I have set up Apache OpenMeetings 4.0.4 with Apache/2.2.22 as a proxy.
In OM's conf/red5.properties I have:
http.port=8080
I want to do two things:
Redirect HTTP (80) -> HTTPS (443)
Redirect HTTP (8080) -> HTTPS (443)
My /etc/apache2/sites-available/default conf is:
<VirtualHost *:80>
ServerName domain.test-test.eu
ServerAlias domain.test-test.eu
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost *:8080>
ServerName domain.test-test.eu
ServerAlias domain.test-test.eu
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
My /etc/apache2/sites-available/default-ssl conf is:
<VirtualHost *:443>
ServerName domain.test-test.eu
ServerAlias domain.test-test.eu
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
SSLEngine On
# Directive names corrected: Apache has no "SSLCerificate*" directives and
# would refuse to start with them.
SSLCertificateFile /etc/apache2/certs/collaboration.crt
SSLCertificateKeyFile /etc/apache2/certs/collaboration.key
SSLCertificateChainFile /etc/apache2/certs/chain.pem
</VirtualHost>
When I type http://domain.test-test.eu/ it redirects me to https://domain.test-test.eu.
When I type http://192.168.XXX.YYY it redirects me to https://192.168.XXX.YYY.
But when I type http://192.168.XXX.YYY:8080 or http://domain.test-test.eu:8080, it does not redirect me to https://192.168.XXX.YYY or https://domain.test-test.eu/. The page opens (without HTTPS).
The second problem is that in OM's log I can see CSRF messages and I cannot log in over HTTPS.
The message in the OM log:
[http-nio-0.0.0.0-8080-exec-10] INFO o.a.w.p.h.CsrfPreventionRequestCycleListener - Possible CSRF attack, request URL: http://192.168.XXX.YYY/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage, Origin: https://192.168.XXX.YYY, action: aborted with error 400 Origin does not correspond to request
How should I change the Apache settings to make this work?
Answer 0 (score: 1)
I'm afraid "Redirect HTTP (8080) -> HTTPS (443)" cannot be set up.
If you run OpenMeetings on port 8080, you cannot use that port for Apache, and vice versa. An internet port should be used exclusively by either OM or Apache, not by both.
I would close port 8080 at the FW level to deny direct access to OM. (And please remove the <VirtualHost *:8080> rule, otherwise OM will fail to start with a Port already in use message.)
Now regarding CSRF:
You need to modify conf/jee-container.xml and add the following property
<property name="secure" value="true" />
to the <!-- Tomcat without SSL enabled --> block, before <property name="connectionProperties">.
This should fix your issue.
But OpenMeetings won't work with this configuration....
because you also need to proxy WebSockets....
So you also need mod_rewrite and mod_proxy_wstunnel.
Then you need to add the following section:
RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://localhost:8080/$1 [P,L]
RedirectMatch ^/$ https://domain.test-test.eu/openmeetings
Additionally, you might want to tunnel RTMP traffic, which requires special rules for open, send, idle and close.
Here is the final config for Apache 2.4:
<VirtualHost *:443>
ServerName domain.test-test.eu
## Vhost docroot
DocumentRoot "/var/www/"
## Directories, there should at least be a declaration for /var/www/
<Directory "/var/www/">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Require all granted
</Directory>
## Logging
ErrorLog "/var/log/apache2/domain.test-test.eu-ssl-error.log"
ServerSignature Off
CustomLog "/var/log/apache2/domain.test-test.eu.http_access.log" combined
## SSL directives
SSLEngine on
SSLCertificateFile "/_certs_path_/domain.test-test.eu/fullchain.pem"
SSLCertificateKeyFile "/_certs_path_/domain.test-test.eu/privkey.pem"
SSLCACertificatePath "/_CA_certs_path_"
### OpenMeetings ###
## Custom fragment
RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://localhost:5080/$1 [P,L]
RedirectMatch ^/$ https://domain.test-test.eu/openmeetings
ProxyPreserveHost On
<Location /openmeetings>
Require all granted
ProxyPass http://localhost:5080/openmeetings
ProxyPassReverse http://localhost:5080/openmeetings
RewriteEngine On
RewriteRule ^/(.*) http://localhost:5080/$1 [P]
</Location>
<Location /open>
Require all granted
ProxyPass http://localhost:5080/open
ProxyPassReverse http://localhost:5080/open
</Location>
<Location /send>
Require all granted
ProxyPass http://localhost:5080/send
ProxyPassReverse http://localhost:5080/send
</Location>
<Location /idle>
Require all granted
ProxyPass http://localhost:5080/idle
ProxyPassReverse http://localhost:5080/idle
</Location>
<Location /close>
Require all granted
ProxyPass http://localhost:5080/close
ProxyPassReverse http://localhost:5080/close
</Location>
</VirtualHost>
Works for me as expected :)
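The log line in the question shows why the login fails: the browser sends the sign-in POST over HTTPS, so its Origin header is https://192.168.XXX.YYY, but Apache terminates TLS and forwards the request over plain HTTP to the connector on 8080. The servlet container rebuilds the request URL from that connector, gets http://192.168.XXX.YYY/..., and the origin check sees a scheme mismatch. Marking the connector secure, as the answer does, makes the reconstructed URL https:// again. The following Python is an added example that models this comparison; it is not OpenMeetings, Wicket or Tomcat code, and the host names, header values and helper names (reconstruct_request_url, origin_matches, check_login_post) are constructed for illustration. The same-origin test on scheme, host and port is the behaviour modelled here, with default ports normalised.

```python
"""Model of the 'Origin does not correspond to request' check behind a
TLS-terminating proxy.

Added example for this page, not OpenMeetings, Wicket or Tomcat code.
Header values, host names and helper names are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def reconstruct_request_url(headers, path, connector_secure):
    """Rebuild the absolute request URL the way a servlet container does.

    The scheme comes from the connector: a plain HTTP connector reports
    'http' unless it is flagged secure (the <property name="secure"
    value="true" /> the answer adds). The host comes from the Host header,
    which 'ProxyPreserveHost On' forwards from the client unchanged.
    """
    scheme = "https" if connector_secure else "http"
    return f"{scheme}://{headers['Host']}{path}"


def _scheme_host_port(url):
    """Split a URL into (scheme, host, port), filling in the default port."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, parts.hostname, port


def origin_matches(request_url, origin):
    """Same-origin test on scheme, host and port, so that 'https://h' and
    'https://h:443' compare equal while 'http://h' and 'https://h' do not."""
    return _scheme_host_port(request_url) == _scheme_host_port(origin)


def check_login_post(headers, path, connector_secure):
    """Return (reconstructed request URL, True if the Origin check passes)."""
    url = reconstruct_request_url(headers, path, connector_secure)
    return url, origin_matches(url, headers["Origin"])


# Constructed sample: the browser POSTs the sign-in form over HTTPS to the
# proxy, which forwards it over plain HTTP to the connector on port 8080.
SIGN_IN_PATH = (
    "/openmeetings/wicket/bookmarkable/"
    "org.apache.openmeetings.web.pages.auth.SignInPage"
)
SAMPLE_HEADERS = {
    "Host": "192.168.0.10",            # preserved by ProxyPreserveHost On
    "Origin": "https://192.168.0.10",  # set by the browser on the POST
}

if __name__ == "__main__":
    for secure in (False, True):
        url, ok = check_login_post(SAMPLE_HEADERS, SIGN_IN_PATH, secure)
        verdict = "accepted" if ok else "aborted with error 400 Origin does not correspond to request"
        print(f"connector secure={secure}: request URL {url}, Origin {SAMPLE_HEADERS['Origin']}: {verdict}")
```

Run as-is, the first iteration reproduces the mismatch from the log (http:// request URL against an https:// Origin) and the second shows the check passing once the connector is flagged secure. Closing 8080 on the firewall, as the answer recommends, is what keeps a client from reaching the plain-HTTP connector directly and bypassing the TLS front end.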
Answer 1 (score: 0)
In the 'default' file I have:
<VirtualHost *:80>
ServerName domain.test-test.eu
ServerAlias domain.test-test.eu
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
So when somebody types http://domain.test-test.eu it redirects to https://domain.test-test.eu.
My 'default-ssl' file is almost exactly the same as yours (I use 8080/tcp for OM). And I'm using a self-signed certificate for OM (for now it isn't signed for CN=domain.test-test.eu but for CN=testname.eu; I'll change that once OM works).
Unfortunately, this configuration doesn't work. I can see two black spots around. Could it be due to outdated browsers (FF version 52.4.1 and Chromium 51.0.2704.79) or the wrong site certificate?
Answer 2 (score: 0)
The Apache config given by Maxim is working. Thank you Maxim!