反向代理背后的 Web 应用程序 - 如何处理 SSL?

发布于 2024-10-08 04:07:43 字数 1665 浏览 6 评论 0原文

我有一个公共 Apache 服务器,需要代理到内部 Apache 服务器(用于 SVN 访问)。我想要的是:

User  ---[HTTPS]--->  Web Server  ---[HTTP]--->  SVN Server

我对 SSL 处理不太熟悉,所以我想了解一些关于这种方法的意见。这是一个好的模型吗?我应该在任何地方使用 SSL 吗?

我的方法在大多数情况下都有效,但在重写重定向回 HTTPS 时会失败。如果用户访问,

    https://acme.web.mcx/svn (no trailing '/')

他们会被 SVN 服务器重定向到

    http://acme.web.mcx/svn/ (almost there!) 

以下是我的 Web 服务器(代理服务器)配置:

<VirtualHost *:443>
    ServerAdmin [email protected]
    ServerAlias *.web.mcx www.web.mcx web.mcx

    DocumentRoot /server/web/app/webroot
    ErrorLog logs/web-error_log
    CustomLog logs/web-access_log common

    RewriteEngine On

    RewriteCond %{HTTP_HOST} !^www\.web\.mcx$ [NC]
    RewriteCond %{HTTP_HOST} ^(www\.)?([^.]+)\.web\.mcx$ [NC]
    RewriteRule ^/svn(.*) http://db.mcx/svn$1 [P]
    ProxyPassReverse /svn http://db.mcx/svn
    ProxyPreserveHost on

    SSLEngine on
    SSLCertificateFile      /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/server.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyVia On

<Location /svn/>
    <Limit OPTIONS PROPFIND GET REPORT MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
        Order Deny,Allow
        Allow from all
        Satisfy Any
    </Limit>
</Location>

I have a public Apache server which needs to proxy to an internal Apache server (for SVN access). What I'd like to have is:

User  ---[HTTPS]--->  Web Server  ---[HTTP]--->  SVN Server

I'm not too familiar with SSL handling, so I'd like some opinions on this approach. Is this an ok model; should I be using SSL everywhere, etc.

My approach works for the most part, but fails when rewriting redirects back to HTTPS. If a user goes to

    https://acme.web.mcx/svn (no trailing '/')

they are redirected by the SVN server to

    http://acme.web.mcx/svn/ (almost there!) 

Here's my config for the Web Server (Proxying server):

<VirtualHost *:443>
    ServerAdmin [email protected]
    ServerAlias *.web.mcx www.web.mcx web.mcx

    DocumentRoot /server/web/app/webroot
    ErrorLog logs/web-error_log
    CustomLog logs/web-access_log common

    RewriteEngine On

    RewriteCond %{HTTP_HOST} !^www\.web\.mcx$ [NC]
    RewriteCond %{HTTP_HOST} ^(www\.)?([^.]+)\.web\.mcx$ [NC]
    RewriteRule ^/svn(.*) http://db.mcx/svn$1 [P]
    ProxyPassReverse /svn http://db.mcx/svn
    ProxyPreserveHost on

    SSLEngine on
    SSLCertificateFile      /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/server.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyVia On

<Location /svn/>
    <Limit OPTIONS PROPFIND GET REPORT MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
        Order Deny,Allow
        Allow from all
        Satisfy Any
    </Limit>
</Location>

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

笑着哭最痛 2024-10-15 04:07:43

我一直在回答我自己的问题:)

这是我的“工作直到崩溃”的解决方案:我更改了 VirtualHost 设置以始终将 /svn* 的 http:// 请求重定向到 https。客户端有时会被重定向两次(如果他们不使用尾部斜杠),但这对我来说没问题。重定向一:SVN 服务器将客户端重定向到带有斜杠的正确路径(尽管忘记了 https),重定向二:Web 服务器将客户端重定向回 https。

<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerAlias *.web.mcx www.web.mcx web.mcx

    DocumentRoot /server/web/app/webroot
    ErrorLog logs/web-error_log
    CustomLog logs/web-access_log common

    RewriteEngine On

    RewriteCond %{HTTP_HOST} !^www\.web\.mcx$ [NC]
    RewriteCond %{HTTP_HOST} ^(www\.)?([^.]+)\.web\.mcx$ [NC]
    RewriteCond %{REQUEST_URI} svn.*
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]

    ProxyRequests Off
</VirtualHost>

I keep answering my own questions :)

Here's my 'works until it breaks' solution: I changed my VirtualHost setting to always redirect http:// requests for /svn* to https. The client will be redirected twice sometimes (if they don't use the trailing slash), but that's ok with me. Redirect one: SVN server redirects client to the proper path with a slash (although forgets about https), redirect two: Web server redirects client back to https.

<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerAlias *.web.mcx www.web.mcx web.mcx

    DocumentRoot /server/web/app/webroot
    ErrorLog logs/web-error_log
    CustomLog logs/web-access_log common

    RewriteEngine On

    RewriteCond %{HTTP_HOST} !^www\.web\.mcx$ [NC]
    RewriteCond %{HTTP_HOST} ^(www\.)?([^.]+)\.web\.mcx$ [NC]
    RewriteCond %{REQUEST_URI} svn.*
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]

    ProxyRequests Off
</VirtualHost>
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文