articles/container-apps/waf-app-gateway.md
31 additions & 3 deletions
@@ -5,7 +5,7 @@ services: container-apps
5
5
author: craigshoemaker
6
6
ms.service: azure-container-apps
7
7
ms.topic: how-to
8
-
ms.date: 04/28/2025
8
+
ms.date: 07/07/2025
9
9
ms.author: cshoe
10
10
---
11
11
@@ -190,7 +190,7 @@ The backend pool is used to route requests to the appropriate backend servers. B
190
190
- Internal IP addresses
191
191
- Virtual Machine Scale Sets
192
192
- Fully qualified domain names (FQDN)
193
-
-Multi-tenant back-ends like Azure App Service and Container Apps
193
+
-Multitenant back-ends like Azure App Service and Container Apps
194
194
195
195
In this example, you create a backend pool that targets your container app.
196
196
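Review bot: The changed list item at new line 193 reads `-Multitenant back-ends like ...` with no space after the hyphen, while its siblings (`- Internal IP addresses`, `- Virtual Machine Scale Sets`) have one; as shown here, the line would not render as a list item. Since the line is being edited anyway, add the space, and consider `backends` instead of `back-ends` to match the "backend pool" and "backend servers" spelling in the surrounding text.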
@@ -278,6 +278,15 @@ To connect the frontend and backend pool, perform the following steps:
278
278
| Host name override | Select **Pick host name from backend target**. |
279
279
| Create custom probes | Select **No**. |
280
280
281
+
1. Under **Request Header Rewrite**, configure the following:
282
+
283
+
- Enable Request Header Rewrite: Select **Yes**.
284
+
- Add a request header:
285
+
- Header name: `X-Forwarded-Host`
286
+
- Value: `{host}`
287
+
288
+
This action ensures that the original `Host` header from the client request is preserved and accessible by the backend application.
289
+
281
290
1. Select **Add**, to add the backend settings.
282
291
283
292
1. In the *Add a routing rule* window, select **Add** again.
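Review bot: The sentence added at new line 288 says the client's original `Host` is "preserved and accessible by the backend application", but it does not say that this value comes straight from the client request and is untrusted when the backend reads it from `X-Forwarded-Host`. The section added later in this change names redirect URLs, absolute links and OIDC flows as the consumers, so suggest one more sentence here telling readers to check the header against the host names the app expects before using it to build redirects or links. It would also help to confirm that `{host}` is the exact token the rewrite value field accepts, since the page shows it without any other reference.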
@@ -302,10 +311,29 @@ You can establish a secured connection to internal-only container app environmen
302
311
| Private link subnet | Select the subnet you wish to create the private link with. |
303
312
| Frontend IP Configuration | Select the frontend IP for your Application Gateway. |
304
313
305
-
1. Under **Private IP address settings** select **Add**.
314
+
1. Under **Private IP address settings**, select **Add**.
306
315
307
316
1. Select **Add** at the bottom of the window.
308
317
318
+
## Preserve original host header for redirects and SSO
319
+
320
+
When Azure Application Gateway is configured as a reverse proxy and the *Override with new host name* setting is enabled, the `Host` header is modified. Modifying the header can interfere with applications that rely on the original host value to generate redirect URLs, absolute links, or support OpenID Connect (OIDC) authentication flows.
321
+
322
+
To forward the original host header, you can inject it into the `X-Forwarded-Host` header using Application Gateway's request header rewrite feature.
323
+
324
+
### Configure X-Forwarded-Host injection
325
+
326
+
To enable `X-Forwarded-Host` injection:
327
+
328
+
1. Under the **Configuration** tab, select **Backend settings** section of your Application Gateway routing rule:
329
+
330
+
- Enable **Request Header Rewrite**.
331
+
- Add a new request header with the following values:
332
+
- Header name: `X-Forwarded-Host`
333
+
- Value: `{host}`
334
+
335
+
Your backend app can now read the original request host using the `X-Forwarded-Host` header.
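Review bot: The new section at lines 318-335 repeats the `X-Forwarded-Host` / `{host}` step that this same change already adds to the backend settings procedure at lines 281-288, so a reader following the article top to bottom configures it twice. Suggest keeping the explanation (why the `Host` header changes and what breaks) here and linking back to the earlier step instead of restating it, or dropping the earlier step and pointing forward to this section. The paragraph at line 320 also refers to an *Override with new host name* setting, while the table in the earlier procedure calls the field **Host name override** with the value **Pick host name from backend target**; use one name so readers can match it to what they selected. Line 328 is a one-item numbered list and reads awkwardly ("select **Backend settings** section of your Application Gateway routing rule:"); consider "open the **Backend settings** section of your routing rule" as plain lead-in text.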