Apache modsec + ssl 代理循环

Apache modsec + ssl 代理循环

我有一台服务器,我们有以下设置:

http://example.com -(REDIRECT)-> https://example.com

现在我们想添加一个简单的 ssl 代理(在 A 记录指向的同一台机器上),它将执行以下操作:

https://otherexample.com -(PROXY)-> https://example.com/a-uri

由于某种原因,我们总是陷入循环,这就是 modsecurity 日志显示的内容:

GET /a-uri/a-uri/a-uri/a-uri/a-uri/a-uri/a-uri/a-uri/a-uri/...
HTTP/1.1
Host: otherexample.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: nl-BE,nl;q=0.9
X-Forwarded-For: CLIENTIP, SERVERIP, SERVERIP, SERVERIP, ...
X-Forwarded-Host: otherexample.com, otherexample.com, otherexample.com, ...
X-Forwarded-Server: otherexample.com, otherexample.com, otherexample.com, ...

我尝试过的 Apache 配置:

ProxyPreserveHost On
SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off


ProxyPass / https://example.com/a-uri/
ProxyPassReverse / https://example.com/a-uri/

重写引擎:

RewriteRule ^/(.*) https://example.com/a-uri/$1 [P,l]

答案1

显然,这RewriteRule是由于循环造成的,因为它添加/a-uri到每个请求的 URL 前面,然后将其发回重新处理。

您没有说明该指令是否是服务器范围配置的一部分,但看起来可能是。它应该包含在 otherexample.com 的虚拟主机中,因此它仅适用于该主机。如下所示:

<VirtualHost *:443>
  ServerName otherexample.com
  RewriteEngine on
  RewriteRule ^/(.*) https://example.com/a-uri/$1 [P,L]
</VirtualHost>

或者,也许更清楚一点:

<VirtualHost *:443>
  ServerName otherexample.com
  ProxyPass        / https://example.com/a-uri/
  ProxyPassReverse / https://example.com/a-uri/
</VirtualHost>

答案2

我无法解决 Apache 的问题。我们尝试了 nginx 代理,似乎效果更好,没有太多问题。

相关内容