Problems to implement client certificate FNMT in a Web app for container

Michelle Gabriela Lopez Rodriguez 0 Reputation points
2023-06-20T13:36:58.0733333+00:00

We have a multicontainer application deployed in an Azure web app for container with a docker compose.

It is a website that uses a client certificate to log in; within the containers, the nginx service performs the certificate check. In Azure, requiring the client certificate has been enabled, but for some reason when entering the certificate the client service is not able to validate the Nginx service and the Azure self-signed certificate is enforced.

I have also configured the configuration variable WEBSITE_ROOT_CERTS_PATH with the internal path where the certificates are. The variable WEBSITE_LOAD_CERTIFICATES is also configured.

I've looked at the documentation in Azure but it doesn't address this particular topic.

Can you help me?

Thanks!


2 answers

  1. ajkuma 24,396 Reputation points Microsoft Employee
    2023-06-23T06:30:39.58+00:00

    Apologies for the delayed response. I'm checking on this internally and will get back to you shortly.

    edited:
    In the interim, requesting you to share more details on the issue.

    Does this work locally? Are you referring to these docs?

    Tutorial: Create a multi-container (preview) app in Web App for Containers
    Multi-container using Docker Compose in Azure Web App for Containers

    You mentioned that you have enabled Azure to require the client certificate, but it is not able to validate the Nginx service. Have you checked if the certificate is valid and not expired? Also, have you checked if the certificate is in the correct format?

    If you have checked all of the above and are still having issues, please provide more information about the error message you are receiving.

    Just to highlight, in App Service (doc), TLS termination of the request happens at the frontend load balancer. When forwarding the request to your app code with client certificates enabled, App Service injects an X-ARR-ClientCert request header with the client certificate. App Service does not do anything with this client certificate other than forwarding it to your app. Your app code is responsible for validating the client certificate.

    Reference:

    Check out this discussion thread-answer

    Refer to Root CA on App Service


  2. Michelle Gabriela Lopez Rodriguez 0 Reputation points
    2023-07-01T23:02:56.3533333+00:00

    Hello Ajkuma,

    First thank you for your answer.

    Yes, the application works locally and the verification of the certificate is performed by the NGINX service through the variable ssl-client-verify.

    We are in a project to mount this application in Azure; currently we already have it deployed as a web app for container with Docker Compose. But we did not manage to operate the part of the client certificate that we have implemented; we suspected what you tell us, that it is Azure that injects the certificate to the application with the header X-ARR-ClientCert.

    The problem is that we do not know how or what variables to request in the code. The examples that exist are not for applications developed in PHP.

    There is an example in PHP of how to deal with this validation.

    Thanks for the help.
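
The approach described in the first answer (the app itself validates the certificate that App Service forwards in X-ARR-ClientCert), as an added PHP example that is not part of the thread or of Microsoft's documentation. It assumes the header value is the base64-encoded certificate; `validateForwardedClientCert` and the CA bundle path are hypothetical names.

```php
<?php
declare(strict_types=1);

// Placeholder path: PEM bundle with the CA chain you trust (for example the FNMT roots).
const TRUSTED_CA_BUNDLE = '/path/to/trusted-ca-chain.pem';

// Validates the forwarded certificate and returns its parsed fields, or throws.
// Revocation (CRL/OCSP) is not checked here.
function validateForwardedClientCert(?string $header, array $caInfo, ?int $now = null): array
{
    $now ??= time();
    if ($header === null || $header === '') {
        throw new RuntimeException('No client certificate was forwarded');
    }
    // Assumption: the header is the base64 of the DER certificate; decode strictly.
    $der = base64_decode($header, true);
    if ($der === false) {
        throw new RuntimeException('Header is not valid base64');
    }
    $pem = "-----BEGIN CERTIFICATE-----\n"
         . chunk_split(base64_encode($der), 64, "\n")
         . "-----END CERTIFICATE-----\n";
    $cert = openssl_x509_read($pem);
    if ($cert === false) {
        throw new RuntimeException('Header does not contain an X.509 certificate');
    }
    // Chain check: issued under a CA from $caInfo and usable for TLS client authentication.
    if (openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_CLIENT, $caInfo) !== true) {
        throw new RuntimeException('Certificate does not chain to a trusted CA');
    }
    $info = openssl_x509_parse($cert);
    if ($info === false || $now < $info['validFrom_time_t'] || $now > $info['validTo_time_t']) {
        throw new RuntimeException('Certificate is outside its validity period');
    }
    return $info;
}

// Request handler: PHP exposes the X-ARR-ClientCert header as HTTP_X_ARR_CLIENTCERT.
try {
    $info = validateForwardedClientCert($_SERVER['HTTP_X_ARR_CLIENTCERT'] ?? null, [TRUSTED_CA_BUNDLE]);
    $commonName = $info['subject']['CN'] ?? null; // look up the account for this subject here
} catch (RuntimeException $e) {
    http_response_code(403);
    exit('Client certificate rejected');
}
```

When only a CA file is passed, `openssl_x509_checkpurpose` still consults OpenSSL's default CA directory, so add a dedicated CA directory to the array if trust must be limited to your own bundle.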