We've been running this in Azure for a long time. Until recently, we were using the managed DNS option with DynaTrace managed certs and had a public IP for our server going through the Azure App Gateway to port 443 only for agent traffic.
This has been a dissatisfying solution because it takes a few extra steps to get a new agent deployed and uses two different sets of certificates, so we finally took the plunge and started to figure out how to get this working with our own certificates, our domain name and eliminated the dynatrace-managed.com elements.
When I'm not on our corporate VPN/network, I can get to the login page through the App Gateway but cannot login; the login page just keeps showing over and over. No errors, nothing in the logs, etc.
When I am on our VPN, going to the managed server URL redirects to the Azure internal IP address in Azure https://10.206.xxx.xxx/ and everything works.
The Azure App Gateway listens on port 443 for the URL and redirects to 443 on the internal IP. It reports healthy, which just means that 443 is accepting connections.
The App Gateway hosts multiple other services, configured nearly exactly the same and none of them show this behavior. If I go to any of these URLs they show correctly in the browser address bar and I can do everything there without a VPN connection. DynaTrace is the only service that shows the internal IP address in the browser after using the public IP URL when on VPN/corporate network and the only service that doesn't load outside our private network using the public URL (past the login page).
It feels like a configuration issue with NginX, but I'm not sure what to change. Any suggestions to help address this are welcome!
Solved! Go to Solution.
Some new information:
I just tried logging in again (without VPN) while tailing the Server-Debug.0.0.log file and saw these two events:
021-05-18 20:40:17 UTC INFO [<server,0x1,node0fd2il>] [RuxitSessionIdChangedListener] Session id changed from node0fd2il8b5bxd11vhflwkzfb5la6264 to node0132mobn0cu3pn1jagl43cedsb16266.
2021-05-18 20:40:21 UTC INFO [<server,0x1,node0132mo-internal>] [CSPViolationServlet] [userId: admin] [version: 18.104.22.16810517-133639] [mismatch: false] CSP rules were violated. The resource that violated policy (FALSE POSITIVE): https://10.x.x.x . The violated directive: form-action.
So perhaps we should enable cookie-based affinity (see https://docs.microsoft.com/en-us/answers/questions/170268/ip-based-sessions-are-not-maintained-by-the-load-b.html )
For future reference, we managed to fix this issue. Enabling cookie-based affinity didn't help. Instead, on the Azure Application Gateway's HTTP settings for Dynatrace, we changed the host name override option to yes with sub-option "Override with specific domain name" and set the domain name to match our URL's domain.