Apache SSL 代理不需要的重定向

tag-icon tag-icon apache-2.2 ubuntu ssl proxy virtualhost
Apache SSL 代理不需要的重定向

我正在运行 ubuntu server 12.04。我想通过 apache ssl 代理保护对 python 应用程序的访问。我有

sudo a2ensite erp.mydomain.com

我在 /etc/hosts 中有

127.0.0.1 mydomain.com erp.mydomain.com

我不明白这个重定向,任何指示都会有帮助。这是我的 erp.mydomain.com 文件:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
ServerName erp.mydomain.com
Redirect / https://erp.mydomain.com/
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

<IfModule mod_ssl.c>

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
ServerName erp.mydomain.com
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyRequests Off
ProxyPass        /   http://127.0.0.1:8069/
ProxyPassReverse /   http://127.0.0.1:8069/
SetEnv proxy-nokeepalive 1  
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    SSLEngine on

    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>

答案1

如果你没有

<VirtualHost *:443>
    ServerName mydomain.com
    ...
</VirtualHost>

常规 mydomain.com 站点文件中的块,那么问题在于,当没有其他匹配项时,Apache 将为配置的第一个虚拟主机提供服务。为该服务器名添加虚拟主机,问题应该可以解决。

如果出现这种情况,那么您可能遇到了 SNI 无法正常工作的问题,无论是在客户端(不支持 IE-on-XP)还是在服务器端(12.04 应该有正确版本的 OpenSSL)。在这种情况下,如果SSLStrictSNIVHostCheck关闭,客户端将使用默认的第一个虚拟主机,而不是错误消息。

最后,确保您已在 *.80 和 *.443 上设置基于名称的虚拟主机:

NameVirtualHost *:80
NameVirtualHost *:443

答案2

这更像是您的网站向客户端发送 HTTP 重定向。由于服务器和客户端都不知道代理的存在,因此它只是逃避了。

使用与此类似的重写规则

    ReWriteEngine On
    RewriteRule ^/web/webclient/home/(.*) https://%{HTTP_HOST}/web/webclient/home

因此,当发送重定向时,它会在客户端看到它之前被检测并重写以指回 https 服务器。

相关内容