I am setting up an application gateway on Azure that should establish an end-to-end SSL connection to my Apache httpd server, which serves my pages from a VM.
I have set up the listener and the HTTP settings, and it seems to work with plain HTTP for both the frontend and the backend.
My server serves HTTPS with a ".crt" certificate.
For end-to-end HTTPS to work on the application gateway, you need to whitelist the backend certificate. To do this, you add a ".cer" file in the HTTP settings.
When I request the page, I get the following error:
502 Bad Gateway
Microsoft-Azure-Application-Gateway/v2
I have followed the following guides provided by Microsoft.
As mentioned in the first reference, the FQDN of the backend pool should be the same as the CN of the certificate.
Also, I tried generating a ".pfx" and then exporting the ".cer" and ".crt" files from it, but without any luck.
The backend health probe reports the backend server as healthy, so the app gateway can reach the backend host. I am using V2 and have added the base64-encoded ".cer"; the FQDN is the same as the DNS name of the backend node.
I used the following commands to generate the certificates:
openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 \
-days 1024 -out rootCA.crt
openssl genrsa -out my.domain.com.key 2048
openssl req -new -sha256 -key my.domain.com.key \
-subj "/C=GR/ST=Attica/O=mycompany/CN=my.domain.com" \
-out my.domain.com.csr
openssl x509 -req -in my.domain.com.csr \
-CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
-out my.domain.com.crt -days 500 -sha256
After that, I imported the "rootCA.crt" file into the Windows certificate manager and exported it as a base64 ".cer". I used the exported certificate in the "Trusted root certificates" section of the application gateway.
The deployment template is as follows:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serverapplicationGateways_name_app_gateway_name": {
"defaultValue": "name-app-gateway",
"type": "String"
},
"virtualNetworks_name_app_gateway_externalid": {
"defaultValue": "/subscriptions/[subscription-id]/resourceGroups/name-app-gateway-rg/providers/Microsoft.Network/virtualNetworks/name-app-gateway",
"type": "String"
},
"publicIPAddresses_name_app_gateway_pip_externalid": {
"defaultValue": "/subscriptions/[subscription-id]/resourceGroups/name-app-gateway-rg/providers/Microsoft.Network/publicIPAddresses/name-app-gateway-pip",
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/applicationGateways",
"apiVersion": "2019-04-01",
"name": "[parameters('serverapplicationGateways_name_app_gateway_name')]",
"location": "westeurope",
"properties": {
"provisioningState": "Succeeded",
"resourceGuid": "20beed4d-2ff5-440b-918f-5772d6c91ad2",
"sku": {
"name": "Standard_v2",
"tier": "Standard_v2"
},
"gatewayIPConfigurations": [
{
"name": "appGatewayIpConfig",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"subnet": {
"id": "[concat(parameters('virtualNetworks_name_app_gateway_externalid'), '/subnets/default')]"
}
},
"type": "Microsoft.Network/applicationGateways/gatewayIPConfigurations"
}
],
"sslCertificates": [
{
"name": "company",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"publicCertData": "certificate data"
},
"type": "Microsoft.Network/applicationGateways/sslCertificates"
}
],
"trustedRootCertificates": [
{
"name": "server-uat",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"data": "certificate data"
},
"type": "Microsoft.Network/applicationGateways/trustedRootCertificates"
}
],
"frontendIPConfigurations": [
{
"name": "appGwPublicFrontendIp",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"type": "Microsoft.Network/applicationGateways/frontendIPConfigurations",
"properties": {
"provisioningState": "Succeeded",
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[parameters('publicIPAddresses_name_app_gateway_pip_externalid')]"
}
}
}
],
"frontendPorts": [
{
"name": "port_443",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"port": 443
},
"type": "Microsoft.Network/applicationGateways/frontendPorts"
},
{
"name": "http-port",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"port": 80
},
"type": "Microsoft.Network/applicationGateways/frontendPorts"
}
],
"backendAddressPools": [
{
"name": "server",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"backendAddresses": [
{
"fqdn": "server-prod.internal.company.com"
}
]
},
"type": "Microsoft.Network/applicationGateways/backendAddressPools"
}
],
"backendHttpSettingsCollection": [
{
"name": "server-http-setting",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"port": 443,
"protocol": "Https",
"cookieBasedAffinity": "Disabled",
"pickHostNameFromBackendAddress": true,
"requestTimeout": 20,
"trustedRootCertificates": [
{
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/trustedRootCertificates/server')]"
},
{
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/trustedRootCertificates/httpd')]"
},
{
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/trustedRootCertificates/server-http-settingeeab8427-4514-4ef4-8e94-7d155a76f037')]"
},
{
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/trustedRootCertificates/httpd-root')]"
},
{
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/trustedRootCertificates/server-uat')]"
}
]
},
"type": "Microsoft.Network/applicationGateways/backendHttpSettingsCollection"
},
{
"name": "server-http-80-setting",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"port": 80,
"protocol": "Http",
"cookieBasedAffinity": "Disabled",
"pickHostNameFromBackendAddress": false,
"affinityCookieName": "ApplicationGatewayAffinity",
"requestTimeout": 20
},
"type": "Microsoft.Network/applicationGateways/backendHttpSettingsCollection"
}
],
"httpListeners": [
{
"name": "server-l",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"frontendIPConfiguration": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/frontendIPConfigurations/appGwPublicFrontendIp')]"
},
"frontendPort": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/frontendPorts/port_443')]"
},
"protocol": "Https",
"sslCertificate": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/sslCertificates/company')]"
},
"requireServerNameIndication": false
},
"type": "Microsoft.Network/applicationGateways/httpListeners"
},
{
"name": "server-http-l",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"frontendIPConfiguration": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/frontendIPConfigurations/appGwPublicFrontendIp')]"
},
"frontendPort": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/frontendPorts/http-port')]"
},
"protocol": "Http",
"requireServerNameIndication": false
},
"type": "Microsoft.Network/applicationGateways/httpListeners"
}
],
"urlPathMaps": [],
"requestRoutingRules": [
{
"name": "server-rr",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"ruleType": "Basic",
"httpListener": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/httpListeners/server-l')]"
},
"backendAddressPool": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/backendAddressPools/server')]"
},
"backendHttpSettings": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/backendHttpSettingsCollection/server-http-setting')]"
}
},
"type": "Microsoft.Network/applicationGateways/requestRoutingRules"
},
{
"name": "redirect-to-https",
"etag": "W/\"be033d5e-9b23-400a-b6ca-f5cbede2a4e5\"",
"properties": {
"provisioningState": "Succeeded",
"ruleType": "Basic",
"httpListener": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/httpListeners/server-http-l')]"
},
"backendAddressPool": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/backendAddressPools/server')]"
},
"backendHttpSettings": {
"id": "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('serverapplicationGateways_name_app_gateway_name')), '/backendHttpSettingsCollection/server-http-80-setting')]"
}
},
"type": "Microsoft.Network/applicationGateways/requestRoutingRules"
}
],
"probes": [],
"rewriteRuleSets": [],
"redirectConfigurations": [],
"enableHttp2": false,
"autoscaleConfiguration": {
"minCapacity": 2,
"maxCapacity": 10
}
}
}
]
}
Answer 0: (score: 0)
First, you can check the backend health in the monitoring section of the application gateway. Find the error details for the 502 error and follow this link to troubleshoot step by step. Also, if it works when the settings are configured with the HTTP protocol, you may be able to narrow down the scenario.
Authentication certificates have been deprecated and replaced by trusted root certificates. It seems you need to make sure you whitelist the backend in the HTTP settings using the root certificate.
For the V2 SKU, you should note the following references here.
- Certificates signed by well-known CA authorities whose CN matches the host name in the HTTP backend settings do not require any additional step for end-to-end SSL to work.
- For example, if the backend certificates are issued by a well-known CA and have a CN of contoso.com, and the backend HTTP setting's Host field is also set to contoso.com, then no additional steps are required. You can set the backend HTTP setting protocol to HTTPS and both the health probe and the data path will be SSL enabled. If you are using Azure App Service or other Azure web services as your backend, then these are implicitly trusted as well and no further steps are required for end-to-end SSL.
- If the certificate is self-signed, or signed by unknown intermediaries, then to enable end-to-end SSL in the v2 SKU a trusted root certificate must be defined. Application Gateway will only communicate with backends whose server certificate's root certificate matches one of the trusted root certificates in the backend HTTP setting associated with the pool.
- In addition to the root certificate match, Application Gateway also validates that the Host setting specified in the backend HTTP setting matches the common name (CN) presented by the backend server's SSL certificate. When trying to establish an SSL connection to the backend, Application Gateway sets the Server Name Indication (SNI) extension to the Host specified in the backend HTTP setting.
- If "pick hostname from backend address" is chosen instead of the Host field in the backend HTTP setting, then the SNI header is always set to the backend pool FQDN and the CN on the backend server's SSL certificate must match its FQDN. Backend pool members with IPs are not supported in this scenario.
- The root certificate is a base64-encoded root certificate from the backend server certificates.
If none of the above works, you could upload your settings, with the sensitive data hidden, for further help.
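As an added example (not part of the question or the answer), a Python check that reads an Application Gateway ARM template of the shape posted above and reports the two v2 end-to-end TLS constraints the answer quotes: every trusted root referenced from an HTTPS backend HTTP setting must be defined on the gateway itself, and when "pick hostname from backend address" is enabled, the pool routed to that setting may only contain FQDN members. The embedded template is a constructed, reduced copy with hypothetical names, and lint() assumes the gateway is the first resource in the template, as in the posted one.

```python
# Constructed, reduced template in the shape of the one posted in the question;
# the names are hypothetical placeholders, not the poster's real resources.
GW = "[concat(resourceId('Microsoft.Network/applicationGateways', parameters('gw')), '"
TEMPLATE = {"resources": [{"type": "Microsoft.Network/applicationGateways", "properties": {
    "trustedRootCertificates": [{"name": "server-uat"}],
    "backendAddressPools": [{"name": "server", "properties": {"backendAddresses": [
        {"fqdn": "server-prod.internal.company.com"}, {"ipAddress": "10.0.0.4"}]}}],
    "backendHttpSettingsCollection": [{"name": "server-http-setting", "properties": {
        "protocol": "Https", "pickHostNameFromBackendAddress": True,
        "trustedRootCertificates": [{"id": GW + "/trustedRootCertificates/server')]"},
                                    {"id": GW + "/trustedRootCertificates/server-uat')]"}]}}],
    "requestRoutingRules": [{"name": "server-rr", "properties": {
        "backendAddressPool": {"id": GW + "/backendAddressPools/server')]"},
        "backendHttpSettings": {"id": GW + "/backendHttpSettingsCollection/server-http-setting')]"}}}],
}}]}

def last_segment(ref):
    """Resource name at the end of an ARM id expression: ".../trustedRootCertificates/x')]" -> "x"."""
    return ref.rstrip("')]").rsplit("/", 1)[-1]

def lint(template):
    """Return findings for the two v2 end-to-end TLS constraints quoted in the answer."""
    props = template["resources"][0]["properties"]  # assumes the gateway is the first resource
    roots = {c["name"] for c in props.get("trustedRootCertificates", [])}
    pools = {p["name"]: p["properties"].get("backendAddresses", [])
             for p in props.get("backendAddressPools", [])}
    settings = {s["name"]: s["properties"] for s in props.get("backendHttpSettingsCollection", [])}
    findings = []
    # 1. Every trusted root an HTTPS setting points at must exist on the gateway.
    for name, s in settings.items():
        if s.get("protocol") != "Https":
            continue
        for ref in s.get("trustedRootCertificates", []):
            root = last_segment(ref["id"])
            if root not in roots:
                findings.append(f"{name}: references undefined trusted root '{root}'")
    # 2. With pickHostNameFromBackendAddress the SNI/CN check uses the pool FQDN, so an
    #    IP-address member of a pool routed to that setting can never satisfy it.
    for rule in props.get("requestRoutingRules", []):
        rp = rule["properties"]
        s = settings.get(last_segment(rp["backendHttpSettings"]["id"]), {})
        pool = last_segment(rp["backendAddressPool"]["id"])
        if s.get("protocol") == "Https" and s.get("pickHostNameFromBackendAddress"):
            for member in pools.get(pool, []):
                if "fqdn" not in member:
                    findings.append(f"{rule['name']}: pool '{pool}' member {member} is not an FQDN")
    return findings
```

To run it against a real export, pass the parsed JSON of the template file to lint(); each finding names the HTTP setting or routing rule it applies to.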