Nginx and Certificates behind Azure App Gateway

After a lot of investigating, I have found there are a few issues getting a certificate set up behind an Azure App Gateway firewall. The majority of the time this does work, but the issues I have run into are related to trying to use multiple certificates on a single Nginx webserver behind an Azure App Gateway.

The App Gateway needs to be set up in the following order:

  1. Create the Frontend IP. This generally needs to only be done once when using SNI or a shared IP setup.
  2. Create the Listener. Usually this will be a multisite setup for a shared infrastructure. You’ll need to create a separate entry per domain (or even subdomain) and also separate ones for www and non-www.
  3. Create the backend pool. This section will require a separate backend pool per site or Web App. You can have more than one Backend Pool per VM or site on each VM. I find correlating the domain listener to each backend pool was the way to keep organised on this.
  4. Custom Health Probe. You need a Health Probe to ensure the App Gateway front end knows the backend server is alive. This has to either have:

A certificate per domain with each https site having a separate certificate

Or

All sites use the Azure App Service certificate.

The second option above is useful if you are just using the Web App service; however, should you need to add a new VM at a later date, all these certificates will need to be replaced.

To add the certificate, you’ll need to export it in *.cer DER format and upload it to the App Gateway. This certificate must be exported from the same PFX file as the front-end certificate uploaded in the HTTP Settings. You will do this in step 5.

  5. Set the domain in HTTP Settings and add the certificate (PFX this time) and the custom probe. You may choose to auto-select the probe instead of using a custom one.
  6. Create the rule. This rule links the listener to the backend pool. You can also set a rule to forward www to non-www and to force HTTP to HTTPS.

Once everything is in place, the backend health should be healthy.

The issue I was suffering when using Nginx was error messages such as "Unhealthy instances in BackendAddressPool" and bad gateway (502) errors received when using Azure Application Gateway to access the sites in question.

This was down to the Nginx server not listening beyond the first site in the Nginx config file. The HTTPS certificate being served was either that of the default server or that of the first instance.

Unfortunately, using the App Gateway with the Nginx server was not a successful combination when using separate domains under different certificates. The only workaround for this was either to:

Purchase a wildcard certificate covering all subdomains under my domain.

Add a SAN (Subject Alternative Name) to the certificate in use. This way all subdomains would be listened to and the certificate would be valid.
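
To check which listener hostnames a backend certificate actually covers, whether through a wildcard or through SAN entries, the sketch below can help. It is an added example, not code from the original post. The hostnames and sample certificates are constructed, and `fetch_backend_cert` is a hypothetical helper that assumes the backend certificate chains to a CA the checking machine trusts.

```python
import socket
import ssl

def san_dns_names(cert):
    """DNS entries from a cert dict in ssl.SSLSocket.getpeercert() format."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    head, _, tail = host.partition(".")
    return bool(head) and tail == pattern[2:]

def uncovered_hosts(cert, listener_hosts):
    """Listener hostnames that the backend certificate does NOT cover."""
    names = san_dns_names(cert)
    return [h for h in listener_hosts if not any(name_matches(n, h) for n in names)]

def fetch_backend_cert(backend_ip, sni, port=443, timeout=5):
    """Live check (hypothetical helper): the cert the backend serves for one SNI name.
    The chain is still verified; name coverage is judged by uncovered_hosts()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we connect by IP and compare names ourselves
    with socket.create_connection((backend_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()

# Constructed sample certificates (not from the post), in getpeercert() format.
FIRST_SITE_CERT = {"subjectAltName": (("DNS", "site-a.example"),
                                      ("DNS", "www.site-a.example"))}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.org"),
                                    ("DNS", "example.org"))}

if __name__ == "__main__":
    hosts = ["site-a.example", "www.site-a.example", "site-b.example"]
    # A second domain hitting the first site's certificate shows up here.
    print("not covered by first-site cert:", uncovered_hosts(FIRST_SITE_CERT, hosts))
    org_hosts = ["example.org", "shop.example.org", "a.b.example.org"]
    # A wildcard covers one label only, so deeper subdomains need their own SAN.
    print("not covered by wildcard cert:", uncovered_hosts(WILDCARD_CERT, org_hosts))
```

Calling `fetch_backend_cert` once per listener hostname against the backend VM's IP and passing each result to `uncovered_hosts` shows whether every site gets a certificate valid for its own name.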