Why does an Apache reverse proxy behave differently with and without SSL?

Question (votes: 0, answers: 1)

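I have been working on a local reverse proxy that routes traffic between two local Apache installations (each installation runs a different version of mod_wsgi, which is the reason for the split). I want this reverse proxy to work whether the request is HTTP or HTTPS.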

However, when SSL is used, ProxyPassReverse does not modify the Location response header (correctly).

Below are the VirtualHost definitions for HTTP and HTTPS traffic, respectively.

<VirtualHost *:80>
        # Proxy traffic for Version 6 with an alias of: 6x/
        ProxyPass /6x/ http://localhost:10090/
        ProxyPassReverse /6x/ http://localhost:10090/

        # Proxy traffic for previous versions with aliases of: 5x/, 4x/, and /
        ProxyPass /5x/ http://localhost:10080/
        ProxyPassReverse /5x/ http://localhost:10080/
        ProxyPass /4x/ http://localhost:10080/
        ProxyPassReverse /4x/ http://localhost:10080/
        ProxyPass / http://localhost:10080/
        ProxyPassReverse / http://localhost:10080/
</VirtualHost>
<IfModule mod_ssl.c>
        <VirtualHost *:443>
                ServerName snakeoil.us.com

                ProxyPreserveHost on
                ProxyRequests off
                SSLEngine on
                SSLProxyEngine on
                SSLProxyVerify none
                SSLProxyCheckPeerCN off
                SSLProxyCheckPeerName off
                SSLProxyCheckPeerExpire off

                SSLCertificateFile /etc/ssl/certs/snakeoil.crt
                SSLCertificateKeyFile /etc/ssl/certs/snakeoil.key
                SSLCertificateChainFile /etc/ssl/certs/bundle-client.crt

                # Proxy traffic for Version 6 with an alias of: 6x/
                ProxyPass /6x/ https://localhost:10453/
                ProxyPassReverse /6x/ https://localhost:10453/

                # Proxy traffic for previous versions with aliases of: 5x/, 4x/, and /
                ProxyPass /5x/ https://localhost:10443/
                ProxyPassReverse /5x/ https://localhost:10443/
                ProxyPass /4x/ https://localhost:10443/
                ProxyPassReverse /4x/ https://localhost:10443/
                ProxyPass / https://localhost:10443/
                ProxyPassReverse / https://localhost:10443/
        </VirtualHost>
</IfModule>

When I visit the URL http://snakeoil.us.com/6x/snk610/index, the Location header comes back as: Location: http://snakeoil.us.com/6x/snk610/index.

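However, when I visit the URL https://snakeoil.us.com/6x/snk610/index, the Location header comes back as: Location: https://snakeoil.us.com/snk610/index. This results in a 404, because only one of the two proxied local Apache instances (the one associated with the 6x route) recognizes the snk610 alias (and in this case, it is not the instance being routed to).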

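Bottom line: the HTTP VirtualHost definition proxies requests between the two local Apache instances without fail. The HTTPS VirtualHost definition does not, and it is not clear to me what causes the difference.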

apache http https reverse-proxy httpd.conf
1 answer
0 votes

Found the solution. In hindsight, this should have been more obvious.

On the proxied Apache instance, I changed the access_log format to the following.

LogFormat "%h %l %u %t \"%r\" %>s %b   -->   ResponseLocation: '%{Location}o'" common

This causes the outgoing response Location to be logged.

Here is the output from the Apache HTTP instance (the one being proxied to).

[snake6x@test1 httpd6x]$ grep "ResponseLocation: 'http" logs/access_log
::1 - - [06/May/2020:15:43:25 -0400] "GET /snk610 HTTP/1.1" 301 233   -->   ResponseLocation: 'http://localhost:10090/snk610/index'
::1 - - [06/May/2020:15:43:30 -0400] "GET /snk610/index HTTP/1.1" 302 247   -->   ResponseLocation: 'http://localhost:10090/snk610/login?params=&message=&redirect_to=index'
::1 - - [06/May/2020:15:43:32 -0400] "POST /snk610/auth?redirect_to=index&params= HTTP/1.1" 302 204   -->   ResponseLocation: 'http://localhost:10090/snk610/index'

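From the above you can see that the response Location header looks as expected, that is, ProxyPassReverse should be able to perform the substitution successfully.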

In contrast, here is the output from the Apache HTTPS instance (the one being proxied to).

[snake6x@test1 httpd]$ grep "ResponseLocation: 'http" logs/ssl_request_log
[06/May/2020:19:53:38 +0000] ::1 "GET /snk610 HTTP/1.1" 240 2645788   -->   ResponseLocation: 'https://snakeoil.us.com/snk610/index'
[06/May/2020:19:56:21 +0000] ::1 "GET /snk610/index HTTP/1.1" 254 2682899   -->   ResponseLocation: 'https://snakeoil.us.com/snk610/login?params=&message=&redirect_to=index'
[06/May/2020:19:56:23 +0000] ::1 "POST /snk610/auth?redirect_to=index&params= HTTP/1.1" 240 752392   -->   ResponseLocation: 'https://snakeoil.us.com/snk610/index'

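From the above you can see that the server name has been replaced with the incoming host name in the response Location header. This is what causes ProxyPassReverse (on the reverse proxy server) to fail to replace the outgoing host name.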

I solved this by explicitly updating the outgoing Location header on the proxied server.

    # Since this server has a proxy immediately in front of it, we need the outgoing
    # location to match the incoming location. However, the ServerName tag will
    # cause the incoming location to be changed to include the ServerName, which will
    # cause the upstream ProxyPassReverse to fail to update the outgoing location
    # properly.
    #
    # This Header modification replaces the outgoing ServerName with the incoming
    # name.
    #
    # FIXME: There is surely a better way to do this with a variable that contains
    # the incoming host
    Header edit Location ^https://snakeoil.us.com:443 https://localhost:10453
    Header edit Location ^https://snakeoil.us.com https://localhost:10453
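
The prefix matching described in the answer can be checked against the backend log before changing any configuration. The following is an added example, not part of the original question or answer and not Apache's own code: a simplified Python model of the ProxyPassReverse prefix match, using the HTTPS mappings from the question, that lists logged Location values the front proxy would pass through unchanged. The function names and the second sample log line are assumptions made for illustration.

```python
import re

# ProxyPassReverse pairs from the HTTPS VirtualHost in the question:
# (public path on the front proxy, backend URL).
HTTPS_MAPPINGS = [
    ("/6x/", "https://localhost:10453/"),
    ("/5x/", "https://localhost:10443/"),
    ("/4x/", "https://localhost:10443/"),
    ("/", "https://localhost:10443/"),
]
PUBLIC_BASE = "https://snakeoil.us.com"  # scheme and host the client used
LOCATION_RE = re.compile(r"ResponseLocation: '([^']*)'")


def reverse_map(location, mappings=HTTPS_MAPPINGS, public_base=PUBLIC_BASE):
    """Simplified model: rewrite only when Location starts with a backend URL."""
    for public_path, backend_url in mappings:
        if location.lower().startswith(backend_url.lower()):
            return public_base + public_path + location[len(backend_url):], True
    return location, False  # no prefix matched: header passes through unchanged


def unmapped_redirects(log_lines, mappings=HTTPS_MAPPINGS):
    """Return logged Location values that no mapping would rewrite."""
    missed = []
    for line in log_lines:
        found = LOCATION_RE.search(line)
        if found is None or found.group(1) in ("", "-"):
            continue  # response carried no Location header
        if not reverse_map(found.group(1), mappings)[1]:
            missed.append(found.group(1))
    return missed


# First line is from the HTTPS backend log in the answer; the second is
# constructed to show the same redirect after the Header edit fix.
SAMPLE_LOG = [
    "[06/May/2020:19:53:38 +0000] ::1 \"GET /snk610 HTTP/1.1\" 240 2645788"
    "   -->   ResponseLocation: 'https://snakeoil.us.com/snk610/index'",
    "[06/May/2020:19:53:38 +0000] ::1 \"GET /snk610 HTTP/1.1\" 240 2645788"
    "   -->   ResponseLocation: 'https://localhost:10453/snk610/index'",
]

if __name__ == "__main__":
    for value in unmapped_redirects(SAMPLE_LOG):
        print("not rewritten by the front proxy:", value)
    print(reverse_map("https://localhost:10453/snk610/index"))
```

Any value this reports is a redirect that reaches the client without the /6x/ prefix, which is the 404 case from the question.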