Configuring HTTP and HTTPS

WCF services and clients can communicate over HTTP and HTTPS. The HTTP/HTTPS settings are configured by using Internet Information Services (IIS) or a command-line tool. When a WCF service is hosted under IIS, HTTP or HTTPS settings can be configured within IIS (using the inetmgr.exe tool). If a WCF service is self-hosted, HTTP or HTTPS settings are configured by using a command-line tool.

At a minimum, you want to configure a URL registration and add a firewall exception for the URL your service will be using. You can configure these settings with the Netsh.exe tool.

Configuring namespace reservations

Namespace reservation assigns the rights for a portion of the HTTP URL namespace to a particular group of users. A reservation gives those users the right to create services that listen on that portion of the namespace. Reservations are URL prefixes, meaning that the reservation covers all subpaths of the reservation path. Namespace reservations permit two ways to use wildcards. The HTTP Server API documentation describes the order of resolution between namespace claims that involve wildcards.

A running application can create a similar request to add namespace registrations. Registrations and reservations compete for portions of the namespace. A reservation may take precedence over a registration, depending on the order of resolution between namespace claims that involve wildcards. In this case, the reservation blocks the running application from receiving requests.

The following example uses the Netsh.exe tool:

netsh http add urlacl url=http://+:80/MyUri user=DOMAIN\user

This command adds a URL reservation for the specified URL namespace for the DOMAIN\user account. For more information on using the netsh command, type netsh http add urlacl /? at a command prompt and press Enter.
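An added example, not part of the original page: because a reservation lets its holders listen on the whole prefix, it is worth reviewing which accounts hold one. This PowerShell function parses `netsh http show urlacl` output (a constructed sample here) and reports reservations whose ACL grants listen rights to broad groups; the list of broad groups is an assumption to adjust.

```powershell
# Constructed sample in the layout printed by `netsh http show urlacl`.
# On a real host, replace it with:  $netshOutput = netsh http show urlacl
$netshOutput = @'
URL Reservations:
-----------------

    Reserved URL            : http://+:80/MyUri/
        User: DOMAIN\user
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-1-5-21-1111111111-2222222222-3333333333-1001)

    Reserved URL            : http://+:8000/
        User: \Everyone
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;WD)
'@ -split "`r?`n"

# SDDL aliases for groups that contain nearly every local account (assumed list):
# Everyone, Authenticated Users, BUILTIN\Users, Interactive.
$broadTrustees = 'WD', 'AU', 'BU', 'IU'

function Get-BroadUrlReservation {
    param([string[]]$Lines)
    $url = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            $url = $Matches[1]
        } elseif ($url -and $line -match '^\s*SDDL:\s*(\S+)') {
            # ACE layout: (type;flags;rights;objectGuid;inheritGuid;trustee)
            $aces = [regex]::Matches($Matches[1], '\(A;[^;]*;([^;]*);[^;]*;[^;]*;([^)]+)\)')
            foreach ($ace in $aces) {
                $rights  = $ace.Groups[1].Value
                $trustee = $ace.Groups[2].Value
                # GX grants listen (register) rights; GA grants all rights.
                if ($trustee -in $broadTrustees -and $rights -match 'GX|GA') {
                    [pscustomobject]@{ Url = $url; Trustee = $trustee; Rights = $rights }
                }
            }
        }
    }
}

Get-BroadUrlReservation -Lines $netshOutput | Format-Table -AutoSize
```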

Configuring a firewall exception

When self-hosting a WCF service that communicates over HTTP, an exception must be added to the firewall configuration to allow inbound connections using a particular URL.
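The minimum configuration described above, as an added example rather than code from the original page: it reserves the page's example URL for one account and opens only that URL's TCP port. The rule name, the Domain profile and the LocalSubnet scope are assumptions; Windows Firewall filters on ports and programs, not URL paths, so the exception covers the port of the URL.

```powershell
#Requires -RunAsAdministrator
# URL and account are the page's example values; the rule name is hypothetical.
$url      = 'http://+:80/MyUri'
$account  = 'DOMAIN\user'
$ruleName = 'WCF self-host MyUri'
# Derive the TCP port from the URL (the "+" wildcard is not a valid host for [uri]).
$port     = ([uri]($url -replace '\+', 'localhost')).Port

# 1. Reserve the prefix for the single account that runs the service.
$reserved = (netsh http show urlacl) -match [regex]::Escape($url)
if (-not $reserved) {
    netsh http add urlacl url=$url user=$account
}

# 2. Allow inbound traffic only to that port, only on the Domain profile,
#    and only from the local subnet (assumed scope; widen deliberately if needed).
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $port -Profile Domain `
        -RemoteAddress LocalSubnet | Out-Null
}

# 3. Show the resulting reservation and port filter so the change can be reviewed.
netsh http show urlacl url=$url
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter
```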

Configuring SSL certificates

The Secure Sockets Layer (SSL) protocol uses certificates on the client and server to store encryption keys. The server provides its SSL certificate when a connection is made so that the client can verify the server identity. The server can also request a certificate from the client to provide mutual authentication of both sides of the connection.

Certificates are stored in a centralized store according to the IP address and port number of the connection. The special IP address 0.0.0.0 matches any IP address for the local machine. Note that the certificate store doesn't distinguish URLs based on the path. Services with the same IP address and port combination must share certificates even if the path in the URL for the services is different.

For step-by-step instructions, see How to: Configure a Port with an SSL Certificate.

Configuring the IP Listen List

The HTTP Server API only binds to an IP address and port once a user registers a URL. By default, the HTTP Server API binds to the port in the URL for all of the IP addresses of the machine. A conflict arises if an application that doesn't use the HTTP Server API has previously bound to that combination of IP address and port. The IP Listen List allows WCF services to coexist with applications that use a port for some of the IP addresses of the machine. If the IP Listen List contains any entries, the HTTP Server API only binds to those IP addresses that the list specifies. Modifying the IP Listen List requires administrative privileges.

Use the netsh tool to modify the IP Listen List, as shown in the following example:

netsh http add iplisten ipaddress=0.0.0.0:8000

Other configuration settings

When using WSDualHttpBinding, the client connection uses defaults that are compatible with namespace reservations and the Windows firewall. If you choose to customize the client base address of a dual connection, then you also must configure these HTTP settings on the client to match the new address.

The HTTP Server API has some advanced configuration settings that aren't available through HttpCfg. These settings are maintained in the registry and apply to all applications running on the systems that use the HTTP Server APIs. For information about these settings, see Http.sys registry settings for IIS. Most users don't need to change these settings.
