Apache-2.4
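Apache reverse proxy not working and generating a 404 error
I have installed Shibboleth running on Jetty 9. Through Apache, I have a reverse proxy to Jetty's port 8080, which serves the Shibboleth instance.
When I curl http://localhost:8080/idp/shibboleth in the console, the instance response is generated correctly.
However, when I do the same in the browser at https://idp.example.com/idp/shibboleth, I get a 404 error.
Does this indicate that the reverse proxy is not working properly?
Here is my Apache conf: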
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)

    <VirtualHost *:80>
        ServerName "idp.spectrum.com.cy"
        Redirect permanent "/" "https://idp.spectrum.com.cy/"
    </VirtualHost>

    <IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName idp.spectrum.com.cy:443
        ServerAdmin pieros.tzamas@spectrum.com.cy

        # Debian
        CustomLog /var/log/apache2/idp.spectrum.com.cy.log combined
        ErrorLog /var/log/apache2/idp.spectrum.com.cy.org-error.log
        # Centos
        #CustomLog /var/log/httpd/idp.example.org.log combined
        #ErrorLog /var/log/httpd/idp.example.org-error.log

        DocumentRoot /var/www/html/idp.spectrum.com.cy

        SSLEngine On
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
        SSLHonorCipherOrder on

        # Disallow embedding your IdP's login page within an iframe and
        # Enable HTTP Strict Transport Security with a 2 year duration
        <IfModule headers_module>
            Header set X-Frame-Options DENY
            Header set Strict-Transport-Security "max-age=63072000 ; includeSubDomains ; preload"
        </IfModule>

        # Debian
        SSLCertificateFile /etc/ssl/certs/idp.spectrum.com.cy.crt
        SSLCertificateKeyFile /etc/ssl/private/idp.spectrum.com.cy.key
        # ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
        #SSLCACertificateFile /etc/ssl/certs/ACME-CA.pem
        #SSLCACertificateFile /etc/ssl/certs/GEANT_OV_RSA_CA_4.pem

        # Centos
        #SSLCertificateFile /etc/pki/tls/certs/idp.example.org.crt
        #SSLCertificateKeyFile /etc/pki/tls/private/idp.example.org.key
        # ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
        #SSLCACertificateFile /etc/pki/tls/certs/ACME-CA.pem
        #SSLCACertificateFile /etc/pki/tls/certs/GEANT_OV_RSA_CA_4.pem

        <IfModule mod_proxy.c>
            ProxyPreserveHost On
            RequestHeader set X-Forwarded-Proto "https"
            ProxyPass /idp http://localhost:8080/idp/ retry=5
            ProxyPassReverse /idp http://localhost:8080/idp/ retry=5
            <Location /idp>
                Require all granted
            </Location>
        </IfModule>
    </VirtualHost>
    </IfModule>

    <VirtualHost 127.0.0.1:80>
        ProxyPass /idp http://localhost:8080/idp/ retry=5
        ProxyPassReverse /idp http://localhost:8080/idp/ retry=5
        <Location /idp>
            Require all granted
        </Location>
    </VirtualHost>
I have simplified my conf file to remove https. The configuration below works fine, but only for http. I will investigate why the https configuration produces a 404 error.
    <VirtualHost *:80>
        ServerName idp.spectrum.com.cy
        <IfModule mod_proxy.c>
            ProxyPreserveHost On
            ProxyPass /idp/ http://localhost:8080/idp/ retry=5
            ProxyPassReverse /idp/ http://localhost:8080/idp/ retry=5
            <Location /idp>
                Require all granted
            </Location>
        </IfModule>
    </VirtualHost>

    # This virtualhost is only here to handle administrative commands for Shibboleth, executed from localhost
    <VirtualHost 127.0.0.1:80>
        ProxyPass /idp http://localhost:8080/idp/ retry=5
        ProxyPassReverse /idp http://localhost:8080/idp/ retry=5
        <Location /idp>
            Require all granted
        </Location>
    </VirtualHost>
It should be

    ProxyPass /idp/ http://localhost:8080/idp/

Note the trailing slash in the first argument of the ProxyPass command. Always align the trailing slashes in both arguments. My VirtualHost declarations are very basic and contain only the bare minimum to work:

    <VirtualHost *:80>
        DocumentRoot /var/www/html
        ServerName idp.example.com
        ServerAlias idp
        ErrorLog logs/error_log
        CustomLog logs/access_log combined
    </VirtualHost>

    <VirtualHost *:443>
        DocumentRoot /var/www/html
        SSLEngine on
        SSLProxyEngine on
        SSLCertificateKeyFile /etc/pki/tls/private/idp.example.com.key
        SSLCertificateFile /etc/pki/tls/certs/idp.example.com.crt
        SSLCertificateChainFile /etc/pki/tls/certs/chain.crt
        ServerName idp.example.com
        ServerAlias idp
        ErrorLog logs/ssl-error_log
        CustomLog logs/ssl-access_log combined
    </VirtualHost>
Here is my IDP /etc/httpd/conf.d/idp.conf:

    ProxyPass /idp/ http://localhost:8080/idp/ retry=5
    ProxyPassReverse /idp/ http://localhost:8080/idp/
    <Proxy http://localhost:8080>
        Require all granted
        RequestHeader set X-Forwarded-Proto https
        RequestHeader set X-Proxied-Https on
        RequestHeader set Proxy-ssl-id %{SSL_SESSION_ID}s
    </Proxy>
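
The trailing-slash rule from the answer above, as an added example that is not code from the question or the answer: `backend_url` is a simplified model of prefix mapping (not Apache's implementation) showing the double slash the mismatched form sends to Jetty, and `find_slash_mismatches` flags such lines in a config. The function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample: the two ProxyPass styles that appear in this thread.
SAMPLE_CONF = """\
ProxyPreserveHost On
ProxyPass /idp http://localhost:8080/idp/ retry=5
ProxyPassReverse /idp http://localhost:8080/idp/ retry=5
ProxyPass /idp/ http://localhost:8080/idp/ retry=5
# ProxyPass /old http://localhost:8080/old/
"""

DIRECTIVE = re.compile(r"^\s*(ProxyPass|ProxyPassReverse)\s+(\S+)\s+(\S+)", re.I)


def backend_url(request_path, prefix, target):
    """Simplified model: cut the matched prefix from the request path and
    append the remainder to the target URL unchanged."""
    rest = request_path[len(prefix):]
    # A prefix without a trailing slash only matches at a path-segment boundary.
    at_boundary = prefix.endswith("/") or rest == "" or rest.startswith("/")
    if not (request_path.startswith(prefix) and at_boundary):
        return None  # this mapping does not apply to the request
    return target + rest


def find_slash_mismatches(conf_text):
    """Return (line_no, directive, path, url) for every mapping whose two
    arguments disagree about the trailing slash."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = DIRECTIVE.match(line)          # commented-out lines do not match
        if not m or m.group(3) == "!":     # "!" marks an exclusion, not a target
            continue
        directive, path, url = (g.strip('"') for g in m.groups())
        if path.endswith("/") != url.endswith("/"):
            findings.append((line_no, directive, path, url))
    return findings


if __name__ == "__main__":
    for prefix in ("/idp", "/idp/"):
        url = backend_url("/idp/shibboleth", prefix, "http://localhost:8080/idp/")
        print(f"ProxyPass {prefix:<6} -> {url}")
    for line_no, directive, path, url in find_slash_mismatches(SAMPLE_CONF):
        print(f"line {line_no}: {directive} {path} {url} (trailing slashes differ)")
```
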