如何将CentOS 7
Web 服务器配置为仅提供文件SSL
中的加密内容,并在代理服务器后面运行?war
tomcat
我想这涉及使用firewalld
、https
和tomcat
。这https
是 的包装器httpd
。目前,当我在端口 8080 上公开时,war
文件可以完美运行。但我想阻止对端口 8080 的所有外部访问。这个问题是关于如何在-encrypted后面进行包装。 tomcat
tomcat
tomcat
SSL
proxy server
这是我到目前为止所拥有的。
公众zone
是firewalld
:
[root@xxx-xx-xxx-xx conf]# firewall-cmd --list-all
public (default, active)
interfaces: enp3s0
sources:
services: https ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
/usr/lib/firewalld/services/https.xml
看起来像这样:
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Secure WWW (HTTPS)</short>
<description>HTTPS is a modified HTTP used to serve Web pages when security is important. Examples are sites that require logins like stores or web mail. This option is not required for viewing pages locally or developing Web pages. You need the httpd package installed for this option to be useful.</description>
<port protocol="tcp" port="443"/>
</service>
我的/etc/httpd/conf/httpd.conf
可以通过单击准备就绪这个链接。请注意,我删除了很多与文件/目录权限相关的内容,因为我只想httpd
充当tomcat
.我还添加了一个virtualhost
标签。我需要添加任何东西吗httpd.conf
?另外,会因为我添加到公共httpd
而自动调用吗?https
firewalld
zone
我的/opt/tomcat/conf/server.xml
可以阅读这个链接。
编辑:
尝试重新启动 httpd 失败。结果如下:
[[email protected] ~]# systemctl restart httpd.service
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
[[email protected] ~]# systemctl status httpd.service -l
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
Active: failed (Result: exit-code) since Thu 2014-12-11 15:38:00 EST; 59s ago
Process: 31036 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
Process: 31034 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 31034 (code=exited, status=1/FAILURE)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
Dec 11 15:38:00 server.ip.address.static.servdns.com httpd[31034]: AH00526: Syntax error on line 58 of /etc/httpd/conf/httpd.conf:
Dec 11 15:38:00 server.ip.address.static.servdns.com httpd[31034]: Invalid command '...///', perhaps misspelled or defined by a module not included in the server configuration
Dec 11 15:38:00 server.ip.address.static.servdns.com systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Dec 11 15:38:00 server.ip.address.static.servdns.com systemd[1]: Failed to start The Apache HTTP Server.
Dec 11 15:38:00 server.ip.address.static.servdns.com systemd[1]: Unit httpd.service entered failed state.
编辑#2:
我更改了virtualhost
标签,index.html
在 处添加了一个简单的文件/www/example1/index.html
,然后添加了一个文档标签,httpd.conf
如下所示:
<VirtualHost *:443>
DocumentRoot /www/example1/
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/pki/tls/certs/some.crt
SSLCertificateChainFile /etc/pki/tls/certs/bundle.crt
SSLCertificateKeyFile /etc/pki/tls/private/some.key
# ProxyPass / http://local_host:8080/
# ProxyPassReverse / http://local_host:8080/
</VirtualHost>
<Directory "/www/example1/">
Options None
AllowOverride None
allow from all
</Directory>
但现在https://server.ip.address
在浏览器中输入结果Unable to connect. Firefox can't establish a connection to the server at server.ip.address
答案1
从它的声音来看,你正在追求一个reverse proxy
。快速谷歌一下就会显示出一系列可能的解决方案。
一个简单的选择是使用apache
您已安装的 Web 服务器作为代理。
为此,您需要更改httpd.conf
并添加:
<VirtualHost your.domain.name:443>
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/pki/tls/certs/your_public.crt
SSLCertificateChainFile /etc/pki/tls/certs/bundle.crt
SSLCertificateKeyFile /etc/pki/tls/private/your_private.key
ProxyPass / http://ip.addr:8080/myappname
ProxyPassReverse / http://ip.addr:8080/myappname
</VirtualHost>
笔记:删除上面的下划线local_host
- SE 不允许我将其作为一个单词发布!
根据您的其他配置,可能需要进行一些细微的调整,但以上内容应该可以帮助您入门。