Azure 应用程序网关未传递客户端证书
Client Certificate is not being passed on by Azure Application Gateway
我选择了别人设置的东西。
我们有一个 API 管理实例,位于应用程序网关后面,它有一个关于 API:
的策略
<inbound>
<choose>
<when condition="@(context.Request.Certificate == null)">
<return-response>
<set-status code="403" reason="Client certificate required..d1PD" />
</return-response>
</when>
</choose>
<choose>
<when condition="@(!context.Request.Certificate.Verify())">
<return-response>
<set-status code="403" reason="Client certificate cannot be verified..d2PD " />
</return-response>
</when>
</choose>
<choose>
<when condition="@(!context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
<return-response>
<set-status code="403" reason="Client certificate is untrusted or invalid..d3PD" />
</return-response>
</when>
</choose>
<base />
</inbound>
在 Postman 中,我正在传递证书和密钥。 Postman 控制台显示
Client Certificate:
keyPath:"C:\selfsigned\internalscm.X.com.key"
pemPath:"C:\selfsigned\internalscm.X.com.crt"
pfxPath:""
我在请求的 header 中传递了 Ocp-Apim-Trace,所以我得到了一个回溯,其中包含:
traceEntries {2}
inbound [10]
..
6 {4}
source : authentication-certificate
timestamp : 2019-08-06T08:55:31.3435485Z
elapsed : 00:00:00.0006857
data {2}
message : Certificate was attached to request per configuration.
certificate {...}
7 {4}
source : choose
timestamp : 2019-08-06T08:55:31.3435485Z
elapsed : 00:00:00.0007011
data {3}
message : Expression was successfully evaluated.
expression : context.Request.Certificate == null
value : true
更新:
authentication-certificate 评估是后端证书,与 Postman 声称包含在请求中的客户端证书(.key 和 .crt)无关(如果我传递 pfx 和密码而不是 .key 和 .crt,则会返回相同的结果。
当我点击网关正在保护的 API 时,我可以在跟踪中看到它正在处理客户端证书(并返回 200):
{
"source": "client-certificate-handler",
"timestamp": "2019-08-09T15:47:46.3825928Z",
"elapsed": "00:00:00.0005974",
"data": "Requesting client certificate because next handler requires access to it."
},
{
"source": "client-certificate-handler",
"timestamp": "2019-08-09T15:47:46.6950495Z",
"elapsed": "00:00:00.3225172",
"data": "Client certificate thumbprint '6C03F4E7999999999999999999999999' received."
},
{
"source": "choose",
"timestamp": "2019-08-09T15:47:46.6950495Z",
"elapsed": "00:00:00.3225288",
"data": {
"message": "Expression was successfully evaluated.",
"expression": "context.Request.Certificate == null",
"value": false
}
},
{
"source": "choose",
"timestamp": "2019-08-09T15:47:46.9606395Z",
"elapsed": "00:00:00.5849700",
"data": {
"message": "Expression was successfully evaluated.",
"expression": "!context.Request.Certificate.Verify()",
"value": false
}
},
{
"source": "choose",
"timestamp": "2019-08-09T15:47:46.9606395Z",
"elapsed": "00:00:00.5850060",
"data": {
"message": "Expression was successfully evaluated.",
"expression": "!context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint)",
"value": false
}
}
看来 AppGateway 正在删除客户端证书。
跟踪不足以让我开始推断为什么客户端证书(假设 Postman 像 API 一样将其传输到网关)被丢弃。我应该从哪里开始?
