I am running Gitea on a Debian 10 LAMP machine with ISPConfig / Apache2 as a reverse proxy. I managed to get Gitea working on a test server without SSL using the following apache directives:
ProxyPreserveHost On
ProxyRequests off
AllowEncodedSlashes NoDecode
ProxyPass / http://localhost:3000/ nocanon
ProxyPassReverse / http://localhost:3000/
However, I cannot get the reverse proxy working on the production server because of SSL problems.
Currently I am trying the following apache directives for the vhost:
ProxyPreserveHost On
ProxyRequests off
AllowEncodedSlashes NoDecode
SSLProxyEngine On
ProxyPass / https://localhost:3000/ nocanon
ProxyPassReverse / https://localhost:3000/
However, I am getting these specific errors:
[proxy:error] [pid 3974] (20014)Internal error (specific information not available): [client 34.96.130.19:34571] AH01084: pass request body failed to 127.0.0.1:3000 (localhost)
[proxy:error] [pid 3974] [client 34.96.130.19:34571] AH00898: Error during SSL Handshake with remote server returned by /
[proxy_http:error] [pid 3974] [client 34.96.130.19:34571] AH01097: pass request body failed to 127.0.0.1:3000 (localhost) from 34.96.130.19 ()
[proxy:error] [pid 3974] (20014)Internal error (specific information not available): [client 34.96.130.19:34571] AH01084: pass request body failed to 127.0.0.1:3000 (localhost)
[proxy:error] [pid 3974] [client 34.96.130.19:34571] AH00898: Error during SSL Handshake with remote server returned by /error/500.html
[proxy_http:error] [pid 3974] [client 34.96.130.19:34571] AH01097: pass request body failed to 127.0.0.1:3000 (localhost) from 34.96.130.19 ()
[proxy:error] [pid 7611] (20014)Internal error (specific information not available): [client 49.247.196.186:51316] AH01084: pass request body failed to 127.0.0.1:3000 (localhost)
[proxy:error] [pid 7611] [client 49.247.196.186:51316] AH00898: Error during SSL Handshake with remote server returned by /
[proxy_http:error] [pid 7611] [client 49.247.196.186:51316] AH01097: pass request body failed to 127.0.0.1:3000 (localhost) from 49.247.196.186 ()
[proxy:error] [pid 7611] (20014)Internal error (specific information not available): [client 49.247.196.186:51316] AH01084: pass request body failed to 127.0.0.1:3000 (localhost)
[proxy:error] [pid 7611] [client 49.247.196.186:51316] AH00898: Error during SSL Handshake with remote server returned by /error/500.html
[proxy_http:error] [pid 7611] [client 49.247.196.186:51316] AH01097: pass request body failed to 127.0.0.1:3000 (localhost) from 49.247.196.186 ()
[proxy:error] [pid 7607] (20014)Internal error (specific information not available): [client 49.247.196.186:51318] AH01084: pass request body failed to 127.0.0.1:3000 (localhost), referer: https://git.example.com/
[proxy:error] [pid 7607] [client 49.247.196.186:51318] AH00898: Error during SSL Handshake with remote server returned by /favicon.ico, referer: https://git.example.com/
[proxy_http:error] [pid 7607] [client 49.247.196.186:51318] AH01097: pass request body failed to 127.0.0.1:3000 (localhost) from 49.247.196.186 (), referer: https://git.example.com/
[proxy:error] [pid 7607] (20014)Internal error (specific information not available): [client 49.247.196.186:51318] AH01084: pass request body failed to 127.0.0.1:3000 (localhost), referer: https://git.example.com/
[proxy:error] [pid 7607] [client 49.247.196.186:51318] AH00898: Error during SSL Handshake with remote server returned by /error/500.html, referer: https://git.example.com/
[proxy_http:error] [pid 7607] [client 49.247.196.186:51318] AH01097: pass request body failed to 127.0.0.1:3000 (localhost) from 49.247.196.186 (), referer: https://git.example.com/
Does anyone know how to correct my apache directives to work with SSL?
My complete vhost file is below:
<Directory /var/www/git.example.com>
AllowOverride None
Require all denied
</Directory>
<VirtualHost *:80>
DocumentRoot /var/www/clients/client1/web7/web
ServerName git.example.com
ServerAdmin [email protected]
ErrorLog /var/log/ispconfig/httpd/git.example.com/error.log
Alias /error/ "/var/www/git.example.com/web/error/"
ErrorDocument 400 /error/400.html
ErrorDocument 401 /error/401.html
ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/404.html
ErrorDocument 405 /error/405.html
ErrorDocument 500 /error/500.html
ErrorDocument 502 /error/502.html
ErrorDocument 503 /error/503.html
<Directory /var/www/git.example.com/web>
# Clear PHP settings of this website
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler None
</FilesMatch>
Options +SymlinksIfOwnerMatch
AllowOverride All
Require all granted
</Directory>
<Directory /var/www/clients/client1/web7/web>
# Clear PHP settings of this website
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler None
</FilesMatch>
Options +SymlinksIfOwnerMatch
AllowOverride All
Require all granted
</Directory>
# suexec enabled
<IfModule mod_suexec.c>
SuexecUserGroup web7 client1
</IfModule>
<IfModule mod_fastcgi.c>
<Directory /var/www/clients/client1/web7/cgi-bin>
Require all granted
</Directory>
<Directory /var/www/git.example.com/web>
<FilesMatch "\.php[345]?$">
<If "-f '%{REQUEST_FILENAME}'">
SetHandler php-fcgi
</If>
</FilesMatch>
</Directory>
<Directory /var/www/clients/client1/web7/web>
<FilesMatch "\.php[345]?$">
<If "-f '%{REQUEST_FILENAME}'">
SetHandler php-fcgi
</If>
</FilesMatch>
</Directory>
Action php-fcgi /php-fcgi virtual
Alias /php-fcgi /var/www/clients/client1/web7/cgi-bin/php-fcgi-*-80-git.example.com
FastCgiExternalServer /var/www/clients/client1/web7/cgi-bin/php-fcgi-*-80-git.example.com -idle-timeout 300 -socket /var/lib/php7.3-fpm/web7.sock -pass-header Authorization -pass-header Content-Type
</IfModule>
<IfModule mod_proxy_fcgi.c>
#ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.3-fpm/web7.sock|fcgi://localhost//var/www/clients/client1/web7/web/$1
<Directory /var/www/clients/client1/web7/web>
<FilesMatch "\.php[345]?$">
<If "-f '%{REQUEST_FILENAME}'">
SetHandler "proxy:unix:/var/lib/php7.3-fpm/web7.sock|fcgi://localhost"
</If>
</FilesMatch>
</Directory>
</IfModule>
# add support for apache mpm_itk
<IfModule mpm_itk_module>
AssignUserId web7 client1
</IfModule>
<IfModule mod_dav_fs.c>
# Do not execute PHP files in webdav directory
<Directory /var/www/clients/client1/web7/webdav>
<ifModule mod_security2.c>
SecRuleRemoveById 960015
SecRuleRemoveById 960032
</ifModule>
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
</Directory>
DavLockDB /var/www/clients/client1/web7/tmp/DavLock
# DO NOT REMOVE THE COMMENTS!
# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
# WEBDAV BEGIN
# WEBDAV END
</IfModule>
ProxyPreserveHost On
ProxyRequests off
AllowEncodedSlashes NoDecode
SSLProxyEngine On
ProxyPass / https://localhost:3000/ nocanon
ProxyPassReverse / https://localhost:3000/
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/clients/client1/web7/web
ServerName git.example.com
ServerAdmin [email protected]
<IfModule mod_http2.c>
Protocols h2 http/1.1
</IfModule>
<IfModule mod_brotli.c>
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript application/xml application/xml+rss application/atom+xml application/json application/x-font-ttf application/vnd.ms-fontobject image/x-icon
</IfModule>
ErrorLog /var/log/ispconfig/httpd/git.example.com/error.log
Alias /error/ "/var/www/git.example.com/web/error/"
ErrorDocument 400 /error/400.html
ErrorDocument 401 /error/401.html
ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/404.html
ErrorDocument 405 /error/405.html
ErrorDocument 500 /error/500.html
ErrorDocument 502 /error/502.html
ErrorDocument 503 /error/503.html
<IfModule mod_ssl.c>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
# <IfModule mod_headers.c>
# Header always add Strict-Transport-Security "max-age=15768000"
# </IfModule>
SSLCertificateFile /var/www/clients/client1/web7/ssl/git.example.com-le.crt
SSLCertificateKeyFile /var/www/clients/client1/web7/ssl/git.example.com-le.key
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
</IfModule>
<Directory /var/www/git.example.com/web>
# Clear PHP settings of this website
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler None
</FilesMatch>
Options +SymlinksIfOwnerMatch
AllowOverride All
Require all granted
</Directory>
<Directory /var/www/clients/client1/web7/web>
# Clear PHP settings of this website
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler None
</FilesMatch>
Options +SymlinksIfOwnerMatch
AllowOverride All
Require all granted
</Directory>
# suexec enabled
<IfModule mod_suexec.c>
SuexecUserGroup web7 client1
</IfModule>
<IfModule mod_fastcgi.c>
<Directory /var/www/clients/client1/web7/cgi-bin>
Require all granted
</Directory>
<Directory /var/www/git.example.com/web>
<FilesMatch "\.php[345]?$">
<If "-f '%{REQUEST_FILENAME}'">
SetHandler php-fcgi
</If>
</FilesMatch>
</Directory>
<Directory /var/www/clients/client1/web7/web>
<FilesMatch "\.php[345]?$">
<If "-f '%{REQUEST_FILENAME}'">
SetHandler php-fcgi
</If>
</FilesMatch>
</Directory>
Action php-fcgi /php-fcgi virtual
Alias /php-fcgi /var/www/clients/client1/web7/cgi-bin/php-fcgi-*-443-git.example.com
FastCgiExternalServer /var/www/clients/client1/web7/cgi-bin/php-fcgi-*-443-git.example.com -idle-timeout 300 -socket /var/lib/php7.3-fpm/web7.sock -pass-header Authorization -pass-header Content-Type
</IfModule>
<IfModule mod_proxy_fcgi.c>
#ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.3-fpm/web7.sock|fcgi://localhost//var/www/clients/client1/web7/web/$1
<Directory /var/www/clients/client1/web7/web>
<FilesMatch "\.php[345]?$">
<If "-f '%{REQUEST_FILENAME}'">
SetHandler "proxy:unix:/var/lib/php7.3-fpm/web7.sock|fcgi://localhost"
</If>
</FilesMatch>
</Directory>
</IfModule>
# add support for apache mpm_itk
<IfModule mpm_itk_module>
AssignUserId web7 client1
</IfModule>
<IfModule mod_dav_fs.c>
# Do not execute PHP files in webdav directory
<Directory /var/www/clients/client1/web7/webdav>
<ifModule mod_security2.c>
SecRuleRemoveById 960015
SecRuleRemoveById 960032
</ifModule>
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
</Directory>
DavLockDB /var/www/clients/client1/web7/tmp/DavLock
# DO NOT REMOVE THE COMMENTS!
# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
# WEBDAV BEGIN
# WEBDAV END
</IfModule>
ProxyPreserveHost On
ProxyRequests off
AllowEncodedSlashes NoDecode
SSLProxyEngine On
ProxyPass / https://localhost:3000/ nocanon
ProxyPassReverse / https://localhost:3000/
</VirtualHost>
<IfModule mod_ssl.c>
SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>
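An added diagnostic, not part of the original post: the AH00898 lines above say Apache's own TLS handshake to the backend at 127.0.0.1:3000 failed, so the first thing to establish is what that port actually speaks before changing the scheme in ProxyPass. The probe below connects to a host:port, tries a TLS handshake, and falls back to a plain HTTP request; the fake backend is constructed here so the script runs stand-alone, and in practice you would call probe_backend("127.0.0.1", 3000) against the real Gitea listener.

```python
import socket
import ssl
import threading

def probe_backend(host, port, timeout=2.0):
    """Return 'tls', 'plaintext', 'unknown' or 'unreachable' for host:port."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # diagnostic only: we only want to know
    ctx.verify_mode = ssl.CERT_NONE   # whether any handshake completes at all
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"              # handshake completed: backend speaks TLS
    except OSError:                   # SSLError, EOF, reset or timeout: no TLS
        raw.close()
    try:                              # fresh connection, plain HTTP this time
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n")
            reply = plain.recv(16)
    except OSError:
        return "unreachable"
    return "plaintext" if reply.startswith(b"HTTP/") else "unknown"

def start_fake_http_backend():
    """Constructed stand-in for a Gitea that listens on plain HTTP only.
    Binds an ephemeral loopback port and returns its number."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                data = conn.recv(1024)
                if data.startswith((b"GET", b"HEAD")):
                    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
                # a TLS ClientHello is not an HTTP request line: just close,
                # which is what makes Apache log AH00898 against such a backend
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_fake_http_backend()
    print(port, probe_backend("127.0.0.1", port))   # → plaintext
```

If the probe reports "plaintext" for the real port, Apache should be told to proxy over http:// to that backend while it terminates TLS itself on the :443 vhost; "tls" means the backend expects the https:// scheme and the handshake failure lies in certificate trust instead.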