Azure 应用服务反向代理仅适用于端口 80 http

Question

I'm trying to configure Azure App Service Reverse Proxy to expose webserver in Azure Virtual Network to the internet and I had limited success - it's working when I'm not using encrypted connection between reverse proxy and target server.我正在尝试配置 Azure 应用服务反向代理，以将 Azure 虚拟网络中的网络服务器公开到互联网，但我的成功有限 - 当我不使用反向代理和目标服务器之间的加密连接时，它正在工作。

Here is my currently working configuration:这是我当前的工作配置：

web.config web.config

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.webServer>
        <httpErrors errorMode="Detailed" />
        <rewrite>
            <rules>
                
                <rule name="ForceSSL" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
                </rule>
                
                <rule name="Proxy" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://example.com/{R:1}" />
                    <serverVariables>
                        <set name="HTTP_X_UNPROXIED_URL" value="http://example.com/{R:1}" />
                        <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" /> 
                        <set name="HTTP_X_ORIGINAL_HOST" value="{HTTP_HOST}" />
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                    </serverVariables>
                </rule>
            </rules>
            <outboundRules>
                <preConditions>
                    <preCondition name="CheckContentType">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^(text/html|text/plain|text/xml|application/rss\+xml)" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

applicationHost.xdt应用程序主机.xdt

<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
    <system.webServer>
        <proxy xdt:Transform="InsertIfMissing" enabled="true" preserveHostHeader="false" reverseRewriteHostInResponseHeaders="false"/>
        <rewrite xdt:Transform="InsertIfMissing">
            <allowedServerVariables xdt:Transform="InsertIfMissing">
                <add name="HTTP_X_ORIGINAL_HOST" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
                <add name="HTTP_X_UNPROXIED_URL" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
                <add name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
                <add name="HTTP_ACCEPT_ENCODING" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
            </allowedServerVariables>
        </rewrite>
    </system.webServer>
</configuration>

IP Address of the server has been replaced by example.com IP 服务器地址已替换为示例。com

When I change web.config rewrite rule and HTTP_X_UNPROXIED_URL to https I get following IIS Error当我将 web.config 重写规则和HTTP_X_UNPROXIED_URL更改为 https 时，我得到以下 IIS 错误

Detailed Error Information:
Module                         ApplicationRequestRouting
Notification                   ExecuteRequestHandler
Handler                        ApplicationRequestRoutingHandler
Error Code                     0x80072f8f
Requested URL                  https://example.com:80/
Physical Path                  D:\home\site\wwwroot
Logon Method                   Anonymous
Logon User                     Anonymous
Request Tracing Directory      D:\home\LogFiles

This suggests, that for some reason it's trying to request https on port 80.这表明，出于某种原因，它试图在端口 80 上请求 https。

I tried to follow guide from here: https://www.patrickob.com/2018/11/10/adding-ca-certs-to-the-trusted-root-store-for-web-apps-hosted-in-an-ase/我尝试从这里遵循指南： https://www.patrickob.com/2018/11/10/adding-ca-certs-to-the-trusted-root-store-for-web-apps-hosted-in-安酶/

I have added my organizations root cert to SSL certificated and added WEBSITE_LOAD_ROOT_CERTIFICATES setting.我已将我的组织根证书添加到 SSL 证书并添加了WEBSITE_LOAD_ROOT_CERTIFICATES设置。

Any help will be appreciated.任何帮助将不胜感激。

Answer 1

WEBSITE_LOAD_ROOT_CERTIFICATES is only supported in an App Service Environment, its not supported in multi-tenant app services. WEBSITE_LOAD_ROOT_CERTIFICATES 仅在应用服务环境中受支持，在多租户应用服务中不受支持。 If the endpoint on-premises is signed by a certificate not using a public CA at this time there's no direct workaround to make this work outside of updating the certificate or possibly writing a simple proxy app that can ignore SSL cert validation (I typically wouldn't recommend this option unless you do the cert validation yourself in code).如果本地端点由此时不使用公共 CA 的证书签名，则除了更新证书或可能编写一个可以忽略 SSL 证书验证的简单代理应用程序之外，没有直接的解决方法可以使这项工作正常进行（我通常不会t 建议使用此选项，除非您自己在代码中进行证书验证）。

Azure 应用服务反向代理仅适用于端口 80 http

问题描述

1 个解决方案

解决方案1
1 已采纳 2020-07-31 05:18:41

Azure 应用服务反向代理仅适用于端口 80 http

问题描述

1 个解决方案

解决方案1 1 已采纳 2020-07-31 05:18:41

解决方案1
1 已采纳 2020-07-31 05:18:41