我拿起了其他人设置的东西。 我们有一个 API 管理实例,位于应用程序网关后面,它具有 API 策略:
<inbound>
<choose>
<when condition="@(context.Request.Certificate == null)">
<return-response>
<set-status code="403" reason="Client certificate required..d1PD" />
</return-response>
</when>
</choose>
<choose>
<when condition="@(!context.Request.Certificate.Verify())">
<return-response>
<set-status code="403" reason="Client certificate cannot be verified..d2PD " />
</return-response>
</when>
</choose>
<choose>
<when condition="@(!context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
<return-response>
<set-status code="403" reason="Client certificate is untrusted or invalid..d3PD" />
</return-response>
</when>
</choose>
<base />
</inbound>
在 Postman 中,我正在传递证书和 key 。 postman 控制台显示
Client Certificate:
keyPath:"C:\selfsigned\internalscm.X.com.key"
pemPath:"C:\selfsigned\internalscm.X.com.crt"
pfxPath:""
我在请求 header 中传递 Ocp-Apim-Trace
,因此我得到了包含以下内容的跟踪:
traceEntries {2}
inbound [10]
..
6 {4}
source : authentication-certificate
timestamp : 2019-08-06T08:55:31.3435485Z
elapsed : 00:00:00.0006857
data {2}
message : Certificate was attached to request per configuration.
certificate {...}
7 {4}
source : choose
timestamp : 2019-08-06T08:55:31.3435485Z
elapsed : 00:00:00.0007011
data {3}
message : Expression was successfully evaluated.
expression : context.Request.Certificate == null
value : true
更新:
authentication-certificate
评估的是后端证书,与客户端证书无关(.key
和 .crt
) Postman 声称包含在请求中(如果我传递 pfx
和密码而不是 .key
和 .crt
,则会返回相同的结果)。
当我访问网关保护的 API 时,我可以在跟踪中看到它正在处理客户端证书(并返回 200):
{
"source": "client-certificate-handler",
"timestamp": "2019-08-09T15:47:46.3825928Z",
"elapsed": "00:00:00.0005974",
"data": "Requesting client certificate because next handler requires access to it."
},
{
"source": "client-certificate-handler",
"timestamp": "2019-08-09T15:47:46.6950495Z",
"elapsed": "00:00:00.3225172",
"data": "Client certificate thumbprint '6C03F4E7999999999999999999999999' received."
},
{
"source": "choose",
"timestamp": "2019-08-09T15:47:46.6950495Z",
"elapsed": "00:00:00.3225288",
"data": {
"message": "Expression was successfully evaluated.",
"expression": "context.Request.Certificate == null",
"value": false
}
},
{
"source": "choose",
"timestamp": "2019-08-09T15:47:46.9606395Z",
"elapsed": "00:00:00.5849700",
"data": {
"message": "Expression was successfully evaluated.",
"expression": "!context.Request.Certificate.Verify()",
"value": false
}
},
{
"source": "choose",
"timestamp": "2019-08-09T15:47:46.9606395Z",
"elapsed": "00:00:00.5850060",
"data": {
"message": "Expression was successfully evaluated.",
"expression": "!context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint)",
"value": false
}
}
看来 AppGateway 正在删除客户端证书。
跟踪信息不足以让我开始推断为什么客户端证书(假设 Postman 将其传输到网关,就像 API 一样)被删除。我应该从哪里开始?
仅供引用,当我删除该策略时,请求将按预期处理。
最佳答案
我不确定你是否能让AppGateway通过证书 - 你需要检查他们的文档。我持怀疑态度的原因是 AppGateway 的整体理念是调查流量并通过这样做提供保护。唯一的方法是在 AppGateway 级别终止 SSL 连接。请参阅此处了解更多信息:https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview AppGateway 有两种模式:AppGateway 对后端进行 HTTP(而非 HTTPS)调用时的 SSL 终止,以及 AppGateway 使用自己的 SSL 证书连接后端时的 SSL 端到端。
一些客户端证书信息可以通过服务器变量传递到后端:https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#mutual-authentication-server-variables
关于azure - Azure 应用程序网关未传递客户端证书,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57372611/