Azure App Gateway:502 / SNI/SSL 问题?使用应用服务配置
Azure App Gateway: 502 / SNI/SSL issue? Configuration with App Service
我有点发疯了,因为我无法让它正常工作。
环境:
- 应用程序网关 v2 (WAF)
- 具有自定义域的应用服务
- 结束 2 结束 SSL
目标:
- 仅在 App Gateway 上管理外部 SSL 证书
- 应用服务上的自签名 SSL
- End2End SSL
设置:
- 后端池设置为应用服务 (*.azurewebsites.net)
- 外部配置的FronendIP
- 设置了外部主机名的自定义探测器,Https
- 具有 FrontendIp/Port(443)、主机名和外部有效证书的 SSL 侦听器
- 将自签名证书 (cer) 导入 App Gateway (powershell) 中的受信任的根颁发机构
- HTTP 设置 -> Https,端口 443,超时 30,自定义探测,主机名设置为外部地址,已分配 TrustedRootCertificate (powershell)
- 应用 SSL 侦听器、后端池、Http 设置的基本规则(powershell!)
- 现在这可能是让我失望的一点,因为:
- Powershell 说后端 http 设置已应用
- 门户网站在规则的 "overview" 页面上也是这样说的
- 但是在编辑规则时,"Http setting" 字段为空,并且有一个红色感叹号:
"There are no http settings with pick host name from backend address
set. Create a new http setting with pick host name from backend
address set and then try again."
但是,我不想要这个设置,因为那样会以“*.azurewebsites.net”访问后端,对吗?我需要通过外部主机名 (*.mydomain.com).
访问后端
症状:
- 门户中的后端运行状况"Healthy"
- 正在访问外部主机名 -> 502 Bad Gateway
我通过使用 "pick host name from backend" 并使用 azure 主机名 (*.azurewebsites.net) 进行内部访问,不幸的是我们的应用程序确实需要外部名称(对于上下文:完成后,将有多个外部名称指向同一个应用程序,应用程序会根据使用的主机名更改行为)
更多注释:
- App Service 配置了 SSL,自签名证书仅分配给具有 "SNI"
的自定义主机名
When editing the rule however, the "Http setting" field is empty, and
there is a red exclamation mark:
Githubhere. It seems WAF_v2 won't accept .cer files when setting HTTPS Settings. When you whitelist the CER cert with Http settings using PowerShell, it is not reflected in the portal. A possible reason is that application Gateway does not support Authentication Certificates for the WAF_v2 tier. You can read the known-issues-and-limitations in Application Gateway with WAF_v2 and End to end SSL with the v2 SKU中的类似场景。
If the certificate is self-signed, or signed by unknown
intermediaries, then to enable end to end SSL in v2 SKU a trusted root
certificate must be defined. Application Gateway will only communicate
with backends whose Server certificate’s root certificate matches one
of the list of trusted root certificates in the backend http setting
associated with the pool.
In addition to root certificate match, Application Gateway also
validates if the Host setting specified in the backend http setting
matches that of the common name (CN) presented by the backend server’s
SSL certificate. When trying to establish an SSL connection to the
backend, Application Gateway sets the Server Name Indication (SNI)
extension to the Host specified in the backend http setting.
If pick hostname from backend address is chosen instead of the Host
field in the backend http setting, then the SNI header is always set
to the backend pool FQDN and the CN on the backend server SSL
certificate must match its FQDN. Backend pool members with IPs are not
supported in this scenario.
关于 502 Bad Gateway 错误,后端运行状况良好。如果没有防火墙阻止来自后端的请求或响应,我可能建议检查 Web 服务器端的错误并确保后端在 30 秒(默认值)内响应应用程序网关发送的请求。
您可以从 troubleshooting steps and diagnostic logs, and metrics for Application Gateway and here 获得更多参考资料。
希望这会有所帮助。
事实证明这是 "V2" 在 "Preview" 中的副作用(截至 2018-12-13)。 "Preview" 标签不是很明显。 Azure 门户没有提到它处于预览状态,所有文档都在谈论 "Autoscaling" 处于预览状态。
事实证明,"V2" 意味着 "Autoscaling" 功能,所以整个 "V2" 都在预览中。
我们已经使用 "V1" 应用网关类型重新完成了完全相同的设置,它按预期工作。
我希望他们也能在 Portal 中清楚地标记预览内容...
