Apache httpd reverse proxy returns SSL_ERROR_RX_RECORD_TOO_LONG when redirecting from HTTP to HTTPS


I am setting up an Apache v2.4 httpd reverse proxy for another server that hosts Atlassian Confluence.

The proxy's private IP address is 10.0.0.77, its public IP address is 77.77.77.77, and a DNS A record maps the public IP to confluence.example.com.

There is a NAT:

  • 77.77.77.77:10080 -> 10.0.0.77:80
  • 77.77.77.77:10443 -> 10.0.0.77:443

This is necessary because the proxy's public IP address is also used for other services.

Name resolution on the proxy is done via /etc/hosts, which maps confluence.example.com to the Confluence server's private IP, 10.0.0.9.

Here is /etc/httpd/conf.d/confluence.conf (as you can see, it also performs the redirect from HTTP to HTTPS):

<VirtualHost *:80>
    ServerName confluence.example.com
    ProxyRequests off
    ProxyPreserveHost off
    SetEnv force-proxy-request 1
    SetEnv proxy-nokeepalive 1
    ProxyPass        "/" "http://confluence.example.com:8090/"
    ProxyPassReverse "/" "http://confluence.example.com:8090/"
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost *:443>
    ServerName confluence.example.com
    ServerSignature On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    # SSL cipher suite shortened for clarity
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384"
    SSLCertificateFile    /etc/httpd/ssl/example.crt
    SSLCertificateKeyFile /etc/httpd/ssl/example.key
    SSLCACertificateFile  /etc/httpd/ssl/example.crt
    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass        "/" "http://confluence.example.com:8090/"
    ProxyPassReverse "/" "http://confluence.example.com:8090/"
</VirtualHost>

When accessing http://confluence.example.com:10080 (or even http://77.77.77.77:10080) from a browser, the URL changes to https://confluence.example.com:10080, but instead of the Confluence login page the following error is returned:

Secure Connection Failed
An error occurred during a connection to 77.77.77.77:10080. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

Here is what is recorded in the http access log (DEBUG level):

33.33.33.33 - - [17/Sep/2018:17:06:59 +0200] "GET / HTTP/1.1" 302 208 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0"
33.33.33.33 - - [17/Sep/2018:17:06:59 +0200] "\x16\x03\x01\x02" 400 226 "-" "-"

and in the http error log:

[Mon Sep 17 17:11:58.095085 2018] [core:debug] [pid 23120] protocol.c(1271): [client 33.33.33.33:49745] AH00566: request failed: malformed request line

I have set up separate https access and error logs, and nothing is recorded there. As you may have guessed, 33.33.33.33 is my outgoing public IP.

Accessing https://confluence.example.com:10443 works fine.

The same configuration works on another Apache v2.2 reverse proxy.

Any hints?

Answer 1

I do this for Tomcat instances. (Formerly Confluence, now XWiki.)

  1. The http → https vHost is a plain redirect, with no proxying.
  2. The https vHost knows the URIs follow a sensible pattern, so it handles the proxy rewriting to Tomcat.

Here is a (slightly) redacted version of my configuration:

<VirtualHost *:80>
        ServerAdmin [email protected]

        ServerName confluence.example.com

        DocumentRoot /home/www/confluence.example.com/docroot


        # Global protection
        #
        <Directory />
                Options none
                AllowOverride None
        </Directory>


        # Send users to canonical website
        #
        Redirect / https://confluence.example.com/


        # Logging
        #
        ServerSignature On
        LogLevel warn
        ErrorLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/public-error.log"
        CustomLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/public-access.log" combined

</VirtualHost>

<VirtualHost *:443>
        ServerAdmin [email protected]

        ServerName confluence.example.com

        DocumentRoot /home/www/confluence.example.com/docroot
        AddDefaultCharset UTF-8


        # Global protection
        #
        <Directory />
                Options none
                AllowOverride None
        </Directory>


        # Access to the application itself
        #
        ProxyPassMatch /(.*) http://confluence.example.com:8090/$1
        ProxyPassReverse / http://confluence.example.com:8090/
        ProxyPassReverseCookieDomain confluence.example.com confluence.example.com


        # Logging
        #
        ServerSignature On

        LogLevel warn rewrite:debug
        ErrorLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/secure-error.log"
        CustomLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/secure-access.log" combined

        #RewriteLogLevel 1
        #RewriteLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/secure-rewrite.log"


        # SSL
        #
        SSLEngine on

        SSLCertificateFile      "...crt"
        SSLCertificateKeyFile   "...key"
        SSLCertificateChainFile "...ca-bundle"

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
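As an added example (not code from the question or the answer), the Python below reproduces the mechanism visible in the question's logs: the rule `RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}` copies the client's Host header, port included, into the Location, so the browser starts TLS against :10080, which the NAT delivers to the plaintext :80 listener; the ClientHello then shows up as the `\x16\x03\x01` request line with a 400. The NAT table and log lines are those quoted in the question; the `:10443` canonical redirect is an assumption adapting the answer's explicit `Redirect /` to the asker's port mapping.

```python
import re
from urllib.parse import urlsplit
# Constructed copy of the two access-log lines quoted in the question
# (unprintable bytes appear as \xNN exactly as Apache writes them).
ACCESS_LOG = r'''
33.33.33.33 - - [17/Sep/2018:17:06:59 +0200] "GET / HTTP/1.1" 302 208 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0"
33.33.33.33 - - [17/Sep/2018:17:06:59 +0200] "\x16\x03\x01\x02" 400 226 "-" "-"
'''
# NAT table from the question: public port -> protocol the private listener speaks
NAT = {10080: "http", 10443: "https"}

def rewrite_location(host_header, request_uri):
    """Location produced by the question's :80 vHost rule
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    HTTP_HOST is the client's Host header, port included, so :10080 survives."""
    return f"https://{host_header}{request_uri}"

def canonical_location(request_uri, port=10443):
    """Assumed fix: the answer's explicit 'Redirect / https://host/' adapted to the
    asker's NAT, i.e. Redirect / https://confluence.example.com:10443/"""
    return f"https://confluence.example.com:{port}{request_uri}"

def protocol_behind(location):
    """Protocol the NAT actually delivers a request for this URL to."""
    parts = urlsplit(location)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return NAT.get(port, parts.scheme)

def is_tls_handshake(request_line):
    """0x16 = TLS handshake record, 0x03 0x0N = record-layer version: a browser
    started TLS against a listener that expected a plaintext request line."""
    return request_line.startswith(r"\x16\x03\x0")

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "((?:[^"\\]|\\.)*)" (\d{3})')

def tls_on_plaintext_listener(log_text):
    """Return (client, status) for every TLS handshake logged by the HTTP vHost."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if m and is_tls_handshake(m.group(2)):
            hits.append((m.group(1), int(m.group(3))))
    return hits

if __name__ == "__main__":
    loc = rewrite_location("confluence.example.com:10080", "/")
    print(loc, "->", protocol_behind(loc))                              # -> http
    print(canonical_location("/"), "->", protocol_behind(canonical_location("/")))
    print(tls_on_plaintext_listener(ACCESS_LOG))                        # [('33.33.33.33', 400)]
```

Running the script on the quoted log shows the one 400 entry is a TLS handshake on the plaintext vHost, which is why the separate https logs stay empty.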
