Azure API Management

Updated: 2024-10-25 02:23:08

This article covers securing an API with client certificates in Azure API Management.

Problem description

I am testing the authenticate-against-client-certificate functionality with the out-of-the-box Echo API GET request. I have added an inbound rule to check that the request has a certificate.

I am using a self-signed certificate, and I have updated it under CA and client certificates.

```xml
<inbound>
    <choose>
        <when condition="@(context.Request.Certificate == null)">
            <return-response>
                <set-status code="403" reason="Invalid client certificate"/>
            </return-response>
        </when>
    </choose>
    <base />
</inbound>
```

In my client application, I am using the code below to make a call:

```csharp
using System.Linq;
using System.Net.Http;
using System.Security;
using System.Security.Cryptography.X509Certificates;

public static void MakeAnAzureApiCall()
{
    var url = @"xxxx.azure-api/echo/resource?param1=sample";

    // Attach the client certificate explicitly instead of letting the handler pick one.
    var handler = new WebRequestHandler();
    handler.ClientCertificateOptions = ClientCertificateOption.Manual;

    // Copy the PFX password into a SecureString.
    SecureString sec = new SecureString();
    string pwd = "P@ssw0rd";
    pwd.ToCharArray().ToList().ForEach(sec.AppendChar);
    sec.MakeReadOnly();

    // Load the certificate together with its private key from the PFX file.
    var cert = new X509Certificate2(@"C:\temp\apim.pfx", sec, X509KeyStorageFlags.MachineKeySet);
    //X509Certificate2.CreateFromCertFile(@"C:\temp\apim1.cer");
    handler.ClientCertificates.Add(cert);

    var client = new HttpClient(handler);
    var request = new HttpRequestMessage(HttpMethod.Get, url);
    request.Headers.TryAddWithoutValidation("Ocp-Apim-Subscription-Key", "xxxxxxxxxxxxxxxxxx");

    // Blocking calls, as in the original post.
    var response = client.SendAsync(request).Result;
    string responseString = response.Content.ReadAsStringAsync().Result;
}
```

I am always getting a 403 response from API Management; it looks like the cert is never received by APIM. Does anyone know what I am doing wrong here?

EDIT 1: Here is the trace file from Azure

```json
{
  "traceId": "421658ba50fb480786757c8d7c22da48",
  "traceEntries": {
    "inbound": [
      {
        "source": "api-inspector",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0002782",
        "data": {
          "request": {
            "method": "GET",
            "url": "doddapim.azure-api/echo/resource?param1=sample",
            "headers": [
              { "name": "Ocp-Apim-Subscription-Key", "value": "e7f21197ef6f4628bdcde8f23394812d" },
              { "name": "Postman-Token", "value": "c4f8ef9a-6428-4781-bf4a-e774145c14e9" },
              { "name": "X-Forwarded-For", "value": "10.26.60.106" },
              { "name": "X-BlueCoat-Via", "value": "ee27777141854371" },
              { "name": "Cache-Control", "value": "no-cache" },
              { "name": "Connection", "value": "Keep-Alive" },
              { "name": "Accept", "value": "*/*" },
              { "name": "Accept-Encoding", "value": "gzip,deflate" },
              { "name": "Host", "value": "doddapim.azure-api" },
              { "name": "User-Agent", "value": "PostmanRuntime/7.15.2" }
            ]
          }
        }
      },
      {
        "source": "api-inspector",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0002814",
        "data": {
          "configuration": {
            "api": {
              "from": "/echo",
              "to": {
                "scheme": "http",
                "host": "echoapi.cloudapp",
                "port": 80,
                "path": "/api",
                "queryString": "",
                "query": { },
                "isDefaultPort": true
              },
              "version": null,
              "revision": "1"
            },
            "operation": { "method": "GET", "uriTemplate": "/resource" },
            "user": "-",
            "product": "-"
          }
        }
      },
      {
        "source": "cors",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0014853",
        "data": "Origin header was missing or empty and the request was classified as not cross-domain. CORS policy was not applied."
      },
      {
        "source": "cors",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0014872",
        "data": "Origin header was missing or empty and the request was classified as not cross-domain. CORS policy was not applied."
      },
      {
        "source": "client-certificate-handler",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0014961",
        "data": "Requesting client certificate because next handler requires access to it."
      },
      {
        "source": "client-certificate-handler",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0017793",
        "data": "No client certificate received."
      },
      {
        "source": "choose",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0017844",
        "data": {
          "message": "Expression was successfully evaluated.",
          "expression": "context.Request.Certificate == null",
          "value": true
        }
      },
      {
        "source": "set-status",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0017909",
        "data": {
          "message": [
            "Response status code was set to 403",
            "Response status reason was set to 'Invalid client certificate'"
          ]
        }
      },
      {
        "source": "return-response",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0017946",
        "data": {
          "message": "Return response was applied",
          "response": {
            "status": { "code": "Forbidden", "reason": "Invalid client certificate" },
            "headers": [ ]
          }
        }
      }
    ],
    "outbound": [
      {
        "source": "transfer-response",
        "timestamp": "2019-08-22T16:01:59.6691383Z",
        "elapsed": "00:00:00.0018163",
        "data": { "message": "Response headers have been sent to the caller." }
      }
    ]
  }
}
```

Recommended answer

Finally, I figured it out. The proxy is blocking the client from sending the certificate to the server. Nothing is wrong with the code or configuration.
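An added example, not part of the original question or answer: a Python check over an APIM trace of the shape posted above, reporting whether APIM requested but did not receive a client certificate and whether the request headers show an intermediary in the path. The sample trace is constructed (trimmed from the posted one), and the function name and the header list are assumptions.

```python
import json

# Constructed sample: a trimmed trace in the same shape as the one in the question.
SAMPLE_TRACE = json.dumps({
    "traceEntries": {"inbound": [
        {"source": "api-inspector", "data": {"request": {"method": "GET", "headers": [
            {"name": "X-Forwarded-For", "value": "10.26.60.106"},
            {"name": "X-BlueCoat-Via", "value": "ee27777141854371"},
            {"name": "Host", "value": "doddapim.azure-api"}]}}},
        {"source": "client-certificate-handler",
         "data": "Requesting client certificate because next handler requires access to it."},
        {"source": "client-certificate-handler", "data": "No client certificate received."},
        {"source": "set-status", "data": {"message": ["Response status code was set to 403"]}},
    ], "outbound": []}
})

# Header names taken as evidence of an intermediary (assumed list, extend as needed).
INTERMEDIARY_HEADERS = ("via", "forwarded", "x-forwarded-for", "x-bluecoat-via")


def analyze_trace(trace_text):
    """Summarise what APIM saw: certificate handling and intermediary headers."""
    inbound = json.loads(trace_text).get("traceEntries", {}).get("inbound", [])
    result = {"cert_requested": False, "cert_received": None, "intermediaries": []}
    for entry in inbound:
        source, data = entry.get("source"), entry.get("data")
        # Only the two handler messages visible in the posted trace are matched;
        # cert_received stays None (unknown) for any other message.
        if source == "client-certificate-handler" and isinstance(data, str):
            if data.startswith("Requesting client certificate"):
                result["cert_requested"] = True
            elif data.startswith("No client certificate received"):
                result["cert_received"] = False
        elif source == "api-inspector" and isinstance(data, dict) and "request" in data:
            for header in data["request"].get("headers", []):
                if header.get("name", "").lower() in INTERMEDIARY_HEADERS:
                    result["intermediaries"].append((header["name"], header["value"]))
    # Requested-but-missing certificate plus intermediary headers points at the
    # network path rather than at the policy or the client code.
    result["suspect_proxy"] = (result["cert_requested"]
                               and result["cert_received"] is False
                               and bool(result["intermediaries"]))
    return result


if __name__ == "__main__":
    print(analyze_trace(SAMPLE_TRACE))
```

The client certificate is presented during the TLS handshake, so a proxy that terminates TLS between the client and APIM cannot pass it on; the headers only show that an intermediary handled the request, not how it handled TLS.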

Published: 2023-11-16 04:30:54
Article link: https://www.elefans.com/category/jswz/34/1601004.html