Aspnetcore: Handle the X-ARR-ClientCert header on Azure

Created on 28 Feb 2018 · 14 Comments · Source: dotnet/aspnetcore

Based on the discussion in https://github.com/aspnet/mvc/issues/7366 it looks like Azure App Service will pass client certificates using the X-ARR-ClientCert header. We should investigate if we should add special handling for this header to surface the client certificate appropriately.

See also https://blogs.msdn.microsoft.com/kaevans/2016/04/13/azure-web-app-client-certificate-authentication-with-asp-net-core-2/

@blowdart @shirhatti

Done area-middleware

All 14 comments

Note that I already wrote middleware for this https://github.com/blowdart/idunno.Authentication/commit/b8b6cecb5f351d9e718a6a8daceea928de383036 - if we do it, it should be flexible enough to cope with other proxies, not just ARR.

@pakrym thinks we may be doing something similar (with a different header) in IISIntegration. He'll verify.

cc @Tratcher

ANCM forwards the client cert in a similar way, but that would be different from ARR. Didn't Azure's ARR do magic to unpack forwarded values like this before we observed them?

Apparently not, because users had to hack their own bits to get the cert. We ought to go ask Azure for a list of every possible header from ARR.

@davidebbo is the list of all possible ARR headers captured somewhere?

@muratg sorry, not my area. Would need to find some IIS experts.

@pan-wang, do you know if such a list exists?

I am sure about X-ARR-SSL, X-ARR-ClientCert, X-ARR-LOG-ID, X-Forwarded-For and X-Forwarded-By, but not sure about X-ARR-CACHE-HIT, which seems to be used as a ServerVariable instead of a forwarded header. Antares may add different headers.

Well it's ARR so it'd be a question for Azure.

Any movement on this?

Assigning to @shirhatti

Re-opening because this is important for https://github.com/aspnet/AspNetCore/issues/4663

https://github.com/aspnet/AspNetCore/pull/9756 adds the CertificateForwarding middleware for this
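
One way to point the CertificateForwarding middleware at the `X-ARR-ClientCert` header, as an added example that is not code from this issue or from the linked pull request. It assumes an ASP.NET Core web project with implicit usings, the Microsoft.AspNetCore.Authentication.Certificate package, a base64-encoded certificate in the header, and an app that is reachable only through the front end that sets the header; the `/whoami` route is hypothetical.

```csharp
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.Certificate;

var builder = WebApplication.CreateBuilder(args);

// Read the forwarded client certificate from the header named in this issue.
builder.Services.AddCertificateForwarding(options =>
{
    options.CertificateHeader = "X-ARR-ClientCert";
    options.HeaderConverter = headerValue =>
    {
        if (string.IsNullOrWhiteSpace(headerValue)) return null!;
        try
        {
            // Assumption: the value is the base64 encoding of the DER certificate.
            return new X509Certificate2(Convert.FromBase64String(headerValue));
        }
        catch (Exception e) when (e is FormatException or CryptographicException)
        {
            // Malformed header: treat the request as having no client certificate.
            return null!;
        }
    };
});

// A forwarded certificate is only a claim until the app validates it,
// so certificate authentication runs on top of the forwarded value.
builder.Services
    .AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate(options =>
    {
        // Require a chain to a trusted root; self-signed certificates are rejected.
        options.AllowedCertificateTypes = CertificateTypes.Chained;
    });
builder.Services.AddAuthorization();

var app = builder.Build();

app.UseCertificateForwarding(); // must run before authentication
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical endpoint: returns the subject of the validated client certificate.
app.MapGet("/whoami", (HttpContext ctx) => ctx.Connection.ClientCertificate?.Subject ?? "none")
   .RequireAuthorization();

app.Run();
```

If the app can be reached without passing through the front end, a caller can supply this header directly, so the forwarding step should be enabled only where the network path guarantees the proxy sets or overwrites it.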
