Apache 从 HTTPS(外部)到 HTTP(内部)可能存在反向代理问题

Apache 从 HTTPS(外部)到 HTTP(内部)可能存在反向代理问题

我有一台运行 Ubuntu 18.04 的服务器,该服务器装有 .NET Core 2.1、Kestrel 和 Apache2。我使用 LetsEncrypt 进行 SSL,并且域已使用 SSL 设置。在安装 .NET Core 并在此站点上托管项目之前,它是一个静态 index.html 站点。遵循本指南后:https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-apache?view=aspnetcore-2.2,我无法让域重定向到已配置的 Kestrel 服务。我可以在服务器上正常访问它。

Apache 错误日志:

[Sat Apr 20 02:08:12.950750 2019] [ssl:warn] [pid 7473] AH01909: ct.com:443:0 server certificate does NOT include an ID which matches the server name
[Sat Apr 20 02:08:13.001939 2019] [ssl:warn] [pid 7474] AH01909: ct.com:443:0 server certificate does NOT include an ID which matches the server name
[Sat Apr 20 02:08:13.007430 2019] [mpm_prefork:notice] [pid 7474] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.0g configured -- resuming normal operations
[Sat Apr 20 02:08:13.007467 2019] [core:notice] [pid 7474] AH00094: Command line: '/usr/sbin/apache2'
[Sat Apr 20 02:08:18.723565 2019] [autoindex:error] [pid 7483] [client 50.88.218.180:10635] AH01276: Cannot serve directory /var/www/ct.com/public_html/ps/publish/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive

虚拟主机配置-ct.com.conf:

<VirtualHost *:*>
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>

<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName ct.com
ServerAlias www.ct.com

ProxyPreserveHost On
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =ct.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

LetsEncrypt 配置:

/etc/apache2/sites-available# cat ct.com-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName ct.com
        ServerAlias www.ct.com
        DocumentRoot /var/www/ct.com/public_html/ps/publish

        <Directory /var/www/ct.com/public_html/ps/publish>
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =ct.com
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.ct.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.ct.com/privkey.pem
</VirtualHost>
</IfModule>

最近从 Apache2.conf 中删除的索引:

<Directory /var/www/>
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

有谁发现我的服务器无法通过 SSL 向我当前正在运行的网站提供任何请求,这有什么问题吗?我有其他网站可以通过 SSL 正常运行。

更新 4/23:这是我尝试使用 Postman 访问端点时的 access.log:xx.xxx.xx.xx - - [23/Apr/2019:18:24:12 +0000] "GET /api/Main/TestCall HTTP/1.1" 404 3805 "-" "PostmanRuntime/7.6.1"

更新4/23 (2):

Apache access.log 显示与上述相同的错误。Apache error.log 如下:

[Wed Apr 24 00:13:25.017062 2019] [ssl:warn] [pid 4117] AH01909: localhost:443:0 server certificate does NOT include an ID whic matches the server name
[Wed Apr 24 00:13:25.022627 2019] [mpm_prefork:notice] [pid 4117] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.0g configured -- resuming normal operations

新 ct.com.conf 4/24:

<VirtualHost *:*>
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>

<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName ct.com
ServerAlias www.ct.com
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]


ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
LogLevel debug
</VirtualHost>

<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName ct.com
ServerAlias www.ct.com

ProxyPreserveHost On
ProxyPass / http://127.0.0.1:5123/
ProxyPassReverse / http://127.0.0.1:5123/

SSLEngine On
SSLProtocol all -SSLv2

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
LogLevel debug
#RewriteEngine on
#RewriteCond %{SERVER_NAME} =ct.com
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,R=permanent]
#RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4
SSLCertificateFile /etc/letsencrypt/live/www.ct.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.ct.com/privkey.pem
</VirtualHost>

带有调试级别的 Error.log

tail -f /var/log/apache2/error.log
[Wed Apr 24 16:01:15.260207 2019] [mpm_prefork:notice] [pid 19201] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.0g configured -- resuming normal operations
[Wed Apr 24 16:01:15.260232 2019] [core:notice] [pid 19201] AH00094: Command line: '/usr/sbin/apache2'
[Wed Apr 24 16:01:45.298236 2019] [proxy:debug] [pid 19233] proxy_util.c(1785): AH00925: initializing worker http://127.0.0.1:5123/ shared
[Wed Apr 24 16:01:45.299302 2019] [proxy:debug] [pid 19233] proxy_util.c(1827): AH00927: initializing worker http://127.0.0.1:5123/ local
[Wed Apr 24 16:01:45.299451 2019] [proxy:debug] [pid 19233] proxy_util.c(1878): AH00931: initialized single connection worker in child 19233 for (127.0.0.1)
[Wed Apr 24 16:01:58.912849 2019] [autoindex:error] [pid 19211] [client 50.88.218.180:28627] AH01276: Cannot serve directory /var/www/ct.com/public_html/ps/publish/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive
[Wed Apr 24 16:01:59.408882 2019] [autoindex:error] [pid 19211] [client 50.88.218.180:28627] AH01276: Cannot serve directory /var/www/ct.com/public_html/ps/publish/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive
[Wed Apr 24 16:02:05.322145 2019] [proxy:debug] [pid 19245] proxy_util.c(1785): AH00925: initializing worker http://127.0.0.1:5123/ shared
[Wed Apr 24 16:02:05.324374 2019] [proxy:debug] [pid 19245] proxy_util.c(1827): AH00927: initializing worker http://127.0.0.1:5123/ local
[Wed Apr 24 16:02:05.324607 2019] [proxy:debug] [pid 19245] proxy_util.c(1878): AH00931: initialized single connection worker in child 19245 for (127.0.0.1)

答案1

您复制了错误的示例。您的示例ProxyPass是在非 SSL 中定义的<VirtualHost *:80>,它会重定向到 https。

将代理内容移至您的<VirtualHost *:443>。请参阅SSL 示例在 Microsoft 指南中。

还要更改RewriteRule并删除NE标志。我猜你在这里不需要它。
或者使用 SSL 示例中的规则:

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

证书有问题...

相关内容