【发布时间】:2018-08-21 23:32:51
【问题描述】:
我一直在尝试按照我可以找到的 microsoft 文档和各种帖子/博客上的说明在无状态 API 端点上设置 Https。它在本地运行良好,但在我的开发服务器上部署后我很难让它工作
Browser : HTTP ERROR 504
Vm event viewer : HandlerAsyncOperation EndProcessReverseProxyRequest failed with FABRIC_E_TIMEOUT
SF event table : Error while processing request: request url = https://mydomain:19081/appname/servicename/api/healthcheck/ping, verb = GET, remote (client) address = xxx, request processing start time = 2018-03-13T14:50:17.1396031Z, forward url = https://0.0.0.0:44338/api/healthcheck/ping, number of successful resolve attempts = 48, error = 2147949567, message = , phase = ResolveServicePartition
在实例监听器中的代码中
.UseKestrel(options =>
{
options.Listen(IPAddress.Any, 44338, listenOptions =>
{
listenOptions.UseHttps(GetCertificate());
});
})
服务清单
<Endpoint Protocol="https" Name="SslServiceEndpoint" Type="Input" Port="44338" />
启动
services.AddMvc(options =>
{
options.SslPort = 44338;
options.Filters.Add(new RequireHttpsAttribute());
});
+
var options = new RewriteOptions().AddRedirectToHttps(StatusCodes.Status301MovedPermanently, 44338);
app.UseRewriter(options);
这是我在 azure 中得到的(通过 ARM 模板部署)
Health probes
NAME PROTOCOL PORT USED BY
AppPortProbe TCP 44338 AppPortLBRule
FabricGatewayProbe TCP 19000 LBRule
FabricHttpGatewayProbe TCP 19080 LBHttpRule
SFReverseProxyProbe TCP 19081 LBSFReverseProxyRule
Load balancing rules
NAME LOAD BALANCING RULE BACKEND POOL HEALTH PROBE
AppPortLBRule AppPortLBRule (TCP/44338) LoadBalancerBEAddressPool AppPortProbe
LBHttpRule LBHttpRule (TCP/19080) LoadBalancerBEAddressPool FabricHttpGatewayProbe
LBRule LBRule (TCP/19000) LoadBalancerBEAddressPool FabricGatewayProbe
LBSFReverseProxyRule LBSFReverseProxyRule (TCP/19081) LoadBalancerBEAddressPool SFReverseProxyProbe
我有一个集群证书、ReverseProxy 证书,并通过 azure ad 和 ARM 对 api 进行身份验证
"fabricSettings": [
{
"parameters": [
{
"name": "ClusterProtectionLevel",
"value": "[parameters('clusterProtectionLevel')]"
}
],
"name": "Security"
},
{
"name": "ApplicationGateway/Http",
"parameters": [
{
"name": "ApplicationCertificateValidationPolicy",
"value": "None"
}
]
}
],
不确定还有什么相关的,如果您有任何想法/建议,非常欢迎
编辑:GetCertificate() 的代码
private X509Certificate2 GetCertificate()
{
var certificateBundle = Task.Run(async () => await GetKeyVaultClient()
.GetCertificateAsync(Environment.GetEnvironmentVariable("KeyVaultCertifIdentifier")));
var certificate = new X509Certificate2();
certificate.Import(certificateBundle.Result.Cer);
return certificate;
}
private KeyVaultClient GetKeyVaultClient() => new KeyVaultClient(async (authority, resource, scope) =>
{
var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
var clientCred = new ClientCredential(Environment.GetEnvironmentVariable("KeyVaultClientId"),
Environment.GetEnvironmentVariable("KeyVaultSecret"));
var authResult = await context.AcquireTokenAsync(resource, clientCred);
return authResult.AccessToken;
});
【问题讨论】:
-
您是否在 AplicationManifest 中配置了端点绑定?除此之外,如果你登录到你的开发机器并检查端口,你看到 44338 打开了吗?我建议的另一件事是在您的 ServiceManifest 中启用 ConsoleRedirection 日志记录,以查看是否会弹出任何有意义的内容。当然,您可以在事件查看器中验证 SF 日志。
-
您好,感谢您的回复,端口是开放的。根据 microsoft doc (docs.microsoft.com/en-us/azure/service-fabric/…),这将是 EndpointCertificate 和 EndpointBindingPolicy?我不确定它指的是哪个证书,是集群还是反向代理?我担心的最后一件事是服务器上的 ACL,我读到它可能是错误的,正在研究如何检查并在必要时进行更改
-
参考这个例子 - matt.kotsenas.com/posts/https-in-service-fabric-web-api。您将在那里找到如何将 AppManifest 中的服务与证书联系起来。不过,这与反向代理无关,而是告诉 SF 它应该与端点绑定什么证书。还要确保你的证书安装在开发机器上。
-
由于链接根本不涉及反向代理,我想那就是集群证书。所有使用的证书都在 ARM 模板中定义,因此它“应该”已经在正确的位置。我会尝试所有这些,谢谢您的帮助。
-
在将缺少的内容添加到 appmanifest 后仍然无法正常工作。尽管我有这种消息“ERROR_WINHTTP_CANNOT_CONNECT”或“Re-resolved service url = 0.0.0.0:44338/api/healthcheck/ping”,但我重新部署了集群以将日志设置为详细。 0.0.0.0:44338 看起来有点奇怪......
标签: https reverse-proxy azure-service-fabric kestrel