Umbraco 15 behind Azure Front Door

Has anyone here set up Umbraco 15 yet on an Azure app service hosted behind an Azure Front Door implementation?

Our infrastructure terminates the SSL / DNS on the front door route, and routes the traffic to the correct app service over a private link, so no public access is permitted to the app service, and nor does it know about the public facing URL.

This setup works fine for Umbraco 13, but on 15 (and we noticed it on 14 as well), when you access the back office login page it performs a redirect, but this redirects to the azurewebsites.net URL rather than the actual URL (or the azurefd.net domain on non production environments), and then the request fails as the azurewebsites.net URL isn’t publicly available as all traffic is expected to be routed through the front door.

We’ve tried updating the config to set

"CMS": {
      "WebRouting": {
        "UmbracoApplicationUrl": "<<url>>"
      }
}

and

"Security": {
        "AllowConcurrentLogins": false,
        "BackOfficeHost": "<<URL>>"
}

But these changes have made no difference.

We also intermittently see the below error as well when accessing the login page.

error:invalid_request

error_description:The specified 'redirect_uri' is not valid for this client application.

error_uri:https://documentation.openiddict.com/errors/ID2043

Which I assume is also due to the mismatch of the AzureFD URL and the Azurewebsites URL.

Has anyone got Umbraco to play nicely on such a setup, or got any advice on any way we can achieve this?

Thanks
Andrew


Have you configured Umbraco to use forwarded headers?

I had the same problem, but after changing my configuration according to this article by Luke Fisher, I was able to get the headers forwarded.

I am not too happy about having to add applicationHost.xdt and adjust my web.config every time I deploy new app services (using Pulumi), but I have not been able to find another way that works.

If anyone knows a nicer way, please let us know :nerd_face:

error:invalid_request

error_description:The specified 'redirect_uri' is not valid for this client application.

error_uri:https://documentation.openiddict.com/errors/ID2043

That error is really annoying. When Umbraco boots the first time, it registers the ‘current’ request URL in the database as being the redirect_uri for the authentication. It’s an array, so you could theoretically write a script that adds additional domains to the record.

But when using deployment slots for Umbraco when you have only one database, this is also an issue. You cannot log into Umbraco from the non-primary slot, because it would give the above error.

This seems to have worked a treat! Thank you for this.

It’s a bit fiddly with the xdt, but I’m sure we can find a way to deploy this somehow via PowerShell maybe to avoid having to manually create on each environment.
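
For reference, this is what "forwarded headers" looks like at the ASP.NET Core level, as an added example that is not from this thread or from the linked article, which uses applicationHost.xdt and web.config instead. It is a minimal stand-alone app rather than an Umbraco Program.cs, the two hostnames are placeholders, and the thread does not confirm that this middleware alone fixes the Umbraco 15 back office redirect.

```csharp
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Front Door terminates TLS and owns the public hostname, so the app has to
    // take scheme and host from the headers the proxy adds to each request.
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto;

    // By default only a loopback proxy is trusted, so headers set by Front Door
    // are ignored. Clearing both lists trusts every sender, which is only
    // acceptable because ingress is restricted to the private link, as in the
    // setup described above. If the app is directly reachable, list the proxy
    // addresses here instead of clearing.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();

    // Allow-list for X-Forwarded-Host values. Anything else is discarded, so a
    // forged header cannot steer redirects or generated links to another host.
    // Placeholder hostnames (assumptions): replace with the real public domain
    // and the azurefd.net endpoint used on non-production environments.
    options.AllowedHosts = new List<string>
    {
        "www.example.com",
        "example-nonprod.azurefd.net"
    };
});

var app = builder.Build();

// Must run before any middleware that builds absolute URLs (redirects,
// OpenID Connect redirect_uri values), otherwise those still see the
// azurewebsites.net host.
app.UseForwardedHeaders();

// Diagnostic endpoint (hypothetical path): shows the URL the app believes it
// is served on. Through Front Door it should return the public URL.
app.MapGet("/whoami", (HttpContext ctx) =>
    $"{ctx.Request.Scheme}://{ctx.Request.Host}");

app.Run();
```

Requesting `/whoami` through Front Door is a quick check that the public host is being honoured before testing the back office login.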