在 Azure 应用服务中使用 TLS/SSL 绑定保护自定义 DNS 名称Secure a custom DNS name with a TLS/SSL binding in Azure App Service
本文介绍如何通过创建证书绑定来确保应用服务应用或函数应用中自定义域的安全。This article shows you how to secure the custom domain in your App Service app or function app by creating a certificate binding. 完成后,可访问自定义 DNS 名称(例如,https://www.contoso.com)的 https:// 终结点处的应用服务应用。When you're finished, you can access your App Service app at the https:// endpoint for your custom DNS name (for example, https://www.contoso.com).
使用证书来确保自定义域的安全涉及两个步骤:Securing a custom domain with a certificate involves two steps:
- 将专用证书添加到应用服务,以满足所有专用证书要求。Add a private certificate to App Service that satisfies all the private certificate requirements.
- 创建相应自定义域的 TLS 绑定。Create a TLS binding to the corresponding custom domain. 本文介绍第二步。This second step is covered by this article.
本教程介绍如何执行下列操作:In this tutorial, you learn how to:
- 升级应用的定价层Upgrade your app's pricing tier
- 使用证书确保自定义域的安全Secure a custom domain with a certificate
- 实施 HTTPSEnforce HTTPS
- 强制实施 TLS 1.1/1.2Enforce TLS 1.1/1.2
- 使用脚本自动完成 TLS 管理Automate TLS management with scripts
先决条件Prerequisites
按照本操作方法指南操作:To follow this how-to guide:
- 创建应用服务应用Create an App Service app
- 将域名映射到应用Map a domain name to your app
- 将专用证书添加到应用Add a private certificate to your app
准备 Web 应用Prepare your web app
若要为应用服务应用创建自定义安全绑定或启用客户端证书,应用服务计划必须位于“基本” 、“标准” 、“高级” 或“独立” 层级。To create custom security bindings or enable client certificates for your App Service app, your App Service plan must be in the Basic, Standard, Premium, or Isolated tier. 在此步骤中,请确保 Web 应用位于受支持的定价层。In this step, you make sure that your web app is in the supported pricing tier.
登录 AzureSign in to Azure
打开 Azure 门户。Open the Azure portal.
导航到 Web 应用Navigate to your web app
搜索并选择“应用服务”。 Search for and select App Services.
在“应用服务”页上,选择 Web 应用的名称 。On the App Services page, select the name of your web app.
你已登录到 Web 应用的管理页。You have landed on the management page of your web app.
检查定价层Check the pricing tier
在 Web 应用页的左侧导航窗格中,滚动到“设置” 部分,然后选择“增加(应用服务计划)” 。In the left-hand navigation of your web app page, scroll to the Settings section and select Scale up (App Service plan).
检查以确保 Web 应用不在 F1 或 D1 层中。Check to make sure that your web app is not in the F1 or D1 tier. 深蓝色的框突出显示了 Web 应用的当前层。Your web app's current tier is highlighted by a dark blue box.
F1 或 D1 层不支持自定义 SSL。Custom SSL is not supported in the F1 or D1 tier. 如果需要增加,请按照下一部分中的步骤进行操作。If you need to scale up, follow the steps in the next section. 否则,请关闭“纵向扩展” 页,并跳过纵向扩展应用服务计划部分。Otherwise, close the Scale up page and skip the Scale up your App Service plan section.
纵向扩展应用服务计划Scale up your App Service plan
选择任何非免费层(B1、B2、B3,或“生产” 类别中的任何层)。Select any of the non-free tiers (B1, B2, B3, or any tier in the Production category). 有关其他选项,请单击“查看其他选项” 。For additional options, click See additional options.
单击“应用” 。Click Apply.
看到以下通知时,说明缩放操作已完成。When you see the following notification, the scale operation is complete.
确保自定义域的安全Secure a custom domain
执行以下步骤:Do the following steps:
在 Azure 门户的左侧菜单中,选择“应用程序服务” > “<app-name>” 。In the Azure portal, from the left menu, select App Services > <app-name>.
在应用的左侧导航窗格中,通过以下方式启动“TLS/SSL 绑定”对话框:From the left navigation of your app, start the TLS/SSL Binding dialog by:
- 选择“自定义域” > “添加绑定” Selecting Custom domains > Add binding
- 选择“TLS/SSL 设置” > “添加 TLS/SSL 绑定” Selecting TLS/SSL settings > Add TLS/SSL binding
在“自定义域”中,选择要添加绑定的自定义域。In Custom Domain, select the custom domain you want to add a binding for.
如果应用已具有所选自定义域的证书,请直接转到创建绑定。If your app already has a certificate for the selected custom domain, go to Create binding directly. 反之,请继续操作。Otherwise, keep going.
