Overview of SSL termination and end to end SSL with Application Gateway

Secure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and encrypted. Application Gateway supports both SSL termination at the gateway and end to end SSL encryption.

SSL termination

Application Gateway supports SSL termination at the gateway, after which traffic typically flows unencrypted to the backend servers. Doing SSL termination at the application gateway has a number of advantages:

  • Improved performance - The biggest performance hit in SSL decryption is the initial handshake. To improve performance, the server doing the decryption caches SSL session IDs and manages TLS session tickets. When this is done at the application gateway, all requests from the same client can use the cached values. When it is done on the backend servers, the client has to re-authenticate every time its requests land on a different server. TLS tickets can help mitigate this, but not all clients support them and they can be difficult to configure and manage.
  • Better utilization of the backend servers - SSL/TLS processing is very CPU intensive and becomes more so as key sizes increase. Removing this work from the backend servers lets them focus on what they do most efficiently: delivering content.
  • Intelligent routing - By decrypting the traffic, the application gateway has access to the request content, such as headers and URI, and can use this data to route requests.
  • Certificate management - Certificates only need to be purchased and installed on the application gateway, not on every backend server. This saves both time and money.

To configure SSL termination, an SSL certificate must be added to the listener so that the application gateway can derive a symmetric key as the SSL protocol specification requires. That symmetric key is then used to encrypt and decrypt the traffic sent to the gateway. The SSL certificate must be in Personal Information Exchange (PFX) format, because that format carries the private key the application gateway needs to encrypt and decrypt traffic.

Note

Application Gateway does not provide any capability to create a new certificate or to send a certificate request to a certification authority.

For the SSL connection to work, make sure the SSL certificate meets the following conditions:

  • The current date and time is within the "Valid from" and "Valid to" date range on the certificate.
  • The certificate's Common Name (CN) matches the host header in the request. For example, if the client is making a request to https://www.contoso.com/, the CN must be www.contoso.com.

Certificates supported for SSL termination

Application Gateway supports the following types of certificates:

  • CA (Certificate Authority) certificate: a digital certificate issued by a certificate authority (CA).
  • EV (Extended Validation) certificate: a certificate issued under the industry-standard EV guidelines. Browsers turn the address bar green and also display the company name for such a certificate.
  • Wildcard certificate: supports any number of subdomains of the form *.site.com, where your subdomain replaces the *. It does not, however, cover site.com itself, so if users reach your website without typing the leading "www", the wildcard certificate will not cover that.
  • Self-signed certificate: client browsers do not trust these certificates and warn the user that the virtual service's certificate is not part of a trust chain. Self-signed certificates are good for testing, or for environments where administrators control the clients and can safely bypass the browser's security alerts. Production workloads should never use self-signed certificates.

For more information, see Configure SSL termination with Application Gateway.
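The listener-certificate requirements above (PFX format carrying the private key, current time inside the "Valid from"/"Valid to" window, CN matching the host header, and the wildcard rule from the certificate-type list) can be rehearsed with the openssl CLI before anything is uploaded. The script below is an added example and is not part of the original page or of Application Gateway itself: it generates self-signed test certificates for the constructed names www.contoso.com and *.contoso.com, exports a PFX, and applies the same checks with `openssl verify -verify_hostname`, which implements host-name matching (including the one-label wildcard rule) and the validity-window check. The PFX password `ChangeMe`, the temporary directory and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page or from Application Gateway):
# pre-flight checks for a listener certificate using the openssl CLI.
set -eu

WORK=$(mktemp -d)            # scratch directory (assumption)
PFX_PASS='ChangeMe'          # constructed PFX password (assumption)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed test certificate with subject CN=$1 into $2.key / $2.pem.
# Self-signed certificates are for testing only, as the page states.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}

# Application Gateway needs PFX (PKCS#12) because the bundle must carry the
# private key; wrap $1.key + $1.pem into $1.pfx.
export_pfx() {
    openssl pkcs12 -export -inkey "$1.key" -in "$1.pem" -out "$1.pfx" \
        -passout "pass:$PFX_PASS" 2>/dev/null
}

# Count the private keys inside $1.pfx (the gateway expects exactly one).
pfx_key_count() {
    openssl pkcs12 -in "$1.pfx" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
        | grep -c -- '-----BEGIN.*PRIVATE KEY-----' || true
}

# Succeeds when certificate $1 is still within "Valid to" $2 seconds from now
# (0 = right now; a larger value is an operational early warning).
valid_for_seconds() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Succeeds when host $2 is covered by certificate $1's CN (or SAN), applying
# the wildcard rule, and the current time lies inside the validity window.
# The self-signed test certificate serves as its own trust anchor here.
covers_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Negation of covers_host, for the cases the page says must NOT match.
refuses_host() {
    ! covers_host "$1" "$2"
}

# Print PASS/FAIL for a check given as a command line.
report() {
    desc=$1; shift
    if "$@"; then echo "PASS: $desc"; else echo "FAIL: $desc"; fi
}

make_test_cert www.contoso.com "$WORK/listener"
export_pfx "$WORK/listener"
openssl x509 -in "$WORK/listener.pem" -noout -subject -startdate -enddate

report "PFX carries exactly one private key" \
    [ "$(pfx_key_count "$WORK/listener")" = 1 ]
report "certificate is valid right now" valid_for_seconds "$WORK/listener.pem" 0
report "certificate does not expire within 30 days" \
    valid_for_seconds "$WORK/listener.pem" 2592000
report "CN www.contoso.com matches host header www.contoso.com" \
    covers_host "$WORK/listener.pem" www.contoso.com
report "CN www.contoso.com rejects host header contoso.com" \
    refuses_host "$WORK/listener.pem" contoso.com

make_test_cert '*.contoso.com' "$WORK/wild"
report "wildcard *.contoso.com covers www.contoso.com" \
    covers_host "$WORK/wild.pem" www.contoso.com
report "wildcard *.contoso.com does not cover bare contoso.com" \
    refuses_host "$WORK/wild.pem" contoso.com
report "wildcard *.contoso.com does not cover a.b.contoso.com" \
    refuses_host "$WORK/wild.pem" a.b.contoso.com
```

Run the script as-is; every line should read PASS. The last two checks are the practical consequence of the wildcard rule: a wildcard certificate protects exactly one label, so both the bare domain and a deeper subdomain need their own coverage. Modern browsers additionally require the name in a Subject Alternative Name rather than only in the CN, so a production certificate should carry the SAN as well.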

End to end SSL encryption

Some customers may not want unencrypted communication to the backend servers. This could be due to security requirements, compliance requirements, or because the application only accepts a secure connection. For such applications, Application Gateway supports end to end SSL encryption.

End to end SSL lets you transmit sensitive data to the backend encrypted while still taking advantage of the Layer 7 load-balancing features that Application Gateway provides. Some of these features are cookie-based session affinity, URL-based routing, support for routing based on sites, and the ability to inject X-Forwarded-* headers.

When configured for end to end SSL, Application Gateway terminates the SSL session at the gateway and decrypts the user traffic. It then applies the configured rules to select an appropriate backend pool instance to route the traffic to. Application Gateway then initiates a new SSL connection to the backend server and re-encrypts the data using the backend server's public key certificate before transmitting the request to the backend. Any response from the web server goes through the same process back to the end user. End to end SSL is enabled by setting the protocol in the Backend HTTP Setting to HTTPS, which is then applied to a backend pool.

The SSL policy applies to both frontend and backend traffic. On the frontend, Application Gateway acts as the server and enforces the policy. On the backend, Application Gateway acts as the client and sends the protocol/cipher information as its preference during the SSL handshake.

Application Gateway only communicates with backend instances that have either whitelisted their certificate with the application gateway or whose certificates are signed by well-known CAs and whose certificate CN matches the host name in the HTTP backend settings. These include trusted Azure services such as Azure App Service web apps and Azure API Management.

If the certificates of the members in the backend pool are not signed by well-known CAs, each instance in the backend pool with end to end SSL enabled must be configured with a certificate to allow secure communication. Adding the certificate ensures that the application gateway only communicates with known backend instances, which further secures the end to end communication.

Note

Authentication certificate setup is not required for trusted Azure services such as Azure App Service web apps and Azure API Management.

Note

The certificate added to the Backend HTTP Setting to authenticate the backend servers can be the same as the certificate added to the listener for SSL termination at the application gateway, or a different one for enhanced security.

End to end SSL scenario

In this example, requests using TLS 1.2 are routed to backend servers in Pool1 over end to end SSL.

End to end SSL and whitelisting of certificates

Application Gateway only communicates with known backend instances that have whitelisted their certificate with the application gateway. To enable whitelisting of certificates, upload the public key of the backend server certificates (not the root certificate) to the application gateway. Only connections to known and whitelisted backends are then allowed; connections to any other backend result in a gateway error. Self-signed certificates are for test purposes only and are not recommended for production workloads. Such certificates must be whitelisted with the application gateway, as described in the preceding steps, before they can be used.
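The backend acceptance rule stated in this section and in the end to end SSL section above (a backend pool member is accepted when its certificate has been whitelisted with the gateway, or when it is signed by a well-known CA and its CN matches the host name in the backend HTTP settings) can be rehearsed locally. The script below is an added example, not the page's or Application Gateway's own code: it creates self-signed test certificates for the constructed backends backend.contoso.com and rogue.contoso.com, exports the first backend's public certificate as a DER .cer file (the object that is uploaded as an authentication certificate: it holds the public key and no private key), and mirrors the gateway's decision with a SHA-256 fingerprint match against the uploaded list, falling back to verification against the system's well-known CAs with a host-name check. The directory names and helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page or from Application Gateway):
# preparing a backend authentication certificate and mirroring the gateway's
# accept/reject rule for backend pool members.
set -eu

WORK=$(mktemp -d)                 # scratch directory (assumption)
ALLOWLIST="$WORK/auth-certs"      # stands in for the gateway's uploaded .cer files (assumption)
mkdir -p "$ALLOWLIST"
trap 'rm -rf "$WORK"' EXIT

# Self-signed certificate for a backend pool member with CN=$1 (test use only).
make_backend_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}

# What gets uploaded is the backend's public certificate in DER (.cer) form;
# the private key never leaves the backend server.
export_public_cer() {
    openssl x509 -in "$1" -outform DER -out "$2"
}

# SHA-256 fingerprint of certificate $1; $2 is its encoding, PEM or DER.
fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Mirror of the rule in the text: the gateway talks to backend certificate $1
# only if that exact certificate was uploaded (fingerprint match) or it chains
# to a well-known CA in the trust store and its name matches host name $2 from
# the backend HTTP settings.
backend_allowed() {
    cert=$1; host=$2
    fp=$(fingerprint "$cert" PEM)
    for cer in "$ALLOWLIST"/*.cer; do
        [ -f "$cer" ] || continue
        if [ "$(fingerprint "$cer" DER)" = "$fp" ]; then
            return 0
        fi
    done
    openssl verify -verify_hostname "$host" "$cert" >/dev/null 2>&1
}

make_backend_cert backend.contoso.com "$WORK/backend"
make_backend_cert rogue.contoso.com "$WORK/rogue"

# A self-signed backend is rejected until its certificate has been uploaded.
if backend_allowed "$WORK/backend.pem" backend.contoso.com; then
    echo "before upload: backend accepted (unexpected)"
else
    echo "before upload: self-signed backend rejected, as expected"
fi

# Upload step: only the public .cer goes into the list.
export_public_cer "$WORK/backend.pem" "$ALLOWLIST/backend.cer"
echo "uploaded fingerprint: $(fingerprint "$ALLOWLIST/backend.cer" DER)"

if backend_allowed "$WORK/backend.pem" backend.contoso.com; then
    echo "after upload: backend accepted"
fi
if backend_allowed "$WORK/rogue.pem" rogue.contoso.com; then
    echo "rogue backend accepted (unexpected)"
else
    echo "rogue backend rejected: not uploaded and not signed by a well-known CA"
fi
```

The fingerprint comparison is the point of the upload: a backend that presents any other certificate, even one with the right host name, is refused unless that certificate chains to a well-known CA. The .cer file produced by `export_public_cer` is the artifact attached to the Backend HTTP Setting as an authentication certificate.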

Note

Authentication certificate setup is not required for trusted Azure services such as Azure App Service.

Next steps

After learning about end to end SSL, go to Configure end to end SSL by using Application Gateway with PowerShell to create an application gateway that uses end to end SSL.