我在 apache 中使用 virtualmin。配置好varnish,想用apache终止ssl。 Apache 正在监听两个端口 443 和 8080 清漆监听端口 80
我面临的错误:
apache 站点中的 http 到 https 重定向问题。当请求是 https://example.com 没问题,但是当请求是 http://example.com 时,它不会重定向到 https。
这是我的 apache ssl 配置:
SuexecUserGroup "#1010" "#1006"
ServerName example.com
ServerAlias www.example.com
ServerAlias mail.example.com
ServerAlias webmail.example.com
ServerAlias admin.example.com
ServerAlias autoconfig.example.com
ServerAlias autodiscover.example.com
DocumentRoot /home/biolink/public_html
ErrorLog /var/log/virtualmin/example.com_error_log
CustomLog /var/log/virtualmin/example.com_access_log combined
ScriptAlias /cgi-bin/ /home/biolink/cgi-bin/
ScriptAlias /awstats/ /home/biolink/cgi-bin/
ScriptAlias /AutoDiscover/AutoDiscover.xml /home/biolink/cgi-bin/autoconfig.cgi
ScriptAlias /Autodiscover/Autodiscover.xml /home/biolink/cgi-bin/autoconfig.cgi
ScriptAlias /autodiscover/autodiscover.xml /home/biolink/cgi-bin/autoconfig.cgi
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/biolink/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php7.4
AddHandler fcgid-script .php8.2
FCGIWrapper /home/biolink/fcgi-bin/php7.4.fcgi .php
FCGIWrapper /home/biolink/fcgi-bin/php7.4.fcgi .php7.4
FCGIWrapper /home/biolink/fcgi-bin/php8.2.fcgi .php8.2
</Directory>
<Directory /home/biolink/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.example.com
RewriteRule ^(?!/.well-known)(.*) https://example.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.example.com
RewriteRule ^(?!/.well-known)(.*) https://example.com:10000/ [R]
SSLEngine on
SSLCertificateFile /home/biolink/ssl.cert
SSLCertificateKeyFile /home/biolink/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
<Files awstats.pl>
AuthName "example.com statistics"
AuthType Basic
AuthUserFile /home/biolink/.awstats-htpasswd
require valid-user
</Files>
Alias /dav /home/biolink/public_html
<Location /dav>
DAV on
AuthType Basic
AuthName "example.com"
AuthUserFile /home/biolink/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
Satisfy All
RemoveHandler .php
RemoveHandler .php7.4
RewriteEngine off
</Location>
<Location /git>
DAV on
AuthType Basic
AuthName example.com
AuthUserFile /home/biolink/etc/git.basic.passwd
Require valid-user
Satisfy All
RedirectMatch ^/git$ http://example.com/git/gitweb.cgi
RedirectMatch ^/git/$ http://example.com/git/gitweb.cgi
RewriteEngine off
AddHandler cgi-script .cgi
</Location>
SSLCACertificateFile /home/biolink/ssl.ca
RemoveHandler .php
RemoveHandler .php7.4
RemoveHandler .php8.2
IPCCommTimeout 2001
FcgidMaxRequestLen 1073741824
Redirect /mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
Redirect /.well-known/autoconfig/mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:80/
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Proto "https"
我使用 hitch 通过以下 vcl 配置终止 ssl,它正确地重定向到 https - 没问题。但是随着 apache ssl 终止,太多重定向循环的错误。
VCL配置:
sub vcl_recv {
if (std.port(server.ip) != 443) {
set req.http.location = "https://" + req.http.host + req.url;
return(synth(301));
}
if (!req.http.X-Forwarded-Proto) {
if(std.port(server.ip) == 443) {
set req.http.X-Forwarded-Proto = "https";
} else {
set req.http.X-Forwarded-Proto = "https";
}
}
}
sub vcl_synth {
if (resp.status == 301 || resp.status == 302) {
set resp.http.location = req.http.location;
return (deliver);
}
}
帮我解决我的问题。
Op 说:当请求是 https://example.com 没问题,但是当请求是 http://example.com 时,它不会重定向到 https。
就像为它添加一个特定的虚拟主机一样简单:
<Virtualhost *:80>
ServerName example.com
ServerAlias www.example.com
ServerAlias mail.example.com
ServerAlias webmail.example.com
ServerAlias admin.example.com
ServerAlias autoconfig.example.com
ServerAlias autodiscover.example.com
RewriteEngine on
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R=301,L]
<Virtualhost>
如果我很了解你的配置,你有:
你想拥有:
在你的情况下,在清漆方面你有
if (std.port(server.ip) != 443) {
set req.http.location = "https://" + req.http.host + req.url;
return(synth(301));
}
告诉清漆“如果你不在 IP:443 上回答,将它重定向到 443”
然后
if (!req.http.X-Forwarded-Proto) {
if(std.port(server.ip) == 443) {
set req.http.X-Forwarded-Proto = "https";
} else {
set req.http.X-Forwarded-Proto = "https";
}
}
告诉清漆,“如果请求是带有 x-forwarded-proto 的,请考虑它” 但在你的情况下,varnish 应该总是在端口 80 上应答,所以只考虑第一个测试,所以你可能会有无限循环。
类似以下 VCL 代码的东西可能会完成这项工作
sub vcl_recv {
if (!req.http.X-Forwarded-Proto) {
# the test might be useless
# your varnish is probably configured to answer on 80 only
# (and apache httpd on IP:443)
if(std.port(server.ip) == 443) {
set req.http.X-Forwarded-Proto = "https";
} else {
set req.http.X-Forwarded-Proto = "http";
}
}
if (req.http.X-Forwarded-Proto != "https") {
set req.http.location = "https://" + req.http.host + req.url;
return(synth(301));
}
}
sub vcl_synth {
if (resp.status == 301 || resp.status == 302) {
set resp.http.location = req.http.location;
return (deliver);
}
}