Secure a custom DNS name with a TLS/SSL binding in Azure App Service

This article shows you how to secure the custom domain in your App Service app or function app by creating a certificate binding. When you're finished, you can access your App Service app at the https:// endpoint for your custom DNS name (for example, https://www.contoso.com).

Web app with custom TLS/SSL certificate

Securing a custom domain with a certificate involves two steps:

In this tutorial, you learn how to:

  • Upgrade your app's pricing tier
  • Secure a custom domain with a certificate
  • Enforce HTTPS
  • Enforce TLS 1.1/1.2
  • Automate TLS management with scripts

Prerequisites

To follow this how-to guide:

Note

The easiest way to add a private certificate is to create a free App Service Managed Certificate (Preview).

Prepare your web app

To create custom security bindings or enable client certificates for your App Service app, your App Service plan must be in the Basic, Standard, Premium, or Isolated tier. In this step, you make sure that your web app is in a supported pricing tier.

Sign in to Azure

Open the Azure portal.

Search for and select App Services.

Select App Services

On the App Services page, select the name of your web app.

Screenshot of the App Services page in the Azure portal showing a list of all running web apps, with the first app in the list highlighted.

You have landed on the management page of your web app.

Check the pricing tier

In the left-hand navigation of your web app page, scroll to the Settings section and select Scale up (App Service plan).

Scale up menu

Check to make sure that your web app is not in the F1 or D1 tier. Your web app's current tier is highlighted by a dark blue box.

Check pricing tier

Custom SSL is not supported in the F1 or D1 tier. If you need to scale up, follow the steps in the next section. Otherwise, close the Scale up page and skip the Scale up your App Service plan section.

Scale up your App Service plan

Select any of the non-free tiers (B1, B2, B3, or any tier in the Production category). For additional options, click See additional options.

Click Apply.

Choose pricing tier

When you see the following notification, the scale operation is complete.

Scale up notification

Secure a custom domain

Do the following steps:

In the Azure portal, from the left menu, select App Services > <app-name>.

From the left navigation of your app, start the TLS/SSL Binding dialog by:

  • Selecting Custom domains > Add binding
  • Selecting TLS/SSL settings > Add TLS/SSL binding

Add binding to domain

In Custom Domain, select the custom domain you want to add a binding for.

If your app already has a certificate for the selected custom domain, go to Create binding directly. Otherwise, keep going.

Add a certificate for custom domain

If your app has no certificate for the selected custom domain, then you have two options:

Note

You can also Create a free certificate (Preview) or Import a Key Vault certificate, but you must do it separately and then return to the TLS/SSL Binding dialog.

Create binding

Use the following table to help you configure the TLS binding in the TLS/SSL Binding dialog, then click Add Binding.

Setting                          Description
Custom domain                    The domain name to add the TLS/SSL binding for.
Private Certificate Thumbprint   The certificate to bind.
TLS/SSL Type
  • SNI SSL - Multiple SNI SSL bindings may be added. This option allows multiple TLS/SSL certificates to secure multiple domains on the same IP address. Most modern browsers (including Internet Explorer, Chrome, Firefox, and Opera) support SNI (for more information, see Server Name Indication).
  • IP SSL - Only one IP SSL binding may be added. This option allows only one TLS/SSL certificate to secure a dedicated public IP address. After you configure the binding, follow the steps in Remap records for IP SSL.
    IP SSL is supported only in Standard tier or above.

Once the operation is complete, the custom domain's TLS/SSL state is changed to Secure.

TLS/SSL binding successful

Note

A Secure state on the Custom domains page means that the domain is secured with a certificate, but App Service doesn't check whether the certificate is self-signed or expired, for example, which can also cause browsers to show an error or warning.

Remap records for IP SSL

If you don't use IP SSL in your app, skip to Test HTTPS for your custom domain.

There are potentially two changes you need to make:

  • By default, your app uses a shared public IP address. When you bind a certificate with IP SSL, App Service creates a new, dedicated IP address for your app. If you mapped an A record to your app, update your domain registry with this new, dedicated IP address.

    Your app's Custom domain page is updated with the new, dedicated IP address. Copy this IP address, then remap the A record to this new IP address.

  • If you have an SNI SSL binding to <app-name>.azurewebsites.net, remap any CNAME mapping to point to sni.<app-name>.azurewebsites.net instead (add the sni prefix).

Test HTTPS

In various browsers, browse to https://<your.custom.domain> to verify that it serves up your app.

Screenshot showing an example of browsing to your custom domain, with the contoso.com URL highlighted.

Your application code can inspect the protocol via the "x-appservice-proto" header. The header will have a value of http or https.

Note

If your app gives you certificate validation errors, you're probably using a self-signed certificate.

