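RD teams often need assorted public-facing domains for testing.
Giving every one of them its own external IP costs too much,
and the external-facing switch supports very few NAT entries (and NAT apparently cannot be configured per domain)...
This is where a proxy comes in; the most convenient choices are Apache or nginx.
This post records the process of setting up Apache as a proxy.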
Proxy overview
A proxy operates in one of two modes: forward and reverse.
For background, see the topic "Explanation of proxying services with a Reverse Proxy".
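To serve SSL you first need a certificate.
Requesting a certificate
You can register for a free certificate at SSL For Free (valid for 3 months per term).
You receive an archive containing three files:
certificate.crt - server certificate
private.key - private key for the certificate
ca_bundle.crt - intermediate certificate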
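Before copying the three files to the web host and the proxy host, it is worth confirming that they belong together and cover the name used later in server_name and ServerName. The following is an added example, not part of the original post: check_cert_bundle is a hypothetical helper name, and it assumes the openssl command line (1.0.2 or later, for -partial_chain and -checkhost) is installed.

```sh
#!/bin/sh
# Added example: consistency checks for certificate.crt, private.key and
# ca_bundle.crt. check_cert_bundle is a hypothetical helper, not part of any tool.
# Usage:   check_cert_bundle DIR HOSTNAME
# Returns: 0 if every check passes, otherwise the number of the failed check.
check_cert_bundle() {
    dir=$1; host=$2
    crt=$dir/certificate.crt; key=$dir/private.key; chain=$dir/ca_bundle.crt

    # 1. private.key must be the key that certificate.crt certifies:
    #    compare the public key extracted from each file.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "1: private.key does not match certificate.crt" >&2; return 1; }

    # 2. The certificate must not have expired (these are 3-month certificates).
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "2: certificate.crt has expired" >&2; return 2; }

    # 3. certificate.crt must be issued by a certificate in ca_bundle.crt.
    #    -partial_chain accepts the intermediate itself as the trust anchor.
    openssl verify -partial_chain -CAfile "$chain" "$crt" >/dev/null 2>&1 ||
        { echo "3: certificate.crt does not chain to ca_bundle.crt" >&2; return 3; }

    # 4. The certificate must cover the host name the servers will use.
    openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q 'does match' ||
        { echo "4: certificate.crt does not cover $host" >&2; return 4; }

    # 5. The private key must not be accessible to group or others.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "5: $key is accessible to group/other" >&2; return 5; }
    return 0
}
```

Run it as `check_cert_bundle /path/to/unpacked/archive inner.domain.com`; a non-zero return value is the number of the first check that failed.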
Environment setup
Web host (192.168.0.10) - nginx
- Add an entry to /etc/hosts
    192.168.0.10 inner.domain.com
- Edit /etc/sysconfig/network
    HOSTNAME=inner.domain.com
- Certificate path
    /etc/nginx/ssl/
Proxy host - apache
- Add an entry to /etc/hosts
    192.168.0.10 inner.domain.com
- Edit /etc/sysconfig/network
    HOSTNAME=proxy.demo
- Certificate path
    /etc/ssl/certs/inner.domain.com/
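VirtualHost configuration files
nginx configuration
server {
    # Enable SSL on both listening sockets
    # ("listen ... ssl" replaces the deprecated "ssl on;" directive)
    listen 443 ssl;
    listen [::]:443 ssl;
    # Paths to the certificate and key
    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    # Note: ssl_client_certificate names the CAs used to verify client
    # certificates; the usual way to serve the intermediate chain is to
    # append ca_bundle.crt to the file given in ssl_certificate.
    ssl_client_certificate /etc/nginx/ssl/ca_bundle.crt;
    server_name inner.domain.com;
    # Do not advertise the nginx version
    server_tokens off;
    root /home/service/website/public;
    index index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
    # Hand PHP requests to the FastCGI backend on localhost
    location ~* \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}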
Apache configuration
<VirtualHost *:443>
    ServerName inner.domain.com
    ErrorLog /var/log/httpd/ssl_error_log
    TransferLog /var/log/httpd/ssl_access_log
    # Terminate SSL from clients and speak SSL to the backend
    SSLEngine On
    SSLProxyEngine On
    # Reverse proxy only: keep forward proxying disabled
    ProxyRequests Off
    # Pass the client's Host header through to the backend
    ProxyPreserveHost On
    SSLCertificateFile /etc/ssl/certs/inner.domain.com/certificate.crt
    SSLCertificateKeyFile /etc/ssl/certs/inner.domain.com/private.key
    SSLCACertificateFile /etc/ssl/certs/inner.domain.com/ca_bundle.crt
    ProxyPass / https://inner.domain.com/
    ProxyPassReverse / https://inner.domain.com/
    # Apache 2.2 access-control syntax; on Apache 2.4 the equivalent is
    # "Require all granted"
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
If the Apache proxy host has no /etc/hosts entry for the backend, you can replace
    ProxyPass / https://inner.domain.com/
    ProxyPassReverse / https://inner.domain.com/
with
    ProxyHTMLInterp On
    ProxyHTMLExtended On
    ProxyHTMLURLMap (.*)192.168.0.10(.*) https://inner.domain.com/$2 [Rin]
    ProxyPass / https://192.168.0.10/
    ProxyPassReverse / https://192.168.0.10/
(This requires the mod_proxy_html module; see Install mod_proxy_html in CentOS.)
Restart both the Apache and nginx services and you are done. (Remember to open the firewall and so on.)
References
Desktop Workspace 4.0 – Advanced Setup Guide
Apache as Reverse Proxy with SSL