Apache-2.4

Apache reverse proxy does not work and generates 404 errors

  • July 8, 2021

I installed Shibboleth running on Jetty 9. Through Apache I have a reverse proxy to Jetty's port 8080, which serves the Shibboleth instance.

When I curl http://localhost:8080/idp/shibboleth from the console, the instance response is generated correctly.

However, when I do the same in the browser at https://idp.example.com/idp/shibboleth, I get a 404 error.

Does this mean the reverse proxy is not working?

Here is my apache conf

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

<VirtualHost *:80>
ServerName "idp.spectrum.com.cy"
Redirect permanent "/" "https://idp.spectrum.com.cy/"
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName idp.spectrum.com.cy:443
ServerAdmin pieros.tzamas@spectrum.com.cy
# Debian
CustomLog /var/log/apache2/idp.spectrum.com.cy.log combined
ErrorLog /var/log/apache2/idp.spectrum.com.cy.org-error.log
# Centos
#CustomLog /var/log/httpd/idp.example.org.log combined
#ErrorLog /var/log/httpd/idp.example.org-error.log

DocumentRoot /var/www/html/idp.spectrum.com.cy

SSLEngine On
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

SSLHonorCipherOrder on

# Disallow embedding your IdP's login page within an iframe and
# Enable HTTP Strict Transport Security with a 2 year duration
<IfModule headers_module>
   Header set X-Frame-Options DENY
   Header set Strict-Transport-Security "max-age=63072000 ; includeSubDomains ; preload"
</IfModule>

# Debian
SSLCertificateFile /etc/ssl/certs/idp.spectrum.com.cy.crt
SSLCertificateKeyFile /etc/ssl/private/idp.spectrum.com.cy.key

# ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
#SSLCACertificateFile /etc/ssl/certs/ACME-CA.pem
#SSLCACertificateFile /etc/ssl/certs/GEANT_OV_RSA_CA_4.pem


# Centos
#SSLCertificateFile /etc/pki/tls/certs/idp.example.org.crt
#SSLCertificateKeyFile /etc/pki/tls/private/idp.example.org.key

# ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
#SSLCACertificateFile /etc/pki/tls/certs/ACME-CA.pem
#SSLCACertificateFile /etc/pki/tls/certs/GEANT_OV_RSA_CA_4.pem

<IfModule mod_proxy.c>
   ProxyPreserveHost On
   RequestHeader set X-Forwarded-Proto "https"
   ProxyPass /idp http://localhost:8080/idp/ retry=5
   ProxyPassReverse /idp http://localhost:8080/idp/ retry=5

   <Location /idp>
      Require all granted
   </Location>
</IfModule>
</VirtualHost>
</IfModule>

<VirtualHost 127.0.0.1:80>
 ProxyPass /idp  http://localhost:8080/idp/ retry=5
 ProxyPassReverse /idp http://localhost:8080/idp/ retry=5
 <Location /idp>
  Require all granted
 </Location>
</VirtualHost>

I have simplified my conf file to remove https. The configuration below works fine, but only for http. I will investigate why the https configuration produces a 404 error.

<VirtualHost *:80>
ServerName idp.spectrum.com.cy

<IfModule mod_proxy.c>
   ProxyPreserveHost On
   ProxyPass /idp/ http://localhost:8080/idp/ retry=5
   ProxyPassReverse /idp/ http://localhost:8080/idp/ retry=5

   <Location /idp>
      Require all granted
   </Location>
</IfModule>
</VirtualHost>

# This virtualhost is only here to handle administrative commands
# for Shibboleth, executed from localhost
<VirtualHost 127.0.0.1:80>
 ProxyPass /idp  http://localhost:8080/idp/ retry=5
 ProxyPassReverse /idp http://localhost:8080/idp/ retry=5
 <Location /idp>
   Require all granted
 </Location>
</VirtualHost>

It should be

ProxyPass /idp/ http://localhost:8080/idp/

Note the trailing slash in the first argument of the ProxyPass directive. Always align the trailing slashes in both arguments.
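As an added example (not code from the thread or from the Shibboleth project), the following Python script models the prefix substitution that the answer above relies on and lints a config for unaligned trailing slashes. The substitution rule is the one documented for mod_proxy: the part of the request path matched by the ProxyPass prefix is replaced by the target URL and the remainder is appended unchanged. The function names, the sample config strings and the omission of multiple-slash collapsing are my own assumptions.

```python
"""Model ProxyPass prefix substitution and lint trailing-slash alignment.

Added example, not code from the Server Fault thread. It models the
documented mod_proxy rule: the part of the request path matched by the
ProxyPass prefix is replaced by the target URL and the rest of the path is
appended unchanged, so "/idp" -> "http://localhost:8080/idp/" turns
"/idp/shibboleth" into "http://localhost:8080/idp//shibboleth", which the
backend does not serve. Multiple-slash collapsing done by the real matcher
is not modelled (assumption/simplification).
"""
import re
from typing import List, Optional

# ProxyPass / ProxyPassReverse lines: directive, URL prefix, target.
# Trailing options such as retry=5 are ignored; commented lines do not match.
PROXY_LINE = re.compile(
    r"^\s*(ProxyPassReverse|ProxyPass)\s+(\S+)\s+(\S+)", re.MULTILINE
)


def backend_url(request_path: str, prefix: str, target: str) -> Optional[str]:
    """Return the backend URL mod_proxy would build, or None if prefix does not match.

    A prefix without a trailing slash matches only whole path segments:
    "/idp" matches "/idp" and "/idp/x" but not "/idpx".
    """
    if prefix.endswith("/"):
        matched = request_path.startswith(prefix)
    else:
        matched = request_path == prefix or request_path.startswith(prefix + "/")
    if not matched:
        return None
    # Replace the matched prefix with the target and append the remainder verbatim.
    return target + request_path[len(prefix):]


def lint_proxy_pass(conf: str) -> List[str]:
    """Flag ProxyPass/ProxyPassReverse directives whose trailing slashes are not aligned."""
    findings: List[str] = []
    for directive, prefix, target in PROXY_LINE.findall(conf):
        if target == "!":  # "ProxyPass /path !" excludes a path; nothing to align
            continue
        if prefix.endswith("/") != target.endswith("/"):
            findings.append(
                f"{directive} {prefix} {target}: trailing slash mismatch "
                f"(prefix {'has' if prefix.endswith('/') else 'lacks'} one, "
                f"target {'has' if target.endswith('/') else 'lacks'} one)"
            )
    return findings


# Constructed samples: the mismatched pair from the question and the aligned pair from the answer.
BROKEN_CONF = """\
ProxyPass /idp http://localhost:8080/idp/ retry=5
ProxyPassReverse /idp http://localhost:8080/idp/ retry=5
"""
FIXED_CONF = """\
ProxyPass /idp/ http://localhost:8080/idp/ retry=5
ProxyPassReverse /idp/ http://localhost:8080/idp/
"""

if __name__ == "__main__":
    for conf in (BROKEN_CONF, FIXED_CONF):
        print(lint_proxy_pass(conf) or ["ok"])
    print(backend_url("/idp/shibboleth", "/idp", "http://localhost:8080/idp/"))
    print(backend_url("/idp/shibboleth", "/idp/", "http://localhost:8080/idp/"))
```

Running the script on the question's pair reports two mismatches and shows the doubled slash that reaches Jetty; the answer's aligned pair produces the expected http://localhost:8080/idp/shibboleth. apachectl configtest does not catch this, since both forms are syntactically valid, which is why a lint step like this is worth keeping next to the config.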

My VirtualHost declaration is very basic and contains only the minimum needed to work:

<VirtualHost *:80>
   DocumentRoot /var/www/html

   ServerName idp.example.com
   ServerAlias idp
   ErrorLog  logs/error_log
   CustomLog logs/access_log combined
</VirtualHost>
<VirtualHost *:443>
   DocumentRoot /var/www/html

   SSLEngine on
   SSLProxyEngine on
   SSLCertificateKeyFile /etc/pki/tls/private/idp.example.com.key
   SSLCertificateFile /etc/pki/tls/certs/idp.example.com.crt
   SSLCertificateChainFile /etc/pki/tls/certs/chain.crt

   ServerName idp.example.com
   ServerAlias idp
   ErrorLog  logs/ssl-error_log
   CustomLog logs/ssl-access_log combined
</VirtualHost>

Here is my IDP /etc/httpd/conf.d/idp.conf

ProxyPass /idp/ http://localhost:8080/idp/ retry=5
ProxyPassReverse /idp/ http://localhost:8080/idp/

<Proxy http://localhost:8080>
      Require all granted
      RequestHeader set X-Forwarded-Proto https
      RequestHeader set X-Proxied-Https on
      RequestHeader set Proxy-ssl-id %{SSL_SESSION_ID}s
</Proxy>

Source: https://serverfault.com/questions/1068250