Configuring secure websockets with Apache httpd 2.4.6 and Tomcat 8

Time: 2015-06-30 17:16:21

Tags: java apache tomcat websocket atmosphere

I am trying to configure websockets using httpd as a proxy and reverse proxy, but it does not seem to work. If I use the tomcat server directly everything is fine; if I call it through apache httpd the response status is 200. This means apache httpd cannot interpret the websocket request and switch protocols, right?

Here is the httpd configuration for my application:

LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so

Listen 443 https


SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin


<VirtualHost 10.224.130.50:80>

    ServerName myhost
    Redirect permanent / https://myhost/

</VirtualHost>

<VirtualHost 10.224.130.50:443>

    ServerName myhost
    ErrorLog logs/myhost.error.log
    CustomLog logs/myhost.access.log common

    ProxyPass /ws/       wss://localhost:8443/ws/ retry=0
    ProxyPassReverse /ws/ wss://localhost:8443/ws/ retry=0

    ProxyPass / https://myhost:8443/ connectiontimeout=600 timeout=1200
    ProxyPassReverse / https://myhost:8443/


    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLCertificateFile    "/etc/pki/tls/certs/myhost.cer"
    SSLCertificateKeyFile "/etc/pki/tls/private/myhost.key"

</VirtualHost>

Here is the Apache Tomcat connector configuration:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/root/.keystore"
           keystorePass="password" />
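One way to see where the upgrade is lost, as an added example that is not code from the question or the answers: this Python script performs the RFC 6455 opening handshake itself, so it can be pointed at the httpd port and at the Tomcat port in turn and the two results compared. A plain 200 (the symptom above) is reported as a failed upgrade; on a 101 the Sec-WebSocket-Accept value is checked against the key that was sent. The host, port and path are whatever you pass to probe(); the sample response in the block is constructed.

```python
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 handshake GUID

# Constructed sample of the symptom in the question: proxy answered as plain HTTP.
SAMPLE_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"

def expected_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept a conforming server must return for client_key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def build_handshake(host: str, path: str, client_key: str) -> bytes:
    """Minimal upgrade request; a proxy that drops Upgrade/Connection gets a 200."""
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
        "Upgrade: websocket\r\nConnection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {client_key}\r\nSec-WebSocket-Version: 13\r\n\r\n"
    ).encode("ascii")

def check_handshake(response: bytes, client_key: str) -> tuple[bool, str]:
    """Inspect the response head: 101 plus a matching Accept means the proxy
    forwarded the upgrade; anything else means it answered as plain HTTP."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    status = parts[1] if len(parts) > 1 else "?"
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if status != "101":
        return False, f"no upgrade: HTTP {status} (proxy did not switch protocols)"
    if headers.get("sec-websocket-accept") != expected_accept(client_key):
        return False, "101 but Sec-WebSocket-Accept does not match our key"
    return True, "websocket upgrade completed"

def probe(host: str, port: int, path: str) -> tuple[bool, str]:
    """Run the check over TLS against a live endpoint (certificate is verified)."""
    ctx = ssl.create_default_context()
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_handshake(host, path, key))
            return check_handshake(tls.recv(4096), key)
```

Running probe("myhost", 443, "/ws/") and probe("myhost", 8443, "/ws/") side by side shows whether the 200 comes from httpd or from Tomcat.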

2 answers:

Answer 0 (score: 3)

I think the problem may be the slashes:


Note: pay strict attention to the slash "/" or its absence! WebSocket url endpoint

ProxyPass /ws/ wss://localhost:8443/ws

ProxyPassReverse /ws/ wss://localhost:8443/ws

More info: tunneling-secure-websocket-connections-with-apache

Answer 1 (score: 1)

This worked for me, but since I have the Java Spring framework on my internal application, I also needed one more line.

Here is the entire solution as a proxy file:

<Location /outside-app>
    # WEBSOCKET
    Header always add "Access-Control-Allow-Origin" "*"
    ProxyPass wss://internal.company.com:11111/application

    RewriteEngine on
    Require all granted
    # Only requests carrying the WebSocket upgrade headers are rewritten below
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
    # (.*) is needed so that $1 carries the matched path; a bare .* leaves $1 empty
    RewriteRule (.*) https://internal.company.com:11111/application/$1 [P,L]

    # REVERSE PROXY
    ProxyPass https://internal.company.com:11111/application
    ProxyPassReverse https://internal.company.com:11111/application
</Location>