公共反向代理后面的WCF，用于流量加密 [英] WCF behind a public reverse proxy which is used for traffic encryption

问题描述

我有一个连接到WCF服务的Silverlight应用程序.在我习惯的基本配置下，将此应用程序连接到其相应的WCF服务没有问题.

I have a Silverlight application that connects to a WCF service. Under the basic configuration I am used to, there's no problem connecting this application to its corresponding WCF service.

但是，最近，我的一位客户开始使用Apache反向代理.此代理是公共服务器，仅用于通过客户端与其之间的SSL(HTTPS)加密HTTP通信.该代理将所有流量从它传递到托管我的应用程序的实际Web服务器.公共代理和IIS服务器之间的流量只是纯HTTP.

However, recently, one of my clients started using an Apache reverse proxy. This proxy is the public server and it's only used to encrypt HTTP traffic via SSL (HTTPS) going between the client and it. This proxy passes all traffic from it to the actual web server that hosts my application. The traffic between the public proxy and the IIS server is just plain HTTP.

所以流量按如下方式流动:最终用户浏览器--- HTTPS ---->公共反向代理----- HTTP ---->承载WCF服务的IIS服务器.

So the traffic flows like this: End-User Browser ---HTTPS----> Public Reverse Proxy -----HTTP----> IIS server that hosts the WCF service.

反向代理和IIS位于两个单独的服务器上.

The reverse proxy and IIS are on two separate servers.

我无法使Silverlight应用程序正常运行.我不确定如何配置端点?每当我将公共代理服务器的地址用作端点地址时，我都会遇到问题.

I cannot get the Silverlight application to function properly. I am not sure how to configure the endpoints? I get problems whenever I use the public proxy's address as my endpoint address.

Silverlight应用程序通常具有以下配置:

The Silverlight application usually has this configuration:

<configuration>
    <system.serviceModel>
        <bindings>
            <basicHttpBinding>
                <binding name="BasicHttpBinding_IPOTemplateEditorSrv" maxBufferSize="2147483647"
                    maxReceivedMessageSize="2147483647">
                    <security mode="TransportWithMessageCredential" />
                </binding>
            </basicHttpBinding>
        </bindings>
        <client>
            <endpoint address="https://public-reverse-proxy-url/POTemplateEditorSrv.svc"
                binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IPOTemplateEditorSrv"
                contract="POEditorSrvRef.IPOTemplateEditorSrv" name="BasicHttpBinding_IPOTemplateEditorSrv" />
        </client>
    </system.serviceModel>
</configuration>

请注意，我正在使用，并且我的端点地址指向反向代理的公共HTTPS地址.

Note that I am using and I have my endpoint address pointing to the public HTTPS address of the reverse proxy.

我错过了什么吗?可能还有其他信息可配置代理吗?有什么解决方法可以使我的Silverlight客户端连接到该服务?

Am I missing anything? Is there any additional information to configure the proxy perhaps? Any workarounds that would get my Silverlight client connect to the service?

推荐答案

也许这个答案有点太明显了，但是听起来好像WSDL正在将内部主机名作为WCF地址发布-当该地址不是实际的公众一员.因为IIS是在生成WSDL，所以它将仅在端点地址中使用它的主机名-这不是您想要的，而是您想要代理的地址.

Perhaps this answer is a little too obvious, but it simply sounds like the WSDL is advertising an internal host-name as the WCF address - when that address is not the actual public one. Because IIS is generating the WSDL, it will simply use it's host name in the endpoint addresses - which is not what you want, you want the proxy's address.

尝试创建WSDL文件的静态副本，并将其发布在Web服务器上.确保将所有引用替换为内部主机名，并使用公共代理主机名.然后修改您的WCF客户端配置以指向静态WSDL.您可以在此处找到简短说明:

Try creating a static copy of your WSDL file, and publish that on your web server. Make sure you replace ALL REFERENCES to the internal host name, with the public proxy host name. Then modify your WCF client config to point to the static WSDL. You can find a short explanation here: Supply a different endpoint address in the WSDL of a WCF web service

如果这不起作用-尝试使用嗅探器(wireshark)捕获来回发送的内容-禁用HTTPS可能是您需要从公式中删除的部分.您的Web服务请求似乎已发送到代理，但代理无法正确处理该请求-这是尝试使用我们的嗅探工具的完美方案.

If that doesnt work - try using a sniffer (wireshark) to capture what is being sent back and forth - disabling HTTPS might be a piece you need to remove from the equation. Your web service request appears to be SENT to the proxy, but the proxy is not able to handle the request properly - the perfect scenario to try our your sniffing tools.

当您使用网络浏览器直接向SVC发送请求时，该请求将如下所示

When you make a direct request to your SVC using a web browser, the request will look something like this

GET /POTemplateEditorSrv.svc HTTP/1.1
Host: public-reverse-proxy-url

但是当通过Silverlight发送时，可能看起来像这样

But when sent via Silverlight, it may look like this

GET /POTemplateEditorSrv.svc HTTP/1.1
Host: private-server-address

这可能是一个微妙的差异，足以使代理服务器崩溃.

This could be a subtle enough difference to upset the proxy.

这篇关于公共反向代理后面的WCF，用于流量加密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！