Tutorial: Map an existing custom domain to Azure Spring Cloud

Domain Name Service (DNS) is a technique for storing network node names throughout a network. This tutorial maps a domain, such as www.contoso.com, using a CNAME record. It secures the custom domain with a certificate and shows how to enforce Transport Layer Security (TLS), also known as Secure Sockets Layer (SSL).

Certificates encrypt web traffic. These TLS/SSL certificates can be stored in Azure Key Vault.

Prerequisites

The Azure Spring Cloud management IPs are not yet part of the Azure Trusted Microsoft services. Therefore, to allow Azure Spring Cloud to load certificates from a Key Vault protected with private endpoint connections, you must add the following IPs to the Azure Key Vault firewall:

20.53.123.160 52.143.241.210 40.65.234.114 52.142.20.14 20.54.40.121 40.80.210.49 52.253.84.152 20.49.137.168 40.74.8.134 51.143.48.243

Import certificate

Prepare your certificate file in PFX (optional)

Azure Key Vault supports importing private certificates in PEM and PFX format. If the PEM file you obtained from your certificate provider doesn't work in the section below, Save certificate in Key Vault, follow the steps here to generate a PFX for Azure Key Vault.

Merge intermediate certificates

If your certificate authority gives you multiple certificates in the certificate chain, you need to merge the certificates in order.

To do this, open each certificate you received in a text editor.

Create a file for the merged certificate, called mergedcertificate.crt. In a text editor, copy the content of each certificate into this file. The order of your certificates should follow the order in the certificate chain, beginning with your certificate and ending with the root certificate. It looks like the following example:

-----BEGIN CERTIFICATE-----
<your entire Base64 encoded SSL certificate>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<The entire Base64 encoded intermediate certificate 1>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<The entire Base64 encoded intermediate certificate 2>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<The entire Base64 encoded root certificate>
-----END CERTIFICATE-----

Export certificate to PFX

Export your merged TLS/SSL certificate with the private key that your certificate request was generated with.

If you generated your certificate request using OpenSSL, then you have already created a private key file. To export your certificate to PFX, run the following command. Replace the placeholders <private-key-file> and <merged-certificate-file> with the paths to your private key and your merged certificate file.

openssl pkcs12 -export -out myserver.pfx -inkey <private-key-file> -in <merged-certificate-file>

When prompted, define an export password. You'll use this password when uploading your TLS/SSL certificate to Azure Key Vault later.

If you used IIS or Certreq.exe to generate your certificate request, install the certificate on your local machine, and then export the certificate to PFX.
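The merge and export steps above, as an added shell example that is not part of the original tutorial. It assumes the file names server.crt, intermediate1.crt, intermediate2.crt, root.crt and server.key and that openssl is installed; merge_chain refuses any input that is not exactly one PEM certificate, and show_chain_order prints subject and issuer so you can confirm that each certificate's issuer is the subject of the one that follows it.

```shell
#!/bin/sh
# Added example: merge a certificate chain leaf -> intermediates -> root and export it
# with the private key as a PFX for Azure Key Vault. File names below are assumptions.

# Number of PEM certificate blocks in a file (prints 0 when there are none).
pem_block_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# merge_chain OUT LEAF INTERMEDIATE... ROOT
# Appends the inputs to OUT in the order given; that order is the chain order.
# Refuses any input that does not contain exactly one complete PEM certificate.
merge_chain() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
    if [ "${begins:-0}" -ne 1 ] || [ "${ends:-0}" -ne 1 ]; then
      echo "refusing $f: expected exactly one PEM certificate, found ${begins:-0}" >&2
      return 1
    fi
    cat "$f" >> "$out"
    printf '\n' >> "$out"
  done
}

# Print subject and issuer of every certificate in the merged file, in order.
# In a correctly ordered chain each issuer equals the subject printed for the next certificate.
show_chain_order() {
  awk '/-----BEGIN CERTIFICATE-----/{n++} n{print > ("chainpart." n ".pem")}' "$1"
  for part in chainpart.*.pem; do
    openssl x509 -in "$part" -noout -subject -issuer
  done
  rm -f chainpart.*.pem
}

# export_pfx KEY MERGED OUT: openssl prompts for the export password, which you
# enter again when importing the PFX into Key Vault.
export_pfx() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3"
}

if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
  merge_chain mergedcertificate.crt server.crt intermediate1.crt intermediate2.crt root.crt
  show_chain_order mergedcertificate.crt
  export_pfx server.key mergedcertificate.crt myserver.pfx
fi
```

Run with RUN_EXAMPLE=1 once the certificate files are in the current directory.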

Save certificate in Key Vault

The procedure to import a certificate requires the PEM or PFX encoded file to be on disk, and you must have the private key.

To upload your certificate to Key Vault:

  1. Go to your key vault instance.

  2. In the left navigation pane, click Certificates.

  3. On the upper menu, click Generate/import.

  4. In the Create a certificate dialog, under Method of certificate creation, select Import.

  5. Under Upload Certificate File, navigate to the certificate location and select it.

  6. Under Password, enter the password that protects the private key in your certificate file (the export password you defined earlier).

  7. Click Create.

    (Figure: Import certificate 1)

Grant Azure Spring Cloud access to your key vault

You need to grant Azure Spring Cloud access to your key vault before you import the certificate:

  1. Go to your key vault instance.
  2. In the left navigation pane, click Access policies.
  3. On the upper menu, click Add Access Policy.
  4. Fill in the information as in the table below, click the Add button, then save the access policy.

  Secret permission    Certificate permission    Select principal
  Get, List            Get, List                 Azure Spring Cloud Domain-Management
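The firewall, access-policy and import steps of the preceding sections driven from the Azure CLI, as an added example that is not part of the original tutorial. The vault name, certificate name, PFX path and the object id of the Azure Spring Cloud Domain-Management principal are placeholders you must replace; the management IPs are the ones listed under Prerequisites, and the access policy grants only the Get and List permissions from the table.

```shell
#!/bin/sh
# Added example: Azure CLI equivalents of the portal steps. All names below are
# placeholders (assumptions), not values from the tutorial.
VAULT=${VAULT:-my-key-vault}
CERT_NAME=${CERT_NAME:-www-contoso-com}
PFX_PATH=${PFX_PATH:-myserver.pfx}
# Object id of the "Azure Spring Cloud Domain-Management" principal in your tenant (placeholder).
DOMAIN_MGMT_OBJECT_ID=${DOMAIN_MGMT_OBJECT_ID:-00000000-0000-0000-0000-000000000000}
# Management IPs from the Prerequisites section of the tutorial.
SPRING_CLOUD_MGMT_IPS="20.53.123.160 52.143.241.210 40.65.234.114 52.142.20.14 20.54.40.121
40.80.210.49 52.253.84.152 20.49.137.168 40.74.8.134 51.143.48.243"

# Reject anything that is not a dotted-quad IPv4 address before it becomes a firewall rule.
valid_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}
# True only if every management IP passes valid_ipv4.
all_mgmt_ips_valid() {
  for ip in $SPRING_CLOUD_MGMT_IPS; do
    valid_ipv4 "$ip" || return 1
  done
}
# Key Vault firewall: allow each listed management IP, nothing wider.
kv_allow_mgmt_ips() {
  all_mgmt_ips_valid || { echo "malformed IP in SPRING_CLOUD_MGMT_IPS" >&2; return 1; }
  for ip in $SPRING_CLOUD_MGMT_IPS; do
    az keyvault network-rule add --name "$VAULT" --ip-address "$ip"
  done
}
# Access policy matching the table: Get and List on secrets and certificates only.
kv_grant_domain_management() {
  az keyvault set-policy --name "$VAULT" --object-id "$DOMAIN_MGMT_OBJECT_ID" \
    --secret-permissions get list --certificate-permissions get list
}
# Import the PFX; PFX_PASSWORD comes from the environment so the export password
# is not typed as a literal into shell history.
kv_import_pfx() {
  az keyvault certificate import --vault-name "$VAULT" --name "$CERT_NAME" \
    --file "$PFX_PATH" --password "$PFX_PASSWORD"
}

if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
  kv_allow_mgmt_ips && kv_grant_domain_management && kv_import_pfx
fi
```

Run with RUN_EXAMPLE=1 after logging in with az login and exporting PFX_PASSWORD.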

(Figure: Import certificate 2)

Import certificate to Azure Spring Cloud

  1. Go to your service instance.

  2. From the left navigation pane of your app, select TLS/SSL settings.

  3. Then click Import Key Vault Certificate.

    (Figure: Import certificate)

  4. When you have successfully imported your certificate, you'll see it in the list of Private Key Certificates.

    (Figure: Private key certificates)

Important

To secure a custom domain with this certificate, you still need to bind the certificate to a specific domain. Follow the steps in the section Add SSL binding.

Add custom domain

You can use a CNAME record to map a custom DNS name to Azure Spring Cloud.

Note

The A record is not supported.

Create the CNAME record

Go to your DNS provider and add a CNAME record to map your domain to <service_name>.microservices.azure.cn, where <service_name> is the name of your Azure Spring Cloud instance. Wildcard domains and subdomains are supported. After you add the CNAME, the DNS records page will resemble the following example:

(Figure: DNS records page)

Map your custom domain to an Azure Spring Cloud app

If you don't have an application in Azure Spring Cloud, follow the instructions in Quickstart: Launch an existing Azure Spring Cloud application using the Azure portal.

Go to the application page.

  1. Select Custom Domain.

  2. Then select Add Custom Domain.

    (Figure: Custom domain)

  3. Type the fully qualified domain name for which you added a CNAME record, such as www.contoso.com. Make sure that Hostname record type is set to CNAME (<service_name>.microservices.azure.cn).

  4. Click Validate to enable the Add button.

  5. Click Add.

    (Figure: Add custom domain)

One app can have multiple domains, but one domain can only map to one app. When you've successfully mapped your custom domain to the app, you'll see it in the custom domain table.

(Figure: Custom domain table)

Note

A Not Secure label for your custom domain means that it's not yet bound to an SSL certificate. Any HTTPS request from a browser to your custom domain will receive an error or warning.

Add SSL binding

In the custom domain table, select Add ssl binding as shown in the previous figure.

  1. Select your certificate or import it.

  2. Click Save.

    (Figure: Add SSL binding 1)

After you successfully add the SSL binding, the domain state will be secure: Healthy.

(Figure: Add SSL binding 2)

Enforce HTTPS

By default, anyone can still access your app using HTTP, but you can redirect all HTTP requests to the HTTPS port.

In your app page, in the left navigation pane, select Custom Domain. Then set HTTPS Only to True.

(Figure: Add SSL binding 3)

When the operation is complete, navigate to any of the HTTPS URLs that point to your app. Note that HTTP URLs no longer work.
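A client-side check of the CNAME record created earlier and of the HTTPS Only setting described above, as an added example that is not part of the original tutorial. It assumes DOMAIN is www.contoso.com, that SERVICE_NAME is the name of your Azure Spring Cloud instance (placeholder below), and that dig and curl are installed.

```shell
#!/bin/sh
# Added example: confirm from outside that the custom domain points at the Azure Spring
# Cloud instance and that plain HTTP is redirected once HTTPS Only is set to True.
DOMAIN=${DOMAIN:-www.contoso.com}
SERVICE_NAME=${SERVICE_NAME:-my-spring-cloud}   # placeholder for your instance name
EXPECTED_TARGET="$SERVICE_NAME.microservices.azure.cn"

# cname_matches ANSWER EXPECTED: compare a dig answer with the expected CNAME target,
# ignoring the trailing dot and letter case that DNS answers may carry.
cname_matches() {
  answer=$(printf '%s' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z')
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ -n "$answer" ] && [ "$answer" = "$expected" ]
}

# redirects_to_https HEADERS: true only if a plain-HTTP response is a redirect (3xx)
# whose Location is an https:// URL; a 200 or a redirect back to http:// both fail.
redirects_to_https() {
  status=$(printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
  case $status in 301|302|307|308) ;; *) return 1 ;; esac
  printf '%s\n' "$1" | grep -qi '^Location: *https://'
}

check_live() {
  answer=$(dig +short CNAME "$DOMAIN" | head -n 1)
  if cname_matches "$answer" "$EXPECTED_TARGET"; then
    echo "CNAME ok: $DOMAIN -> $answer"
  else
    echo "CNAME mismatch: got '$answer', expected $EXPECTED_TARGET" >&2
  fi
  headers=$(curl -sI --max-time 10 "http://$DOMAIN/")
  if redirects_to_https "$headers"; then
    echo "HTTP is redirected to HTTPS (HTTPS Only is on)"
  else
    echo "HTTP was served or not redirected to HTTPS: HTTPS Only is still off" >&2
  fi
  # curl verifies the chain and the hostname; a failure here means the SSL binding is wrong.
  curl -sS --max-time 10 -o /dev/null "https://$DOMAIN/" && echo "TLS certificate valid for $DOMAIN"
}

if [ "${RUN_EXAMPLE:-0}" = "1" ]; then check_live; fi
```

Run with RUN_EXAMPLE=1 after the DNS change has propagated.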

See also