我有点发疯了,因为我无法让它正常工作。
环境:
- 应用程序网关 v2 (WAF)
- 具有自定义域的应用服务
- 结束 2 结束 SSL
目标:
- 仅在 App Gateway 上管理外部 SSL 证书
- 应用服务上的自签名 SSL
- End2End SSL
设置:
- 后端池设置为应用服务 (*.azurewebsites.net)
- 外部配置的FronendIP
- 设置了外部主机名的自定义探测器,Https
- 具有 FrontendIp/Port(443)、主机名和外部有效证书的 SSL 侦听器
- 将自签名证书 (cer) 导入 App Gateway (powershell) 中的受信任的根颁发机构
- HTTP 设置 -> Https,端口 443,超时 30,自定义探测,主机名设置为外部地址,已分配 TrustedRootCertificate (powershell)
- 应用 SSL 侦听器、后端池、Http 设置的基本规则(powershell!)
- 现在这可能是让我失望的一点,因为:
- Powershell 说后端 http 设置已应用
- 门户网站在规则的 "overview" 页面上也是这样说的
- 但是在编辑规则时,"Http setting" 字段为空,并且有一个红色感叹号:
- 现在这可能是让我失望的一点,因为:
"There are no http settings with pick host name from backend address set. Create a new http setting with pick host name from backend address set and then try again."
但是,我不想要这个设置,因为那样会以“*.azurewebsites.net”访问后端,对吗?我需要通过外部主机名 (*.mydomain.com).
访问后端症状:
- 门户中的后端运行状况"Healthy"
- 正在访问外部主机名 -> 502 Bad Gateway
我通过使用 "pick host name from backend" 并使用 azure 主机名 (*.azurewebsites.net) 进行内部访问,不幸的是我们的应用程序确实需要外部名称(对于上下文:完成后,将有多个外部名称指向同一个应用程序,应用程序会根据使用的主机名更改行为)
更多注释:
- App Service 配置了 SSL,自签名证书仅分配给具有 "SNI" 的自定义主机名
When editing the rule however, the "Http setting" field is empty, and there is a red exclamation mark:
Githubhere. It seems WAF_v2 won't accept .cer files when setting HTTPS Settings. When you whitelist the CER cert with Http settings using PowerShell, it is not reflected in the portal. A possible reason is that application Gateway does not support Authentication Certificates for the WAF_v2 tier. You can read the known-issues-and-limitations in Application Gateway with WAF_v2 and End to end SSL with the v2 SKU中的类似场景。
If the certificate is self-signed, or signed by unknown intermediaries, then to enable end to end SSL in v2 SKU a trusted root certificate must be defined. Application Gateway will only communicate with backends whose Server certificate’s root certificate matches one of the list of trusted root certificates in the backend http setting associated with the pool.
In addition to root certificate match, Application Gateway also validates if the Host setting specified in the backend http setting matches that of the common name (CN) presented by the backend server’s SSL certificate. When trying to establish an SSL connection to the backend, Application Gateway sets the Server Name Indication (SNI) extension to the Host specified in the backend http setting.
If pick hostname from backend address is chosen instead of the Host field in the backend http setting, then the SNI header is always set to the backend pool FQDN and the CN on the backend server SSL certificate must match its FQDN. Backend pool members with IPs are not supported in this scenario.
关于 502 Bad Gateway 错误,后端运行状况良好。如果没有防火墙阻止来自后端的请求或响应,我可能建议检查 Web 服务器端的错误并确保后端在 30 秒(默认值)内响应应用程序网关发送的请求。
您可以从 troubleshooting steps and diagnostic logs, and metrics for Application Gateway and here 获得更多参考资料。
希望这会有所帮助。
事实证明这是 "V2" 在 "Preview" 中的副作用(截至 2018-12-13)。 "Preview" 标签不是很明显。 Azure 门户没有提到它处于预览状态,所有文档都在谈论 "Autoscaling" 处于预览状态。
事实证明,"V2" 意味着 "Autoscaling" 功能,所以整个 "V2" 都在预览中。
我们已经使用 "V1" 应用网关类型重新完成了完全相同的设置,它按预期工作。
我希望他们也能在 Portal 中清楚地标记预览内容...