JTe*_*ech 6 ssl wcf load-balancing svcutil.exe
的背景:
我在负载均衡器后面的IIS 7.0上托管了一个服务,它在流量通过时解密SSL.
服务所需的安全模式是混合模式,即TransportWithMessageSecurity
为了使服务能够接受HTTP流量,同时允许客户端通过SSL与Load Balancer进行通信,我创建了一个用户定义绑定,它将自定义HttpTransportBindingElement添加到其通道堆栈.
自定义HttpTransportBindingElement依次向框架声明它能够加密和签名消息......因此,当流量通过HTTP进入时,Framework不会抱怨,因为Transport声称它正在签名/加密消息. ..即使不是.
(对于所有相关人员,这已被确定为可接受的安全性,因为消息或者应该通过SSL到达负载均衡器......)
问题:
当我们使用svcutil.exe生成客户端代理时,生成的自动生成的app.config文件包含通过HTTP寻址的服务的端点.这应该通过HTTPS.
此外,<customBinding>节点中的<transport>元素在需要是<httpsTransport>元素时定义为<httpTransport>元素.
我怀疑这是因为使用自定义HttpTransportBindingElement(如上所述),由服务器上的框架生成的WSDL依次使用HTTP地址而不是HTTPS>构建.
自动生成的客户端app.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<bindings>
<customBinding>
<binding name="myBindingEndpoint">
<!-- WsdlImporter encountered unrecognized policy assertions in ServiceDescription 'http://tempuri.org/': -->
<!-- <wsdl:binding name='myBindingEndpoint'> -->
<!-- <sp:HttpToken xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">..</sp:HttpToken> -->
<security defaultAlgorithmSuite="Default" authenticationMode="CertificateOverTransport"
requireDerivedKeys="true" securityHeaderLayout="Strict" includeTimestamp="true"
keyEntropyMode="CombinedEntropy" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
<localClientSettings cacheCookies="true" detectReplays="false"
replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
<localServiceSettings detectReplays="false" issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true" maxPendingSessions="128"
maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
<secureConversationBootstrap />
</security>
<textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
messageVersion="Default" writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
<httpTransport manualAddressing="false" maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
bypassProxyOnLocal="false" decompressionEnabled="true" hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="http://myserver/GAEASSLWcfService/ServiceOverSSL.svc"
binding="customBinding" bindingConfiguration="myBindingEndpoint"
contract="IServiceOverSSL" name="myBindingEndpoint" />
</client>
</system.serviceModel>
</configuration>
解决方法:
只需将<httpTransport />更改为<httpsTransport />并重新寻址端点以使用HTTPS即可解决问题.
但我们宁愿不必指示我们的服务消费者更改他们的.config文件......我们的服务的使用应该尽可能无缝......
问题:
如何确保客户端代理将使用正确的地址和传输元素自动生成?
参考文献:对于那些想要了解"负载均衡器/ ssl解密器背后的服务"和自定义HttpTransportBindingElement的解决方案的人,请参阅ZZZ关于构建用户定义绑定的这篇文章XXX以及ZZZ关于某些文章的这篇文章XXX在负载平衡/ SSL加速器背后公开服务的其他问题.
看看这个问题。尝试配置:
<serviceBehaviors>
<behavior name="<name>">
<!-- Other options would go here -->
<useRequestHeadersForMetadataAddress>
<defaultPorts> <!-- Use your own port numbers -->
<add scheme="http" port="81" />
<add scheme="https" port="444" />
</defaultPorts>
</useRequestHeadersForMetadataAddress>
</behavior>
</serviceBehaviors>
| 归档时间: |
|
| 查看次数: |
4257 次 |
| 最近记录: |