Azure Application Gateway not passing the client certificate

Time: 2019-08-06 09:08:28

Tags: azure ssl azure-api-management

I have inherited something somebody else set up. We have an API Management instance sitting behind an Application Gateway, with the following policy on the API:

    <inbound>
        <choose>
            <when condition="@(context.Request.Certificate == null)">
                <return-response>
                    <set-status code="403" reason="Client certificate required..d1PD" />
                </return-response>
            </when>
        </choose>
        <choose>
            <when condition="@(!context.Request.Certificate.Verify())">
                <return-response>
                    <set-status code="403" reason="Client certificate cannot be verified..d2PD " />
                </return-response>
            </when>
        </choose>
        <choose>
            <when condition="@(!context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
                <return-response>
                    <set-status code="403" reason="Client certificate is untrusted or invalid..d3PD" />
                </return-response>
            </when>
        </choose>
        <base />
    </inbound>

In Postman I am passing the certificate and key. The Postman console shows

Client Certificate:
keyPath:"C:\selfsigned\internalscm.X.com.key"
pemPath:"C:\selfsigned\internalscm.X.com.crt"
pfxPath:""

I am passing Ocp-Apim-Trace in the request headers, so I get a trace that contains the following:

traceEntries        {2}
  inbound       [10]
..
    6       {4}
        source  :   authentication-certificate
        timestamp   :   2019-08-06T08:55:31.3435485Z
        elapsed :   00:00:00.0006857
            data        {2}
                message :   Certificate was attached to request per configuration.
                certificate     {...}
    7       {4}
        source  :   choose
        timestamp   :   2019-08-06T08:55:31.3435485Z
        elapsed :   00:00:00.0007011
            data        {3}
                message :   Expression was successfully evaluated.
                expression  :   context.Request.Certificate == null
                value   :   true

Update:

The authentication-certificate evaluation is of the backend certificate and has nothing to do with the client certificate (.key/.crt) that Postman claims to include in the request (the same result comes back if I pass a pfx and password instead of .key/.crt).

When I hit the API protected by the gateway, I can see in the trace that it is processing the client certificate (and returns 200):

      {
        "source": "client-certificate-handler",
        "timestamp": "2019-08-09T15:47:46.3825928Z",
        "elapsed": "00:00:00.0005974",
        "data": "Requesting client certificate because next handler requires access to it."
      },
      {
        "source": "client-certificate-handler",
        "timestamp": "2019-08-09T15:47:46.6950495Z",
        "elapsed": "00:00:00.3225172",
        "data": "Client certificate thumbprint '6C03F4E7999999999999999999999999'  received."
      },
      {
        "source": "choose",
        "timestamp": "2019-08-09T15:47:46.6950495Z",
        "elapsed": "00:00:00.3225288",
        "data": {
          "message": "Expression was successfully evaluated.",
          "expression": "context.Request.Certificate == null",
          "value": false
        }
      },
      {
        "source": "choose",
        "timestamp": "2019-08-09T15:47:46.9606395Z",
        "elapsed": "00:00:00.5849700",
        "data": {
          "message": "Expression was successfully evaluated.",
          "expression": "!context.Request.Certificate.Verify()",
          "value": false
        }
      },
      {
        "source": "choose",
        "timestamp": "2019-08-09T15:47:46.9606395Z",
        "elapsed": "00:00:00.5850060",
        "data": {
          "message": "Expression was successfully evaluated.",
          "expression": "!context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint)",
          "value": false
        }
      }

So it appears that the AppGateway is stripping the client certificate.

The trace does not give me enough information to start working out why the client certificate is being dropped (assuming Postman sends it to the gateway the same way it sends it to the API). Where should I start?

For reference, when I remove that policy the request is handled as expected.
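As an added example (not part of the question or the answer), a small Python helper that reads the two kinds of Ocp-Apim-Trace output quoted above and reports whether the caller's certificate actually reached the APIM policy engine, separating it from the authentication-certificate entry, which concerns the certificate APIM attaches toward the backend. The trace excerpts are constructed to mirror the quoted ones (abridged), and the entry shape, a list of source/data objects, is an assumption about the trace format.

```python
import re

# Trace excerpts constructed to mirror the two traces quoted in the question
# (abridged). Assumed shape: a list of {"source": ..., "data": ...} entries.
TRACE_VIA_GATEWAY = [
    {"source": "authentication-certificate",
     "data": {"message": "Certificate was attached to request per configuration."}},
    {"source": "choose",
     "data": {"expression": "context.Request.Certificate == null", "value": True}},
]
TRACE_DIRECT = [
    {"source": "client-certificate-handler",
     "data": "Requesting client certificate because next handler requires access to it."},
    {"source": "client-certificate-handler",
     "data": "Client certificate thumbprint '6C03F4E7999999999999999999999999'  received."},
    {"source": "choose",
     "data": {"expression": "context.Request.Certificate == null", "value": False}},
]

THUMBPRINT_RE = re.compile(r"thumbprint '([0-9A-Fa-f]+)'\s+received")


def diagnose(entries):
    """Classify an APIM trace: did the caller's certificate reach the policy engine?"""
    handler_msgs = [e["data"] for e in entries
                    if e["source"] == "client-certificate-handler" and isinstance(e["data"], str)]
    null_checks = [e["data"]["value"] for e in entries
                   if e["source"] == "choose" and isinstance(e["data"], dict)
                   and e["data"].get("expression") == "context.Request.Certificate == null"]
    # authentication-certificate is the cert APIM presents to the backend, not the caller's
    backend_cert = any(e["source"] == "authentication-certificate" for e in entries)

    thumb = None
    for msg in handler_msgs:
        found = THUMBPRINT_RE.search(msg)
        if found:
            thumb = found.group(1).upper()

    result = {"client_cert_received": thumb is not None, "thumbprint": thumb,
              "backend_cert_attached": backend_cert}
    if thumb is not None and null_checks and null_checks[-1] is False:
        result["verdict"] = "client certificate reached APIM"
    elif null_checks and null_checks[-1] is True:
        result["verdict"] = ("no client certificate in the TLS session APIM saw; "
                             "TLS was most likely terminated upstream")
    else:
        result["verdict"] = "inconclusive: no Certificate == null evaluation in trace"
    return result
```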

1 answer:

Answer 0 (score: 0)

I am not sure you can make the AppGateway pass the certificate through; you would need to check its documentation. The reason I doubt it is that the whole idea of the AppGateway is to inspect the traffic and provide protection by doing so. The only way to do that is to terminate the SSL connection at the AppGateway level. See here for more information: https://docs.microsoft.com/en-us/azure/application-gateway/ssl-overview. There are two modes for the AppGateway: SSL termination, where the AppGateway makes HTTP (not HTTPS) calls to the backend, and SSL end-to-end, where the AppGateway connects to the backend using its own SSL certificate.