在应用程序网关上配置 SSL 策略版本和密码套件Configure SSL policy versions and cipher suites on Application Gateway

了解如何在应用程序网关上配置 SSL 策略版本和密码套件。Learn how to configure SSL policy versions and cipher suites on Application Gateway. 预定义策略列表中包含各种 SSL 策略版本配置和启用的密码套件,你可从中进行选择。You can select from a list of predefined policies that contain different configurations of SSL policy versions and enabled cipher suites. 此外,还可基于自身需求定义自定义 SSL 策略You also have the ability to define a custom SSL policy based on your requirements.

Note

本文进行了更新,以便使用新的 Azure PowerShell Az 模块。This article has been updated to use the new Azure PowerShell Az module. 你仍然可以使用 AzureRM 模块,至少在 2020 年 12 月之前,它将继续接收 bug 修补程序。You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. 若要详细了解新的 Az 模块和 AzureRM 兼容性,请参阅新 Azure Powershell Az 模块简介To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. 有关 Az 模块安装说明,请参阅安装 Azure PowerShellFor Az module installation instructions, see Install Azure PowerShell.

获取可用的 SSL 选项Get available SSL options

Get-AzApplicationGatewayAvailableSslOptions cmdlet 提供了一列可用的预定义策略、可用的密码套件和可配置的协议版本。The Get-AzApplicationGatewayAvailableSslOptions cmdlet provides a listing of available pre-defined policies, available cipher suites, and protocol versions that can be configured. 以下示例显示运行此 cmdlet 的示例输出。The following example shows an example output from running the cmdlet.

DefaultPolicy: AppGwSslPolicy20150501
PredefinedPolicies:
    /subscriptions/147a22e9-2356-4e56-b3de-1f5842ae4a3b/resourceGroups//providers/Microsoft.Network/ApplicationGatewayAvailableSslOptions/default/Applic
ationGatewaySslPredefinedPolicy/AppGwSslPolicy20150501
    /subscriptions/147a22e9-2356-4e56-b3de-1f5842ae4a3b/resourceGroups//providers/Microsoft.Network/ApplicationGatewayAvailableSslOptions/default/Applic
ationGatewaySslPredefinedPolicy/AppGwSslPolicy20170401
    /subscriptions/147a22e9-2356-4e56-b3de-1f5842ae4a3b/resourceGroups//providers/Microsoft.Network/ApplicationGatewayAvailableSslOptions/default/Applic
ationGatewaySslPredefinedPolicy/AppGwSslPolicy20170401S

AvailableCipherSuites:
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

AvailableProtocols:
    TLSv1_0
    TLSv1_1
    TLSv1_2

列出预定义 SSL 策略List pre-defined SSL Policies

应用程序网关包含 3 个可使用的预定义策略。Application gateway comes with three pre-defined policies that can be used. Get-AzApplicationGatewaySslPredefinedPolicy cmdlet 会检索这些策略。The Get-AzApplicationGatewaySslPredefinedPolicy cmdlet retrieves these policies. 每个策略启用不同的协议版本和密码套件。Each policy has different protocol versions and cipher suites enabled. 这些预定义策略可用于在应用程序网关上快速配置 SSL 策略。These pre-defined policies can be used to quickly configure an SSL policy on your application gateway. 如果未定义特定 SSL 策略,则默认选择 AppGwSslPolicy20150501 。By default AppGwSslPolicy20150501 is selected if no specific SSL policy is defined.

以下输出为运行 Get-AzApplicationGatewaySslPredefinedPolicy 的示例。The following output is an example of running Get-AzApplicationGatewaySslPredefinedPolicy.

Name: AppGwSslPolicy20150501
MinProtocolVersion: TLSv1_0
CipherSuites:
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_GCM_SHA384
 ...
Name: AppGwSslPolicy20170401
MinProtocolVersion: TLSv1_1
CipherSuites:
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
...

配置自定义 SSL 策略Configure a custom SSL policy

在配置自定义 SSL 策略时,将传递以下参数:PolicyType、MinProtocolVersion、CipherSuite 和 ApplicationGateway。When configuring a custom SSL policy, you pass the following parameters: PolicyType, MinProtocolVersion, CipherSuite, and ApplicationGateway. 如果尝试传递其他参数,则在创建或更新应用程序网关时会出错。If you attempt to pass other parameters, you get an error when creating or updating the Application Gateway.

如下示例将在应用程序网关上设置自定义 SSL 策略。The following example sets a custom SSL policy on an application gateway. 它将最低协议版本设置为 TLSv1_1,并启用以下密码套件:It sets the minimum protocol version to TLSv1_1 and enables the following cipher suites:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

Important

配置自定义 SSL 策略时,必须选择“TLS_RSA_WITH_AES_256_CBC_SHA256”。TLS_RSA_WITH_AES_256_CBC_SHA256 must be selected when configuring a custom SSL policy. 应用程序网关使用此密码套件进行后端管理。Application gateway uses this cipher suite for backend management. 可以将此密码套件与任何其他套件结合使用,但也必须选择此选项。You can use this in combination with any other suites, but this one must be selected as well.

# get an application gateway resource
$gw = Get-AzApplicationGateway -Name AdatumAppGateway -ResourceGroup AdatumAppGatewayRG

# set the SSL policy on the application gateway
Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw -PolicyType Custom -MinProtocolVersion TLSv1_1 -CipherSuite "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"

# validate the SSL policy locally
Get-AzApplicationGatewaySslPolicy -ApplicationGateway $gw

# update the gateway with validated SSL policy
Set-AzApplicationGateway -ApplicationGateway $gw

使用预定义 SSL 策略创建应用程序网关Create an application gateway with a pre-defined SSL policy

配置预定义 SSL 策略时,将传递以下参数:PolicyType、PolicyName 和 ApplicationGateway。When configuring a Predefined SSL policy, you pass the following parameters: PolicyType, PolicyName, and ApplicationGateway. 如果尝试传递其他参数,则在创建或更新应用程序网关时会出错。If you attempt to pass other parameters, you get an error when creating or updating the Application Gateway.