为自定义域添加证书Add a certificate for custom domain
如果应用不具有所选自定义域的证书,则有以下两种选择:If your app has no certificate for the selected custom domain, then you have two options:
- 上传 PFX 证书 - 遵循上传专用证书中的工作流,然后在此处选择此选项。Upload PFX Certificate - Follow the workflow at Upload a private certificate, then select this option here.
创建绑定Create binding
根据下表的要求在“TLS/SSL 绑定”对话框中配置 TLS 绑定,然后单击“添加绑定” 。Use the following table to help you configure the TLS binding in the TLS/SSL Binding dialog, then click Add Binding.
| 设置Setting | 说明Description |
|---|---|
| 自定义域Custom domain | 要为其添加 TLS/SSL 绑定的域名。The domain name to add the TLS/SSL binding for. |
| 私有证书指纹Private Certificate Thumbprint | 要绑定的证书。The certificate to bind. |
| TLS/SSL 类型TLS/SSL Type |
|
操作完成之后,自定义域的 TLS/SSL 状态会更改为“安全” 。Once the operation is complete, the custom domain's TLS/SSL state is changed to Secure.
备注
“自定义域”中的状态为“安全”意味着已使用证书保护该域,但应用服务并未检查该证书是自签名证书还是已过期证书,这可能也会导致浏览器异常,例如显示错误或警告。 A Secure state in the Custom domains means that it is secured with a certificate, but App Service doesn't check if the certificate is self-signed or expired, for example, which can also cause browsers to show an error or warning.
重新映射 IP SSL 的记录Remap records for IP SSL
如果不在应用中使用 IP SSL,请跳到针对自定义域测试 HTTPS。If you don't use IP SSL in your app, skip to Test HTTPS for your custom domain.
可能需要进行两项更改:There are two changes you need to make, potentially:
默认情况下,应用使用共享的公共 IP 地址。By default, your app uses a shared public IP address. 将证书与 IP SSL 绑定时,应用服务会为应用创建新的专用 IP 地址。When you bind a certificate with IP SSL, App Service creates a new, dedicated IP address for your app. 如果已将 A 记录映射到应用,请使用这个新的专用 IP 地址更新域注册表。If you mapped an A record to your app, update your domain registry with this new, dedicated IP address.
将使用新的专用 IP 地址更新应用的“自定义域”页。Your app's Custom domain page is updated with the new, dedicated IP address. 复制此 IP 地址,然后将 A 记录重新映射到此新 IP 地址。Copy this IP address, then remap the A record to this new IP address.
如果已有到
<app-name>.chinacloudsites.cn的 SNI SSL 绑定,请重新映射任何 CNAME 映射,让其改为指向sni.<app-name>.chinacloudsites.cn(添加sni前缀)。If you have an SNI SSL binding to<app-name>.chinacloudsites.cn, remap any CNAME mapping to point tosni.<app-name>.chinacloudsites.cninstead (add thesniprefix).
测试 HTTPSTest HTTPS
在不同的浏览器中,导航到 https://<your.custom.domain> 以核实其是否适合应用。In various browsers, browse to https://<your.custom.domain> to verify that it serves up your app.
应用程序代码可以通过“x-appservice-proto”标头检查协议。Your application code can inspect the protocol via the "x-appservice-proto" header. 该标头的值将为 http 或 https。The header will have a value of http or https.
备注
如果应用显示证书验证错误,可能是因为使用自签名证书。If your app gives you certificate validation errors, you're probably using a self-signed certificate.
如果不是这样,可能是在将证书导出为 PFX 文件时遗漏了中间证书。If that's not the case, you may have left out intermediate certificates when you export your certificate to the PFX file.
防止 IP 更改Prevent IP changes
在删除某个绑定时,即使该绑定是 IP SSL,入站 IP 地址也可能会更改。Your inbound IP address can change when you delete a binding, even if that binding is IP SSL. 在续订已进行 IP SSL 绑定的证书时,了解这一点尤为重要。This is especially important when you renew a certificate that's already in an IP SSL binding. 若要避免应用的 IP 地址更改,请按顺序执行以下步骤:To avoid a change in your app's IP address, follow these steps in order:
- 上传新证书。Upload the new certificate.
- 将新证书绑定到所需的自定义域,不要删除旧证书。Bind the new certificate to the custom domain you want without deleting the old one. 此操作替换而不是删除旧的绑定。This action replaces the binding instead of removing the old one.
- 删除旧证书。Delete the old certificate.
实施 HTTPSEnforce HTTPS
默认情况下,任何人都仍可使用 HTTP 访问应用。By default, anyone can still access your app using HTTP. 可以将所有 HTTP 请求都重定向到 HTTPS 端口。You can redirect all HTTP requests to the HTTPS port.
在应用页的左侧导航窗格中,选择“SSL 设置”。In your app page, in the left navigation, select SSL settings. 然后,在“仅 HTTPS”中,选择“启用”。Then, in HTTPS Only, select On.
