如何配置Azure应用程序网关以重定向旧的SSL连接? [英] How can I configure Azure Application Gateway to redirect old SSL connections?

问题描述

我有一个网站，我希望允许对所有内容进行SSL访问，但仅对API和应用程序的任何敏感部分使用TLS 1.2.

I have a website that I want to allow SSL access to everything, but TLS 1.2 only to the API, and any sensitive portion of the app.

任何过时的客户端都应该转到错误页面，解释为什么他们无法访问该资源，并且有关过时的浏览器的警告是不是我们，而是您".

Any outdated client should go to an error page, explaining why they can't access the resource, and that "it's not us, its you" warning about an outdated browser.

如何在App Gateway中配置此等效功能(Netscaler BTW中存在)?

How can I configure this equivalent functionality (which is present on a Netscaler BTW) in App Gateway?

推荐答案

我记得建议您在其他线程上尝试一下.事后看来，我现在对此感到遗憾，因为该文档没有提及检测TLS协议版本和采取自定义操作的任何功能.

I remember recommending you try that on a different thread. In hindsight i now regret it, since the documentation has no mention of any ability to detect TLS protocol version and take custom action.

但是在已经存在更长时间的内容中，例如 nginx ，这几乎是微不足道的:

However in something that has been around for longer, like nginx, this is almost trivial to accomplish:

if ($ssl_protocol != "TLSv1.2") {
    return 302 https://example.com/outdated.html;
}

请参阅此主题进行更广泛的讨论:
https://community.qualys.com/thread/12758

See this thread for a broader discussion:
https://community.qualys.com/thread/12758

这种方法的缺点自然是，由于您使用的是TLS 1.0和1.1，因此任何现有的PCI-ish安全审核工具都会将您标记为不安全".

Naturally the downside of your approach is that any PCI-ish security audit tool out there is going to flag you as "insecure", since you're handshaking on TLS 1.0 and 1.1.

无论您做什么，都不要与SSLv3握手， 甚至不要一次 .

Whatever you do, DO NOT shake hands with SSLv3, not even once.

在其他消息中，Citrix似乎拥有自己的许可证

In other news, Citrix seems to have a bring-your-own-license NetScaler offering on Azure.

这篇关于如何配置Azure应用程序网关以重定向旧的SSL连接?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！