Apache reverse proxy: HTTPS to HTTPS

Can Apache act as a reverse proxy for HTTPS pages?

                       client
                          |
                  Apache reverse proxy
                  https://example.com
                  https://example.net 
                  https://example.org
                      192.0.2.1
                          |
         -----------------------------------------
         |                |                      |
https://example.com   https://example.net   https://example.org
192.0.2.2:1234        198.51.100.3:5678     203.0.113.4:9012

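Answer 1

Yes, but if you want to verify the backends' certificates, it is best to give them separate hostnames. Also, example.com cannot resolve to both the reverse proxy and the backend server. You would need some unnecessary (even hacky) configuration for certificate renewal and local DNS.

You need both mod_ssl & mod_proxy enabled.

For example, client --> https://example.com/ --> https://backend.example.com:1234/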

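<VirtualHost *:443>
    ServerName example.com

    # TLS towards the client
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # TLS towards the backend: require a valid, unexpired certificate
    # whose name matches backend.example.com
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    # SSLProxyVerify require needs a CA bundle to verify against; this path is
    # an assumption (Debian/Ubuntu system bundle), adjust it for your system
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

    ProxyPass / https://backend.example.com:1234/
    ProxyPassReverse / https://backend.example.com:1234/
</VirtualHost>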

In contrast, client --> https://example.net/ --> https://198.51.100.3:5678/ without any certificate verification:

<VirtualHost *:443>
    ServerName example.net

    # TLS towards the client
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.net/privkey.pem

    # TLS towards the backend is encrypted but unauthenticated:
    # any certificate the backend address presents is accepted
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    ProxyPass / https://198.51.100.3:5678/
    ProxyPassReverse / https://198.51.100.3:5678/
</VirtualHost>
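
An added example, not part of the original answer: a small Python check that reads virtual host blocks and reports which ones proxy to an https:// backend without verifying its certificate, using the two configurations above (reduced to their proxy directives) as constructed sample input. The function name audit_proxy_tls and the finding texts are assumptions made for this illustration; a missing SSLProxyVerify is treated as mod_ssl's default, none.

```python
import re

# Constructed sample: the two vhosts from the answer, reduced to proxy directives.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName example.com
    SSLProxyEngine on
    SSLProxyVerify require
    ProxyPass / https://backend.example.com:1234/
</VirtualHost>
<VirtualHost *:443>
    ServerName example.net
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPass / https://198.51.100.3:5678/
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
IP_BACKEND_RE = re.compile(r"https://\d{1,3}(?:\.\d{1,3}){3}[:/]")

def audit_proxy_tls(conf_text):
    """Return {ServerName: [findings]} for vhosts that proxy to an https:// backend."""
    report = {}
    for body in VHOST_RE.findall(conf_text):
        d = {}  # directive name (lower-case) -> list of argument strings
        for line in body.splitlines():
            parts = line.split(None, 1)
            if parts and not parts[0].startswith("#"):
                d.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
        backends = [a for a in d.get("proxypass", []) if "https://" in a.lower()]
        if not backends:
            continue
        findings = []
        verify = d.get("sslproxyverify", ["none"])[-1].lower()  # unset means "none"
        if verify != "require":
            findings.append("backend certificate not verified (SSLProxyVerify %s)" % verify)
        for key, label in (("sslproxycheckpeername", "hostname"), ("sslproxycheckpeerexpire", "expiry")):
            if d.get(key, ["on"])[-1].lower() == "off":
                findings.append("backend certificate %s check disabled" % label)
        if any(IP_BACKEND_RE.search(a) for a in backends):
            findings.append("backend addressed by IP literal; give it a hostname to verify its certificate")
        report[d.get("servername", ["(unnamed)"])[-1]] = findings
    return report

if __name__ == "__main__":
    print(audit_proxy_tls(SAMPLE_CONF))
```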
