What to do, given mTLS with HTTP Version 2 is not available in Azure App Service?
At the time of writing, the Azure documentation clearly shows a screenshot where client certificates are required on an App Service and the HTTP version is set to 2.0. However, this no longer appears to be possible - the Azure console now states that client certificates can only be evaluated if HTTP 1.1 is selected.
Here is the screenshot from the Azure documentation:
Here is a screenshot from the actual Azure console:
As the majority of our clients are already connecting using HTTP 2.0, I'm wondering, in order to introduce optional mTLS support, do I have to create a new subdomain and new proxy App Service with HTTP 1.1 configured, then ask/redirect our clients to use the proxy subdomain? Why exactly is 2.0 with mTLS not supported? What is the best approach from here?
- HTTP/2 protocol negotiation happens before the TLS handshake completes
- This means client certificates cannot be properly evaluated when using HTTP/2
- This is a protocol-level constraint, not just an Azure limitation
Create a TLS-terminating Proxy.
nginx.conf:
http {
upstream backend {
server your-main-app.azurewebsites.net:443;
keepalive 32;
}
server {
listen 443 ssl;
server_name mtls.yourdomain.com;
# SSL configuration
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
# Client certificate verification
ssl_client_certificate /etc/nginx/ssl/ca.crt;
ssl_verify_client optional; # or 'on' for required
# Proxy to main application
location / {
proxy_pass https://backend;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Pass client certificate information
proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
}
}
}
Split Traffic approach: create a new HTTP/1.1 endpoint specifically for clients requiring mTLS, Keep the existing HTTP/2 endpoint for regular traffic.
Use Azure Front Door or load balancer to route based on hostname
Reference:
- How to resolve paging when retrieving data from REST API in R
- SearchService deployment fails if the resource exists
- Azure Bicep - Referencing a variable that cannot be calculated at the start
- Local development with Azure SignalR Service and Azure Functions
- Azure Functions & Application Insights requests "Operation Link" empty
- Disabling allow public blob access using terraform
- how to retrieve all resources under given subnet using Azure Resource Graph Explorer query
- I'm using SSIS in ADF to move .csv from a blob container to another and then ingest into a Azure SQL database. I get an assembly error
- How to build expression in ADF from json using parameterized variable?
- Reference a variable azure pipeline not working
- Graph Powershell adding a user to PIM for a privileged security group
- Indexing static HTML blob storage content with Azure Cognitive Search is not working as expected
- Azure python webapp deploy shows as running even though it is successful
- Azure pipeline get Pull request source and target branch name
- Error while copying Azure Storage table from one Storage to another storage table using Powershell script
- Azure Function App Fails to Delete Blob Image After Deployment
- Use Azure AD authentication but manage roles in database in .NET 6
- Microsoft Azure VMs IaaS or PaaS?
- Can an application property be updated/deleted from a ServiceBusReceivedMessage?
- Why is my Blazor Web App throwing a SocketException when authenticating with OpenIddict when deployed to Azure App Service?
- RPC failed: curl 56 failure when receiving data from the peer
- Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell
- Reading Excel file returns 'Invalid Request' error
- Is it possible to clone an Azure Container App?
- Unable to Enable Encryption at host for Azure VM
- Application Insights does not capture information level logging
- How to look up logical partition count and size in Cosmos DB
- AzureRmWebAppDeployment@4 tries to deploy to a wrong URL to Linux app plan
- Azure B2C client credentials flow throws invalid_grant AADB2C90085
- Why I can't create azurerm_app_service connection?