Application Gateway HTTP settings configuration

The application gateway routes traffic to the back-end servers by using the configuration that you specify here. After you create an HTTP setting, you must associate it with one or more request-routing rules.

Azure Application Gateway uses gateway-managed cookies for maintaining user sessions. When a user sends the first request to Application Gateway, it sets an affinity cookie in the response with a hash value that contains the session details, so that subsequent requests carrying the affinity cookie are routed to the same back-end server to maintain stickiness.

This feature is useful when you want to keep a user session on the same server and when session state is saved locally on that server for the user session. If the application can't handle cookie-based affinity, you can't use this feature. To use it, make sure that the clients support cookies.

The Chromium browser v80 update brought a mandate that HTTP cookies without a SameSite attribute have to be treated as SameSite=Lax. In the case of CORS (Cross-Origin Resource Sharing) requests, if the cookie has to be sent in a third-party context, it has to carry the SameSite=None; Secure attributes and it should be sent over HTTPS only. Otherwise, in an HTTP-only scenario, the browser doesn't send the cookie in the third-party context. The goal of this update from Chrome is to enhance security and to avoid Cross-Site Request Forgery (CSRF) attacks.

To support this change, starting February 17, 2020, Application Gateway (all SKU types) injects another cookie called ApplicationGatewayAffinityCORS in addition to the existing ApplicationGatewayAffinity cookie. The ApplicationGatewayAffinityCORS cookie has two more attributes added to it ("SameSite=None; Secure") so that sticky sessions are maintained even for cross-origin requests.

Note that the default affinity cookie name is ApplicationGatewayAffinity and you can change it. If you're using a custom affinity cookie name, an additional cookie is added with CORS as the suffix. For example, CustomCookieNameCORS.

Note

If the attribute SameSite=None is set, it is mandatory that the cookie also contains the Secure flag, and it must be sent over HTTPS. If session affinity is required over CORS, you must migrate your workload to HTTPS. Please refer to the TLS offload and end-to-end TLS documentation for Application Gateway: Overview, Configure an application gateway with TLS termination using the Azure portal, and Configure end-to-end TLS by using Application Gateway with the portal.
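The Chromium 80 behaviour described above can be checked against a response before a workload is moved behind the gateway. The following is an added example (not Application Gateway code): it parses Set-Cookie headers, applies the "absent SameSite means Lax" default, and reports whether a browser following that rule would attach the cookie to a cross-site request. The two header values are constructed to mirror the ApplicationGatewayAffinity / ApplicationGatewayAffinityCORS pair; the hash value in them is made up.

```python
"""Cross-site cookie eligibility under Chromium 80 SameSite defaults.

Added example; not part of Application Gateway. Sample headers are
constructed, and the cookie values are not real gateway output.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ParsedCookie:
    name: str
    value: str
    samesite: str   # "Lax", "Strict", "None", or "" when the attribute is absent
    secure: bool


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header value.

    Only the attributes that matter for this check (SameSite, Secure) are
    kept; Path, Expires and the rest are ignored.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    samesite = ""
    secure = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = val.strip().capitalize()   # normalise none/lax/strict
        elif key == "secure":
            secure = True
    return ParsedCookie(name.strip(), value.strip(), samesite, secure)


def effective_samesite(cookie: ParsedCookie) -> str:
    """Chromium 80 rule: a cookie with no SameSite attribute is treated as Lax."""
    return cookie.samesite or "Lax"


def sent_cross_site(cookie: ParsedCookie, over_https: bool) -> bool:
    """Would a Chromium 80 style browser attach this cookie to a cross-site
    (third-party) request?

    Only SameSite=None cookies qualify, and those are dropped unless they also
    carry Secure and the request itself travels over HTTPS.
    """
    if effective_samesite(cookie) != "None":
        return False
    return cookie.secure and over_https


def affinity_cookie_names(custom_name: Optional[str] = None) -> Tuple[str, str]:
    """Return the (plain, CORS) affinity cookie name pair.

    The default pair is ApplicationGatewayAffinity / ApplicationGatewayAffinityCORS;
    a custom name simply gets the CORS suffix appended.
    """
    base = custom_name or "ApplicationGatewayAffinity"
    return base, base + "CORS"


def cookies_usable_cross_site(headers: List[str], over_https: bool) -> List[str]:
    """Names of the cookies in a response that survive a cross-site request."""
    return [c.name for c in map(parse_set_cookie, headers)
            if sent_cross_site(c, over_https)]


# Constructed sample response headers modelled on the two cookies the text
# describes. The value "abc123" is made up.
SAMPLE_HEADERS = [
    "ApplicationGatewayAffinity=abc123; Path=/",
    "ApplicationGatewayAffinityCORS=abc123; SameSite=None; Secure; Path=/",
]

if __name__ == "__main__":
    for scheme_is_https in (True, False):
        print("HTTPS" if scheme_is_https else "HTTP",
              cookies_usable_cross_site(SAMPLE_HEADERS, scheme_is_https))
```

Run over the constructed headers, only the CORS cookie is usable cross-site, and only when the request is HTTPS; over plain HTTP neither cookie is sent in a third-party context, which is exactly the case the note says requires migrating to HTTPS.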

Connection draining

Connection draining helps you gracefully remove back-end pool members during planned service updates. You can apply this setting to all members of a back-end pool by enabling connection draining on the HTTP setting. It ensures that all deregistering instances of a back-end pool continue to maintain existing connections and serve in-flight requests for a configurable timeout, and don't receive any new requests or connections. The only exception is requests bound for deregistering instances because of gateway-managed session affinity; these continue to be forwarded to the deregistering instances. Connection draining applies to back-end instances that are explicitly removed from the back-end pool.

Protocol

Application Gateway supports both HTTP and HTTPS for routing requests to the back-end servers. If you choose HTTP, traffic to the back-end servers is unencrypted. If unencrypted communication isn't acceptable, choose HTTPS.

This setting combined with HTTPS in the listener supports end-to-end TLS. This allows you to transmit sensitive data to the back end encrypted. Each back-end server in the back-end pool that has end-to-end TLS enabled must be configured with a certificate to allow secure communication.

Port

This setting specifies the port on which the back-end servers listen for traffic from the application gateway. You can configure ports ranging from 1 to 65535.

Request timeout

This setting is the number of seconds that the application gateway waits to receive a response from the back-end server.

Override back-end path

This setting lets you configure an optional custom forwarding path to use when the request is forwarded to the back end. Any part of the incoming path that matches the custom path in the override back-end path field is copied to the forwarded path. The following tables show how this feature works:

  • When the HTTP setting is attached to a basic request-routing rule:

    Original request            Override back-end path    Request forwarded to back end
    /home/                      /override/                /override/home/
    /home/secondhome/           /override/                /override/home/secondhome/

  • When the HTTP setting is attached to a path-based request-routing rule:

    Original request            Path rule            Override back-end path    Request forwarded to back end
    /pathrule/home/             /pathrule*           /override/                /override/home/
    /pathrule/home/secondhome/  /pathrule*           /override/                /override/home/secondhome/
    /home/                      /pathrule*           /override/                /override/home/
    /home/secondhome/           /pathrule*           /override/                /override/home/secondhome/
    /pathrule/home/             /pathrule/home*      /override/                /override/
    /pathrule/home/secondhome/  /pathrule/home*      /override/                /override/secondhome/
    /pathrule/                  /pathrule/           /override/                /override/
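The rewriting rule behind these tables can be stated as one small function, which is useful when reviewing a rule set for paths that would unexpectedly be exposed or hidden on the back end. The following is an added example, not Azure's published algorithm: the model (strip the literal part of the path rule from the front of the incoming path, then append the remainder to the override path) is reconstructed from the rows above, and the rows themselves are embedded so the model can be checked against every one of them.

```python
"""Override back-end path rewriting, reconstructed from the documented table.

Added example; not Application Gateway code. The rewrite model is an
assumption derived from the table rows, which are embedded below as the
reference data.
"""
from typing import List, Optional, Tuple


def forwarded_path(incoming: str, override: str, path_rule: Optional[str] = None) -> str:
    """Return the path the gateway would send to the back end.

    Assumed model:
      * basic rule (path_rule is None): override path + whole incoming path
      * path-based rule: the literal part of the rule (trailing '*' removed) is
        stripped from the front of the incoming path when it matches; the
        remainder is appended to the override path.
    Slashes at the join are normalised so "/override/" + "/home/" gives
    "/override/home/" rather than a doubled slash.
    """
    remainder = incoming
    if path_rule is not None:
        prefix = path_rule.rstrip("*")
        if incoming.startswith(prefix):
            remainder = incoming[len(prefix):]
    return override.rstrip("/") + "/" + remainder.lstrip("/")


# (original request, path rule or None for a basic rule, override, expected)
# copied from the two tables in the text.
TABLE: List[Tuple[str, Optional[str], str, str]] = [
    ("/home/",                     None,              "/override/", "/override/home/"),
    ("/home/secondhome/",          None,              "/override/", "/override/home/secondhome/"),
    ("/pathrule/home/",            "/pathrule*",      "/override/", "/override/home/"),
    ("/pathrule/home/secondhome/", "/pathrule*",      "/override/", "/override/home/secondhome/"),
    ("/home/",                     "/pathrule*",      "/override/", "/override/home/"),
    ("/home/secondhome/",          "/pathrule*",      "/override/", "/override/home/secondhome/"),
    ("/pathrule/home/",            "/pathrule/home*", "/override/", "/override/"),
    ("/pathrule/home/secondhome/", "/pathrule/home*", "/override/", "/override/secondhome/"),
    ("/pathrule/",                 "/pathrule/",      "/override/", "/override/"),
]


def mismatches() -> List[Tuple[str, Optional[str], str, str, str]]:
    """Rows where the model disagrees with the table (empty means it matches)."""
    bad = []
    for incoming, rule, override, expected in TABLE:
        got = forwarded_path(incoming, override, rule)
        if got != expected:
            bad.append((incoming, rule, override, expected, got))
    return bad


if __name__ == "__main__":
    for row in TABLE:
        print(f"{row[0]:<28} {str(row[1]):<16} -> {forwarded_path(row[0], row[2], row[1])}")
    print("model matches table:", not mismatches())
```

Note the fifth and sixth rows: an incoming path that does not start with the rule's literal prefix is forwarded with nothing stripped, so a request for /home/ still reaches the back end as /override/home/.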

Use for app service

This is a UI-only shortcut that selects the two required settings for the Azure App Service back end. It enables pick host name from back-end address, and it creates a new custom probe if you don't have one already. (For more information, see the Pick host name from back-end address setting section of this article.) A new probe is created, and the probe header is picked from the back-end member's address.

Use custom probe

This setting associates a custom probe with an HTTP setting. You can associate only one custom probe with an HTTP setting. If you don't explicitly associate a custom probe, the default probe is used to monitor the health of the back end. We recommend that you create a custom probe for greater control over the health monitoring of your back ends.

Note

The custom probe doesn't monitor the health of the back-end pool unless the corresponding HTTP setting is explicitly associated with a listener.

Pick host name from back-end address

This capability dynamically sets the host header in the request to the host name of the back-end pool member. It uses the member's IP address or FQDN.

This feature helps when the domain name of the back end is different from the DNS name of the application gateway, and the back end relies on a specific host header to resolve to the correct endpoint.

An example case is multi-tenant services as the back end. An app service is a multi-tenant service that uses a shared space with a single IP address. So, an app service can only be accessed through the host names that are configured in its custom domain settings.

By default, the custom domain name is example.chinacloudsites.cn. To access your app service through an application gateway by using a host name that's not explicitly registered in the app service, or through the application gateway's FQDN, you override the host name in the original request with the app service's host name. To do this, enable the pick host name from back-end address setting.

For a custom domain whose existing custom DNS name is mapped to the app service, you don't have to enable this setting.

Note

This setting is not required for App Service Environment, which is a dedicated deployment.

Host name override

This capability replaces the host header in the incoming request on the application gateway with the host name that you specify.

For example, if www.contoso.com is specified in the Host name setting, the original request https://appgw.chinanorth2.chinacloudapp.cn/path1 is changed to https://www.contoso.com/path1 when the request is forwarded to the back-end server.

Next steps