If that's not the case, you may have left out intermediate certificates when you exported your certificate to the PFX file.

Prevent IP changes

Your inbound IP address can change when you delete a binding, even if that binding is IP SSL. This is especially important when you renew a certificate that's already in an IP SSL binding. To avoid a change in your app's IP address, follow these steps in order:

  1. Upload the new certificate.
  2. Bind the new certificate to the custom domain you want without deleting the old one. This action replaces the binding instead of removing the old one.
  3. Delete the old certificate.

Enforce HTTPS

By default, anyone can still access your app using HTTP. You can redirect all HTTP requests to the HTTPS port.

In your app page, in the left navigation, select SSL settings. Then, in HTTPS Only, select On.

Enforce HTTPS

When the operation is complete, navigate to any of the HTTP URLs that point to your app. For example:

  • http://<app_name>.azurewebsites.net
  • http://contoso.com
  • http://www.contoso.com

Enforce TLS versions

Your app allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. To enforce different TLS versions, follow these steps:

In your app page, in the left navigation, select SSL settings. Then, in TLS version, select the minimum TLS version you want. This setting controls the inbound calls only.

Enforce TLS 1.1 or 1.2

When the operation is complete, your app rejects all connections with lower TLS versions.

Handle TLS termination

In App Service, TLS termination happens at the network load balancers, so all HTTPS requests reach your app as unencrypted HTTP requests. If your app logic needs to check whether the user requests are encrypted or not, inspect the X-Forwarded-Proto header.

Language-specific configuration guides, such as the Linux Node.js configuration guide, show you how to detect an HTTPS session in your application code.

Automate with scripts

Azure CLI

#!/bin/bash

fqdn="<replace-with-www.{yourdomain}>"
pfxPath="<replace-with-path-to-your-.PFX-file>"
pfxPassword="<replace-with-your-.PFX-password>"
resourceGroup=myResourceGroup
webappname=mywebapp$RANDOM

# Create a resource group.
az group create --location westeurope --name $resourceGroup

# Create an App Service plan in Basic tier (minimum required by custom domains).
az appservice plan create --name $webappname --resource-group $resourceGroup --sku B1

# Create a web app.
az webapp create --name $webappname --resource-group $resourceGroup \
--plan $webappname

echo "Configure a CNAME record that maps $fqdn to $webappname.azurewebsites.net"
read -p "Press [Enter] key when ready ..."

# Before continuing, go to your DNS configuration UI for your custom domain and follow the
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the
# hostname "www" and point it to your web app's default domain name.

# Map your prepared custom domain name to the web app.
az webapp config hostname add --webapp-name $webappname --resource-group $resourceGroup \
--hostname $fqdn

# Upload the SSL certificate and get the thumbprint.
thumbprint=$(az webapp config ssl upload --certificate-file $pfxPath \
--certificate-password $pfxPassword --name $webappname --resource-group $resourceGroup \
--query thumbprint --output tsv)

# Bind the uploaded SSL certificate to the web app.
az webapp config ssl bind --certificate-thumbprint $thumbprint --ssl-type SNI \
--name $webappname --resource-group $resourceGroup

echo "You can now browse to https://$fqdn"

PowerShell

$fqdn="<Replace with your custom domain name>"
$pfxPath="<Replace with path to your .PFX file>"
$pfxPassword="<Replace with your .PFX password>"
$webappname="mywebapp$(Get-Random)"
$location="West Europe"

# Create a resource group.
New-AzResourceGroup -Name $webappname -Location $location

# Create an App Service plan in Free tier.
New-AzAppServicePlan -Name $webappname -Location $location `
-ResourceGroupName $webappname -Tier Free

# Create a web app.
New-AzWebApp -Name $webappname -Location $location -AppServicePlan $webappname `
-ResourceGroupName $webappname

Write-Host "Configure a CNAME record that maps $fqdn to $webappname.azurewebsites.net"
Read-Host "Press [Enter] key when ready ..."

# Before continuing, go to your DNS configuration UI for your custom domain and follow the
# instructions at https://aka.ms/appservicecustomdns to configure a CNAME record for the
# hostname "www" and point it to your web app's default domain name.

# Upgrade App Service plan to Basic tier (minimum required by custom SSL certificates)
Set-AzAppServicePlan -Name $webappname -ResourceGroupName $webappname `
-Tier Basic

# Add a custom domain name to the web app.
Set-AzWebApp -Name $webappname -ResourceGroupName $webappname `
-HostNames @($fqdn,"$webappname.azurewebsites.net")

# Upload and bind the SSL certificate to the web app.
New-AzWebAppSSLBinding -WebAppName $webappname -ResourceGroupName $webappname -Name $fqdn `
-CertificateFilePath $pfxPath -CertificatePassword $pfxPassword -SslState SniEnabled

More resources