该操作完成后,将导航到指向应用的任一 HTTP URL。When the operation is complete, navigate to any of the HTTP URLs that point to your app. 例如:For example:
http://<app_name>.chinacloudsites.cnhttp://contoso.comhttp://www.contoso.com
强制实施 TLS 版本Enforce TLS versions
应用默认情况下允许 TLS 1.2,这是行业标准(例如 PCI DSS)建议的 TLS 级别。Your app allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. 若要强制实施不同的 TLS 版本,请按照下列步骤操作:To enforce different TLS versions, follow these steps:
在应用页的左侧导航窗格中,选择“SSL 设置”。In your app page, in the left navigation, select SSL settings. 然后,在“TLS 版本”中,选择所需的最低 TLS 版本。Then, in TLS version, select the minimum TLS version you want. 此设置仅控制入站调用。This setting controls the inbound calls only.
该操作完成后,你的应用将拒绝使用更低 TLS 版本的所有连接。When the operation is complete, your app rejects all connections with lower TLS versions.
处理 TLS 终止Handle TLS termination
在应用服务中,TLS 终止在网络负载均衡器上发生,因此,所有 HTTPS 请求将以未加密的 HTTP 请求形式访问你的应用。In App Service, TLS termination happens at the network load balancers, so all HTTPS requests reach your app as unencrypted HTTP requests. 如果应用逻辑需要检查用户请求是否已加密,可以检查 X-Forwarded-Proto 标头。If your app logic needs to check if the user requests are encrypted or not, inspect the X-Forwarded-Proto header.
特定于语言的配置指南,如 Linux Node.js 配置指南,介绍如何在应用程序代码中检测 HTTPS 会话。Language specific configuration guides, such as the Linux Node.js configuration guide, shows you how to detect an HTTPS session in your application code.
使用脚本自动化Automate with scripts
Azure CLIAzure CLI
#!/bin/bash
fqdn=<replace-with-www.{yourdomain}>
pfxPath=<replace-with-path-to-your-.PFX-file>
pfxPassword=<replace-with-your=.PFX-password>
resourceGroup=myResourceGroup
webappname=mywebapp$RANDOM
# Create a resource group.
az group create --location chinaeast --name $resourceGroup
# Create an App Service plan in Basic tier (minimum required by custom domains).
az appservice plan create --name $webappname --resource-group $resourceGroup --sku B1
# Create a web app.
az webapp create --name $webappname --resource-group $resourceGroup \
--plan $webappname
echo "Configure a CNAME record that maps $fqdn to $webappname.chinacloudsites.cn"
read -p "Press [Enter] key when ready ..."
# Before continuing, go to your DNS configuration UI for your custom domain and follow the
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the
# hostname "www" and point it your web app's default domain name.
# Map your prepared custom domain name to the web app.
az webapp config hostname add --webapp-name $webappname --resource-group $resourceGroup \
--hostname $fqdn
# Upload the SSL certificate and get the thumbprint.
thumbprint=$(az webapp config ssl upload --certificate-file $pfxPath \
--certificate-password $pfxPassword --name $webappname --resource-group $resourceGroup \
--query thumbprint --output tsv)
# Binds the uploaded SSL certificate to the web app.
az webapp config ssl bind --certificate-thumbprint $thumbprint --ssl-type SNI \
--name $webappname --resource-group $resourceGroup
echo "You can now browse to https://$fqdn"
PowerShellPowerShell
$fqdn="<Replace with your custom domain name>"
$pfxPath="<Replace with path to your .PFX file>"
$pfxPassword="<Replace with your .PFX password>"
$webappname="mywebapp$(Get-Random)"
$location="China East"
# Create a resource group.
New-AzResourceGroup -Name $webappname -Location $location
# Create an App Service plan in Free tier.
New-AzAppServicePlan -Name $webappname -Location $location `
-ResourceGroupName $webappname -Tier Free
# Create a web app.
New-AzWebApp -Name $webappname -Location $location -AppServicePlan $webappname `
-ResourceGroupName $webappname
Write-Host "Configure a CNAME record that maps $fqdn to $webappname.chinacloudsites.cn"
Read-Host "Press [Enter] key when ready ..."
# Before continuing, go to your DNS configuration UI for your custom domain and follow the
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the
# hostname "www" and point it your web app's default domain name.
# Upgrade App Service plan to Basic tier (minimum required by custom SSL certificates)
Set-AzAppServicePlan -Name $webappname -ResourceGroupName $webappname `
-Tier Basic
# Add a custom domain name to the web app.
Set-AzWebApp -Name $webappname -ResourceGroupName $webappname `
-HostNames @($fqdn,"$webappname.chinacloudsites.cn")
# Upload and bind the SSL certificate to the web app.
New-AzWebAppSSLBinding -WebAppName $webappname -ResourceGroupName $webappname -Name $fqdn `
-CertificateFilePath $pfxPath -CertificatePassword $pfxPassword -SslState SniEnabled