在Ubuntu中建立Web反向代理

纪录在工作环境上,建立Web反向代理的过程。首先准备两台 Apache主机服务器,一台用来做 Reverse Proxy(反向代理),另一台为 Web Content Provider。 Reverse Proxy 负责对外提供 https 服务, Reverse Proxy 和 Web Content Provider 之间以 https 方式传输。

以下范例是 Ubuntu 18.04 Apache Reverse Proxy 的设定:

  • proxy.yourdomain.com 向 web.yourdomain.com 反向代理
  • 自动从 http 跳转至 https
  • proxy.yourdomain.com 使用公开信赖的 SSL 凭证
  • proxy.yourdomain.com 之间的连接 web.yourdomain.com 采用自签凭证(这一段不验证)

Reverse Proxy 反向代理

1、启用所需相关 module

$ sudo a2enmod ssl
$ sudo a2enmod proxy_http
$ sudo a2enmod rewrite

2、编辑 apache site conf

<VirtualHost *:80>
ServerName proxy.yourdomain.com
ServerAdmin webmaster@localhost

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined 

# http redirect to https
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName proxy.yourdomain.com
ServerAdmin webmaster@localhost 

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# upgrade-insecure-requests
Header always set Content-Security-Policy: upgrade-insecure-requests

# SSL cert
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.cer
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLCertificateChainFile /etc/apache2/ssl/uca.cer

# SSLProxy: don't verify certificate
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off

# reverse proxy path
ProxyPreserveHost On
ProxyPass "/" "https://web.yourdomain.com/"
ProxyPassReverse "/" "https://web.yourdomain.com/"

BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>

3、重启 Apache 服务

$ sudo service apache2 restart

Web Content Provider

启用所需相关 module

$ sudo a2enmod ssl

编辑 apache site conf

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName web.yourdomain.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>

重启 Apache 服务

$ sudo service apache2 restart

另外,Firewall policy 的部分,可以设定为

  • proxy.yourdomain.com 对外开放 80, 443 port
  • web.yourdomain.com 的 443 port 只对 proxy.yourdomain.com 开放

转载需保留链接来源:软件玩家 » 在Ubuntu中建立Web反向代理

赞 (0)

评论 0

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

感谢您的支持!

微信扫一扫打赏