
Stateless Web Api on Azure Service Fabric over https

So I have a Web Api hosted on Azure Service Fabric which I would like to expose through https.

First question: is there actually a default certificate for *.cloudapp.azure.com provided by Microsoft similar to the App Service?

If there isn't, how can I have a valid certificate (issued by a well known CA) for a domain I do not own?

In case it is somehow possible I suppose I would need to upload this certificate to the Azure Vault and reference its thumbprint in the service manifest right?

Am I supposed to use the same certificate for securing the cluster and exposing SSL endpoints?

Thanks!

There is no wildcard cert for *.cloudapp.azure.com like there is for *.azurewebsites.net. For SSL you'll have to register your own domain and either CNAME it to your cluster domain (eg, mycluster.westus.cloudapp.azure.com), or get a static public IP for your load balancer VIP and point your A record to that ( more on public IPs in Azure here ). Then buy a certificate for that domain from your favorite CA.

Once you have a cert, yes you'll store that in Key Vault (make sure you set -EnabledForDeployment when you create your Key Vault!) and put that in your cluster ARM template ( to get it installed on your nodes ).

To use HTTPS, first set up a cert reference in ApplicationManifest.xml :

<Certificates>
   <EndpointCertificate X509FindValue="<Your Certificate Thumbprint>" Name="Cert1" />
</Certificates>

Then set up an EndpointBindingPolicy in the ServiceManifestImport section of Application Manifest :

<ServiceManifestImport>
...
   <Policies>
      <EndpointBindingPolicy EndpointRef="ServiceEndpoint" CertificateRef="Cert1" />
   </Policies>
</ServiceManifestImport>

And finally, reference the cert in your Endpoint config in ServiceManifest.xml :

<Endpoints>
  <Endpoint Name="ServiceEndpoint" Type="Input" Protocol="https" Port="443" CertificateRef="Cert1"/>
</Endpoints>

You can use the same cert to secure your cluster and provide SSL to users, but I would recommend a different cert so that you're not handing out your server cert to clients for cluster authentication.

EDIT: One could also use Azure Application Gateway which supports SSL Offloading. Then it would handle the HTTPS aspects and talk HTTP back to the cluster.
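The three manifest snippets in the answer only work when their names line up: the EndpointBindingPolicy's CertificateRef must name an EndpointCertificate, its EndpointRef must name an Endpoint in ServiceManifest.xml, and that endpoint must actually be Protocol="https". A mismatch deploys without a certificate bound and the listener silently fails. The script below is an added example (not code from the original post or from Service Fabric itself) that parses constructed copies of ApplicationManifest.xml and ServiceManifest.xml and reports every such mismatch, resolving a [CertThumbprint] application parameter the way Service Fabric does. The application and service names, the parameter name and the thumbprint are all constructed placeholders.

```python
"""Cross-check Service Fabric manifests for consistent HTTPS endpoint wiring."""
import re
import xml.etree.ElementTree as ET

NS = {"sf": "http://schemas.microsoft.com/2011/01/fabric"}

# Constructed sample thumbprint (not a real certificate); Service Fabric
# expects the SHA-1 thumbprint, i.e. 40 hexadecimal characters.
SAMPLE_THUMBPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed ApplicationManifest.xml: hypothetical type names, thumbprint
# supplied through an application parameter rather than hard-coded.
APPLICATION_MANIFEST = """
<ApplicationManifest xmlns="http://schemas.microsoft.com/2011/01/fabric"
                     ApplicationTypeName="WebApiType" ApplicationTypeVersion="1.0.0">
  <Parameters>
    <Parameter Name="CertThumbprint" DefaultValue="" />
  </Parameters>
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="WebApiPkg" ServiceManifestVersion="1.0.0" />
    <Policies>
      <EndpointBindingPolicy EndpointRef="ServiceEndpoint" CertificateRef="Cert1" />
    </Policies>
  </ServiceManifestImport>
  <Certificates>
    <EndpointCertificate X509FindValue="[CertThumbprint]" Name="Cert1" />
  </Certificates>
</ApplicationManifest>
"""

# Constructed ServiceManifest.xml with the endpoint from the answer.
SERVICE_MANIFEST = """
<ServiceManifest xmlns="http://schemas.microsoft.com/2011/01/fabric"
                 Name="WebApiPkg" Version="1.0.0">
  <ServiceTypes>
    <StatelessServiceType ServiceTypeName="WebApiType" />
  </ServiceTypes>
  <Resources>
    <Endpoints>
      <Endpoint Name="ServiceEndpoint" Type="Input" Protocol="https" Port="443" CertificateRef="Cert1" />
    </Endpoints>
  </Resources>
</ServiceManifest>
"""


def check_https_wiring(app_xml, svc_xml, parameters=None):
    """Return a list of problems; an empty list means the manifests agree."""
    problems = []
    app = ET.fromstring(app_xml)
    svc = ET.fromstring(svc_xml)

    # Application parameters: manifest defaults overridden by deploy-time values.
    params = {p.get("Name"): p.get("DefaultValue", "")
              for p in app.findall("sf:Parameters/sf:Parameter", NS)}
    params.update(parameters or {})

    # Map certificate Name -> resolved thumbprint ("[Param]" is substituted).
    certs = {}
    for cert in app.findall("sf:Certificates/sf:EndpointCertificate", NS):
        value = cert.get("X509FindValue", "")
        ref = re.fullmatch(r"\[(\w+)\]", value)
        if ref:
            value = params.get(ref.group(1), "")
        certs[cert.get("Name")] = value
        if not re.fullmatch(r"[0-9A-Fa-f]{40}", value):
            problems.append(f"certificate {cert.get('Name')!r}: X509FindValue {value!r} "
                            "is not a SHA-1 thumbprint (40 hex chars)")

    endpoints = {ep.get("Name"): ep
                 for ep in svc.findall("sf:Resources/sf:Endpoints/sf:Endpoint", NS)}

    policies = app.findall("sf:ServiceManifestImport/sf:Policies/sf:EndpointBindingPolicy", NS)
    for pol in policies:
        ep_ref, cert_ref = pol.get("EndpointRef"), pol.get("CertificateRef")
        if cert_ref not in certs:
            problems.append(f"EndpointBindingPolicy CertificateRef {cert_ref!r} "
                            "has no matching EndpointCertificate")
        ep = endpoints.get(ep_ref)
        if ep is None:
            problems.append(f"EndpointBindingPolicy EndpointRef {ep_ref!r} "
                            "has no matching Endpoint in ServiceManifest")
            continue
        if ep.get("Protocol", "").lower() != "https":
            problems.append(f"endpoint {ep_ref!r} has a certificate bound but Protocol is "
                            f"{ep.get('Protocol')!r}, expected 'https'")
        if ep.get("CertificateRef") not in (None, cert_ref):
            problems.append(f"endpoint {ep_ref!r} CertificateRef {ep.get('CertificateRef')!r} "
                            f"differs from policy CertificateRef {cert_ref!r}")

    # Every https endpoint needs a binding policy, or no cert is installed on it.
    bound = {pol.get("EndpointRef") for pol in policies}
    for name, ep in endpoints.items():
        if ep.get("Protocol", "").lower() == "https" and name not in bound:
            problems.append(f"endpoint {name!r} is https but no EndpointBindingPolicy binds a certificate to it")
    return problems


if __name__ == "__main__":
    found = check_https_wiring(APPLICATION_MANIFEST, SERVICE_MANIFEST,
                               {"CertThumbprint": SAMPLE_THUMBPRINT})
    print("OK" if not found else "\n".join(found))
```

Run it against your own manifests by reading the two files into the function; leaving the thumbprint parameter unset reproduces the common failure where the manifest's empty DefaultValue ships to the cluster.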
