Proxy Configuration Warning help
-
@mark-robustelli So you would need to either set the four environmental variables in Azure, or set the four properties in the .properties file. I chose the latter in the end.
-
@mark-robustelli Seems I didn't restart my container properly the first time. I did that again and I'm seeing some new errors in the docker logs regarding SSL.
So I think now the container is indeed listening on 443 since adding the new environmental variable WEBSITES_PORT, but something else is going wrong now. I need to look into what this error means:
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
-
@ronn316 I think I may have some bad news going down this route.
It seems like it may be possible but is not recommended to so this.
I'm going to take another route now and see if there is anything we can do with App Services and redirecting the port.
BTW, have you tried the Kubernettes route (https://fusionauth.io/docs/get-started/download-and-install/kubernetes/aks) to run FusionAuth in Azure or just use a regular container and Postgres db? I have not myself, but seems like that may be a route to go too.
-
@mark-robustelli that thread is from 2020, and my understanding is that the new https properties were added in early 2023. So indeed using a proxy was the only way before but I don't see why using the new https properties shouldn't be a good route now.
In any case I also tried going the reverse proxy route by following some of the sample nginx configurations on the fusionauth github and I feel I was really close to getting it to work but not quite. I was getting some redirect errors. I may put more time into getting that to work instead of this route we've been trying.
I did not try kubernetes. I think it may be overkill. I may try using an apache server for the proxy and copying that code from your link. I struggled with nginx.
-
@mark-robustelli After a bit more research, it looks like Fusionauth with HTTPS enabled won't be able to work in Azure:
I think I have no choice but to use a reverse proxy. I'll focus my attention on that now.
-
@ronn316 Yeah, I thought there might be some odd behavior with the App Service, that is why I recommended trying the typical container or K8s route.
-
@mark-robustelli Just an FYI I opened a ticket with Azure support so I'll post back here when I have some updates.
-
@ronn316 Cool. I'll be very interested in what they have to say. Seems as if they'd open up port forwarding on the App Service, it would be easy to implement, but they probably won't do that. Thanks for keeping the community updated on the progress and look forward to the response.
-
@mark-robustelli So I managed to solve it finally. I ended up setting a reverse proxy in Azure App service. This is my Nginx server config:
server { listen 0.0.0.0:80; # this is the proxy host server_name auth.mydomain.com; location / { proxy_set_header Host $proxy_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port '443'; proxy_set_header X-Forwarded-Host auth.mydomain.com; # this is the server FusionAuth is hosted on proxy_pass https://mydomain.azurewebsites.net/; } }
So there's two points to keep in mind.
-
Azure App Service HTTPS requests don't enter the container. They are terminated at the front end. So we need to configure Nginx to listen on port 80 and not 443. Also seems like we don't need to setup any of our own certificates.
-
All the sample FusionAuth reverse proxy configurations posted on the FusionAuth github seem to be for reverse proxies hosted on the same server as the FusionAuth instance. In my case I am proxying to a different server so I needed to set a proxy header "Host $proxy_host;" instead of "Host $host;".
I hope this will be helpful for somebody else trying to set this up in Azure.
-
-
@ronn316 Thank you so much for sharing with the community and I'm glad you got it working for you!
-