Bad*_*pot 5 ssl azure azure-api-management
我已经拿起了别人设置的东西。我们有一个 API 管理实例,位于应用程序网关后面,它具有 API 策略:
<inbound>
<choose>
<when condition="@(context.Request.Certificate == null)">
<return-response>
<set-status code="403" reason="Client certificate required..d1PD" />
</return-response>
</when>
</choose>
<choose>
<when condition="@(!context.Request.Certificate.Verify())">
<return-response>
<set-status code="403" reason="Client certificate cannot be verified..d2PD " />
</return-response>
</when>
</choose>
<choose>
<when condition="@(!context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
<return-response>
<set-status code="403" reason="Client certificate is untrusted or invalid..d3PD" />
</return-response>
</when>
</choose>
<base />
</inbound>
在邮递员中,我正在传递证书和密钥。邮递员控制台显示
Client Certificate:
keyPath:"C:\selfsigned\internalscm.X.com.key"
pemPath:"C:\selfsigned\internalscm.X.com.crt"
pfxPath:""
我正在传递Ocp-Apim-Trace请求的标头,因此我得到了包含以下内容的跟踪:
traceEntries {2}
inbound [10]
..
6 {4}
source : authentication-certificate
timestamp : 2019-08-06T08:55:31.3435485Z
elapsed : 00:00:00.0006857
data {2}
message : Certificate was attached to request per configuration.
certificate {...}
7 {4}
source : choose
timestamp : 2019-08-06T08:55:31.3435485Z
elapsed : 00:00:00.0007011
data {3}
message : Expression was successfully evaluated.
expression : context.Request.Certificate == null
value : true
更新:
评估的是后端的证书,与 Postman 声称包含在请求中的客户端证书(和)authentication-certificate无关(如果我传递和 密码而不是和,则会返回相同的结果)。.key.crtpfx.key.crt
当我点击网关保护的 API 时,我可以在跟踪中看到它正在处理客户端证书(并返回 200):
{
"source": "client-certificate-handler",
"timestamp": "2019-08-09T15:47:46.3825928Z",
"elapsed": "00:00:00.0005974",
"data": "Requesting client certificate because next handler requires access to it."
},
{
"source": "client-certificate-handler",
"timestamp": "2019-08-09T15:47:46.6950495Z",
"elapsed": "00:00:00.3225172",
"data": "Client certificate thumbprint '6C03F4E7999999999999999999999999' received."
},
{
"source": "choose",
"timestamp": "2019-08-09T15:47:46.6950495Z",
"elapsed": "00:00:00.3225288",
"data": {
"message": "Expression was successfully evaluated.",
"expression": "context.Request.Certificate == null",
"value": false
}
},
{
"source": "choose",
"timestamp": "2019-08-09T15:47:46.9606395Z",
"elapsed": "00:00:00.5849700",
"data": {
"message": "Expression was successfully evaluated.",
"expression": "!context.Request.Certificate.Verify()",
"value": false
}
},
{
"source": "choose",
"timestamp": "2019-08-09T15:47:46.9606395Z",
"elapsed": "00:00:00.5850060",
"data": {
"message": "Expression was successfully evaluated.",
"expression": "!context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint)",
"value": false
}
}
所以看起来 AppGateway 正在删除客户端证书。
跟踪信息不足以让我开始推断为什么客户端证书(假设 Postman 将其传输到网关,就像 API 一样)被删除。我应该从哪里开始?
作为参考,当我删除策略时,请求将按预期处理。
我不确定你是否能让 AppGateway 通过证书 - 你需要检查他们的文档。我持怀疑态度的原因是 AppGateway 的整体理念是调查流量并通过这样做提供保护。唯一的方法是在 AppGateway 级别终止 SSL 连接。请参阅此处了解更多信息:https: //learn.microsoft.com/en-us/azure/application-gateway/ssl-overview AppGateway 有两种模式: AppGateway 对后端进行 HTTP(而非 HTTPS)调用时的 SSL 终止,当AppGateway使用自己的SSL证书连接到后端时,SSL端到端。
一些客户端证书信息可以通过服务器变量传递到后端: https: //learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#mutual-authentication-server-variables
| 归档时间: |
|
| 查看次数: |
5773 次 |
| 最近记录: |