Troubleshoot App Service issues in Application Gateway

Learn how to diagnose and resolve issues you might encounter when Azure App Service is used as a back-end target with Azure Application Gateway.

Overview

In this article, you'll learn how to troubleshoot the following issues:

  • The app service URL is exposed in the browser when there's a redirection.
  • The app service ARRAffinity cookie domain is set to the app service host name, example.azurewebsites.net, instead of the original host.

When a back-end application sends a redirection response, you might want to redirect the client to a different URL than the one specified by the back-end application. You might want to do this when an app service is hosted behind an application gateway and requires the client to do a redirection to its relative path. An example is a redirect from contoso.azurewebsites.net/path1 to contoso.azurewebsites.net/path2.

When the app service sends a redirection response, it uses the same host name in the location header of its response as the one in the request it receives from the application gateway. For example, the client makes the request directly to contoso.azurewebsites.net/path2 instead of going through the application gateway contoso.com/path2. You don't want to bypass the application gateway.

This issue might happen for the following main reasons:

  • You have redirection configured on your app service. Redirection can be as simple as adding a trailing slash to the request.
  • You have Azure Active Directory authentication, which causes the redirection.

Also, when you use app services behind an application gateway, the domain name associated with the application gateway (example.com) is different from the domain name of the app service (say, example.azurewebsites.net). The domain value for the ARRAffinity cookie set by the app service carries the example.azurewebsites.net domain name, which isn't desirable. The original host name, example.com, should be the domain name value in the cookie.

Sample configuration

  • HTTP listener: Basic or multi-site
  • Back-end address pool: App Service
  • HTTP settings: Pick Hostname from Backend Address enabled
  • Probe: Pick Hostname from HTTP Settings enabled

Cause

App Service is a multitenant service, so it uses the host header in the request to route the request to the correct endpoint. The default domain name of App Services, *.azurewebsites.net (say, contoso.azurewebsites.net), is different from the application gateway's domain name (say, contoso.com).

The original request from the client has the application gateway's domain name, contoso.com, as the host name. You need to configure the application gateway to change the host name in the original request to the app service's host name when it routes the request to the app service back end. Use the switch Pick Hostname from Backend Address in the application gateway's HTTP setting configuration. Use the switch Pick Hostname from Backend HTTP Settings in the health probe configuration.

Figure: Application gateway changes the host name

When the app service does a redirection, it uses the overridden host name contoso.azurewebsites.net in the location header instead of the original host name contoso.com, unless configured otherwise. Check the following example request and response headers.

## Request headers to Application Gateway:

Request URL: http://www.contoso.com/path

Request Method: GET

Host: www.contoso.com

## Response headers:

Status Code: 301 Moved Permanently

Location: http://contoso.azurewebsites.net/path/

Server: Microsoft-IIS/10.0

Set-Cookie: ARRAffinity=b5b1b14066f35b3e4533a1974cacfbbd969bf1960b6518aa2c2e2619700e4010;Path=/;HttpOnly;Domain=contoso.azurewebsites.net

X-Powered-By: ASP.NET

In the previous example, notice that the response header has a status code of 301 for redirection. The location header has the app service's host name instead of the original host name www.contoso.com.

Solution: Rewrite the location header

Set the host name in the location header to the application gateway's domain name. To do this, create a rewrite rule with a condition that evaluates if the location header in the response contains azurewebsites.net. It must also perform an action to rewrite the location header to have the application gateway's host name. For more information, see instructions on how to rewrite the location header.

Note

The HTTP header rewrite support is only available for the Standard_v2 and WAF_v2 SKU of Application Gateway. We recommend migrating to v2 for Header Rewrite and other advanced capabilities that are available with v2 SKU.
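
One way to build the rewrite rule described above with Az PowerShell. This is an added example, not part of the original article: the gateway names come from the article's script, while the routing rule name "rule1", the rewrite rule names, and www.contoso.com as the public host are assumptions, and it assumes a Basic (not path-based) routing rule.

```powershell
# Added example, not from the original article. Requires a Standard_v2 or WAF_v2 gateway.
# "rule1", "FixLocationHost", "AppServiceRewrites" and www.contoso.com are assumed names.
$gw = Get-AzApplicationGateway -Name AppGw1 -ResourceGroupName AppGwRG

# Condition: the response Location header points at an *.azurewebsites.net host.
# Capture group 1 is the scheme, group 2 is everything after the host name.
$condition = New-AzApplicationGatewayRewriteRuleCondition `
    -Variable 'http_resp_Location' `
    -Pattern '(https?):\/\/.*azurewebsites\.net(.*)$' `
    -IgnoreCase

# Action: rebuild Location with the gateway's host, keeping the scheme and path.
$header = New-AzApplicationGatewayRewriteRuleHeaderConfiguration `
    -HeaderName 'Location' `
    -HeaderValue '{http_resp_Location_1}://www.contoso.com{http_resp_Location_2}'
$actionSet = New-AzApplicationGatewayRewriteRuleActionSet -ResponseHeaderConfiguration $header

$rewriteRule = New-AzApplicationGatewayRewriteRule -Name 'FixLocationHost' `
    -ActionSet $actionSet -Condition $condition

# Add the rule set to the local gateway object, then read it back to get its resource ID.
Add-AzApplicationGatewayRewriteRuleSet -ApplicationGateway $gw `
    -Name 'AppServiceRewrites' -RewriteRule $rewriteRule | Out-Null
$ruleSet = Get-AzApplicationGatewayRewriteRuleSet -ApplicationGateway $gw -Name 'AppServiceRewrites'

# Re-apply the existing routing rule unchanged, except for the attached rewrite rule set.
$rule = Get-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name 'rule1'
$params = @{
    ApplicationGateway    = $gw
    Name                  = $rule.Name
    RuleType              = $rule.RuleType
    HttpListenerId        = $rule.HttpListener.Id
    BackendAddressPoolId  = $rule.BackendAddressPool.Id
    BackendHttpSettingsId = $rule.BackendHttpSettings.Id
    RewriteRuleSetId      = $ruleSet.Id
}
if ($rule.Priority) { $params.Priority = $rule.Priority }  # keep the priority if one is set
Set-AzApplicationGatewayRequestRoutingRule @params | Out-Null

# Push the modified configuration to Azure.
Set-AzApplicationGateway -ApplicationGateway $gw
```

The rule only rewrites the Location header; the ARRAffinity cookie domain is not changed by it.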

Alternate solution: Use a custom domain name

Using App Service's Custom Domain feature is another solution to always redirect the traffic to Application Gateway's domain name (www.contoso.com in our example). This configuration also serves as a solution for the ARR Affinity cookie problem. By default, the ARRAffinity cookie domain is set to the App Service's default host name (example.azurewebsites.net) instead of the Application Gateway's domain name. Therefore, the browser in such cases will reject the cookie due to the difference in the domain names of the request and the cookie.

You can follow the given method for both the redirection and the ARRAffinity cookie domain mismatch issues. This method requires access to your custom domain's DNS zone.

Step 1: Set a Custom Domain in App Service and verify the domain ownership by adding the CNAME & TXT DNS records. The records would look similar to:

  • www.contoso.com IN CNAME contoso.azurewebsites.net
  • asuid.www.contoso.com IN TXT "<verification id string>"

Step 2: The CNAME record in the previous step was only needed for the domain verification. Ultimately, we need the traffic to route via Application Gateway. You can thus modify www.contoso.com's CNAME now to point to Application Gateway's FQDN. To set an FQDN for your Application Gateway, navigate to its Public IP address resource and assign a "DNS Name label" for it. The updated CNAME record should now look as follows:

  • www.contoso.com IN CNAME contoso.eastus.cloudapp.azure.com

Step 3: Disable "Pick Hostname from Backend Address" for the associated HTTP Setting.

In PowerShell, don't use the -PickHostNameFromBackendAddress switch in the Set-AzApplicationGatewayBackendHttpSettings command.

Step 4: For the probes to determine that the back end is healthy and traffic is operational, set a custom Health Probe with the Host field set to the custom or default domain of the App Service.

In PowerShell, don't use the -PickHostNameFromBackendHttpSettings switch in the Set-AzApplicationGatewayProbeConfig command and use either the custom or default domain of the App Service in the -HostName switch of the probe.

To implement the previous steps using PowerShell for an existing setup, use the sample PowerShell script that follows. Note how we haven't used the -PickHostname switches in the probe and HTTP settings configuration.

$gw=Get-AzApplicationGateway -Name AppGw1 -ResourceGroupName AppGwRG
Set-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name AppServiceProbe -Protocol Http -HostName "example.azurewebsites.net" -Path "/" -Interval 30 -Timeout 30 -UnhealthyThreshold 3
$probe=Get-AzApplicationGatewayProbeConfig -Name AppServiceProbe -ApplicationGateway $gw
Set-AzApplicationGatewayBackendHttpSettings -Name appgwhttpsettings -ApplicationGateway $gw -Port 80 -Protocol Http -CookieBasedAffinity Disabled -Probe $probe -RequestTimeout 30
Set-AzApplicationGateway -ApplicationGateway $gw

## Request headers to Application Gateway:

Request URL: http://www.contoso.com/path

Request Method: GET

Host: www.contoso.com

## Response headers:

Status Code: 301 Moved Permanently

Location: http://www.contoso.com/path/

Server: Microsoft-IIS/10.0

Set-Cookie: ARRAffinity=b5b1b14066f35b3e4533a1974cacfbbd969bf1960b6518aa2c2e2619700e4010;Path=/;HttpOnly;Domain=www.contoso.com

X-Powered-By: ASP.NET
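
To confirm that a change actually stopped the back-end host name from reaching clients, the two header captures in this article can be checked mechanically. The following is an added example, not part of the original article: the function name Test-BackendHostLeak is hypothetical, and the header lines are constructed from the article's samples with the cookie value replaced by a placeholder.

```powershell
# Added example, not from the original article. Flags response headers that send the
# client to a host other than the one it requested (that is, around the gateway).
function Test-BackendHostLeak {
    param(
        [Parameter(Mandatory)] [string]   $RequestHost,
        [Parameter(Mandatory)] [string[]] $ResponseHeaderLines
    )
    $reqHost  = $RequestHost.ToLowerInvariant()
    $findings = @()
    foreach ($line in $ResponseHeaderLines) {
        if ($line -match '^\s*Location:\s*(\S+)') {
            $uri = $null
            # Relative redirects carry no host and stay on the requested host, so only
            # absolute http(s) URLs are compared.
            if ([System.Uri]::TryCreate($Matches[1], [System.UriKind]::Absolute, [ref]$uri) -and
                $uri.Scheme -match '^https?$' -and $uri.Host -ne $reqHost) {
                $findings += "Location redirects to '$($uri.Host)' instead of '$reqHost'"
            }
        }
        elseif ($line -match '^\s*Set-Cookie:\s*([^=;\s]+)=.*?;\s*Domain=([^;\s]+)') {
            $cookie = $Matches[1]
            $domain = $Matches[2].TrimStart('.').ToLowerInvariant()
            # A cookie domain is usable only if it equals the request host or is a parent of it.
            if ($reqHost -ne $domain -and -not $reqHost.EndsWith(".$domain")) {
                $findings += "Cookie '$cookie' is scoped to '$domain', not '$reqHost'"
            }
        }
    }
    return $findings
}

# Constructed samples modeled on the article's response headers before and after the fix.
$before = @(
    'Status Code: 301 Moved Permanently',
    'Location: http://contoso.azurewebsites.net/path/',
    'Set-Cookie: ARRAffinity=<value>;Path=/;HttpOnly;Domain=contoso.azurewebsites.net'
)
$after = @(
    'Status Code: 301 Moved Permanently',
    'Location: http://www.contoso.com/path/',
    'Set-Cookie: ARRAffinity=<value>;Path=/;HttpOnly;Domain=www.contoso.com'
)

foreach ($sample in @{ Name = 'before'; Lines = $before }, @{ Name = 'after'; Lines = $after }) {
    $result = @(Test-BackendHostLeak -RequestHost 'www.contoso.com' -ResponseHeaderLines $sample.Lines)
    Write-Output ("{0}: {1} finding(s)" -f $sample.Name, $result.Count)
    $result | ForEach-Object { Write-Output "  $_" }
}
```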

Next steps

If the preceding steps didn't resolve the issue, open a support ticket.