Tutorial: Secure a web server on a Linux virtual machine in Azure with SSL certificates stored in Key Vault

To secure web servers, a Secure Sockets Layer (SSL) certificate can be used to encrypt web traffic. These SSL certificates can be stored in Azure Key Vault, and allow secure deployments of certificates to Linux virtual machines (VMs) in Azure. In this tutorial you learn how to:

  • Create an Azure Key Vault
  • Generate or upload a certificate to the Key Vault
  • Create a VM and install the NGINX web server
  • Inject the certificate into the VM and configure NGINX with an SSL binding

Open Azure Cloud Shell

Azure Cloud Shell is an interactive shell environment hosted in Azure and used through your browser. Azure Cloud Shell allows you to use either bash or PowerShell shells to run a variety of tools to work with Azure services. Azure Cloud Shell comes pre-installed with the commands to allow you to run the content of this article without having to install anything on your local environment.

To run any code contained in this article on Azure Cloud Shell, open a Cloud Shell session, use the Copy button on a code block to copy the code, and paste it into the Cloud Shell session with Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS. Pasted text is not automatically executed, so press Enter to run the code.

You can launch Azure Cloud Shell with one of the following options:

  • Select Try It in the upper-right corner of a code block. This does not automatically copy text to Cloud Shell. (Screenshot: Try It example for Azure Cloud Shell)
  • Open Azure Cloud Shell in your browser: https://shell.azure.com
  • Select the Cloud Shell button on the menu in the upper-right corner of the Azure portal. (Screenshot: Cloud Shell button in the Azure portal)

If you choose to install and use the CLI locally, this tutorial requires that you are running the Azure CLI version 2.0.30 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Overview

Azure Key Vault safeguards cryptographic keys and secrets, such as certificates or passwords. Key Vault helps streamline the certificate management process and enables you to maintain control of the keys that access those certificates. You can create a self-signed certificate inside Key Vault, or upload an existing, trusted certificate that you already own.

Rather than using a custom VM image that includes certificates baked in, you inject certificates into a running VM. This process ensures that the most up-to-date certificates are installed on a web server during deployment. If you renew or replace a certificate, you don't also have to create a new custom VM image. The latest certificates are automatically injected as you create additional VMs. During the whole process, the certificates never leave the Azure platform and are not exposed in a script, command-line history, or template.

Create an Azure Key Vault

Before you can create a Key Vault and certificates, create a resource group with az group create. The following example creates a resource group named myResourceGroupSecureWeb in the eastus location:

az group create --name myResourceGroupSecureWeb --location eastus

Next, create a Key Vault with az keyvault create and enable it for use when you deploy a VM. Each Key Vault requires a unique name, and should be all lowercase. Replace <mykeyvault> in the following example with your own unique Key Vault name:

keyvault_name=<mykeyvault>
az keyvault create \
    --resource-group myResourceGroupSecureWeb \
    --name $keyvault_name \
    --enabled-for-deployment

Generate a certificate and store it in Key Vault

For production use, you should import a valid certificate signed by a trusted provider with az keyvault certificate import. For this tutorial, the following example shows how you can generate a self-signed certificate with az keyvault certificate create that uses the default certificate policy:

az keyvault certificate create \
    --vault-name $keyvault_name \
    --name mycert \
    --policy "$(az keyvault certificate get-default-policy)"

Prepare a certificate for use with a VM

To use the certificate during the VM create process, obtain the ID of your certificate with az keyvault secret list-versions. Convert the certificate with az vm secret format. The following example assigns the output of these commands to variables for ease of use in the next steps:

secret=$(az keyvault secret list-versions \
          --vault-name $keyvault_name \
          --name mycert \
          --query "[?attributes.enabled].id" --output tsv)
vm_secret=$(az vm secret format --secrets "$secret")

Create a cloud-init config to secure NGINX

Cloud-init is a widely used approach to customize a Linux VM as it boots for the first time. You can use cloud-init to install packages and write files, or to configure users and security. As cloud-init runs during the initial boot process, there are no additional steps or required agents to apply your configuration.

When you create a VM, certificates and keys are stored in the protected /var/lib/waagent/ directory. To automate adding the certificate to the VM and configuring the web server, use cloud-init. In this example, you install and configure the NGINX web server. You can use the same process to install and configure Apache.

Create a file named cloud-init-web-server.txt and paste the following configuration:

#cloud-config
package_upgrade: true
packages:
  - nginx
write_files:
  # owner and path belong to the same write_files entry
  - path: /etc/nginx/sites-available/default
    owner: www-data:www-data
    content: |
      server {
        listen 443 ssl;
        ssl_certificate /etc/nginx/ssl/mycert.cert;
        ssl_certificate_key /etc/nginx/ssl/mycert.prv;
      }
runcmd:
  # waagent stores the injected secret as <thumbprint>.crt and <thumbprint>.prv;
  # strip the .prv suffix to get the base name shared by both files
  - secretsname=$(find /var/lib/waagent/ -name "*.prv" | sed 's/\.prv$//')
  - mkdir /etc/nginx/ssl
  - cp $secretsname.crt /etc/nginx/ssl/mycert.cert
  - cp $secretsname.prv /etc/nginx/ssl/mycert.prv
  - service nginx restart
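The runcmd step above assumes exactly one injected certificate and copies the private key with whatever permissions waagent gave it. As an added example (not part of this tutorial), the POSIX sh function below does the same copy defensively: it fails when zero or several .prv files are present, fails when the matching .crt is missing, and makes the private key readable only by its owner. The function name install_injected_cert, the temporary sample directory and its dummy file contents are constructed for illustration; the <thumbprint>.crt / <thumbprint>.prv layout under /var/lib/waagent is the one the tutorial describes.

```shell
#!/bin/sh
# Added example, not the tutorial's own code: a defensive replacement for the
# runcmd step that copies the injected certificate and key into NGINX's directory.
set -eu

# install_injected_cert <source dir> <destination dir>
# Copies <name>.crt and <name>.prv from the source directory (e.g. /var/lib/waagent)
# to <dst>/mycert.cert and <dst>/mycert.prv. Prints the base name on success.
# Returns 1 when there is not exactly one .prv file or its .crt is missing.
install_injected_cert() {
    src_dir=$1
    dst_dir=$2
    count=0
    key=""
    for f in "$src_dir"/*.prv; do
        [ -e "$f" ] || continue          # unmatched glob: no .prv files at all
        count=$((count + 1))
        key=$f
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one .prv file in $src_dir, found $count" >&2
        return 1
    fi
    base=${key%.prv}                     # strip the suffix instead of cutting at a fixed column
    cert="$base.crt"
    if [ ! -f "$cert" ]; then
        echo "certificate $cert missing for key $key" >&2
        return 1
    fi
    mkdir -p "$dst_dir"
    cp "$cert" "$dst_dir/mycert.cert"
    cp "$key"  "$dst_dir/mycert.prv"
    chmod 644 "$dst_dir/mycert.cert"
    chmod 600 "$dst_dir/mycert.prv"      # private key readable by its owner (root) only
    echo "$base"
}

# Constructed sample tree standing in for /var/lib/waagent; the contents are
# placeholder text, not real certificate or key material.
make_sample_waagent() {
    d=$(mktemp -d)
    printf 'dummy certificate\n' > "$d/aaaa1111.crt"
    printf 'dummy private key\n' > "$d/aaaa1111.prv"
    echo "$d"
}

# Usage on a VM (for example from a cloud-init runcmd entry):
#   install_injected_cert /var/lib/waagent /etc/nginx/ssl
```

Because the function refuses to guess when several keys are present, a VM that later receives a second certificate through --secrets fails loudly at boot instead of silently serving whichever file find listed first.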

Create a secure VM

Now create a VM with az vm create. The certificate data is injected from Key Vault with the --secrets parameter. You pass in the cloud-init config with the --custom-data parameter:

az vm create \
    --resource-group myResourceGroupSecureWeb \
    --name myVM \
    --image UbuntuLTS \
    --admin-username azureuser \
    --generate-ssh-keys \
    --custom-data cloud-init-web-server.txt \
    --secrets "$vm_secret"

It takes a few minutes for the VM to be created, the packages to install, and the app to start. When the VM has been created, take note of the publicIpAddress displayed by the Azure CLI. This address is used to access your site in a web browser.

To allow secure web traffic to reach your VM, open port 443 from the Internet with az vm open-port:

az vm open-port \
    --resource-group myResourceGroupSecureWeb \
    --name myVM \
    --port 443

Test the secure web app

Now you can open a web browser and enter https://<publicIpAddress> in the address bar. Provide your own public IP address from the VM create process. Accept the security warning if you used a self-signed certificate:

(Screenshot: accepting the web browser security warning)

Your secured NGINX site is then displayed as in the following example:

(Screenshot: the running, secured NGINX site)

Next steps

In this tutorial, you secured an NGINX web server with an SSL certificate stored in Azure Key Vault. You learned how to:

  • Create an Azure Key Vault
  • Generate or upload a certificate to the Key Vault
  • Create a VM and install the NGINX web server
  • Inject the certificate into the VM and configure NGINX with an SSL binding

Follow this link to see pre-built virtual machine script samples.