Troubleshoot App Service issues in Application Gateway

Learn how to diagnose and resolve issues you might encounter when Azure App Service is used as a back-end target with Azure Application Gateway.

Overview

In this article, you'll learn how to troubleshoot the following issues:

  • The app service URL is exposed in the browser when there's a redirection.
  • The app service ARRAffinity cookie domain is set to the app service host name, example.chinacloudsites.cn, instead of the original host.

When a back-end application sends a redirection response, you might want to redirect the client to a different URL than the one specified by the back-end application. You might want to do this when an app service is hosted behind an application gateway and requires the client to do a redirection to its relative path. An example is a redirect from contoso.chinacloudsites.cn/path1 to contoso.chinacloudsites.cn/path2.

When the app service sends a redirection response, it uses the same host name in the location header of its response as the one in the request it receives from the application gateway. For example, the client makes the request directly to contoso.chinacloudsites.cn/path2 instead of going through the application gateway contoso.com/path2. You don't want to bypass the application gateway.

This issue might happen for the following main reasons:

  • You have redirection configured on your app service. Redirection can be as simple as adding a trailing slash to the request.
  • You have Azure Active Directory authentication, which causes the redirection.

Also, when you use app services behind an application gateway, the domain name associated with the application gateway (example.com) is different from the domain name of the app service (say, example.chinacloudsites.cn). The domain value for the ARRAffinity cookie set by the app service carries the example.chinacloudsites.cn domain name, which isn't desirable. The original host name, example.com, should be the domain name value in the cookie.

Sample configuration

  • HTTP listener: Basic or multi-site
  • Back-end address pool: App Service
  • HTTP settings: Pick Hostname from Backend Address enabled
  • Probe: Pick Hostname from HTTP Settings enabled

Cause

App Service is a multitenant service, so it uses the host header in the request to route the request to the correct endpoint. The default domain name of App Services, *.chinacloudsites.cn (say, contoso.chinacloudsites.cn), is different from the application gateway's domain name (say, contoso.com).

The original request from the client has the application gateway's domain name, contoso.com, as the host name. You need to configure the application gateway to change the host name in the original request to the app service's host name when it routes the request to the app service back end. Use the switch Pick Hostname from Backend Address in the application gateway's HTTP setting configuration. Use the switch Pick Hostname from Backend HTTP Settings in the health probe configuration.

Application gateway changes host name

When the app service does a redirection, it uses the overridden host name contoso.chinacloudsites.cn in the location header instead of the original host name contoso.com, unless configured otherwise. Check the following example request and response headers.

## Request headers to Application Gateway:

Request URL: http://www.contoso.com/path

Request Method: GET

Host: www.contoso.com

## Response headers:

Status Code: 301 Moved Permanently

Location: http://contoso.chinacloudsites.cn/path/

Server: Microsoft-IIS/10.0

Set-Cookie: ARRAffinity=b5b1b14066f35b3e4533a1974cacfbbd969bf1960b6518aa2c2e2619700e4010;Path=/;HttpOnly;Domain=contoso.chinacloudsites.cn

X-Powered-By: ASP.NET

In the previous example, notice that the response header has a status code of 301 for redirection. The location header has the app service's host name instead of the original host name www.contoso.com.

Solution: Rewrite the location header

Set the host name in the location header to the application gateway's domain name. To do this, create a rewrite rule with a condition that evaluates if the location header in the response contains chinacloudsites.cn. It must also perform an action to rewrite the location header to have the application gateway's host name. For more information, see instructions on how to rewrite the location header.

Note

The HTTP header rewrite support is only available for the Standard_v2 and WAF_v2 SKU of Application Gateway. We recommend migrating to v2 for Header Rewrite and other advanced capabilities that are available with v2 SKU.
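
The rewrite rule described above, written with the Az PowerShell rewrite cmdlets as an added example that is not part of the original article. The rule name, rule-set name, routing rule name rule1, and a basic (not path-based) routing rule are assumptions; AppGw1, AppGwRG and www.contoso.com follow the article's samples.

```powershell
# Added example; values marked "assumed" are placeholders, not taken from the article.
$publicHost = 'www.contoso.com'   # host name clients use to reach the gateway

# Condition: the response Location header points at the App Service default domain.
# Capture group 1 = scheme, group 2 = path and query string.
$condition = New-AzApplicationGatewayRewriteRuleCondition `
    -Variable 'http_resp_Location' `
    -Pattern '(https?):\/\/.*chinacloudsites\.cn(.*)$' `
    -IgnoreCase

# Action: rebuild Location with the gateway host, keeping scheme and path.
$header = New-AzApplicationGatewayRewriteRuleHeaderConfiguration `
    -HeaderName 'Location' `
    -HeaderValue ('{http_resp_Location_1}://' + $publicHost + '{http_resp_Location_2}')
$actionSet = New-AzApplicationGatewayRewriteRuleActionSet -ResponseHeaderConfiguration $header

# Rule and rule-set names are assumed.
$rule = New-AzApplicationGatewayRewriteRule -Name 'RewriteLocationHost' `
    -ActionSet $actionSet -Condition $condition -RuleSequence 100
$ruleSet = New-AzApplicationGatewayRewriteRuleSet -Name 'AppServiceRewrites' -RewriteRule $rule

$gw = Get-AzApplicationGateway -Name AppGw1 -ResourceGroupName AppGwRG
Add-AzApplicationGatewayRewriteRuleSet -ApplicationGateway $gw `
    -Name $ruleSet.Name -RewriteRule $ruleSet.RewriteRules | Out-Null

# Attach the rule set to the routing rule in front of the app service
# (assumed: a basic rule named 'rule1'); existing references are carried over.
$rr = Get-AzApplicationGatewayRequestRoutingRule -Name 'rule1' -ApplicationGateway $gw
$params = @{
    ApplicationGateway    = $gw
    Name                  = $rr.Name
    RuleType              = $rr.RuleType
    HttpListenerId        = $rr.HttpListener.Id
    BackendAddressPoolId  = $rr.BackendAddressPool.Id
    BackendHttpSettingsId = $rr.BackendHttpSettings.Id
    RewriteRuleSetId      = $ruleSet.Id
}
if ($rr.Priority) { $params.Priority = $rr.Priority }   # keep an existing priority
Set-AzApplicationGatewayRequestRoutingRule @params | Out-Null

# Commit the updated configuration to Azure.
Set-AzApplicationGateway -ApplicationGateway $gw
```

This rule changes only the Location header; the ARRAffinity cookie domain is addressed by the custom domain approach in the next section.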

Alternate solution: Use a custom domain name

Using App Service's Custom Domain feature is another solution to always redirect the traffic to Application Gateway's domain name (www.contoso.com in our example). This configuration also serves as a solution for the ARR Affinity cookie problem. By default, the ARRAffinity cookie domain is set to the App Service's default host name (example.chinacloudsites.cn) instead of the Application Gateway's domain name. Therefore, the browser in such cases will reject the cookie because the domain name of the request differs from the domain name in the cookie.

You can follow the given method for both the redirection and the ARRAffinity cookie domain mismatch issues. This method requires access to your custom domain's DNS zone.

Step 1: Set a Custom Domain in App Service and verify the domain ownership by adding the CNAME & TXT DNS records. The records would look similar to:

  • www.contoso.com IN CNAME contoso.azurewebsite.net
  • asuid.www.contoso.com IN TXT "<verification id string>"

Step 2: The CNAME record in the previous step was only needed for the domain verification. Ultimately, we need the traffic to route via Application Gateway. You can thus modify www.contoso.com's CNAME now to point to Application Gateway's FQDN. To set an FQDN for your Application Gateway, navigate to its Public IP address resource and assign a "DNS Name label" for it. The updated CNAME record should now look like this:

  • www.contoso.com IN CNAME contoso.chinanorth2.chinacloudapp.cn

Step 3: Disable "Pick Hostname from Backend Address" for the associated HTTP Setting.

In PowerShell, don't use the -PickHostNameFromBackendAddress switch in the Set-AzApplicationGatewayBackendHttpSettings command.

Step 4: For the probes to determine that the back end is healthy and can serve traffic, set a custom health probe with the Host field set to the custom or default domain of the App Service.

In PowerShell, don't use the -PickHostNameFromBackendHttpSettings switch in the Set-AzApplicationGatewayProbeConfig command and use either the custom or default domain of the App Service in the -HostName switch of the probe.

To implement the previous steps using PowerShell for an existing setup, use the sample PowerShell script that follows. Note how we haven't used the -PickHostname switches in the probe and HTTP settings configuration.

# Load the existing application gateway.
$gw = Get-AzApplicationGateway -Name AppGw1 -ResourceGroupName AppGwRG
# Probe with an explicit host name (no -PickHostNameFromBackendHttpSettings switch).
Set-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name AppServiceProbe -Protocol Http -HostName "example.chinacloudsites.cn" -Path "/" -Interval 30 -Timeout 30 -UnhealthyThreshold 3
$probe = Get-AzApplicationGatewayProbeConfig -Name AppServiceProbe -ApplicationGateway $gw
# HTTP settings without -PickHostNameFromBackendAddress, so the original Host header is sent to the back end.
Set-AzApplicationGatewayBackendHttpSettings -Name appgwhttpsettings -ApplicationGateway $gw -Port 80 -Protocol Http -CookieBasedAffinity Disabled -Probe $probe -RequestTimeout 30
# Commit the updated configuration to Azure.
Set-AzApplicationGateway -ApplicationGateway $gw

## Request headers to Application Gateway:

Request URL: http://www.contoso.com/path

Request Method: GET

Host: www.contoso.com

## Response headers:

Status Code: 301 Moved Permanently

Location: http://www.contoso.com/path/

Server: Microsoft-IIS/10.0

Set-Cookie: ARRAffinity=b5b1b14066f35b3e4533a1974cacfbbd969bf1960b6518aa2c2e2619700e4010;Path=/;HttpOnly;Domain=www.contoso.com

X-Powered-By: ASP.NET
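
To confirm either fix from captured response headers, the following added example (not part of the original article) reports any Location header or Set-Cookie Domain attribute that still carries the App Service host name. The function name Get-BackendHostLeak and its parameters are hypothetical; the sample lines are the Location and Set-Cookie headers from the article's two samples, with the cookie value replaced by a placeholder.

```powershell
# Added example: report response headers that still expose the App Service host name.
function Get-BackendHostLeak {
    param(
        [Parameter(Mandatory)][string[]]$HeaderLines,
        [string]$BackendSuffix = 'chinacloudsites.cn'
    )
    # Match the suffix only at a DNS label boundary.
    $hostPattern = '(^|\.)' + [regex]::Escape($BackendSuffix) + '$'
    foreach ($line in $HeaderLines) {
        $name, $value = $line -split ':\s*', 2
        if (-not $value) { continue }
        if ($name -ieq 'Location') {
            # Relative redirects carry no host name, so only absolute URLs are checked.
            $uri = $null
            if ([uri]::TryCreate($value.Trim(), [UriKind]::Absolute, [ref]$uri) -and
                $uri.Host -match $hostPattern) {
                [pscustomobject]@{ Header = 'Location'; Host = $uri.Host }
            }
        }
        elseif ($name -ieq 'Set-Cookie') {
            # Cookie attributes are separated by ';'. Only Domain is relevant here.
            foreach ($attr in ($value -split ';')) {
                $k, $v = $attr.Trim() -split '=', 2
                if ($k -ieq 'Domain' -and $v -and $v.Trim() -match $hostPattern) {
                    [pscustomobject]@{ Header = 'Set-Cookie Domain'; Host = $v.Trim() }
                }
            }
        }
    }
}

# Header lines from the article's first sample (default App Service host name).
$before = @(
    'Location: http://contoso.chinacloudsites.cn/path/'
    'Set-Cookie: ARRAffinity=<value>;Path=/;HttpOnly;Domain=contoso.chinacloudsites.cn'
)
# Header lines from the article's second sample (custom domain configured).
$after = @(
    'Location: http://www.contoso.com/path/'
    'Set-Cookie: ARRAffinity=<value>;Path=/;HttpOnly;Domain=www.contoso.com'
)
Get-BackendHostLeak -HeaderLines $before
Get-BackendHostLeak -HeaderLines $after
```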

Next steps

If the preceding steps didn't resolve the issue, open a support ticket.