Ssl
從 HTTPS(外部)到 HTTP(內部)的 Apache 可能存在反向代理問題
我有一台執行 Ubuntu 18.04 和 .NET Core 2.1、Kestrel 和 Apache2 的伺服器。我正在為 SSL 使用 LetsEncrypt,並且該域是使用 SSL 設置的。在安裝 .NET Core 並在此站點上託管項目之前,它是一個靜態 index.html 站點。遵循本指南後:https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-apache?view=aspnetcore-2.2,我一直無法讓域重定向到已配置的 Kestrel 服務。我可以在伺服器上正常訪問它。
Apache 錯誤日誌:
[Sat Apr 20 02:08:12.950750 2019] [ssl:warn] [pid 7473] AH01909: ct.com:443:0 server certificate does NOT include an ID which matches the server name [Sat Apr 20 02:08:13.001939 2019] [ssl:warn] [pid 7474] AH01909: ct.com:443:0 server certificate does NOT include an ID which matches the server name [Sat Apr 20 02:08:13.007430 2019] [mpm_prefork:notice] [pid 7474] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.0g configured -- resuming normal operations [Sat Apr 20 02:08:13.007467 2019] [core:notice] [pid 7474] AH00094: Command line: '/usr/sbin/apache2' [Sat Apr 20 02:08:18.723565 2019] [autoindex:error] [pid 7483] [client 50.88.218.180:10635] AH01276: Cannot serve directory /var/www/ct.com/public_html/ps/publish/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive虛擬主機配置 - ct.com.conf:
<VirtualHost *:*> RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME} </VirtualHost> <VirtualHost *:80> ServerAdmin webmaster@localhost ServerName ct.com ServerAlias www.ct.com ProxyPreserveHost On ProxyPass / http://127.0.0.1:5000/ ProxyPassReverse / http://127.0.0.1:5000/ ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined RewriteEngine on RewriteCond %{SERVER_NAME} =ct.com RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] </VirtualHost>LetsEncrypt 配置:
/etc/apache2/sites-available# cat ct.com-le-ssl.conf <IfModule mod_ssl.c> <VirtualHost *:443> ServerAdmin webmaster@localhost ServerName ct.com ServerAlias www.ct.com DocumentRoot /var/www/ct.com/public_html/ps/publish <Directory /var/www/ct.com/public_html/ps/publish> AllowOverride All Require all granted </Directory> ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined RewriteEngine on # Some rewrite rules in this file were disabled on your HTTPS site, # because they have the potential to create redirection loops. # RewriteCond %{SERVER_NAME} =ct.com # RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] Include /etc/letsencrypt/options-ssl-apache.conf SSLCertificateFile /etc/letsencrypt/live/www.ct.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/www.ct.com/privkey.pem </VirtualHost> </IfModule>最近從 Apache2.conf 中刪除的索引:
<Directory /var/www/> Options FollowSymLinks AllowOverride None Require all granted </Directory>有沒有人看到為什麼我的伺服器不會通過 SSL 向我目前正在執行的站點提供任何請求?我還有其他可以通過 SSL 正常工作的網站。
更新 4/23:這是我嘗試使用 Postman 訪問端點時的 access.log:xx.xxx.xx.xx - -
$$ 23/Apr/2019:18:24:12 +0000 $$“GET /api/Main/TestCall HTTP/1.1”404 3805“-”“PostmanRuntime/7.6.1” 更新 4/23 (2):
Apache access.log 顯示與上述相同的錯誤。Apache error.log 如下:
[Wed Apr 24 00:13:25.017062 2019] [ssl:warn] [pid 4117] AH01909: localhost:443:0 server certificate does NOT include an ID whic matches the server name [Wed Apr 24 00:13:25.022627 2019] [mpm_prefork:notice] [pid 4117] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.0g configured -- resuming normal operations新 ct.com.conf 4/24:
<VirtualHost *:*> RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME} </VirtualHost> <VirtualHost *:80> ServerAdmin webmaster@localhost ServerName ct.com ServerAlias www.ct.com RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined LogLevel debug </VirtualHost> <VirtualHost *:443> ServerAdmin webmaster@localhost ServerName ct.com ServerAlias www.ct.com ProxyPreserveHost On ProxyPass / http://127.0.0.1:5123/ ProxyPassReverse / http://127.0.0.1:5123/ SSLEngine On SSLProtocol all -SSLv2 ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined LogLevel debug #RewriteEngine on #RewriteCond %{SERVER_NAME} =ct.com #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,R=permanent] #RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4 SSLCertificateFile /etc/letsencrypt/live/www.ct.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/www.ct.com/privkey.pem </VirtualHost>帶有調試級別的 Error.log
tail -f /var/log/apache2/error.log [Wed Apr 24 16:01:15.260207 2019] [mpm_prefork:notice] [pid 19201] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.0g configured -- resuming normal operations [Wed Apr 24 16:01:15.260232 2019] [core:notice] [pid 19201] AH00094: Command line: '/usr/sbin/apache2' [Wed Apr 24 16:01:45.298236 2019] [proxy:debug] [pid 19233] proxy_util.c(1785): AH00925: initializing worker http://127.0.0.1:5123/ shared [Wed Apr 24 16:01:45.299302 2019] [proxy:debug] [pid 19233] proxy_util.c(1827): AH00927: initializing worker http://127.0.0.1:5123/ local [Wed Apr 24 16:01:45.299451 2019] [proxy:debug] [pid 19233] proxy_util.c(1878): AH00931: initialized single connection worker in child 19233 for (127.0.0.1) [Wed Apr 24 16:01:58.912849 2019] [autoindex:error] [pid 19211] [client 50.88.218.180:28627] AH01276: Cannot serve directory /var/www/ct.com/public_html/ps/publish/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive [Wed Apr 24 16:01:59.408882 2019] [autoindex:error] [pid 19211] [client 50.88.218.180:28627] AH01276: Cannot serve directory /var/www/ct.com/public_html/ps/publish/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive [Wed Apr 24 16:02:05.322145 2019] [proxy:debug] [pid 19245] proxy_util.c(1785): AH00925: initializing worker http://127.0.0.1:5123/ shared [Wed Apr 24 16:02:05.324374 2019] [proxy:debug] [pid 19245] proxy_util.c(1827): AH00927: initializing worker http://127.0.0.1:5123/ local [Wed Apr 24 16:02:05.324607 2019] [proxy:debug] [pid 19245] proxy_util.c(1878): AH00931: initialized single connection worker in child 19245 for (127.0.0.1)
你複製了錯誤的例子。您在重定向到 https
ProxyPass的非 SSL 中定義。<VirtualHost *:80>將代理內容移動到您的
<VirtualHost *:443>. 請參閱 Microsoft 指南中的SSL 範例。還要更改您的
RewriteRule並刪除NE標誌。我想你在這裡不需要它。或者使用 SSL 範例中的規則:
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]而且證書有問題…