如何将 HTTP 重定向到 HTTPS,同时通过 apache 和 varnish 配置终止 ssl

问题描述 投票:0回答:2

我在 apache 中使用 virtualmin。配置好varnish,想用apache终止ssl。 Apache 正在监听两个端口 443 和 8080 清漆监听端口 80

我面临的错误:

apache 站点中的 http 到 https 重定向问题。当请求是 https://example.com 没问题,但是当请求是 http://example.com 时,它不会重定向到 https。

这是我的 apache ssl 配置:

SuexecUserGroup "#1010" "#1006"
ServerName example.com
ServerAlias www.example.com
ServerAlias mail.example.com
ServerAlias webmail.example.com
ServerAlias admin.example.com
ServerAlias autoconfig.example.com
ServerAlias autodiscover.example.com

DocumentRoot /home/biolink/public_html

ErrorLog /var/log/virtualmin/example.com_error_log
CustomLog /var/log/virtualmin/example.com_access_log combined

ScriptAlias /cgi-bin/ /home/biolink/cgi-bin/
ScriptAlias /awstats/ /home/biolink/cgi-bin/
ScriptAlias /AutoDiscover/AutoDiscover.xml /home/biolink/cgi-bin/autoconfig.cgi
ScriptAlias /Autodiscover/Autodiscover.xml /home/biolink/cgi-bin/autoconfig.cgi
ScriptAlias /autodiscover/autodiscover.xml /home/biolink/cgi-bin/autoconfig.cgi

DirectoryIndex index.html index.htm index.php index.php4 index.php5

<Directory /home/biolink/public_html>
    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    AddType application/x-httpd-php .php
    AddHandler fcgid-script .php
    AddHandler fcgid-script .php7.4
    AddHandler fcgid-script .php8.2
    FCGIWrapper /home/biolink/fcgi-bin/php7.4.fcgi .php
    FCGIWrapper /home/biolink/fcgi-bin/php7.4.fcgi .php7.4
    FCGIWrapper /home/biolink/fcgi-bin/php8.2.fcgi .php8.2
</Directory>

<Directory /home/biolink/cgi-bin>
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
</Directory>

RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.example.com
RewriteRule ^(?!/.well-known)(.*) https://example.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.example.com
RewriteRule ^(?!/.well-known)(.*) https://example.com:10000/ [R]

SSLEngine on
SSLCertificateFile /home/biolink/ssl.cert
SSLCertificateKeyFile /home/biolink/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

<Files awstats.pl>
    AuthName "example.com statistics"
    AuthType Basic
    AuthUserFile /home/biolink/.awstats-htpasswd
    require valid-user
</Files>

Alias /dav /home/biolink/public_html

<Location /dav>
    DAV on
    AuthType Basic
    AuthName "example.com"
    AuthUserFile /home/biolink/etc/dav.digest.passwd
    Require valid-user
    ForceType text/plain
    Satisfy All
    RemoveHandler .php
    RemoveHandler .php7.4

    RewriteEngine off
</Location>

<Location /git>
    DAV on
    AuthType Basic
    AuthName example.com
    AuthUserFile /home/biolink/etc/git.basic.passwd
    Require valid-user
    Satisfy All
    RedirectMatch ^/git$ http://example.com/git/gitweb.cgi
    RedirectMatch ^/git/$ http://example.com/git/gitweb.cgi

    RewriteEngine off
    AddHandler cgi-script .cgi
</Location>

SSLCACertificateFile /home/biolink/ssl.ca
RemoveHandler .php
RemoveHandler .php7.4
RemoveHandler .php8.2
IPCCommTimeout 2001

FcgidMaxRequestLen 1073741824
Redirect /mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
Redirect /.well-known/autoconfig/mail/config-v1.1.xml /cgi-bin/autoconfig.cgi

ProxyPreserveHost On
ProxyPass / http://127.0.0.1:80/
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Proto "https"

我使用 hitch 通过以下 vcl 配置终止 ssl,它正确地重定向到 https - 没问题。但是随着 apache ssl 终止,太多重定向循环的错误。

VCL配置:

sub vcl_recv {

if (std.port(server.ip) != 443) {
set req.http.location = "https://" + req.http.host + req.url;
return(synth(301));
}

    if (!req.http.X-Forwarded-Proto) {
        if(std.port(server.ip) == 443) {
            set req.http.X-Forwarded-Proto = "https";
        } else {
            set req.http.X-Forwarded-Proto = "https";
        }
    }

}
sub vcl_synth {

    if (resp.status == 301 || resp.status == 302) {
        set resp.http.location = req.http.location;
        return (deliver);
    }
}

帮我解决我的问题。

apache ssl varnish forum discourse
2个回答
0
投票

Op 说:当请求是 https://example.com 没问题,但是当请求是 http://example.com 时,它不会重定向到 https。

就像为它添加一个特定的虚拟主机一样简单:

<Virtualhost *:80>
ServerName example.com
ServerAlias www.example.com
ServerAlias mail.example.com
ServerAlias webmail.example.com
ServerAlias admin.example.com
ServerAlias autoconfig.example.com
ServerAlias autodiscover.example.com

RewriteEngine on
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R=301,L]
<Virtualhost>
0
投票

如果我很了解你的配置,你有:

  • 清漆响应 HTTP 80
  • apache httpd 响应 HTTPS 443

你想拥有:

  • 通过清漆缓存 HTTPS 内容
  • 硬重定向告诉最终用户使用 HTTPS(即 301 someurl:80 到 https://someurl:443)

在你的情况下,在清漆方面你有

if (std.port(server.ip) != 443) {
set req.http.location = "https://" + req.http.host + req.url;
return(synth(301));
}

告诉清漆“如果你不在 IP:443 上回答,将它重定向到 443”

然后

    if (!req.http.X-Forwarded-Proto) {
      if(std.port(server.ip) == 443) {
        set req.http.X-Forwarded-Proto = "https";
      } else {
        set req.http.X-Forwarded-Proto = "https";
      }
    }

告诉清漆,“如果请求是带有 x-forwarded-proto 的,请考虑它” 但在你的情况下,varnish 应该总是在端口 80 上应答,所以只考虑第一个测试,所以你可能会有无限循环。

类似以下 VCL 代码的东西可能会完成这项工作

sub vcl_recv {

  if (!req.http.X-Forwarded-Proto) {
    # the test might be useless
    # your varnish is probably configured to answer on 80 only
    # (and apache httpd on IP:443)
    if(std.port(server.ip) == 443) {
        set req.http.X-Forwarded-Proto = "https";
    } else {
        set req.http.X-Forwarded-Proto = "http";
    }
  }

  if (req.http.X-Forwarded-Proto != "https") {
    set req.http.location = "https://" + req.http.host + req.url;
    return(synth(301));
  }
}

sub vcl_synth {
  if (resp.status == 301 || resp.status == 302) {
    set resp.http.location = req.http.location;
    return (deliver);
  }
}
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.