如下示例会使用预定义 SSL 策略创建一个新的应用程序网关。The following example creates a new application gateway with a pre-defined SSL policy.

# Create a resource group
$rg = New-AzResourceGroup -Name ContosoRG -Location "China North"

# Create a subnet for the application gateway
$subnet = New-AzVirtualNetworkSubnetConfig -Name subnet01 -AddressPrefix 10.0.0.0/24

# Create a virtual network with a 10.0.0.0/16 address space
$vnet = New-AzVirtualNetwork -Name appgwvnet -ResourceGroupName $rg.ResourceGroupName -Location "China North" -AddressPrefix 10.0.0.0/16 -Subnet $subnet

# Retrieve the subnet object for later use
$subnet = $vnet.Subnets[0]

# Create a public IP address
$publicip = New-AzPublicIpAddress -ResourceGroupName $rg.ResourceGroupName -name publicIP01 -location "China North" -AllocationMethod Dynamic

# Create an ip configuration object
$gipconfig = New-AzApplicationGatewayIPConfiguration -Name gatewayIP01 -Subnet $subnet

# Create a backend pool for backend web servers
$pool = New-AzApplicationGatewayBackendAddressPool -Name pool01 -BackendIPAddresses 134.170.185.46, 134.170.188.221,134.170.185.50

# Define the backend http settings to be used.
$poolSetting = New-AzApplicationGatewayBackendHttpSettings -Name poolsetting01 -Port 80 -Protocol Http -CookieBasedAffinity Enabled

# Create a new port for SSL
$fp = New-AzApplicationGatewayFrontendPort -Name frontendport01  -Port 443

# Upload an existing pfx certificate for SSL offload
$password = ConvertTo-SecureString -String "P@ssw0rd" -AsPlainText -Force
$cert = New-AzApplicationGatewaySslCertificate -Name cert01 -CertificateFile C:\folder\contoso.pfx -Password $password

# Create a frontend IP configuration for the public IP address
$fipconfig = New-AzApplicationGatewayFrontendIPConfig -Name fipconfig01 -PublicIPAddress $publicip

# Create a new listener with the certificate, port, and frontend ip.
$listener = New-AzApplicationGatewayHttpListener -Name listener01  -Protocol Https -FrontendIPConfiguration $fipconfig -FrontendPort $fp -SslCertificate $cert

# Create a new rule for backend traffic routing
$rule = New-AzApplicationGatewayRequestRoutingRule -Name rule01 -RuleType Basic -BackendHttpSettings $poolSetting -HttpListener $listener -BackendAddressPool $pool

# Define the size of the application gateway
$sku = New-AzApplicationGatewaySku -Name Standard_Small -Tier Standard -Capacity 2

# Configure the SSL policy to use a different pre-defined policy
$policy = New-AzApplicationGatewaySslPolicy -PolicyType Predefined -PolicyName AppGwSslPolicy20170401S

# Create the application gateway.
$appgw = New-AzApplicationGateway -Name appgwtest -ResourceGroupName $rg.ResourceGroupName -Location "China North" -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSetting -FrontendIpConfigurations $fipconfig  -GatewayIpConfigurations $gipconfig -FrontendPorts $fp -HttpListeners $listener -RequestRoutingRules $rule -Sku $sku -SslCertificates $cert -SslPolicy $policy

使用预定义 SSL 策略更新现有应用程序网关Update an existing application gateway with a pre-defined SSL policy

若要设置自定义 SSL 策略,请传递以下参数:PolicyType、MinProtocolVersion、CipherSuite 和 ApplicationGateway 。To set a custom SSL policy, pass the following parameters: PolicyType, MinProtocolVersion, CipherSuite, and ApplicationGateway. 若要设置预定义 SSL 策略,请传递以下参数:PolicyType、PolicyName 和 ApplicationGateway 。To set a Predefined SSL policy, pass the following parameters: PolicyType, PolicyName, and ApplicationGateway. 如果尝试传递其他参数,则在创建或更新应用程序网关时会出错。If you attempt to pass other parameters, you get an error when creating or updating the Application Gateway.

下面的示例同时提供了自定义策略和预定义策略的代码示例。In the following example, there are code samples for both Custom Policy and Predefined Policy. 取消注释要使用的策略。Uncomment the policy you want to use.

# You have to change these parameters to match your environment.
$AppGWname = "YourAppGwName"
$RG = "YourResourceGroupName"

$AppGw = get-Azapplicationgateway -Name $AppGWname -ResourceGroupName $RG

# Choose either custom policy or predefined policy and uncomment the one you want to use.

# SSL Custom Policy
# Set-AzApplicationGatewaySslPolicy -PolicyType Custom -MinProtocolVersion TLSv1_2 -CipherSuite "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256" -ApplicationGateway $AppGw

# SSL Predefined Policy
# Set-AzApplicationGatewaySslPolicy -PolicyType Predefined -PolicyName "AppGwSslPolicy20170401S" -ApplicationGateway $AppGW

# Update AppGW
# The SSL policy options are not validated or updated on the Application Gateway until this cmdlet is executed.
$SetGW = Set-AzApplicationGateway -ApplicationGateway $AppGW

后续步骤Next steps

请访问应用程序网关重定向概述,了解如何将 HTTP 流量重定向至 HTTPS 终结点。Visit Application Gateway redirect overview to learn how to redirect HTTP traffic to an HTTPS endpoint.