作为参考,当我删除政策时,请求会按预期处理。
我不确定您是否可以让 AppGateway 通过证书 - 您需要查看他们的文档。我持怀疑态度的原因是因为 AppGateway 的整个想法是调查流量并通过这样做提供保护。唯一的方法是在 AppGateway 级别终止 SSL 连接。有关更多信息,请参见此处:https://docs.microsoft.com/en-us/azure/application-gateway/ssl-overview AppGateway 有两种模式:当 AppGAteway 对后端进行 HTTP(而非 HTTPS)调用时的 SSL 终止,以及当 AppGateway 使用自己的 SSL 证书连接到 bakend 时的端到端 SSL。
我选择了别人设置的东西。 我们有一个 API 管理实例,位于应用程序网关后面,它有一个关于 API:
的策略<inbound>
<choose>
<when condition="@(context.Request.Certificate == null)">
<return-response>
<set-status code="403" reason="Client certificate required..d1PD" />
</return-response>
</when>
</choose>
<choose>
<when condition="@(!context.Request.Certificate.Verify())">
<return-response>
<set-status code="403" reason="Client certificate cannot be verified..d2PD " />
</return-response>
</when>
</choose>
<choose>
<when condition="@(!context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
<return-response>
<set-status code="403" reason="Client certificate is untrusted or invalid..d3PD" />
</return-response>
</when>
</choose>
<base />
</inbound>
在 Postman 中,我正在传递证书和密钥。 Postman 控制台显示
Client Certificate:
keyPath:"C:\selfsigned\internalscm.X.com.key"
pemPath:"C:\selfsigned\internalscm.X.com.crt"
pfxPath:""
我在请求的 header 中传递了 Ocp-Apim-Trace,所以我得到了一个回溯,其中包含:
traceEntries {2}
inbound [10]
..
6 {4}
source : authentication-certificate
timestamp : 2019-08-06T08:55:31.3435485Z
elapsed : 00:00:00.0006857
data {2}
message : Certificate was attached to request per configuration.
certificate {...}
7 {4}
source : choose
timestamp : 2019-08-06T08:55:31.3435485Z
elapsed : 00:00:00.0007011
data {3}
message : Expression was successfully evaluated.
expression : context.Request.Certificate == null
value : true
更新:
authentication-certificate 评估是后端证书,与 Postman 声称包含在请求中的客户端证书(.key 和 .crt)无关(如果我传递 pfx 和密码而不是 .key 和 .crt,则会返回相同的结果。
当我点击网关正在保护的 API 时,我可以在跟踪中看到它正在处理客户端证书(并返回 200):
{
"source": "client-certificate-handler",
"timestamp": "2019-08-09T15:47:46.3825928Z",
"elapsed": "00:00:00.0005974",
"data": "Requesting client certificate because next handler requires access to it."
},
{
"source": "client-certificate-handler",
"timestamp": "2019-08-09T15:47:46.6950495Z",
"elapsed": "00:00:00.3225172",
"data": "Client certificate thumbprint '6C03F4E7999999999999999999999999' received."
},
{
"source": "choose",
"timestamp": "2019-08-09T15:47:46.6950495Z",
"elapsed": "00:00:00.3225288",
"data": {
"message": "Expression was successfully evaluated.",
"expression": "context.Request.Certificate == null",
"value": false
}
},
{
"source": "choose",
"timestamp": "2019-08-09T15:47:46.9606395Z",
"elapsed": "00:00:00.5849700",
"data": {
"message": "Expression was successfully evaluated.",
"expression": "!context.Request.Certificate.Verify()",
"value": false
}
},
{
"source": "choose",
"timestamp": "2019-08-09T15:47:46.9606395Z",
"elapsed": "00:00:00.5850060",
"data": {
"message": "Expression was successfully evaluated.",
"expression": "!context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint)",
"value": false
}
}
看来 AppGateway 正在删除客户端证书。
跟踪不足以让我开始推断为什么客户端证书(假设 Postman 像 API 一样将其传输到网关)被丢弃。我应该从哪里开始?
作为参考,当我删除政策时,请求会按预期处理。
我不确定您是否可以让 AppGateway 通过证书 - 您需要查看他们的文档。我持怀疑态度的原因是因为 AppGateway 的整个想法是调查流量并通过这样做提供保护。唯一的方法是在 AppGateway 级别终止 SSL 连接。有关更多信息,请参见此处:https://docs.microsoft.com/en-us/azure/application-gateway/ssl-overview AppGateway 有两种模式:当 AppGAteway 对后端进行 HTTP(而非 HTTPS)调用时的 SSL 终止,以及当 AppGateway 使用自己的 SSL 证书连接到 bakend 时的端到端 SSL。