Azure - 在临时部署中处理 SSL
我有一个托管在 Windows Azure 中的 Web 应用程序。我们希望使用 SSL 进行生产部署,并且我们有一个自定义域名和该域的 SSL 证书,所有这些都已在生产中设置并正常工作。
Web 角色当前同时具有 HTTP 和 HTTPS 端点,但我们希望禁用 HTTP 端点并在生产中仅使用 HTTPS。
如果我们删除 HTTP 端点,我的问题是:在 Azure 中处理临时部署的 HTTPS 端点的最佳方法是什么?每次在 Azure 中进行新的临时部署时,它都会为您提供该服务的新临时域名。在暂存过程中,我们是否应该根本不使用 SSL 证书,而直接跳过所有浏览器警告,或者当域名随每次部署而更改时,是否有办法在暂存过程中使用 SSL?或者,当我们切换到生产环境时,是否有一种方法可以“关闭”Azure 部署中的 (HTTP) 端点?
我最初的想法是创建两个具有不同端点的包,但我不相信 Azure 会允许您热交换产品和临时部署(如果它们具有不同的端点配置)。
I have a web application that is hosted in Windows Azure. We want to use SSL for the production deployment, and we have a custom domain name and SSL certificate for the domain, and all of that is setup and working correctly in production.
The web role currently has both an HTTP and an HTTPS endpoint, but we would like to disable the HTTP endpoint and just use HTTPS in production.
If we remove the HTTP endpoint, my question is: what is the best way to deal with the HTTPS endpoint for a Staging deployment in Azure? Every time you do a new staging deployment in Azure, it gives you a new temporary domain name for the service. In staging, should we just not use an SSL certificate at all, and just skip past all the browser warnings, or is there a way to use SSL in staging when the domain name changes with each deployment? Or when we swap to production, is there a way to just "turn off" an (HTTP) endpoint in an Azure deployment?
My initial thought was to create two packages that had different endpoints, but I don't believe Azure will let you hot-swap the prod and staging deployments if they have different endpoint configurations.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
对于我们的一个项目,我们正在使用 URL 重写模块,该模块已安装默认情况下在 Azure 上。效果很好。 web.config 中的一个部分使所有 HTTP 流量自动重定向到 HTTPS:
对于临时环境,最好使用与生产环境相同的证书。这样可以在生产和登台之间轻松进行热交换,并且您可以在浏览器中验证证书是否正确。缺点是您在测试暂存部署时必须单击“继续访问网站”。
请注意,虽然 URL 重写模块在 Azure 中始终可用,但对于 DevFabric,您必须下载它并将其安装在您的开发盒上。可在 http://www.iis.com 上下载。
For one of our projects we are using URL rewrite module, which comes installed by default on Azure. It works great. A section in web.config makes all HTTP traffic automatically redirected into HTTPS:
For staging environment it is best to use the same cert as for production. This allows for easy hot swap between production and staging, and you can verify in your browser that the certificate is the correct one. The downside is that you will have to click "continue to web site" while testing staging deployment.
Note that while the URL Rewrite module is always available in Azure, for DevFabric you will have to download and install it on your dev box. The download is available on http://www.iis.com.
对于此场景,我们所做的是在 Azure 中创建 2 个不同的服务部署,两者都有其生产\暂存环境。因此,我们在两个服务中使用 Production 实例,以保持 url 静态。
服务部署之间没有热交换,但是当从其中一个服务部署升级构建时,它会安装在第二个服务上,暂存部署,然后完成热交换。希望我说清楚了。
For this scenario what we have done is to create 2 different service deployments in Azure, both having their Production\Staging environment. Hence we are using Production instance in both services which keeps the url static.
There is no hot swap between the service deployments but when a build gets promoted from one of the service deployment, it is installed on the second services, staging deployment and then a hot swap is done. Hope i made myself clear.
我们在生产和临时部署中保持端口 80 和 443 开放,但我们使用 自定义 HttpModule 用于根据 Azure 配置设置将 HTTP 流量重定向到 HTTPS。如果配置值等于“Production”,则所有流量都强制通过 HTTPS。否则,HTTP 和 HTTPS 流量都会被处理。这对我们来说很重要,因为我们不希望用户在 HTTP 请求被拒绝时感到困惑,因为他们忘记在 URL 中添加 https:// 前缀。您需要禁用 HTTP 端点是否有特殊原因?
We keep ports 80 and 443 open on production and staging deployments, but we use a custom HttpModule to redirect HTTP traffic to HTTPS based on an Azure configuration setting. If the config value equals "Production", all traffic is forced over HTTPS. Otherwise, both HTTP and HTTPS traffic is handled. This was important for us because we didn't want our users to get confused when HTTP requests were rejected just because they forgot to prefix the URL with https://. Is there a particular reason you need to disable the HTTP endpoint?