SSL and ProxyPass

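I'm running a Node.js server on port 8200, and I just obtained some SSL certificates for my domain. I'd like to be able to serve my pages over HTTPS.

This is my Apache configuration file so far:

File: /etc/apache2/sites-enabled/synsis.conf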

<VirtualHost *:443>
  ServerAdmin [email protected]
  ServerName  www.synsis.live
  ServerAlias synsis.live

  SSLEngine On
  SSLProxyEngine On
  SSLCertificateFile "/home/vas/synsis.live/certs/domain.crt"
  SSLCertificateKeyFile "/home/vas/synsis.live/certs/domain.key"
  SSLCertificateChainFile "/home/vas/synsis.live/certs/intermediate.pem"


  ProxyRequests Off
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

<Location />
  ProxyPass  https://localhost:8200/
  ProxyPassReverse  https://localhost:8200/
</Location>
</VirtualHost>

However, with this configuration my site does not load. Any ideas?

apachectl -t

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK

apachectl -S

VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost ch.mu (/etc/apache2/sites-enabled/c.conf:1)
         port 80 namevhost www.hai.run (/etc/apache2/sites-enabled/hai.conf:3)
                 alias hai.run
         port 80 namevhost practicalhuman.org (/etc/apache2/sites-enabled/ph.conf:4)
                 alias www.practicalhuman.org
*:443                  www.synthesis.live (/etc/apache2/sites-enabled/synthesis.conf:5)

ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used

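Answer 1

Your configuration contains three of my main complaints about existing configuration examples in the wild:

  1. Using a <Proxy *> block when configuring a reverse proxy. <Proxy> blocks are almost exclusively for configuring forward proxies, not reverse proxies. You don't need it in your situation.
  2. Using ProxyPass inside a Location block. Best practice is to use the 2-argument version of ProxyPass unless there is no other choice.
  3. Using Apache v2.2 authorization directives in Apache v2.4. I strongly recommend always changing all v2.2 Allow, Order and Satisfy directives to the new v2.4 Require directive and <RequireAny>/<RequireAll> blocks.
  4. The SSLProxyEngine directive is for configuring your server when proxying to an SSL-based service, and has nothing to do with whether your actual virtual host is SSL or not (yes, I know I said 3, but this is a very minor one, and I only added it because you replied that your backend is not SSL-enabled :-)

Try the following as a basis, and hopefully "clean", configuration and work from there. If it doesn't work, tell us what actually happens, rather than just saying "it doesn't work".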

<VirtualHost *:443>
  ServerAdmin [email protected]
  ServerName  www.synsis.live
  ServerAlias synsis.live

  SSLEngine On
  SSLProxyEngine On
  SSLCertificateFile "/home/vas/synsis.live/certs/domain.crt"
  SSLCertificateKeyFile "/home/vas/synsis.live/certs/domain.key"
  SSLCertificateChainFile "/home/vas/synsis.live/certs/intermediate.pem"

  # This is the default anyway, but no harm having it explicitly set
  ProxyRequests Off

  # You say in a comment your backend is not SSL, but your original configuration
  # tries to proxy to an SSL enabled service. This is almost certainly
  # why it originally failed
  ProxyPass / http://localhost:8200/
  ProxyPassReverse / http://localhost:8200/
</VirtualHost>
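
The four points in Answer 1, expressed as a small check over a vhost's text. This is an added example, not part of the original answer; the finding names and the trimmed sample are constructed for illustration, and the check reads only the config, so it cannot tell whether the backend really speaks TLS.

```python
import re

# Constructed sample: the proxy-related lines of the question's vhost.
SAMPLE = """\
<VirtualHost *:443>
  SSLProxyEngine On
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>
<Location />
  ProxyPass  https://localhost:8200/
</Location>
</VirtualHost>
"""

LEGACY_AUTHZ = {"order", "allow", "deny", "satisfy"}  # v2.2-style directives

def lint_vhost(text):
    """Return sorted finding codes (names invented for this example)."""
    findings, stack, schemes, proxy_engine = set(), [], set(), False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            del stack[-1:]  # leave the section; no-op if unbalanced
            continue
        section = re.match(r"<(\w+)\s*(.*?)>$", line)
        if section:
            stack.append(section.group(1).lower())
            if stack[-1] == "proxy" and section.group(2).strip('"') == "*":
                findings.add("proxy-star-block")
            continue
        name, *args = line.split()
        name = name.lower()
        if name in LEGACY_AUTHZ:
            findings.add("v2.2-authz-directive")
        elif name == "sslproxyengine":
            proxy_engine = bool(args) and args[0].lower() == "on"
        elif name == "proxypass":
            if "location" in stack:
                findings.add("proxypass-in-location")
            if backend := re.search(r"(\w+)://", line):
                schemes.add(backend.group(1).lower())
    if proxy_engine and "https" not in schemes:
        findings.add("sslproxyengine-unneeded")  # no TLS backend in use
    if "https" in schemes and not proxy_engine:
        findings.add("https-backend-needs-sslproxyengine")
    return sorted(findings)
```

Running it on the configuration proposed in Answer 1 leaves only the minor fourth point, since that vhost keeps SSLProxyEngine On while proxying to a plain-HTTP backend.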

Answer 2

Is your backend SSL?

If not:

<VirtualHost *:443>
  ServerAdmin [email protected]
  ServerName  www.synsis.live
  ServerAlias synsis.live

  SSLEngine On
  SSLProxyEngine On
  SSLCertificateFile "/home/vas/synsis.live/certs/domain.crt"
  SSLCertificateKeyFile "/home/vas/synsis.live/certs/domain.key"
  SSLCertificateChainFile "/home/vas/synsis.live/certs/intermediate.pem"


  ProxyRequests Off
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

<Location />
  ProxyPass  http://localhost:8200/
  ProxyPassReverse  http://localhost:8200/
</Location>
</VirtualHost>

If so:

<VirtualHost *:443>
  ServerAdmin [email protected]
  ServerName  www.synsis.live
  ServerAlias synsis.live

  SSLEngine On
  SSLProxyEngine On
  SSLCertificateFile "/home/vas/synsis.live/certs/domain.crt"
  SSLCertificateKeyFile "/home/vas/synsis.live/certs/domain.key"
  SSLCertificateChainFile "/home/vas/synsis.live/certs/intermediate.pem"


  ProxyRequests Off
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

<Location />
  ProxyPass  https://localhost:8200/
  ProxyPassReverse  https://localhost:8200/
</Location>
</VirtualHost>
