Connect to a secure service with the reverse proxy

This article explains how to establish a secure connection between the reverse proxy and services, thus enabling an end-to-end secure channel. To learn more about the reverse proxy, see Reverse proxy in Azure Service Fabric.

Important

Connecting to secure services is supported only when the reverse proxy is configured to listen on HTTPS. This article assumes this is the case. Refer to Setup reverse proxy in Azure Service Fabric to configure the reverse proxy in Service Fabric.

Secure connection establishment between the reverse proxy and services

Reverse proxy authenticating to services:

The reverse proxy identifies itself to services using its certificate. For Azure clusters, the certificate is specified with the reverseProxyCertificate property in the Microsoft.ServiceFabric/clusters resource type section of the Resource Manager template. For standalone clusters, the certificate is specified with either the ReverseProxyCertificate or the ReverseProxyCertificateCommonNames property in the Security section of ClusterConfig.json. To learn more, see Enable reverse proxy on standalone clusters.

Services can implement the logic to verify the certificate presented by the reverse proxy. The services can specify the accepted client certificate details as configuration settings in the configuration package. These settings can be read at runtime and used to validate the certificate presented by the reverse proxy. Refer to Manage application parameters to add the configuration settings.

Reverse proxy verifying the service's identity via the certificate presented by the service:

The reverse proxy supports the following policies for validating the server certificates presented by services: None, ServiceCommonNameAndIssuer, and ServiceCertificateThumbprints. To select the policy for the reverse proxy to use, specify ApplicationCertificateValidationPolicy in the ApplicationGateway/Http section under fabricSettings.

The next section shows configuration details for each of these options.

Service certificate validation options

  • None: The reverse proxy skips verification of the proxied service's certificate and establishes the secure connection. This is the default behavior. Specify ApplicationCertificateValidationPolicy with the value None in the ApplicationGateway/Http section.

    {
    "fabricSettings": [
             ...
             {
               "name": "ApplicationGateway/Http",
               "parameters": [
                 {
                   "name": "ApplicationCertificateValidationPolicy",
                   "value": "None"
                 }
               ]
             }
           ],
           ...
    }
    
  • ServiceCommonNameAndIssuer: The reverse proxy verifies the certificate presented by the service based on the certificate's common name and the immediate issuer's thumbprint. Specify ApplicationCertificateValidationPolicy with the value ServiceCommonNameAndIssuer in the ApplicationGateway/Http section.

    {
    "fabricSettings": [
             ...
             {
               "name": "ApplicationGateway/Http",
               "parameters": [
                 {
                   "name": "ApplicationCertificateValidationPolicy",
                   "value": "ServiceCommonNameAndIssuer"
                 }
               ]
             }
           ],
           ...
    }
    

    To specify the list of service common names and issuer thumbprints, add an ApplicationGateway/Http/ServiceCommonNameAndIssuer section under fabricSettings, as shown below. Multiple certificate common name and issuer thumbprint pairs can be added in the parameters array.

    If the endpoint the reverse proxy is connecting to presents a certificate whose common name and issuer thumbprint match any of the values specified here, a TLS channel is established. If the certificate details do not match, the reverse proxy fails the client's request with a 502 (Bad Gateway) status code. The HTTP status line will also contain the phrase "Invalid SSL Certificate".

    {
    "fabricSettings": [
             ...
             {
               "name": "ApplicationGateway/Http/ServiceCommonNameAndIssuer",
               "parameters": [
                 {
                   "name": "WinFabric-Test-Certificate-CN1",
                   "value": "b3 44 9b 01 8d 0f 68 39 a2 c5 d6 2b 5b 6c 6a c8 22 b4 22 11"
                 },
                 {
                   "name": "WinFabric-Test-Certificate-CN2",
                   "value": "b3 44 9b 01 8d 0f 68 39 a2 c5 d6 2b 5b 6c 6a c8 22 11 33 44"
                 }
               ]
             }
           ],
           ...
    }
    
  • ServiceCertificateThumbprints: The reverse proxy verifies the proxied service's certificate based on its thumbprint. You can choose this route when the services are configured with self-signed certificates. Specify ApplicationCertificateValidationPolicy with the value ServiceCertificateThumbprints in the ApplicationGateway/Http section.

    {
    "fabricSettings": [
             ...
             {
               "name": "ApplicationGateway/Http",
               "parameters": [
                 {
                   "name": "ApplicationCertificateValidationPolicy",
                   "value": "ServiceCertificateThumbprints"
                 }
               ]
             }
           ],
           ...
    }
    

    Also specify the thumbprints with a ServiceCertificateThumbprints entry in the ApplicationGateway/Http section. Multiple thumbprints can be specified as a comma-separated list in the value field, as shown below:

    {
    "fabricSettings": [
             ...
             {
               "name": "ApplicationGateway/Http",
               "parameters": [
                   ...
                 {
                   "name": "ServiceCertificateThumbprints",
                   "value": "78 12 20 5a 39 d2 23 76 da a0 37 f0 5a ed e3 60 1a 7e 64 bf,78 12 20 5a 39 d2 23 76 da a0 37 f0 5a ed e3 60 1a 7e 64 b9"
                 }
               ]
             }
           ],
           ...
    }
    

    If the thumbprint of the server certificate is listed in this config entry, the reverse proxy establishes the TLS connection. Otherwise, it terminates the connection and fails the client's request with a 502 (Bad Gateway). The HTTP status line will also contain the phrase "Invalid SSL Certificate".
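As an added illustration (not code from this page or from Service Fabric itself), the following Python models how the three policies map the fabricSettings fragments above onto the proxy's accept-or-502 decision. The settings fragment is constructed from the page's own example values with the `...` placeholders removed, and the certificate attributes are passed in directly rather than parsed from a real certificate.

```python
import json

# Constructed fabricSettings fragment built from the page's examples (the "..."
# placeholders removed so it parses); POLICY is filled in per scenario.
TEMPLATE = """{"fabricSettings": [
  {"name": "ApplicationGateway/Http", "parameters": [
    {"name": "ApplicationCertificateValidationPolicy", "value": "POLICY"},
    {"name": "ServiceCertificateThumbprints",
     "value": "78 12 20 5a 39 d2 23 76 da a0 37 f0 5a ed e3 60 1a 7e 64 bf,78 12 20 5a 39 d2 23 76 da a0 37 f0 5a ed e3 60 1a 7e 64 b9"}]},
  {"name": "ApplicationGateway/Http/ServiceCommonNameAndIssuer", "parameters": [
    {"name": "WinFabric-Test-Certificate-CN1",
     "value": "b3 44 9b 01 8d 0f 68 39 a2 c5 d6 2b 5b 6c 6a c8 22 b4 22 11"}]}]}"""

def settings_for(policy):
    return json.loads(TEMPLATE.replace("POLICY", policy))

def section(settings, name):
    """Parameters of one fabricSettings section as a name -> value dict."""
    for s in settings["fabricSettings"]:
        if s["name"] == name:
            return {p["name"]: p["value"] for p in s["parameters"]}
    return {}

def norm(thumbprint):
    """Compare thumbprints with separators stripped and case folded."""
    return thumbprint.replace(" ", "").replace(":", "").lower()

def validate_service_cert(settings, common_name, issuer_thumbprint, thumbprint):
    """Model of the proxy's decision: None when the TLS channel is established,
    otherwise the (status code, status-line phrase) the client sees."""
    http = section(settings, "ApplicationGateway/Http")
    policy = http.get("ApplicationCertificateValidationPolicy", "None")
    if policy == "None":
        return None  # default: no verification of the service certificate
    if policy == "ServiceCommonNameAndIssuer":
        pairs = section(settings, "ApplicationGateway/Http/ServiceCommonNameAndIssuer")
        expected = pairs.get(common_name)
        if expected is not None and norm(expected) == norm(issuer_thumbprint):
            return None
    elif policy == "ServiceCertificateThumbprints":
        raw = http.get("ServiceCertificateThumbprints", "")
        allowed = {norm(t) for t in raw.split(",") if t.strip()}
        if norm(thumbprint) in allowed:
            return None
    return (502, "Invalid SSL Certificate")
```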

Endpoint selection logic when services expose secure as well as unsecured endpoints

Service Fabric supports configuring multiple endpoints for a service. For more information, see Specify resources in a service manifest.

The reverse proxy selects one of the endpoints to forward the request to based on the ListenerName query parameter in the service URI. If the ListenerName parameter is not specified, the reverse proxy can pick any endpoint from the endpoint list. Depending on the endpoints configured for the service, the selected endpoint can be an HTTP or an HTTPS endpoint. There might be scenarios or requirements where you want the reverse proxy to operate in a "secure-only mode"; that is, you don't want the secure reverse proxy to forward requests to unsecured endpoints. To set the reverse proxy to secure-only mode, specify the SecureOnlyMode configuration entry with the value true in the ApplicationGateway/Http section.

{
"fabricSettings": [
          ...
          {
            "name": "ApplicationGateway/Http",
            "parameters": [
                ...
              {
                "name": "SecureOnlyMode",
                "value": true
              }
            ]
          }
        ],
        ...
}

Note

SecureOnlyMode 下运行时,如果客户端已指定对应于 HTTP(不安全)终结点的 ListenerName,则反向代理拒绝请求,并显示 404 (Not Found) HTTP 状态代码。When operating in SecureOnlyMode, if a client has specified a ListenerName corresponding to an HTTP(unsecured) endpoint, reverse proxy fails the request with a 404 (Not Found) HTTP status code.

通过反向代理设置客户端证书身份验证Setting up client certificate authentication through the reverse proxy

反向代理会发生 TLS 终止,并且所有客户端证书数据都会丢失。TLS termination happens at the reverse proxy and all the client certificate data is lost. 若要让服务执行客户端证书身份验证,请在 ApplicationGateway/Http 节中指定 ForwardClientCertificate 设置。For the services to perform client certificate authentication, specify the ForwardClientCertificate setting in the ApplicationGateway/Http section.

  1. 如果将“ForwardClientCertificate”设置为“false” ,在反向代理与客户端执行 TLS 握手期间,反向代理不会请求客户端证书。When ForwardClientCertificate is set to false, reverse proxy will not request the client certificate during its TLS handshake with the client. 这是默认行为。This is the default behavior.

  2. 如果将“ForwardClientCertificate”设置为“true” ,在反向代理与客户端执行 TLS 握手期间,反向代理会请求客户端的证书。When ForwardClientCertificate is set to true, reverse proxy requests the client's certificate during its TLS handshake with the client. 然后,将会转发名为 X-Client-Certificate 的自定义 HTTP 标头中的客户端证书数据。It will then forward the client certificate data in a custom HTTP header named X-Client-Certificate. 标头值是客户端证书的 base64 编码 PEM 格式字符串。The header value is the base64 encoded PEM format string of the client's certificate. 检查证书数据后,服务可能会成功/无法处理请求并返回相应的状态代码。The service can succeed/fail the request with appropriate status code after inspecting the certificate data. 如果客户端未提供证书,反向代理将转发空标头,并让服务处理这种情况。If the client does not present a certificate, reverse proxy forwards an empty header and lets the service handle the case.

Note

The reverse proxy acts only as a forwarding service. It will not perform any validation of the client's certificate.
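An added example (not from this page or from Service Fabric) of what a service can do with the forwarded X-Client-Certificate header, since the proxy itself validates nothing: undo the base64-of-PEM encoding, compute the SHA-1 thumbprint over the DER bytes, and compare it with an allowlist the service reads from its configuration package. The DER stand-in, the PEM line layout and the status codes chosen are assumptions made for the illustration.

```python
import base64
import hashlib

# Constructed stand-in for a DER-encoded certificate so the example runs
# offline; a real header carries a full X.509 certificate, decoded the same way.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256))

def pem_from_der(der):
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def make_header(der):
    """What the proxy forwards: base64 of the PEM text (layout assumed here)."""
    return base64.b64encode(pem_from_der(der).encode("ascii")).decode("ascii")

def der_from_header(header):
    """Undo both encodings. None for an absent or empty header; ValueError when
    the header is present but not well-formed."""
    if not header or not header.strip():
        return None
    try:
        pem = base64.b64decode(header.strip(), validate=True).decode("ascii")
        b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
        return base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError are ValueErrors
        raise ValueError("malformed X-Client-Certificate header") from exc

def sha1_thumbprint(der):
    # Service Fabric thumbprints are SHA-1 over the DER bytes, the same form as
    # the "78 12 20 5a ..." values used in cluster configuration.
    return hashlib.sha1(der).hexdigest()

def norm(thumbprint):
    return thumbprint.replace(" ", "").replace(":", "").lower()

def authorize(header, allowed_thumbprints):
    """Status the service should return, given the forwarded header and the
    thumbprints it accepts (read from its configuration package in practice)."""
    try:
        der = der_from_header(header)
    except ValueError:
        return 400
    if der is None:
        return 401  # empty header: the client presented no certificate
    if sha1_thumbprint(der) in {norm(t) for t in allowed_thumbprints}:
        return 200
    return 403
```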

Next steps