我有有效的 httpd 配置(反向代理),可以将请求转发到代理:
Listen 443 https
<VirtualHost *:443>
ServerName public-dns.example.org
ServerAlias internal-hostname.internal
ProxyPreserveHost On
RewriteEngine On
#check & block some URLs in target service
RewriteCond %{REQUEST_URI} ^/service
RewriteRule /service(/(api(/(([a-zA-Z_-]+)(/|/.*swagger.*)?(\.\.)?)?)?)?)?$ - [F,L]
<Location "/service/api/">
ProxyPreserveHost Off
ProxyErrorOverride Off
</Location>
ProxyPass /service/api/ https://services.apps.cloud.example.internal/
ProxyErrorOverride On
SSLProxyEngine On
#START - avoid unnecessary checks in internal network - development environment
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
#END - avoid unnecessary checks in internal network - development environment
#START - not relevant part of config (for this question)
SSLEngine On
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder On
SSLCompression off
SSLSessionTickets Off
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
#END - not relevant part of config (for this question)
</VirtualHost>
我想丰富对上游服务器的请求 - 添加一个查询字符串参数,但我甚至在应用 rewriteRule 并将其转发到代理时遇到问题。
由于服务使用另一个查询字符串参数,我发现 mod_rewrite 标志 QSA 应该正确处理 ?/&...
当我添加这组重写规则时,所有 rewriteRules 尝试都会失败并出现相同的 502 代理错误。
根据 error_log,似乎 mod_proxy 没有根据上面定义的 ProxyPass 指令进行转发。
#test - adding query parameter to proxy request
RewriteCond %{REQUEST_URI} ^/service
# attempt 1 failed - match all under the rewriteCond "^/service", add "queryStringParam" and apply flags QSA & P (proxy)
# RewriteRule ^(.*)$ $1?queryStringParam=example [QSA,P]
# attempt 2 failed - try the same without QSA
# RewriteRule ^(.*)$ $1 [P]
# attempt 3/4 failed - try absolute url in target url
# RewriteRule ^(.*)$ %{REQUEST_SCHEME}://%{HTTP_HOST}$1?queryStringParam=example [QSA,P]
# RewriteRule ^(.*)$ %{REQUEST_SCHEME}://%{HTTP_HOST}$1 [P]
所有尝试均因代理错误(http 502)而失败:
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request "GET /services/api/example-service/list/".
你能给我指明正确的方向吗?谢谢
答案1
我发现标志 P 不适用于 ProxyPass 指令,而是立即转发到代理。因此目标 url 需要是上游的 url... ProxyPass 指令可以从原始配置中删除