Apache-2.2

Apache reverse proxy gets a redirect

  • May 12, 2019

I am trying to set up Apache as a reverse proxy. Here is the important part of its configuration:

NameVirtualHost 10.16.10.245:9443
Listen 10.16.10.245:9443

<VirtualHost 10.16.10.245:9443>
 ServerName proxy.lan:9443

 SSLEngine on
 ...

 TraceEnable off

 SSLProxyEngine on
 ProxyPreserveHost On
 ProxyRequests Off
 ProxyVia full
 ProxyPass / http://localhost/
 ProxyPassReverse / http://localhost/
</VirtualHost>

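Note that the proxy is listening on the non-standard port 9443. When I use a dummy page showing phpinfo as the backend, everything works as expected. However, the site I need to put behind the proxy is either too strict or too poorly written, so the behavior changes as follows: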

client -> https://proxy.lan:443 -> http://localhost = success
client -> https://proxy.lan:<ANY_OTHER_PORT> -> http://localhost = wrong redirect

The client gets redirected from https://proxy.lan:9443/ to https://proxy.lan/auth/login and obviously the proxy cannot handle the request, because it is not listening on port 443:

# wget --no-check-certificate -vS https://proxy.lan:9443
--2019-05-12 02:51:37--  https://proxy.lan:9443/
Resolving proxy.lan (proxy.lan)... 10.10.254.186
Connecting to proxy.lan (proxy.lan)|10.10.254.186|:9443... connected.
WARNING: cannot verify proxy.lan's certificate, issued by '...':
 Self-signed certificate encountered.
   WARNING: certificate common name 'backend.lan' doesn't match requested host name 'proxy.lan'.
HTTP request sent, awaiting response... 
 HTTP/1.1 302 Found
 Date: Sat, 11 May 2019 23:51:37 GMT
 Server: Apache
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-cache, no-store, must-revalidate
 Pragma: no-cache
 Location: https://proxy.lan/auth/login
 X-Frame-Options: DENY
 X-XSS-Protection: 1; mode=block
 X-Content-Type-Options: nosniff
 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
 Content-Security-Policy: default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
 X-Permitted-Cross-Domain-Policies: none
 Content-Length: 0
 Content-Type: text/html; charset=UTF-8
 Set-Cookie: PHPSESSID=...; path=/; secure; HttpOnly
 Via: 1.1 proxy.lan:9443 (Apache/2.2.31)
 Connection: close
Location: https://proxy.lan/auth/login [following]
--2019-05-12 02:51:37--  https://proxy.lan/auth/login
Connecting to proxy.lan (proxy.lan)|10.10.254.186|:443... failed: Connection refused.
Resolving proxy.lan (proxy.lan)... 10.10.254.186
Connecting to proxy.lan (proxy.lan)|10.10.254.186|:443... failed: Connection refused.

I can manually add the port to the resulting URL and https://proxy.lan:9443/auth/login works, except that all the links on the page point to https://proxy.lan/…

The Apache environment looks like this:

HTTP_HOST   proxy.lan:9443
HTTP_VIA    1.1 proxy.lan:9443 (Apache/2.2.31)
HTTP_X_FORWARDED_FOR    10.100.0.30
HTTP_X_FORWARDED_HOST   proxy.lan:9443
HTTP_X_FORWARDED_SERVER     proxy.lan
HTTP_CONNECTION     Keep-Alive
SERVER_SIGNATURE    <address>Apache Server at proxy.lan Port 9443</address>
SERVER_NAME     proxy.lan
SERVER_ADDR     ::1
SERVER_PORT     9443
REMOTE_ADDR     ::1
...

Any ideas what can be done on the proxy side? Maybe some rewrite rules?

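ProxyPreserveHost on is what is causing this. If you are not sure you need it, always leave it at its default of off and you will be fine.

For the rare cases where you really do need ProxyPreserveHost on, adapt your ProxyPassReverse wisely - it is the only directive that deals with redirects.

ProxyPassReverse / http://localhost/ looks wrong in your scenario, because your backend (the :80 application) does not seem to say "I redirect you to http://localhost/foo/bar" anywhere. If you use ProxyPassReverse / https://proxy.lan/, chances are it will work better - check the official documentation.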
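
The prefix matching that ProxyPassReverse applies to the Location header, as a simplified model added here for illustration (not part of the original answer and not Apache's own code). The function names are hypothetical; the Location value and the listener address are the ones shown in the question.

```python
DEFAULT_PORTS = {"http": 80, "https": 443}


def construct_url(scheme, host, port, path):
    """Build the proxy's own URL, omitting the port when it is the scheme default."""
    netloc = host if DEFAULT_PORTS.get(scheme) == port else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def proxy_pass_reverse(location, rules, vhost):
    """Simplified model of Location rewriting by ProxyPassReverse.

    rules: (local_path, backend_url) pairs, one per
           'ProxyPassReverse <local_path> <backend_url>' line.
    vhost: (scheme, host, port) the client used to reach the proxy.
    """
    for local_path, backend_url in rules:
        # The rule applies only if Location starts with the backend URL
        # (compared case-insensitively).
        if location.lower().startswith(backend_url.lower()):
            rest = location[len(backend_url):]
            return construct_url(*vhost, local_path + rest)
    # No rule matched: the backend's header reaches the client unchanged.
    return location


# Location header sent by the backend, taken from the wget output in the question.
BACKEND_LOCATION = "https://proxy.lan/auth/login"
AS_POSTED = [("/", "http://localhost/")]      # rule from the question
AS_ANSWERED = [("/", "https://proxy.lan/")]   # rule suggested in the answer


def compare(port):
    """Return (Location with the posted rule, Location with the suggested rule)."""
    vhost = ("https", "proxy.lan", port)
    return (proxy_pass_reverse(BACKEND_LOCATION, AS_POSTED, vhost),
            proxy_pass_reverse(BACKEND_LOCATION, AS_ANSWERED, vhost))


if __name__ == "__main__":
    for port in (9443, 443):
        print(port, compare(port))
```

On port 443 both rules yield the same URL, which is why the setup only appears to work on the default HTTPS port.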

Quoted from: https://serverfault.com/questions/966881