Error "ERR_SSL_PROTOCOL_ERROR" while accessing Azure web app configured behind App gateway

Question

Hello,

I have an application gateway which has an azure app service(web app) as one of the backend pools.

The app gateway is configured as: the listener which listens on port 80 for a specific host name. The HTTP setting is also enabled with the port 80. When the site is accessed, it throws an error as below.

"This site can’t provide a secure connection

<app service URL> sent an invalid response.

ERR_SSL_PROTOCOL_ERROR"

The URL gets changed to "<app_service_url>:80"

Before this gateway was configured, the custom domain and TLS/SSL binding were been done on the app service.

HTTPS only is turned off.

Can anyone spare your knowledge in helping me understand and resolve this situation?

Thank you for your time & concerns in advance.

Answer 1

Hello Prasanth,

This forum is specifically for Azure App Configuration questions.

Moving the thread to the Azure Networking Forum so you can get assistance from the community.

Answer 2

Can you clarify your setup? It seems that the App gateway is trying to use HTTPS, but your web app cannot receive it. Are you trying to set up SSL with your App Gateway?

Also, have you enabled the 'pick host name from backend address' on your HTTP setting?

Answer 3

Thank you for the response Travis.

"We have an application gateway which has web app as a backend pool. The Listener is configured with HTTP.  When the HTTP setting is also configured with HTTP, I'm getting the mentioned error. When I change the HTTP setting from HTTP to HTTPS(Using CA Certificate option), the application is loading"

Just for a condition, I like to configure the HTTP setting with port 80.

"Pick hostname from backend target" was enabled in the HTTP Setting

Note: Before this gateway was created, the custom domain & SSL has been configured on the web app and they are still there.

Thanks.

Answer 4

To enable End to End SSL on the App Gateway, you will need your backend health probe to be HTTPS. If you are using the App Gateway V1 SKU, you might also need to remove the custom domain on your web app, as it is known to cause issues. 

If you are only trying to do SSL termination and want the backend to connect via HTTP, this should work just fine as long as your web app can receive http connections. 

Answer 5

Thank you very much for the response.

We are using application gateway of Standard V2 SKU.

We are trying to do SSL termination only. Maybe I'm missing something or some other issue.

Answer 6

I am quite confused, you say that you are trying to setup SSL termination, but you are trying to connect to port 80 on the front end, and also port 80 on the backend. This is not SSL termination, and using port 80 on both ends means that there will be no SSL involved. 

If you want to do SSL termination, your listener will need to be on port 443, and you will need the certificate for your DNS name. 

Next, for your web app backend, are you using the custom domain suffix or the azure provided DNS suffix for your web app?