Custom configuration settings for App Service Environments

Overview

Because App Service Environments (ASEs) are isolated to a single customer, there are certain configuration settings that can be applied exclusively to App Service Environments. This article documents the specific customizations that are available for App Service Environments.

If you do not have an App Service Environment, see How to Create an App Service Environment.

You can store App Service Environment customizations by using an array in the new clusterSettings attribute. This attribute is found in the "Properties" dictionary of the hostingEnvironments Azure Resource Manager entity.

The following abbreviated Resource Manager template snippet shows the clusterSettings attribute:

    "resources": [
        {
            "apiVersion": "2015-08-01",
            "type": "Microsoft.Web/hostingEnvironments",
            "name": ...,
            "location": ...,
            "properties": {
                "clusterSettings": [
                    {
                        "name": "nameOfCustomSetting",
                        "value": "valueOfCustomSetting"
                    }
                ],
                "workerPools": [ ... ],
                etc...
            }
        }

The clusterSettings attribute can be included in a Resource Manager template to update the App Service Environment.

Enable Internal Encryption

The App Service Environment operates as a black box system: you cannot see the internal components or the communication within the system. To allow higher throughput, encryption is not enabled by default between internal components. The system is secure because that internal traffic cannot be monitored or accessed from outside. If you have a compliance requirement that mandates complete encryption of the data path from end to end, you can enable it with a clusterSetting.

    "clusterSettings": [
        {
            "name": "InternalEncryption",
            "value": "1"
        }
    ],

After the InternalEncryption clusterSetting is enabled, your system's performance may be affected. When you make the change to enable InternalEncryption, your ASE will be in an unstable state until the change is fully propagated. Complete propagation of the change can take a few hours, depending on how many instances you have in your ASE. We highly recommend that you do not enable this on an ASE while it is in use. If you need to enable it on an actively used ASE, we highly recommend that you divert traffic to a backup environment until the operation completes.

Disable TLS 1.0 and TLS 1.1

If you want to manage TLS settings on an app-by-app basis, use the guidance provided in the Enforce TLS settings documentation.

If you want to disable all inbound TLS 1.0 and TLS 1.1 traffic for all of the apps in an ASE, you can set the following clusterSettings entry:

    "clusterSettings": [
        {
            "name": "DisableTls1.0",
            "value": "1"
        }
    ],

The name of the setting mentions only 1.0, but when configured it disables both TLS 1.0 and TLS 1.1.

Change TLS cipher suite order

Customers also ask whether they can modify the list of cipher suites their server negotiates. This can be done by modifying clusterSettings as shown below.

    "clusterSettings": [
        {
            "name": "FrontEndSSLCipherSuiteOrder",
            "value": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256"
        }
    ],

Warning

If the cipher suite order contains values that SChannel cannot understand, all TLS communication to your server might stop functioning. In that case, you will need to remove the FrontEndSSLCipherSuiteOrder entry from clusterSettings and submit the updated Resource Manager template to revert to the default cipher suite settings. Use this functionality with caution.

Get started

The Azure Quickstart Resource Manager template site includes a template with the base definition for creating an App Service Environment.
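The following added example (not part of this article or of any Azure SDK) shows one way to manage the clusterSettings array described above before submitting a template: it adds or updates entries such as InternalEncryption and DisableTls1.0, refuses a FrontEndSSLCipherSuiteOrder value that fails a simple allow-list check so a malformed order never reaches SChannel, and removes an entry to perform the revert the warning describes. The template, the resource name and the allow-list (built only from the suite names shown on this page) are constructed assumptions.

```python
import re


def new_template():
    """Constructed minimal template with only the fields this article shows; the name is a placeholder."""
    return {"resources": [{"apiVersion": "2015-08-01", "type": "Microsoft.Web/hostingEnvironments",
                           "name": "example-ase", "properties": {"clusterSettings": [], "workerPools": []}}]}


# Allow-list built from the suite names this article shows SChannel accepting; extend it as needed.
KNOWN_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256",
}
SUITE_RE = re.compile(r"^TLS_[A-Z0-9_]+$")  # shape of an SChannel suite name as shown on the page


def validate_cipher_order(value):
    """Return the problems found in a FrontEndSSLCipherSuiteOrder value (empty list means OK)."""
    suites = value.split(",")
    problems = [f"malformed name: {s!r}" for s in suites if not SUITE_RE.match(s)]
    problems += [f"not in allow-list: {s}" for s in suites
                 if SUITE_RE.match(s) and s not in KNOWN_SUITES]
    if len(set(suites)) != len(suites):
        problems.append("duplicate suite in order")
    return problems


def _ase_settings(template):
    """Locate (creating if needed) the clusterSettings array of the hostingEnvironments resource."""
    for res in template["resources"]:
        if res.get("type") == "Microsoft.Web/hostingEnvironments":
            return res.setdefault("properties", {}).setdefault("clusterSettings", [])
    raise ValueError("template has no Microsoft.Web/hostingEnvironments resource")


def set_cluster_setting(template, name, value):
    """Add or update one entry; a cipher order that fails validation is refused before submission."""
    problems = validate_cipher_order(value) if name == "FrontEndSSLCipherSuiteOrder" else []
    if problems:
        raise ValueError("; ".join(problems))
    settings = _ase_settings(template)
    for entry in settings:
        if entry["name"] == name:
            entry["value"] = value
            return template
    settings.append({"name": name, "value": value})
    return template


def remove_cluster_setting(template, name):
    """Drop an entry, e.g. FrontEndSSLCipherSuiteOrder, to revert to the default cipher suites."""
    settings = _ase_settings(template)
    settings[:] = [e for e in settings if e["name"] != name]
    return template
```

Serialize the returned dict with json.dumps to produce the template you submit; the allow-list is deliberately narrow, so add suites you have verified SChannel accepts rather than loosening the check.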