Troubleshoot App Service issues in Application Gateway

Learn how to diagnose and resolve issues you might encounter when Azure App Service is used as a back-end target with Azure Application Gateway.

Overview

In this article, you'll learn how to troubleshoot the following issues:

  • The app service URL is exposed in the browser when there's a redirection.
  • The app service ARRAffinity cookie domain is set to the app service host name, example.chinacloudsites.cn, instead of the original host.

When a back-end application sends a redirection response, you might want to redirect the client to a different URL than the one specified by the back-end application. You might want to do this when an app service is hosted behind an application gateway and requires the client to do a redirection to its relative path. An example is a redirect from contoso.chinacloudsites.cn/path1 to contoso.chinacloudsites.cn/path2.

When the app service sends a redirection response, it uses the same host name in the location header of its response as the one in the request it receives from the application gateway. For example, the client then makes the request directly to contoso.chinacloudsites.cn/path2 instead of going through the application gateway at contoso.com/path2. You don't want clients to bypass the application gateway.

This issue might happen for the following main reasons:

  • You have redirection configured on your app service. Redirection can be as simple as adding a trailing slash to the request.
  • You have Azure Active Directory authentication, which causes the redirection.

Also, when you use app services behind an application gateway, the domain name associated with the application gateway (example.com) is different from the domain name of the app service (say, example.chinacloudsites.cn). The domain value for the ARRAffinity cookie set by the app service carries the example.chinacloudsites.cn domain name, which isn't desirable. The original host name, example.com, should be the domain name value in the cookie.

Sample configuration

  • HTTP listener: Basic or multi-site
  • Back-end address pool: App Service
  • HTTP settings: Pick Hostname from Backend Address enabled
  • Probe: Pick Hostname from HTTP Settings enabled

Cause

App Service is a multitenant service, so it uses the host header in the request to route the request to the correct endpoint. The default domain name of App Services, *.chinacloudsites.cn (say, contoso.chinacloudsites.cn), is different from the application gateway's domain name (say, contoso.com).

The original request from the client has the application gateway's domain name, contoso.com, as the host name. You need to configure the application gateway to change the host name in the original request to the app service's host name when it routes the request to the app service back end. Use the switch Pick Hostname from Backend Address in the application gateway's HTTP setting configuration. Use the switch Pick Hostname from Backend HTTP Settings in the health probe configuration.

Application gateway changes the host name

When the app service does a redirection, it uses the overridden host name contoso.chinacloudsites.cn in the location header instead of the original host name contoso.com, unless configured otherwise. Check the following example request and response headers.

## Request headers to Application Gateway:

Request URL: http://www.contoso.com/path

Request Method: GET

Host: www.contoso.com

## Response headers:

Status Code: 301 Moved Permanently

Location: http://contoso.chinacloudsites.cn/path/

Server: Microsoft-IIS/10.0

Set-Cookie: ARRAffinity=b5b1b14066f35b3e4533a1974cacfbbd969bf1960b6518aa2c2e2619700e4010;Path=/;HttpOnly;Domain=contoso.chinacloudsites.cn

X-Powered-By: ASP.NET

In the previous example, notice that the response header has a status code of 301 for redirection. The location header has the app service's host name instead of the original host name www.contoso.com.

Solution: Rewrite the location header

Set the host name in the location header to the application gateway's domain name. To do this, create a rewrite rule with a condition that evaluates if the location header in the response contains chinacloudsites.cn. The rule must also perform an action to rewrite the location header to have the application gateway's host name. For more information, see instructions on how to rewrite the location header.

Note

The HTTP header rewrite support is only available for the Standard_v2 and WAF_v2 SKU of Application Gateway. If you use the v1 SKU, we recommend that you migrate from v1 to v2 so that you can use rewrite and other advanced capabilities that are available with the v2 SKU.

Alternate solution: Use a custom domain name

If you use v1 SKU, you can't rewrite the location header. This capability is only available for v2 SKU. To resolve the redirection issue, pass the same host name that the application gateway receives to the app service as well, instead of doing a host override.

The app service now does the redirection (if any) on the same original host header that points to the application gateway and not its own.

You must own a custom domain and follow this process:

  • Register the domain to the custom domain list of the app service. You must have a CNAME in your custom domain that points to the app service's FQDN. For more information, see Map an existing custom DNS name to Azure App Service.

    App service custom domain list

  • Your app service is ready to accept the host name www.contoso.com. Change your CNAME entry in DNS to point it back to the application gateway's FQDN, for example, appgw.chinanorth.chinacloudapp.cn.

  • Make sure that your domain www.contoso.com resolves to the application gateway's FQDN when you do a DNS query.

  • Set your custom probe to disable Pick Hostname from Backend HTTP Settings. In the Azure portal, clear the check box in the probe settings. In PowerShell, don't use the -PickHostNameFromBackendHttpSettings switch in the Set-AzApplicationGatewayProbeConfig command. In the host name field of the probe, enter your app service's FQDN, example.chinacloudsites.cn. The probe requests sent from the application gateway carry this FQDN in the host header.

    Note

    For the next step, make sure that your custom probe isn't associated to your back-end HTTP settings. Your HTTP settings still have the Pick Hostname from Backend Address switch enabled at this point.

  • Set your application gateway's HTTP settings to disable Pick Hostname from Backend Address. In the Azure portal, clear the check box. In PowerShell, don't use the -PickHostNameFromBackendAddress switch in the Set-AzApplicationGatewayBackendHttpSettings command.

  • Associate the custom probe back to the back-end HTTP settings, and verify that the back end is healthy.

  • The application gateway should now forward the same host name, www.contoso.com, to the app service. The redirection happens on the same host name. Check the following example request and response headers.

To implement the previous steps using PowerShell for an existing setup, use the sample PowerShell script that follows. Note how we haven't used the -PickHostname switches in the probe and HTTP settings configuration.

# Load the existing application gateway.
$gw=Get-AzApplicationGateway -Name AppGw1 -ResourceGroupName AppGwRG
# Probe the app service by its own FQDN; -PickHostNameFromBackendHttpSettings is deliberately omitted.
Set-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name AppServiceProbe -Protocol Http -HostName "example.chinacloudsites.cn" -Path "/" -Interval 30 -Timeout 30 -UnhealthyThreshold 3
$probe=Get-AzApplicationGatewayProbeConfig -Name AppServiceProbe -ApplicationGateway $gw
# HTTP settings without -PickHostNameFromBackendAddress, so the original host header is forwarded.
Set-AzApplicationGatewayBackendHttpSettings -Name appgwhttpsettings -ApplicationGateway $gw -Port 80 -Protocol Http -CookieBasedAffinity Disabled -Probe $probe -RequestTimeout 30
# Commit the updated configuration to the gateway.
Set-AzApplicationGateway -ApplicationGateway $gw

## Request headers to Application Gateway:

Request URL: http://www.contoso.com/path

Request Method: GET

Host: www.contoso.com

## Response headers:

Status Code: 301 Moved Permanently

Location: http://www.contoso.com/path/

Server: Microsoft-IIS/10.0

Set-Cookie: ARRAffinity=b5b1b14066f35b3e4533a1974cacfbbd969bf1960b6518aa2c2e2619700e4010;Path=/;HttpOnly;Domain=www.contoso.com

X-Powered-By: ASP.NET
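
To confirm from the client side that neither fix has left the app service host name exposed, the following added example (not part of the original article) checks a set of response headers for that name in the Location header and in the Set-Cookie Domain attribute. The two header samples are taken from this article with the cookie value shortened to a constructed placeholder; the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Response headers from this article's two samples; cookie value shortened (constructed).
BEFORE_FIX = """\
Location: http://contoso.chinacloudsites.cn/path/
Server: Microsoft-IIS/10.0
Set-Cookie: ARRAffinity=EXAMPLE;Path=/;HttpOnly;Domain=contoso.chinacloudsites.cn
X-Powered-By: ASP.NET
"""
AFTER_FIX = """\
Location: http://www.contoso.com/path/
Server: Microsoft-IIS/10.0
Set-Cookie: ARRAffinity=EXAMPLE;Path=/;HttpOnly;Domain=www.contoso.com
X-Powered-By: ASP.NET
"""


def host_matches(host, suffix):
    """True if host is the suffix itself or a subdomain of it (not a bare substring)."""
    host = host.lower().strip(".")
    suffix = suffix.lower().strip(".")
    return host == suffix or host.endswith("." + suffix)


def backend_host_leaks(raw_headers, backend_suffix="chinacloudsites.cn"):
    """Return (header, host) pairs where the app service host name reaches the client."""
    findings = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "location":
            # A relative Location has no host and cannot expose the back end.
            host = urlsplit(value).hostname or ""
            if host and host_matches(host, backend_suffix):
                findings.append(("Location", host))
        elif name == "set-cookie":
            # Attributes follow the first name=value pair, separated by ';'.
            for attr in value.split(";")[1:]:
                key, _, val = (part.strip() for part in attr.partition("="))
                if key.lower() == "domain" and host_matches(val, backend_suffix):
                    findings.append(("Set-Cookie Domain", val))
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, backend_host_leaks(sample))
```

The host comparison is done on label boundaries, so a name that merely ends with the same characters as the back-end domain is not reported.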

Next steps

If the preceding steps didn't resolve the issue, open a support ticket.