如何将CentOS 7Web 服务器配置为仅提供文件SSL中的加密内容,并在代理服务器后面运行?wartomcat
我想这涉及使用firewalld、https和tomcat。这https是 的包装器httpd。目前,当我在端口 8080 上公开时,war文件可以完美运行。但我想阻止对端口 8080 的所有外部访问。这个问题是关于如何在-encrypted后面进行包装。 tomcattomcattomcatSSLproxy server
这是我到目前为止所拥有的。
公众zone是firewalld:
[root@xxx-xx-xxx-xx conf]# firewall-cmd --list-all
public (default, active)
interfaces: enp3s0
sources:
services: https ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
/usr/lib/firewalld/services/https.xml看起来像这样:
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Secure WWW (HTTPS)</short>
<description>HTTPS is a modified HTTP used to serve Web pages when security is important. Examples are sites that require logins like stores or web mail. This option is not required for viewing pages locally or developing Web pages. You need the httpd package installed for this option to be useful.</description>
<port protocol="tcp" port="443"/>
</service>
我的/etc/httpd/conf/httpd.conf可以通过单击准备就绪这个链接。请注意,我删除了很多与文件/目录权限相关的内容,因为我只想httpd充当tomcat.我还添加了一个virtualhost标签。我需要添加任何东西吗httpd.conf?另外,会因为我添加到公共httpd而自动调用吗?httpsfirewalldzone
我的/opt/tomcat/conf/server.xml可以阅读这个链接。
编辑:
尝试重新启动 httpd 失败。结果如下:
[[email protected] ~]# systemctl restart httpd.service
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
[[email protected] ~]# systemctl status httpd.service -l
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
Active: failed (Result: exit-code) since Thu 2014-12-11 15:38:00 EST; 59s ago
Process: 31036 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
Process: 31034 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 31034 (code=exited, status=1/FAILURE)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
Dec 11 15:38:00 server.ip.address.static.servdns.com httpd[31034]: AH00526: Syntax error on line 58 of /etc/httpd/conf/httpd.conf:
Dec 11 15:38:00 server.ip.address.static.servdns.com httpd[31034]: Invalid command '...///', perhaps misspelled or defined by a module not included in the server configuration
Dec 11 15:38:00 server.ip.address.static.servdns.com systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Dec 11 15:38:00 server.ip.address.static.servdns.com systemd[1]: Failed to start The Apache HTTP Server.
Dec 11 15:38:00 server.ip.address.static.servdns.com systemd[1]: Unit httpd.service entered failed state.
编辑#2:
我更改了virtualhost标签,index.html在 处添加了一个简单的文件/www/example1/index.html,然后添加了一个文档标签,httpd.conf如下所示:
<VirtualHost *:443>
DocumentRoot /www/example1/
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/pki/tls/certs/some.crt
SSLCertificateChainFile /etc/pki/tls/certs/bundle.crt
SSLCertificateKeyFile /etc/pki/tls/private/some.key
# ProxyPass / http://local_host:8080/
# ProxyPassReverse / http://local_host:8080/
</VirtualHost>
<Directory "/www/example1/">
Options None
AllowOverride None
allow from all
</Directory>
但现在https://server.ip.address在浏览器中输入结果Unable to connect. Firefox can't establish a connection to the server at server.ip.address
答案1
从它的声音来看,你正在追求一个reverse proxy。快速谷歌一下就会显示出一系列可能的解决方案。
一个简单的选择是使用apache您已安装的 Web 服务器作为代理。
为此,您需要更改httpd.conf并添加:
<VirtualHost your.domain.name:443>
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/pki/tls/certs/your_public.crt
SSLCertificateChainFile /etc/pki/tls/certs/bundle.crt
SSLCertificateKeyFile /etc/pki/tls/private/your_private.key
ProxyPass / http://ip.addr:8080/myappname
ProxyPassReverse / http://ip.addr:8080/myappname
</VirtualHost>
笔记:删除上面的下划线local_host- SE 不允许我将其作为一个单词发布!
根据您的其他配置,可能需要进行一些细微的调整,但以上内容应该可以帮助您入门。