Apache-2.2
Apache reverse proxy gets a redirect
I am trying to set up Apache as a reverse proxy. Here is the important part of its configuration:
    NameVirtualHost 10.16.10.245:9443
    Listen 10.16.10.245:9443

    <VirtualHost 10.16.10.245:9443>
        ServerName proxy.lan:9443

        SSLEngine on
        ...

        TraceEnable off

        SSLProxyEngine on
        ProxyPreserveHost On
        ProxyRequests Off
        ProxyVia full
        ProxyPass / http://localhost/
        ProxyPassReverse / http://localhost/
    </VirtualHost>
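Note that the proxy is listening on the non-standard port 9443. When I use a dummy page displaying phpinfo as the backend, everything works as expected. However, the site I need to put behind the proxy is either too strict or too poorly written, so the behaviour changes as follows: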
    client -> https://proxy.lan:443 -> http://localhost = success
    client -> https://proxy.lan:<ANY_OTHER_PORT> -> http://localhost = wrong redirect
The client gets redirected from <https://proxy.lan:9443/> to <https://proxy.lan/auth/login> and obviously the proxy cannot handle the request, because it is not listening on port 443:
    # wget --no-check-certificate -vS https://proxy.lan:9443
    --2019-05-12 02:51:37--  https://proxy.lan:9443/
    Resolving proxy.lan (proxy.lan)... 10.10.254.186
    Connecting to proxy.lan (proxy.lan)|10.10.254.186|:9443... connected.
    WARNING: cannot verify proxy.lan's certificate, issued by '...':
      Self-signed certificate encountered.
    WARNING: certificate common name 'backend.lan' doesn't match requested host name 'proxy.lan'.
    HTTP request sent, awaiting response...
      HTTP/1.1 302 Found
      Date: Sat, 11 May 2019 23:51:37 GMT
      Server: Apache
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-cache, no-store, must-revalidate
      Pragma: no-cache
      Location: https://proxy.lan/auth/login
      X-Frame-Options: DENY
      X-XSS-Protection: 1; mode=block
      X-Content-Type-Options: nosniff
      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
      Content-Security-Policy: default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
      X-Permitted-Cross-Domain-Policies: none
      Content-Length: 0
      Content-Type: text/html; charset=UTF-8
      Set-Cookie: PHPSESSID=...; path=/; secure; HttpOnly
      Via: 1.1 proxy.lan:9443 (Apache/2.2.31)
      Connection: close
    Location: https://proxy.lan/auth/login [following]
    --2019-05-12 02:51:37--  https://proxy.lan/auth/login
    Connecting to proxy.lan (proxy.lan)|10.10.254.186|:443... failed: Connection refused.
    Resolving proxy.lan (proxy.lan)... 10.10.254.186
    Connecting to proxy.lan (proxy.lan)|10.10.254.186|:443... failed: Connection refused.
I can manually add the port to the resulting URL and <https://proxy.lan:9443/auth/login> works, except that all links on the page point to <https://proxy.lan/>…
The Apache environment looks like this:
    HTTP_HOST               proxy.lan:9443
    HTTP_VIA                1.1 proxy.lan:9443 (Apache/2.2.31)
    HTTP_X_FORWARDED_FOR    10.100.0.30
    HTTP_X_FORWARDED_HOST   proxy.lan:9443
    HTTP_X_FORWARDED_SERVER proxy.lan
    HTTP_CONNECTION         Keep-Alive
    SERVER_SIGNATURE        <address>Apache Server at proxy.lan Port 9443</address>
    SERVER_NAME             proxy.lan
    SERVER_ADDR             ::1
    SERVER_PORT             9443
    REMOTE_ADDR             ::1
    ...
Any ideas what can be done on the proxy side? Maybe some rewrite rules?

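ProxyPreserveHost on is what is causing this. If you are not sure whether you need it, always leave it at the default, off, and you will be fine. For the rare cases where you really do need ProxyPreserveHost on, adjust your ProxyPassReverse wisely - it is the only directive that handles redirects.

ProxyPassReverse / http://localhost/ looks wrong in your scenario, because your backend (the application on port 80) does not seem to say "I redirect you to http://localhost/foo/bar" anywhere. If you use ProxyPassReverse / https://proxy.lan/ there is a chance it will work better - check the official documentation.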
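
Added example, not part of the original question or answer: a simplified Python model of the prefix match that ProxyPassReverse applies to a backend Location header, run on the redirect from the wget trace above. The function names are hypothetical, and the model assumes the proxy rebuilds a matched URL from the scheme, host and port the client used to reach the virtual host.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def proxy_pass_reverse(location, mappings, scheme, host, port):
    """Simplified model of the Location rewrite (assumption, not Apache source).

    mappings: (path, backend_url) pairs, one per ProxyPassReverse line.
    scheme/host/port: how the client reached the proxy's virtual host.
    """
    authority = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    for path, backend_url in mappings:
        # The header is rewritten only if it starts with the configured backend URL.
        if location.lower().startswith(backend_url.lower()):
            return f"{scheme}://{authority}{path}{location[len(backend_url):]}"
    return location  # no prefix matched: the header passes through untouched

def same_origin(location, scheme, host, port):
    """True if the redirect target stays on the proxy's scheme, host and port."""
    u = urlsplit(location)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)) == (scheme, host, port)

# Values taken from the question's wget trace.
BACKEND_LOCATION = "https://proxy.lan/auth/login"
FRONT = ("https", "proxy.lan", 9443)

# The question's mapping never matches, so the port-less URL reaches the client.
as_configured = proxy_pass_reverse(BACKEND_LOCATION, [("/", "http://localhost/")], *FRONT)
# The answer's mapping matches what the backend actually emits.
as_suggested = proxy_pass_reverse(BACKEND_LOCATION, [("/", "https://proxy.lan/")], *FRONT)

if __name__ == "__main__":
    for label, loc in (("as configured", as_configured), ("as suggested", as_suggested)):
        print(f"{label}: {loc}  same_origin={same_origin(loc, *FRONT)}")
```

The same_origin check can be pointed at any captured Location header to confirm that redirects issued through the proxy stay on the port it actually listens on.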