Secure a custom DNS name with a TLS/SSL binding in Azure App Service

This article shows you how to secure the custom domain of your App Service app or function app by creating a certificate binding. When you're finished, you can access your App Service app at the https:// endpoint for your custom DNS name (for example, https://www.contoso.com).

Web app with a custom TLS/SSL certificate

Securing a custom domain with a certificate involves two steps:

In this tutorial, you learn how to:

  • Upgrade your app's pricing tier
  • Secure a custom domain with a certificate
  • Enforce HTTPS
  • Enforce TLS 1.1/1.2
  • Automate TLS management with scripts

Prerequisites

To follow this how-to guide:

Prepare your web app

To create custom security bindings or enable client certificates for your App Service app, your App Service plan must be in the Basic, Standard, Premium, or Isolated tier. In this step, you make sure that your web app is in a supported pricing tier.

Sign in to Azure

Open the Azure portal.

Search for and select App Services.

Select App Services

On the App Services page, select the name of your web app.

Navigate to the Azure app in the portal

You have landed on the management page of your web app.

Check the pricing tier

In the left-hand navigation of your web app page, scroll to the Settings section and select Scale up (App Service plan).

Scale up menu

Check to make sure that your web app is not in the F1 or D1 tier. Your web app's current tier is highlighted by a dark blue box.

Check pricing tier

Custom SSL is not supported in the F1 or D1 tier. If you need to scale up, follow the steps in the next section. Otherwise, close the Scale up page and skip the Scale up your App Service plan section.

Scale up your App Service plan

Select any of the non-free tiers (B1, B2, B3, or any tier in the Production category). For additional options, click See additional options.

Click Apply.

Choose pricing tier

When you see the following notification, the scale operation is complete.

Scale up notification

Secure a custom domain

Do the following steps:

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, start the TLS/SSL Binding dialog by doing either of the following:

  • Selecting Custom domains > Add binding
  • Selecting TLS/SSL settings > Add TLS/SSL binding

Add binding for domain

In Custom Domain, select the custom domain you want to add a binding for.

If your app already has a certificate for the selected custom domain, go to Create binding directly. Otherwise, keep going.

Add a certificate for custom domain

If your app has no certificate for the selected custom domain, then you have two options:

Create binding

Use the following table to help you configure the TLS binding in the TLS/SSL Binding dialog, then click Add Binding.

Setting                         Description
Custom domain                   The domain name to add the TLS/SSL binding for.
Private Certificate Thumbprint  The certificate to bind.
TLS/SSL Type                    One of the following:
  • SNI SSL - Multiple SNI SSL bindings may be added. This option allows multiple TLS/SSL certificates to secure multiple domains on the same IP address. Most modern browsers (including Internet Explorer, Chrome, Firefox, and Opera) support SNI. A client that does not send SNI cannot be served the certificate bound this way, so verify any non-browser clients (older tooling, embedded devices) before choosing this type.
  • IP SSL - Only one IP SSL binding may be added. This option allows only one TLS/SSL certificate to secure a dedicated public IP address. After you configure the binding, follow the steps in Remap records for IP SSL. IP SSL is supported only in the Standard tier or above.

Once the operation is complete, the custom domain's TLS/SSL state changes to Secure.

TLS/SSL binding successful

Note

A Secure state in Custom domains means only that a certificate is bound to the domain. App Service does not check whether that certificate is self-signed or expired, for example, and either condition still causes browsers to show an error or warning.

Remap records for IP SSL

If you don't use IP SSL in your app, skip to Test HTTPS for your custom domain.

There are two changes you may need to make:

  • By default, your app uses a shared public IP address. When you bind a certificate with IP SSL, App Service creates a new, dedicated IP address for your app. If you mapped an A record to your app, update your domain registry with this new, dedicated IP address.

    Your app's Custom domain page is updated with the new, dedicated IP address. Copy this IP address, then remap the A record to this new IP address.

  • If you have an SNI SSL binding to <app-name>.chinacloudsites.cn, remap any CNAME mapping to point to sni.<app-name>.chinacloudsites.cn instead (add the sni prefix).

Test HTTPS

In various browsers, browse to https://<your.custom.domain> to verify that it serves up your app. For an SNI SSL binding, the client must send SNI (all current browsers do); a client that omits it is not served the certificate you bound.

Screenshot showing an example of browsing to your custom domain, with the contoso.com URL highlighted.

Your application code can inspect the protocol via the "x-appservice-proto" header. The header has a value of http or https.

Note

If your app gives you certificate validation errors, you're probably using a self-signed certificate.

If that's not the case, you may have left out the intermediate certificates when you exported your certificate to the PFX file. App Service serves only the chain contained in the PFX, so a leaf without its intermediates fails validation in clients that don't fetch missing issuers themselves.

Prevent IP changes

Your inbound IP address can change when you delete a binding, even if that binding is IP SSL. This is especially important when you renew a certificate that's already in an IP SSL binding. To avoid a change in your app's IP address, follow these steps in order:

  1. Upload the new certificate.
  2. Bind the new certificate to the custom domain you want without deleting the old one. This action replaces the binding instead of removing the old one.
  3. Delete the old certificate.

Enforce HTTPS

By default, anyone can still access your app using HTTP. You can redirect all HTTP requests to the HTTPS port.

In your app page, in the left navigation, select TLS/SSL settings. Then, in HTTPS Only, select On.

Enforce HTTPS

When the operation is complete, navigate to any of the HTTP URLs that point to your app and confirm that the browser is redirected to the https:// URL. For example:

  • http://<app_name>.chinacloudsites.cn
  • http://contoso.com
  • http://www.contoso.com

Enforce TLS versions

Your app allows TLS 1.2 by default, which is the TLS level recommended by industry standards such as PCI DSS. To enforce a different minimum TLS version, follow these steps:

In your app page, in the left navigation, select TLS/SSL settings. Then, in TLS version, select the minimum TLS version you want. This setting controls inbound calls only; it does not change the TLS version your app negotiates for its own outbound connections.

Enforce TLS 1.1 or 1.2

When the operation is complete, your app rejects all connections that use lower TLS versions. Lower the minimum to 1.1 or 1.0 only for a legacy client you cannot update: both versions were formally deprecated by RFC 8996, and the setting applies to every client of the app, not just the legacy one.
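The checks described in the Test HTTPS note (self-signed certificate versus missing intermediates) and the TLS-version enforcement above can both be verified from a client. The following Python 3 script is an added example written for this article; it is not code from the original page or from Azure. It uses only the standard library, sends SNI as a browser would, and maps OpenSSL's certificate verification result codes to the causes the note names. www.contoso.com is the article's placeholder host, not a real endpoint.

```python
"""Probe an App Service custom domain over TLS (added example, not from the article).

Assumes Python 3.7+ with a standard OpenSSL build; no third-party packages.
"""
import socket
import ssl
import sys

# OpenSSL X509 verify result codes, as exposed by ssl.SSLCertVerificationError.verify_code,
# mapped to the cause a practitioner needs to act on.
VERIFY_DIAGNOSIS = {
    10: "certificate has expired: upload a renewed certificate and rebind it",
    18: "self-signed leaf certificate: browsers will warn; use a CA-issued certificate",
    19: "self-signed certificate in the chain: the chain ends in a private CA the client does not trust",
    20: "issuer certificate not found: the PFX was probably exported without its intermediate certificates",
    21: "leaf signature cannot be verified: the intermediate certificate is missing from the chain",
    62: "hostname mismatch: the certificate does not cover this custom domain",
}


def diagnose(verify_code, verify_message=""):
    """Translate an OpenSSL verify code into an actionable reason."""
    return VERIFY_DIAGNOSIS.get(
        verify_code, f"verification failed (code {verify_code}): {verify_message}")


def probe(host, port=443, max_version=None, timeout=5.0):
    """Connect with SNI and full chain + hostname verification.

    max_version caps the client's TLS version so you can confirm the app rejects
    what it should, e.g. max_version=ssl.TLSVersion.TLSv1_1 after setting the
    minimum to 1.2 in the portal.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname, system trust store
    if max_version is not None:
        ctx.maximum_version = max_version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname is what sends SNI; an SNI SSL binding is selected by it.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "protocol": tls.version(),  # e.g. "TLSv1.2" or "TLSv1.3"
                    "subject": dict(rdn[0] for rdn in cert["subject"]),
                    "not_after": cert["notAfter"],
                }
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": diagnose(exc.verify_code, exc.verify_message)}
    except ssl.SSLError as exc:
        # No verification result at all: the handshake itself was refused. After enforcing
        # TLS 1.2 this is the expected outcome of probe(host, max_version=TLSv1_1).
        return {"ok": False, "reason": f"handshake failed: {exc.reason}"}
    except OSError as exc:  # DNS failure, connection refused, timeout
        return {"ok": False, "reason": f"connection failed: {exc}"}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.contoso.com"  # article placeholder
    print("default client:", probe(target))
    print("capped at TLS 1.1:", probe(target, max_version=ssl.TLSVersion.TLSv1_1))
```

Run it as `python probe_tls.py www.contoso.com` (the file name is arbitrary). A result of `handshake failed` for the capped probe is what you want after raising the minimum to 1.2; note that OpenSSL 3 clients refuse TLS 1.0/1.1 at their default security level, so on such a client the capped probe fails for a client-side reason as well, and only the uncapped result proves the binding.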

Handle TLS termination

In App Service, TLS termination happens at the network load balancers, so all HTTPS requests reach your app as unencrypted HTTP requests. If your app logic needs to check whether the user's request was encrypted, inspect the X-Forwarded-Proto header that the front end sets on each request.

Language-specific configuration guides, such as the Linux Node.js configuration guide, show you how to detect an HTTPS session in your application code.
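An app-level check of the kind those guides describe, written here as an added example for a Python WSGI app on App Service (not the article's or Azure's code). It reads the X-Forwarded-Proto and x-appservice-proto headers named above, redirects plain-HTTP requests to https:// as a fallback to the HTTPS Only switch, and corrects wsgi.url_scheme so the framework generates https:// links. The inner app, the run_wsgi helper and the sample requests are constructed for the demonstration.

```python
"""HTTPS detection behind App Service's TLS-terminating front end (added example).

Assumes a WSGI app (Flask, Django, plain WSGI) deployed on App Service, where every
request arrives through the front end that sets these headers. Do not reuse this as-is
on a server that clients can reach directly: there the header is client-controlled.
"""
from wsgiref.util import setup_testing_defaults


def is_https(environ):
    """True when the front end reports that the client's connection was encrypted."""
    # WSGI exposes request headers as HTTP_<NAME>; both headers carry "http" or "https".
    proto = (environ.get("HTTP_X_FORWARDED_PROTO")
             or environ.get("HTTP_X_APPSERVICE_PROTO")
             or environ.get("wsgi.url_scheme", "http"))
    # X-Forwarded-Proto may be a comma-separated list when several proxies are chained;
    # the first entry describes the original client connection.
    return proto.split(",")[0].strip().lower() == "https"


def https_redirect_target(environ):
    """Rebuild the request URL with the https scheme (host, path and query preserved)."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "/")
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


class EnforceHttps:
    """WSGI middleware: 301 plain-HTTP requests to https://; otherwise pass through with
    wsgi.url_scheme corrected and an HSTS header added to the response."""

    def __init__(self, app, hsts_max_age=31536000):
        self.app = app
        self.hsts_max_age = hsts_max_age

    def __call__(self, environ, start_response):
        if not is_https(environ):
            location = https_redirect_target(environ)
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        environ["wsgi.url_scheme"] = "https"  # frameworks build absolute URLs from this

        def start_response_with_hsts(status, headers, exc_info=None):
            headers = list(headers) + [
                ("Strict-Transport-Security", f"max-age={self.hsts_max_age}")]
            return start_response(status, headers, exc_info)

        return self.app(environ, start_response_with_hsts)


def hello_app(environ, start_response):
    """Minimal inner application used to demonstrate the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"scheme seen by app: {environ['wsgi.url_scheme']}".encode()]


def run_wsgi(app, **environ_overrides):
    """Invoke a WSGI app with a constructed environ; returns (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)  # plain-HTTP request defaults from the stdlib
    environ.update(environ_overrides)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = EnforceHttps(hello_app)
    # Constructed requests: one that reached the front end over TLS, one that did not.
    print(run_wsgi(app, HTTP_HOST="www.contoso.com", HTTP_X_FORWARDED_PROTO="https"))
    print(run_wsgi(app, HTTP_HOST="www.contoso.com", PATH_INFO="/login",
                   QUERY_STRING="next=%2F"))
```

Keep the portal's HTTPS Only switch on as well: the middleware is the app's own evidence of an encrypted client connection and a guard against the setting being flipped, not a replacement for it.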

Automate with scripts

Azure CLI

#!/bin/bash

fqdn=<replace-with-www.{yourdomain}>
pfxPath=<replace-with-path-to-your-.PFX-file>
pfxPassword=<replace-with-your-.PFX-password>
resourceGroup=myResourceGroup
webappname=mywebapp$RANDOM

# Create a resource group.
az group create --location chinaeast --name $resourceGroup

# Create an App Service plan in the Basic tier (the minimum that supports custom TLS/SSL bindings).
az appservice plan create --name $webappname --resource-group $resourceGroup --sku B1

# Create a web app.
az webapp create --name $webappname --resource-group $resourceGroup \
--plan $webappname

echo "Configure a CNAME record that maps $fqdn to $webappname.chinacloudsites.cn"
read -p "Press [Enter] key when ready ..."

# Before continuing, go to your DNS configuration UI for your custom domain and follow the
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the
# hostname "www" and point it to your web app's default domain name.

# Map your prepared custom domain name to the web app.
az webapp config hostname add --webapp-name $webappname --resource-group $resourceGroup \
--hostname $fqdn

# Upload the SSL certificate and get the thumbprint.
# The PFX password is passed on the command line, so it is visible in the process list
# and in shell history; read it into $pfxPassword with `read -s` rather than hard-coding it.
thumbprint=$(az webapp config ssl upload --certificate-file "$pfxPath" \
--certificate-password "$pfxPassword" --name "$webappname" --resource-group "$resourceGroup" \
--query thumbprint --output tsv)

# Binds the uploaded SSL certificate to the web app.
az webapp config ssl bind --certificate-thumbprint $thumbprint --ssl-type SNI \
--name $webappname --resource-group $resourceGroup

echo "You can now browse to https://$fqdn"

PowerShell

$fqdn="<Replace with your custom domain name>"
$pfxPath="<Replace with path to your .PFX file>"
$pfxPassword="<Replace with your .PFX password>"
$webappname="mywebapp$(Get-Random)"
$location="China East"

# Create a resource group.
New-AzResourceGroup -Name $webappname -Location $location

# Create an App Service plan in Free tier.
New-AzAppServicePlan -Name $webappname -Location $location `
-ResourceGroupName $webappname -Tier Free

# Create a web app.
New-AzWebApp -Name $webappname -Location $location -AppServicePlan $webappname `
-ResourceGroupName $webappname

Write-Host "Configure a CNAME record that maps $fqdn to $webappname.chinacloudsites.cn"
Read-Host "Press [Enter] key when ready ..."

# Before continuing, go to your DNS configuration UI for your custom domain and follow the
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the
# hostname "www" and point it to your web app's default domain name.

# Upgrade App Service plan to Basic tier (minimum required by custom SSL certificates)
Set-AzAppServicePlan -Name $webappname -ResourceGroupName $webappname `
-Tier Basic

# Add a custom domain name to the web app. 
Set-AzWebApp -Name $webappname -ResourceGroupName $webappname `
-HostNames @($fqdn,"$webappname.chinacloudsites.cn")

# Upload and bind the SSL certificate to the web app.
New-AzWebAppSSLBinding -WebAppName $webappname -ResourceGroupName $webappname -Name $fqdn `
-CertificateFilePath $pfxPath -CertificatePassword $pfxPassword -SslState SniEnabled

More resources