Configure an application gateway for SSL offload by using the classic deployment model

Azure Application Gateway can be configured to terminate the Secure Sockets Layer (SSL) session at the gateway, so that costly SSL decryption does not have to happen at the web farm. SSL offload also simplifies the front-end server setup and management of the web application.

Before you begin

  1. Install the latest version of the Azure PowerShell cmdlets by using the Web Platform Installer. You can download and install the latest version from the Windows PowerShell section of the Downloads page.
  2. Verify that you have a working virtual network with a valid subnet. Make sure that no virtual machines or cloud deployments are using the subnet. The application gateway must be by itself in a virtual network subnet.
  3. The servers that you configure to use the application gateway must already exist, or must have endpoints created for them, either in the virtual network or with a public IP address or virtual IP address (VIP) assigned.

To configure SSL offload on an application gateway, complete the following steps in the order listed:

  1. Create an application gateway
  2. Upload SSL certificates
  3. Configure the gateway
  4. Set the gateway configuration
  5. Start the gateway
  6. Verify the gateway status

Create an application gateway

To create the gateway, enter the New-AzureApplicationGateway cmdlet, replacing the values with your own. Billing for the gateway does not start at this point. Billing begins in a later step, when the gateway is successfully started.

New-AzureApplicationGateway -Name AppGwTest -VnetName testvnet1 -Subnets @("Subnet-1")

To validate that the gateway was created, you can enter the Get-AzureApplicationGateway cmdlet.

In the sample, Description, InstanceCount, and GatewaySize are optional parameters. The default value for InstanceCount is 2, with a maximum value of 10. The default value for GatewaySize is Medium; Small and Large are the other available values. VirtualIPs and DnsName are shown as blank because the gateway has not started yet. These values are created after the gateway is in the running state.

Get-AzureApplicationGateway AppGwTest

Upload SSL certificates

Enter Add-AzureApplicationGatewaySslCertificate to upload the server certificate in PFX format to the application gateway. The certificate name is a user-chosen name and must be unique within the application gateway. The certificate is referred to by this name in all certificate management operations on the application gateway.

The following sample shows the cmdlet. Replace the values in the sample with your own.

Add-AzureApplicationGatewaySslCertificate  -Name AppGwTest -CertificateName GWCert -Password <password> -CertificateFile <full path to pfx file>

Next, validate the certificate upload by entering the Get-AzureApplicationGatewaySslCertificate cmdlet.

The following sample shows the cmdlet on the first line, followed by the output:

Get-AzureApplicationGatewaySslCertificate AppGwTest
VERBOSE: 5:07:54 PM - Begin Operation: Get-AzureApplicationGatewaySslCertificate
VERBOSE: 5:07:55 PM - Completed Operation: Get-AzureApplicationGatewaySslCertificate
Name           : SslCert
SubjectName    : CN=gwcert.app.test.contoso.com
Thumbprint     : AF5ADD77E160A01A6......EE48D1A
ThumbprintAlgo : sha1RSA
State..........: Provisioned

Note

The certificate password must be between 4 and 12 characters long and made up of letters or numbers. Special characters are not accepted.

Configure the gateway

An application gateway configuration consists of multiple values. These values are tied together to construct the configuration.

The values are:

  • Back-end server pool: The list of IP addresses of the back-end servers. The IP addresses listed should belong to the virtual network subnet, or should be a public IP or VIP address.
  • Back-end server pool settings: Every pool has settings like port, protocol, and cookie-based affinity. These settings are tied to a pool and are applied to all servers within the pool.
  • Front-end port: This port is the public port that is opened on the application gateway. Traffic hits this port and is then redirected to one of the back-end servers.
  • Listener: The listener has a front-end port, a protocol (Http or Https; these values are case-sensitive), and the SSL certificate name (if configuring an SSL offload).
  • Rule: The rule binds the listener and the back-end server pool, and defines which back-end server pool to direct the traffic to when it hits a particular listener. Currently, only the basic rule is supported. The basic rule is round-robin load distribution.

Additional configuration notes

For SSL certificate configuration, the protocol in HttpListener should be changed to Https (case-sensitive). Add the SslCert element to HttpListener with its value set to the same name used in the Upload SSL certificates section. The front-end port should be updated to 443.

To enable cookie-based affinity: You can configure an application gateway to ensure that a request from a client session is always directed to the same VM in the web farm. This is accomplished by inserting a session cookie that allows the gateway to direct traffic appropriately. To enable cookie-based affinity, set CookieBasedAffinity to Enabled in the BackendHttpSettings element.

You can construct your configuration either by creating a configuration object or by using a configuration XML file. To construct your configuration by using a configuration XML file, enter the following sample:

<?xml version="1.0" encoding="utf-8"?>
<ApplicationGatewayConfiguration xmlns:i="https://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/windowsazure">
    <FrontendIPConfigurations />
    <FrontendPorts>
        <FrontendPort>
            <Name>FrontendPort1</Name>
            <Port>443</Port>
        </FrontendPort>
    </FrontendPorts>
    <BackendAddressPools>
        <BackendAddressPool>
            <Name>BackendPool1</Name>
            <IPAddresses>
                <IPAddress>10.0.0.1</IPAddress>
                <IPAddress>10.0.0.2</IPAddress>
            </IPAddresses>
        </BackendAddressPool>
    </BackendAddressPools>
    <BackendHttpSettingsList>
        <BackendHttpSettings>
            <Name>BackendSetting1</Name>
            <Port>80</Port>
            <Protocol>Http</Protocol>
            <CookieBasedAffinity>Enabled</CookieBasedAffinity>
        </BackendHttpSettings>
    </BackendHttpSettingsList>
    <HttpListeners>
        <HttpListener>
            <Name>HTTPListener1</Name>
            <FrontendPort>FrontendPort1</FrontendPort>
            <Protocol>Https</Protocol>
            <SslCert>GWCert</SslCert>
        </HttpListener>
    </HttpListeners>
    <HttpLoadBalancingRules>
        <HttpLoadBalancingRule>
            <Name>HttpLBRule1</Name>
            <Type>basic</Type>
            <BackendHttpSettings>BackendSetting1</BackendHttpSettings>
            <Listener>HTTPListener1</Listener>
            <BackendAddressPool>BackendPool1</BackendAddressPool>
        </HttpLoadBalancingRule>
    </HttpLoadBalancingRules>
</ApplicationGatewayConfiguration>

Set the gateway configuration

Next, set the application gateway configuration. You can enter the Set-AzureApplicationGatewayConfig cmdlet with either a configuration object or a configuration XML file.

Set-AzureApplicationGatewayConfig -Name AppGwTest -ConfigFile D:\config.xml

Start the gateway

After the gateway has been configured, enter the Start-AzureApplicationGateway cmdlet to start the gateway. Billing for an application gateway begins after the gateway has been successfully started.

Note

The Start-AzureApplicationGateway cmdlet can take 15-20 minutes to finish.

Start-AzureApplicationGateway AppGwTest

Verify the gateway status

Enter the Get-AzureApplicationGateway cmdlet to check the status of the gateway. If Start-AzureApplicationGateway succeeded in the previous step, the State should be Running, and VirtualIPs and DnsName should have valid entries.

This sample shows an application gateway that is up, running, and ready to take traffic:

Get-AzureApplicationGateway AppGwTest
Name          : AppGwTest2
Description   :
VnetName      : testvnet1
Subnets       : {Subnet-1}
InstanceCount : 2
GatewaySize   : Medium
State         : Running
VirtualIPs    : {23.96.22.241}
DnsName       : appgw-4c960426-d1e6-4aae-8670-81fd7a519a43.chinacloudapp.cn
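The whole procedure above, from certificate upload through status verification, as one added PowerShell script that is not part of the original article or the Azure module. Before applying the XML, it checks the SSL-offload invariants stated in the configuration notes (listener Protocol exactly "Https", SslCert matching the uploaded certificate name, front-end port 443); the gateway, vnet, subnet and certificate names are the article's, and the PFX path is an assumed placeholder.

```powershell
# Added example; names below follow the article, the PFX path is an assumption.
$GatewayName = 'AppGwTest'
$VnetName    = 'testvnet1'
$SubnetName  = 'Subnet-1'
$CertName    = 'GWCert'
$ConfigFile  = 'D:\config.xml'
$PfxFile     = 'D:\gwcert.pfx'                       # assumed path to the PFX
$PfxPassword = Read-Host -Prompt 'PFX password'      # 4-12 letters or digits, no specials

# Returns a list of problems in the config XML that would leave SSL offload misconfigured.
function Test-SslOffloadConfig {
    param([string]$Path, [string]$ExpectedCert)
    [xml]$cfg = Get-Content -Path $Path -Raw
    $root = $cfg.ApplicationGatewayConfiguration
    $problems = @()
    foreach ($l in @($root.HttpListeners.HttpListener)) {
        $name = $l['Name'].InnerText
        # Protocol is case-sensitive: only the exact string 'Https' is an SSL listener
        if ($l['Protocol'].InnerText -cne 'Https') { $problems += "${name}: Protocol must be exactly 'Https'" }
        $cert = if ($l['SslCert']) { $l['SslCert'].InnerText } else { '' }
        if ($cert -ne $ExpectedCert) { $problems += "${name}: SslCert '$cert' is not the uploaded certificate '$ExpectedCert'" }
        $port = @($root.FrontendPorts.FrontendPort) |
            Where-Object { $_['Name'].InnerText -eq $l['FrontendPort'].InnerText } | Select-Object -First 1
        if (-not $port -or $port['Port'].InnerText -ne '443') { $problems += "${name}: front-end port should be 443" }
    }
    return $problems
}

$problems = Test-SslOffloadConfig -Path $ConfigFile -ExpectedCert $CertName
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; throw 'Fix the configuration before applying it.' }

# Step 1: create the gateway (no billing yet).
New-AzureApplicationGateway -Name $GatewayName -VnetName $VnetName -Subnets @($SubnetName)

# Step 2: upload the certificate and confirm it reached the Provisioned state.
Add-AzureApplicationGatewaySslCertificate -Name $GatewayName -CertificateName $CertName `
    -Password $PfxPassword -CertificateFile $PfxFile
$cert = Get-AzureApplicationGatewaySslCertificate $GatewayName | Where-Object { $_.Name -eq $CertName }
if (-not $cert -or $cert.State -ne 'Provisioned') { throw "Certificate $CertName is not provisioned" }

# Steps 3-5: apply the validated config and start the gateway (may take 15-20 minutes; billing starts here).
Set-AzureApplicationGatewayConfig -Name $GatewayName -ConfigFile $ConfigFile
Start-AzureApplicationGateway $GatewayName

# Step 6: a Running state with a VIP and DNS name means the HTTPS listener is live.
$gw = Get-AzureApplicationGateway $GatewayName
if ($gw.State -ne 'Running' -or -not $gw.VirtualIPs -or -not $gw.DnsName) {
    throw "Gateway $GatewayName is not serving traffic (State: $($gw.State))"
}
"SSL offload active at https://$($gw.DnsName)/ (VIP $($gw.VirtualIPs -join ', '))"
```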

Next steps

For more information about load-balancing options in general, see: