代理将 SSL 请求传递到 localnet SSL 站点

代理将 SSL 请求传递到 localnet SSL 站点

我在本地网络中有两个通过 https 运行的站点并使用 letsencrypt 证书 - 我们将它们称为 git.foo.com 和 api.foo.com。

我想从互联网上查看这些网站。我有一个 OpenWRT 路由器,它运行在白色 IP 地址上(git.foo.com 和 api.foo.com 的 DNS 记录指向它的 IP)。

我刚刚将流量从 80 和 443 端口重定向(使用 iptables)到另一台本地机器,该机器必须是代理。问题是如何通过站点主机名将 SSL 流量传递到特定站点(已使用 SSL)服务器?

答案1

使用 apache 完成的。

<VirtualHost *:443>
    ServerName git.foo.com
    ErrorLog /var/log/apache2/git.error.log
    TransferLog /var/log/apache2/git.com.access.log
    SSLEngine On
    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off
    SSLInsecureRenegotiation on
    SSLProxyVerify none
    SSLProxyCheckPeerName Off
    SSLVerifyClient none
    SSLCertificateFile /etc/certs/git.foo.com/fullchain2.pem
    SSLCertificateKeyFile /etc/certs/git.foo.com/privkey2.pem

    ProxyPass / https://192.168.3.230/
    ProxyPassReverse / https://192.168.3.230/

    <Location "/">
            Require all granted
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName api.foo.com
    ErrorLog /var/log/apache2/api.error.log
    TransferLog /var/log/apache2/api.access.log
    SSLEngine On
    SSLProxyEngine On
    ProxyPreserveHost on
    ProxyRequests Off
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off
    SSLInsecureRenegotiation on
    SSLProxyVerify none
    SSLProxyCheckPeerName Off
    SSLVerifyClient none
    SSLCertificateFile /etc/certs/api.foo.com/fullchain5.pem
    SSLCertificateKeyFile /etc/certs/api.foo.com/privkey5.pem

    ProxyPass / https://192.168.3.230/
    ProxyPassReverse / https://192.168.3.230/

    <Location "/">
            Require all granted
    </Location>
</VirtualHost>


<VirtualHost *:80>
    ServerName subapi.foo.com

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://192.168.3.27/
    ProxyPassReverse / https://192.168.3.27/

    <Location "/">
            Require all granted
    </Location>
</VirtualHost>

相关内容