoft Learn
If above is unclear and/or you are unsure about something add a comment below.
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Regards,
Ganesh
-
Ganesh Patapati 2,665 Reputation points Microsoft Vendor
2025-01-02T10:40:48.32+00:00 Good day!
I wanted to follow up to see if you had a chance to review my response to your question about resolving the issue.
If you are still encountering any further issues, please feel free to reach out to us. We are happy to assist you.
I look forward to your response and appreciate your time on this matter.
If your queries have been resolved, please accept the answer by clicking the "Upvote" and "Accept Answer" on the post.
Regards,
Ganesh
Sign in to comment
Sign in to answer