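I'm running an application called Ambar on a (Samba) file server. I want users on the network to be able to search documents freely and securely. Since Ambar runs over HTTP and the server already had Apache on it, I decided to set up a reverse proxy for Ambar on port 443. One would think this should be simple, but it isn't; apparently Ambar (which runs on Redis) says the following: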
Possible SECURITY ATTACK detected. It looks like somebody is sending POST or Host: commands to Redis. This is likely due to an attacker attempting to use Cross Protocol Scripting to compromise your Redis instance. Connection aborted.
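(Taken from the docker-compose logs.)
I can access the application's GUI, but I can't do anything there. In any case, that's a good thing, because at least I know it's not a certificate problem.
Here is my Apache configuration: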
    LoadModule ssl_module modules/mod_ssl.so
    <VirtualHost *:443>
        ServerName ambar.internal
        ProxyPreserveHost On
        ProxyPass / http://ambar.internal:1000/
        ProxyPassReverse / http://ambar.internal:1000/
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/ambar.crt
        SSLCertificateKeyFile /etc/ssl/private/ambar.pem
    </VirtualHost>
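Edit: A reverse proxy with SSL/TLS enabled on another machine doesn't work either.
Since the whole application comes as ready-made Docker containers, manually modifying the Ambar packages is not a good idea. So my next attempt would be to set up SSL in the docker-compose.yml file, but shouldn't there be a way to achieve this with an old-fashioned reverse proxy?
Here is my docker-compose.yml: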
    version: "2.1"
    networks:
      internal_network:
    services:
      db:
        restart: always
        networks:
          - internal_network
        image: ambar/ambar-mongodb:latest
        environment:
          - cacheSizeGB=2
        volumes:
          - /opt/ambar/db:/data/db
        expose:
          - "27017"
      es:
        restart: always
        networks:
          - internal_network
        image: ambar/ambar-es:latest
        expose:
          - "9200"
        environment:
          - cluster.name=ambar-es
          - ES_JAVA_OPTS=-Xms2g -Xmx2g
        ulimits:
          memlock:
            soft: -1
            hard: -1
          nofile:
            soft: 65536
            hard: 65536
        cap_add:
          - IPC_LOCK
        volumes:
          - /opt/ambar/es:/usr/share/elasticsearch/data
      rabbit:
        restart: always
        networks:
          - internal_network
        image: ambar/ambar-rabbit:latest
        hostname: rabbit
        expose:
          - "15672"
          - "5672"
        volumes:
          - /opt/ambar/rabbit:/var/lib/rabbitmq
      redis:
        restart: always
        sysctls:
          - net.core.somaxconn=1024
        networks:
          - internal_network
        image: ambar/ambar-redis:latest
        expose:
          - "6379"
      serviceapi:
        depends_on:
          redis:
            condition: service_healthy
          rabbit:
            condition: service_healthy
          es:
            condition: service_healthy
          db:
            condition: service_healthy
        restart: always
        networks:
          - internal_network
        image: ambar/ambar-serviceapi:latest
        expose:
          - "8081"
        environment:
          - mongoDbUrl=mongodb://db:27017/ambar_data
          - elasticSearchUrl=http://es:9200
          - redisHost=redis
          - redisPort=6379
          - rabbitHost=amqp://rabbit
          - langAnalyzer=ambar_en
      webapi:
        depends_on:
          serviceapi:
            condition: service_healthy
        restart: always
        networks:
          - internal_network
        image: ambar/ambar-webapi:latest
        expose:
          - "8080"
        ports:
          - "8080:8080"
        environment:
          - uiLang=en
          - mongoDbUrl=mongodb://db:27017/ambar_data
          - elasticSearchUrl=http://es:9200
          - redisHost=redis
          - redisPort=6379
          - serviceApiUrl=http://serviceapi:8081
          - rabbitHost=amqp://rabbit
      frontend:
        depends_on:
          webapi:
            condition: service_healthy
        image: ambar/ambar-frontend:latest
        restart: always
        networks:
          - internal_network
        ports:
          - "1000:80"
        expose:
          - "1000"
        environment:
          - api=http://192.168.123.123:8080
      pipeline0:
        depends_on:
          serviceapi:
            condition: service_healthy
        image: ambar/ambar-pipeline:latest
        restart: always
        networks:
          - internal_network
        environment:
          - id=0
          - apiUrl=http://serviceapi:8081
          - rabbit_host=amqp://rabbit
      documentation:
        depends_on:
          serviceapi:
            condition: service_healthy
        image: ambar/ambar-local-crawler
        restart: always
        networks:
          - internal_network
        expose:
          - "8082"
        environment:
          - name=documentation
          - ignoreExtensions=.{exe,dll,rar,s,so}
          - apiUrl=http://serviceapi:8081
        volumes:
          - /media/Documentation:/usr/data
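
The log line quoted in the question comes from a guard built into Redis: when a connection's input names POST or Host: as a command, Redis logs the warning and closes the connection, which is what happens when an HTTP request is delivered to the Redis port. The following simplified Python model shows which line of a request trips that guard. It is an added example, not part of the original post and not Redis or Ambar code; the function name, the sample requests and the /example path are constructed.

```python
# Added illustration: a simplified model of Redis's inline-command handling.
# Not Redis source code and not part of Ambar; sample requests are constructed.

# Redis registers these two names as commands whose only job is to log the
# "Possible SECURITY ATTACK detected" warning and close the connection.
GUARD_COMMANDS = {"post", "host:"}


def first_guard_hit(raw: bytes):
    """Return (line_number, command) for the first input line that would make
    Redis abort the connection, or None if no line trips the guard."""
    if raw.startswith(b"*"):
        return None  # RESP array framing from a real Redis client (not modelled further)
    for number, line in enumerate(raw.split(b"\r\n"), start=1):
        tokens = line.split()
        if not tokens:
            continue  # empty lines are ignored
        command = tokens[0].decode("latin-1").lower()  # command names are case-insensitive
        if command in GUARD_COMMANDS:
            return number, command
    return None


# Constructed samples: HTTP requests such as a proxy or browser would send,
# and two genuine Redis requests for comparison. The URL path is made up.
HTTP_POST = (b"POST /example HTTP/1.1\r\n"
             b"Host: ambar.internal\r\n"
             b"Content-Length: 2\r\n\r\n{}")
HTTP_GET = b"GET / HTTP/1.1\r\nHost: ambar.internal\r\n\r\n"
RESP_PING = b"*1\r\n$4\r\nPING\r\n"
INLINE_PING = b"PING\r\n"

if __name__ == "__main__":
    for name, data in [("HTTP POST", HTTP_POST), ("HTTP GET", HTTP_GET),
                       ("RESP PING", RESP_PING), ("inline PING", INLINE_PING)]:
        hit = first_guard_hit(data)
        outcome = f"aborted at line {hit[0]} ({hit[1]!r})" if hit else "no guard hit"
        print(f"{name:12} -> {outcome}")
```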