Application Gateway listener configuration

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

A listener is a logical entity that checks for incoming connection requests by using the port, protocol, host, and IP address. When you configure the listener, you must enter values for these that match the corresponding values in the incoming request on the gateway.

When you create an application gateway by using the Azure portal, you also create a default listener by choosing the protocol and port for the listener. You can choose whether to enable HTTP2 support on the listener. After you create the application gateway, you can edit the settings of that default listener (appGatewayHttpListener) or create new listeners.

Listener type

When you create a new listener, you choose between basic and multi-site.

  • If you want all of your requests (for any domain) to be accepted and forwarded to backend pools, choose basic. Learn how to create an application gateway with a basic listener.

  • If you want to forward requests to different backend pools based on the host header or host names, choose a multi-site listener, where you must also specify a host name that matches the incoming request. This is because Application Gateway relies on HTTP 1.1 host headers to host more than one website on the same public IP address and port. To learn more, see hosting multiple sites using Application Gateway.

Order of processing listeners

For the v1 SKU, requests are matched according to the order of the rules and the type of listener. If a rule with a basic listener comes first in the order, it's processed first and will accept any request for that port and IP combination. To avoid this, configure the rules with multi-site listeners first and push the rule with the basic listener to the last position in the list.

For the v2 SKU, multi-site listeners are processed before basic listeners.
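The following Azure PowerShell script is an added example, not code from the original article or from the Application Gateway product documentation. It creates one multi-site listener and one basic listener on the same IP and port, then adds the request-routing rules in the order the section above prescribes for a v1 SKU (multi-site rule first, basic catch-all rule last). It assumes a gateway named "test" in resource group "hm" (the names used in this article's HTTP/2 snippet), an existing front-end IP configuration, backend pools named "apiPool" and "defaultPool", and an HTTP setting named "httpSetting"; the host name api.contoso.com and all of those resource names are assumptions.

```powershell
# Added example (not from the original article). Gateway and resource names are assumptions.
$gw = Get-AzApplicationGateway -Name test -ResourceGroupName hm

# Reuse the gateway's first front-end IP configuration and a port-80 front-end port
# (created if it does not exist yet).
$feIp   = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $gw | Select-Object -First 1
$fePort = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $gw | Where-Object { $_.Port -eq 80 }
if (-not $fePort) {
    $gw     = Add-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name port80 -Port 80
    $fePort = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name port80
}

# Multi-site listener: matches only requests whose Host header is api.contoso.com.
$gw = Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name apiListener `
        -Protocol Http -FrontendIPConfiguration $feIp -FrontendPort $fePort -HostName api.contoso.com

# Basic listener: accepts every request on this IP/port, whatever the Host header says.
$gw = Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name catchAllListener `
        -Protocol Http -FrontendIPConfiguration $feIp -FrontendPort $fePort

$apiListener = Get-AzApplicationGatewayHttpListener     -ApplicationGateway $gw -Name apiListener
$catchAll    = Get-AzApplicationGatewayHttpListener     -ApplicationGateway $gw -Name catchAllListener
$apiPool     = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name apiPool
$defaultPool = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name defaultPool
$httpSetting = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name httpSetting

# v1 evaluates rules in list order: add the multi-site rule FIRST ...
$gw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name apiRule -RuleType Basic `
        -HttpListener $apiListener -BackendAddressPool $apiPool -BackendHttpSettings $httpSetting

# ... and the basic (catch-all) rule LAST, otherwise it would also swallow api.contoso.com traffic.
$gw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name catchAllRule -RuleType Basic `
        -HttpListener $catchAll -BackendAddressPool $defaultPool -BackendHttpSettings $httpSetting

# Check the resulting order before committing: apiRule must precede catchAllRule.
$gw.RequestRoutingRules | Select-Object Name, @{ n = 'Listener'; e = { $_.HttpListener.Id.Split('/')[-1] } }

Set-AzApplicationGateway -ApplicationGateway $gw
```

The rule listing before `Set-AzApplicationGateway` is the check worth keeping: on a v1 gateway, if the catch-all rule ever ends up above a multi-site rule, requests for that host are silently routed to the default pool.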

Front-end IP address

Choose the front-end IP address that you plan to associate with this listener. The listener will listen for incoming requests on this IP.

Front-end port

Choose the front-end port. Select an existing port or create a new one. Choose any value from the allowed range of ports. You can use not only well-known ports, such as 80 and 443, but any allowed custom port that's suitable. A port can be used for public-facing listeners or private-facing listeners.

Protocol

Choose HTTP or HTTPS:

  • If you choose HTTP, the traffic between the client and the application gateway is unencrypted.

  • Choose HTTPS if you want TLS termination or end-to-end TLS encryption. The traffic between the client and the application gateway is encrypted, and the TLS connection terminates at the application gateway. If you want end-to-end TLS encryption, you must choose HTTPS and also configure the back-end HTTP setting. This ensures that traffic is re-encrypted when it travels from the application gateway to the back end.

To configure TLS termination and end-to-end TLS encryption, you must add a certificate to the listener to enable the application gateway to derive a symmetric key. This is dictated by the TLS protocol specification. The symmetric key is used to encrypt and decrypt the traffic that's sent to the gateway. The gateway certificate must be in Personal Information Exchange (PFX) format. This format lets you export the private key that the gateway uses to encrypt and decrypt traffic.
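The following Azure PowerShell script is an added example and is not code from the original article or from Microsoft. It shows the two halves described above: uploading a PFX certificate and binding it to an HTTPS listener (TLS termination), and then configuring a back-end HTTP setting that uses HTTPS so the hop to the back end is re-encrypted (end-to-end TLS). It assumes a v2 SKU gateway named "test" in resource group "hm" (names from this article's HTTP/2 snippet), an existing front-end IP configuration, a PFX file at C:\certs\contoso.pfx, and a CER file at C:\certs\backend-root.cer containing the root CA that issued the back-end servers' certificates; the file paths, certificate names and the v2 SKU are all assumptions.

```powershell
# Added example (not from the original article). Paths, names and the v2 SKU are assumptions.
$gw = Get-AzApplicationGateway -Name test -ResourceGroupName hm

# 1. Upload the PFX. The private key inside it is what lets the gateway derive the
#    symmetric session key and terminate TLS. Prompt for the password rather than
#    hard-coding it in the script.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
$gw   = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name contosoCert `
          -CertificateFile "C:\certs\contoso.pfx" -Password $pfxPassword
$cert = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name contosoCert

# 2. Front-end port 443 and the gateway's first front-end IP configuration.
$gw     = Add-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name port443 -Port 443
$fePort = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name port443
$feIp   = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $gw | Select-Object -First 1

# 3. HTTPS listener: client traffic is decrypted here (TLS termination).
$gw = Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name httpsListener `
        -Protocol Https -FrontendIPConfiguration $feIp -FrontendPort $fePort -SslCertificate $cert

# 4. End-to-end TLS: the back-end HTTP setting itself speaks HTTPS on port 443. On v2 the
#    gateway validates the back end's certificate against a trusted root you upload, so a
#    back end presenting a certificate from an unknown CA fails the TLS handshake.
$gw   = Add-AzApplicationGatewayTrustedRootCertificate -ApplicationGateway $gw -Name backendRoot `
          -CertificateFile "C:\certs\backend-root.cer"
$root = Get-AzApplicationGatewayTrustedRootCertificate -ApplicationGateway $gw -Name backendRoot
$gw   = Add-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name httpsSetting `
          -Port 443 -Protocol Https -CookieBasedAffinity Disabled `
          -TrustedRootCertificate $root -PickHostNameFromBackendAddress

Set-AzApplicationGateway -ApplicationGateway $gw
```

Binding the new listener and back-end setting to a request-routing rule is the remaining step; the listener-order example earlier on this page shows that call. Without step 4 the gateway still terminates TLS correctly but forwards plain HTTP to the pool, which is the "TLS termination" rather than the "end-to-end" mode described above.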

Supported certificates

See Overview of TLS termination and end to end TLS with Application Gateway.

Additional protocol support

HTTP2 support

HTTP/2 protocol support is available only to clients that connect to application gateway listeners. The communication to back-end server pools is over HTTP/1.1. By default, HTTP/2 support is disabled. The following Azure PowerShell code snippet shows how to enable it:

# Fetch the gateway, flip the HTTP/2 flag on the local object, then write it back.
$gw = Get-AzApplicationGateway -Name test -ResourceGroupName hm
$gw.EnableHttp2 = $true
Set-AzApplicationGateway -ApplicationGateway $gw

WebSocket support

WebSocket support is enabled by default. There's no user-configurable setting to enable or disable it. You can use WebSockets with both HTTP and HTTPS listeners.

Custom error pages

You can define custom error pages at the global level or the listener level. But creating global-level custom error pages from the Azure portal is currently not supported. You can configure a custom error page for a 403 web application firewall error or a 502 maintenance page at the listener level. You must also specify a publicly accessible blob URL for the given error status code. For more information, see Create Application Gateway custom error pages.

Application Gateway error codes

To configure a global custom error page, see Azure PowerShell configuration.
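The following Azure PowerShell script is an added example, not code from the original article or from Microsoft. It configures the two listener-level pages the section above names (403 for the web application firewall and 502 for maintenance) and, since the portal does not offer it, a global 502 page as well. It assumes a gateway named "test" in resource group "hm" (names from this article's HTTP/2 snippet), a listener named "httpsListener", and a publicly readable blob container holding the HTML files; the listener name and the blob URLs (with a placeholder storage-account name) are assumptions.

```powershell
# Added example (not from the original article). Listener name and blob URLs are assumptions.
$gw = Get-AzApplicationGateway -Name test -ResourceGroupName hm

# The pages must be publicly readable blobs; <storageaccount> is a placeholder.
$errBase = "https://<storageaccount>.blob.core.windows.net/errors"

# Listener-level pages: returned to clients of this listener only.
$listener = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name httpsListener
$listener = Add-AzApplicationGatewayCustomError -HttpListener $listener `
              -StatusCode HttpStatus403 -CustomErrorPageUrl "$errBase/403.html"
$listener = Add-AzApplicationGatewayCustomError -HttpListener $listener `
              -StatusCode HttpStatus502 -CustomErrorPageUrl "$errBase/502.html"

# Global page: used by every listener that has no page of its own for that status code.
$gw = Add-AzApplicationGatewayCustomError -ApplicationGateway $gw `
        -StatusCode HttpStatus502 -CustomErrorPageUrl "$errBase/502-global.html"

Set-AzApplicationGateway -ApplicationGateway $gw

# Verify what was stored, per listener and globally.
Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name httpsListener |
    Select-Object -ExpandProperty CustomErrorConfigurations
$gw.CustomErrorConfigurations
```

Because the gateway fetches the page from the blob URL, keep the HTML static and free of references to private resources: a 403 WAF page that loads scripts from an origin the WAF is protecting defeats the purpose of serving it from outside the application.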

TLS policy

You can centralize TLS/SSL certificate management and reduce encryption-decryption overhead for a back-end server farm. Centralized TLS handling also lets you specify a central TLS policy that's suited to your security requirements. You can choose a default, predefined, or custom TLS policy.

You configure a TLS policy to control TLS protocol versions. You can configure an application gateway to use a minimum protocol version for TLS handshakes from TLS1.0, TLS1.1, and TLS1.2. By default, SSL 2.0 and 3.0 are disabled and aren't configurable. For more information, see Application Gateway TLS policy overview.

After you create a listener, you associate it with a request-routing rule. That rule determines how requests that are received on the listener are routed to the back end.

Next steps
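The following Azure PowerShell script is an added example and is not code from the original article or from Microsoft. It shows both ways of pinning the minimum protocol version described above: selecting a predefined policy, and defining a custom policy with an explicit minimum version and cipher-suite list, followed by a read-back of the stored policy. It assumes a gateway named "test" in resource group "hm" (names from this article's HTTP/2 snippet); the predefined policy name AppGwSslPolicy20170401S and the cipher-suite identifiers are values from the Application Gateway service, which `Get-AzApplicationGatewayAvailableSslOptions` enumerates.

```powershell
# Added example (not from the original article). Gateway name and resource group are assumptions.
$gw = Get-AzApplicationGateway -Name test -ResourceGroupName hm

# List the predefined policies, protocol versions and cipher suites the service offers,
# so that the names used below can be checked against the live catalogue.
Get-AzApplicationGatewayAvailableSslOptions

# Option A: a predefined policy. AppGwSslPolicy20170401S sets the minimum version to TLS 1.2.
$gw = Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw `
        -PolicyType Predefined -PolicyName AppGwSslPolicy20170401S

# Option B: a custom policy. TLS 1.2 minimum and only forward-secret AEAD suites, so a client
# that offers TLS 1.0/1.1 or CBC-only suites cannot complete the handshake.
$gw = Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw `
        -PolicyType Custom -MinProtocolVersion TLSv1_2 `
        -CipherSuite "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", `
                     "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", `
                     "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", `
                     "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

Set-AzApplicationGateway -ApplicationGateway $gw

# Read back what is now in effect; MinProtocolVersion should report TLSv1_2.
Get-AzApplicationGatewaySslPolicy -ApplicationGateway $gw
```

Option B overwrites Option A; they are shown together only to contrast the two forms. Whichever you choose, the read-back at the end is the check to keep in any deployment script, since the policy is set on the whole gateway and applies to every HTTPS listener on it.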