
I tried to implement a very basic Health Check on one of my App Services on Azure. This is a WebApp written in C# Backend + Angular front end.

I followed the documentation from MS: Monitor Instances...

I added a new variable in the "Configuration" Section of the App Service, called "WEBSITE_AUTH_ENCRYPTION_KEY" and added the method "HeaderMatchesEnvVar" as in the documentation.

using System;
using System.Security.Cryptography;
using System.Text;

/// <summary>
/// Method <c>HeaderMatchesEnvVar</c> returns true if <c>headerValue</c> matches WEBSITE_AUTH_ENCRYPTION_KEY.
/// </summary>
public bool HeaderMatchesEnvVar(string headerValue) {
    string envVar = Environment.GetEnvironmentVariable("WEBSITE_AUTH_ENCRYPTION_KEY");
    // Encoding.UTF8.GetBytes(null) throws, so a missing setting or header fails the check instead of crashing the probe.
    if (string.IsNullOrEmpty(envVar) || string.IsNullOrEmpty(headerValue))
        return false;
    // The expected header value is the Base64-encoded SHA-256 of the key.
    using (var sha = SHA256.Create()) {
        string hash = Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(envVar)));
        return hash == headerValue;
    }
}

The healthcheck endpoint has the route "api/healthcheck" which is also set on the App Service. The controller method looks like this:

using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Primitives;

[HttpGet]
[Route("")]
public async Task<IActionResult> HealthCheck()
{
    // The platform probe sends its token in this header; anything without a matching value is rejected.
    Request.Headers.TryGetValue("x-ms-auth-internal-token", out StringValues stringValues);
    var headerValue = stringValues.FirstOrDefault();
    if (!HeaderMatchesEnvVar(headerValue))
        return new StatusCodeResult(401);

    // checks databases
    await _repository.HealthCheck();

    return new StatusCodeResult(200);
}

If I understand the documentation correctly, then this should already be sufficient for the HealthCheck to work. But of course, the health check tells me that the Application is unhealthy and every single healthcheck request returned a 401. When I check the endpoint with postman without the header value, I also get 401, but with the header value I get the expected 200.

What am I missing? Why is the header value not sent? Or why is a wrong header value sent? Am I correct in assuming I can overwrite the value for the header by setting the Configuration setting (WEBSITE_AUTH_ENCRYPTION_KEY)? Or did I misunderstand the documentation?

I also found this piece of information: GitHub: Header Value not matching

and tried the proposed solution to no avail.

I also tried to just compare to the raw configuration value, without hashing it.

Domey
  • I've only done this header check with a function app HTTP trigger. I did not need to populate WEBSITE_AUTH_ENCRYPTION_KEY, I think Azure does that for you. If your API is secured with some authentication, then you need to add [AllowAnonymous] on the Controller action. – Knut Erik Lødding Apr 13 '23 at 08:07
  • And according to the documentation: x-ms-auth-internal-token is only available on Windows App Service, so if you're using Linux, then it won't work. – Knut Erik Lødding Apr 13 '23 at 08:12
  • Yes I know, it is a Windows App Service. – Domey Apr 17 '23 at 08:05
  • Follow up: I did not find out what I was doing wrong or understanding wrong, so I inspected the given value and used that in the configuration instead of trying to change the value to what I have. – Domey May 17 '23 at 11:45

0 Answers
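For reference, here is a hardened version of the controller the question describes, written as an added example (it is not the poster's code and not the Microsoft documentation sample). It keeps the documented contract, the expected header value is Base64(SHA-256(WEBSITE_AUTH_ENCRYPTION_KEY)), but adds what the thread's comments point at and what a reviewer would ask for: [AllowAnonymous] so the platform probe is not blocked by the app's own authentication, a null guard for a missing setting or header, a constant-time comparison, a 503 rather than an unhandled exception when the database ping fails, and log lines that report which check failed without ever writing the key or the header value. It assumes .NET 5 or later (for SHA256.HashData) and a hypothetical IHealthRepository that wraps the database check; both are assumptions, not anything from the page.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Primitives;

// Hypothetical abstraction over the database ping the question's _repository.HealthCheck() performs.
public interface IHealthRepository
{
    Task HealthCheck();
}

[ApiController]
[Route("api/healthcheck")]
public class HealthCheckController : ControllerBase
{
    // Header and setting names are the ones named in the question and the App Service docs.
    private const string TokenHeader = "x-ms-auth-internal-token";
    private const string KeySetting = "WEBSITE_AUTH_ENCRYPTION_KEY";

    private readonly IHealthRepository _repository;
    private readonly ILogger<HealthCheckController> _logger;

    public HealthCheckController(IHealthRepository repository, ILogger<HealthCheckController> logger)
    {
        _repository = repository;
        _logger = logger;
    }

    // The platform probe carries no user credentials, so the action must bypass the app's
    // normal authentication; the header comparison below is the gate instead.
    [HttpGet]
    [AllowAnonymous]
    public async Task<IActionResult> HealthCheck()
    {
        Request.Headers.TryGetValue(TokenHeader, out StringValues values);
        string presented = values.FirstOrDefault();

        if (string.IsNullOrEmpty(presented))
        {
            _logger.LogWarning("Health probe rejected: header {Header} missing", TokenHeader);
            return Unauthorized();
        }

        if (!TokenMatchesPlatformKey(presented))
        {
            // Log the fact, never the value: the header is derived from a platform secret.
            _logger.LogWarning("Health probe rejected: header {Header} does not match {Setting}", TokenHeader, KeySetting);
            return Unauthorized();
        }

        try
        {
            await _repository.HealthCheck();
            return Ok();
        }
        catch (Exception ex)
        {
            // A failing dependency should surface as 503, which the platform counts as an unhealthy probe,
            // rather than as an unhandled 500 with a stack trace.
            _logger.LogError(ex, "Health check dependency failure");
            return StatusCode(503);
        }
    }

    // Expected token = Base64(SHA-256(key)). The comparison runs on the decoded bytes in
    // constant time so the check itself leaks nothing about the expected value.
    private bool TokenMatchesPlatformKey(string headerValue)
    {
        string key = Environment.GetEnvironmentVariable(KeySetting);
        if (string.IsNullOrEmpty(key))
        {
            _logger.LogError("{Setting} is not set; cannot validate the health probe", KeySetting);
            return false;
        }

        byte[] expected = SHA256.HashData(Encoding.UTF8.GetBytes(key));
        byte[] presented;
        try
        {
            presented = Convert.FromBase64String(headerValue);
        }
        catch (FormatException)
        {
            return false; // not Base64 at all, so it cannot be a valid token
        }
        return CryptographicOperations.FixedTimeEquals(expected, presented);
    }
}
```

When diagnosing the 401 the question describes, the two log lines are the useful signal: "header missing" points at the request never reaching this action with the header (wrong route, a proxy or authentication layer stripping it, or a non-Windows plan as the comments note), while "does not match" points at the key the app reads differing from the one the platform used to derive the token.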