Proxying HTTP requests using subdomains

Posted on 2024-12-01 18:08:12

I'm trying to get the following done:

  1. An HTTP request comes into an address subdomain.domain.com to a public IP on a machine running a proxy (maybe Apache? Anything better?)
  2. Based on the subdomain, I'd like the request to be redirected to an internal machine on a private IP, and specific port. The response for that request will come from that internal machine.

What are my options? Any general guidelines out there for achieving this? What's a good proxy implementation choice? Will also need to dynamically add subdomains over time, which redirect to specific internal IPs/ports.

How do SSL certificates work in a setup with subdomains? Is a separate certificate required for every subdomain?


Comments (2)

审判长 2024-12-08 18:08:12

The setup isn't too hard. You just make a virtual host for each subdomain and configure the vhosts as proxies. The approach is the same regardless of which proxy software you choose. I recommend you use Nginx as a reverse proxy since the configuration is easier and the performance is much better than Apache. If you still want to use Apache, make sure you do not run PHP on the proxy machine and use mpm_worker instead of mpm_prefork.

You can make a script which adds new subdomains to the configuration file. It shouldn't be too hard since they will look almost the same, except for the path to the SSL certificate and the IP of the backbone server.

For SSL you can use a wildcard certificate which will cover the entire domain, including subdomains. This is not supported on all platforms, but the support has grown in the last years so it should be pretty safe.

Otherwise, without a wildcard certificate, you will need a certificate and a separate IP address per subdomain (since the SSL connection is set up before the domain name is known, you will need to differentiate different certificates by different IPs).

等风来 2024-12-08 18:08:12

Apache is perfectly reasonable for this problem. You can do virtual hosts which use mod_proxy:

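<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName foo.yyy.com

    # Reverse proxy only: keep forward proxying off so this is not an open proxy
    ProxyRequests Off
    # Order/Allow is Apache 2.2 access syntax (2.4 uses "Require all granted")
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    # Serve the proxy's own error pages instead of the backend's
    ProxyErrorOverride On
    # Forward everything to the internal machine and rewrite its redirect headers
    ProxyPass / http://192.168.1.1/
    ProxyPassReverse / http://192.168.1.1/
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>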

If you were looking to host hundreds or thousands of sub-domains you could actually do this with mod_rewrite instead, with a trick involving local name lookups that allowed you to proxy bar.yyy.com to something like local.bar.yyy.com. Using mod_rewrite for mass virtual hosting is mentioned in the Apache docs; using it to proxy instead of just rewrite is relatively straightforward. Doing it that way has the advantage that new sub-domains can be added purely using DNS though.

In terms of SSL, if you are just using *.yyy.com as the subdomains you can use a wildcard certificate (I neither recommend nor disapprove of Thawte, they just had a reasonable description of it). In the general case, though, hosting multiple SSL sites behind a single public IP address is a bit more tricky.
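
The script suggested in the first answer, applied to the vhost shape from the second, as an added example (not code from either answerer): it renders one Apache mod_proxy vhost per subdomain and validates every field, so a label or address read from a form or file cannot inject directives or point the proxy outside the private network. The function names and the sample mapping are assumptions for illustration; yyy.com and 192.168.1.1 are reused from the answer above.

```python
import ipaddress
import re

DOMAIN = "yyy.com"  # parent domain, reused from the answer's example
# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
LABEL_RE = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

VHOST_TEMPLATE = """<VirtualHost *:80>
    ServerName {host}

    ProxyRequests Off
    ProxyPass / http://{ip}:{port}/
    ProxyPassReverse / http://{ip}:{port}/
</VirtualHost>
"""


def render_vhost(label, backend_ip, backend_port):
    """Return an Apache vhost proxying <label>.DOMAIN to a private backend."""
    label = label.lower()
    # fullmatch, not match: "$" would accept a trailing newline and allow
    # extra directives to be smuggled into the generated file.
    if not LABEL_RE.fullmatch(label):
        raise ValueError(f"invalid subdomain label: {label!r}")
    ip = ipaddress.ip_address(backend_ip)
    # Private IPv4 only; loopback and link-local (e.g. cloud metadata
    # endpoints) count as "private" in ipaddress, so exclude them explicitly.
    if ip.version != 4 or not ip.is_private or ip.is_loopback or ip.is_link_local:
        raise ValueError(f"backend must be a private IPv4 address: {backend_ip!r}")
    port = int(backend_port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {backend_port!r}")
    return VHOST_TEMPLATE.format(host=f"{label}.{DOMAIN}", ip=str(ip), port=port)


def render_all(mapping):
    """Render every entry in label order; one bad entry rejects the batch."""
    return "\n".join(render_vhost(label, ip, port)
                     for label, (ip, port) in sorted(mapping.items()))


# Constructed sample mapping (hypothetical hosts and addresses).
SAMPLE = {"foo": ("192.168.1.1", 80), "bar": ("10.0.4.7", 8080)}

if __name__ == "__main__":
    print(render_all(SAMPLE))
```

Write the output to a separate included file and run Apache's configuration test before reloading, so a rejected batch never replaces a working configuration.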
