Centos

Apache httpd reverse proxy returns SSL_ERROR_RX_RECORD_TOO_LONG when HTTP redirects to HTTPS

  • October 3, 2018

I am setting up an Apache v2.4 httpd reverse proxy for another server that hosts Atlassian Confluence.

The proxy's private IP address is 10.0.0.77, its public IP address is 77.77.77.77, and a DNS A record maps the public IP to confluence.example.com.

There is a NAT:

  • 77.77.77.77:10080 -> 10.0.0.77:80
  • 77.77.77.77:10443 -> 10.0.0.77:443

This is necessary because the proxy's public IP address is also used for other services.

Name resolution on the proxy is done via /etc/hosts, which maps confluence.example.com to the Confluence server's private IP, 10.0.0.9.

This is /etc/httpd/conf.d/confluence.conf (as you can see, it also performs the redirect from HTTP to HTTPS):

<VirtualHost *:80>
   ServerName confluence.example.com
   ProxyRequests off
   ProxyPreserveHost off
   SetEnv force-proxy-request 1
   SetEnv proxy-nokeepalive 1
   ProxyPass        "/" "http://confluence.example.com:8090/"
   ProxyPassReverse "/" "http://confluence.example.com:8090/"
   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost *:443>
   ServerName confluence.example.com
   ServerSignature On
       <Proxy *>
           Order deny,allow
           Allow from all
       </Proxy>
   SSLEngine on
   SSLProtocol ALL -SSLv2 -SSLv3
   SSLHonorCipherOrder on
   # SSL cipher suite shortened for clarity
   SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384"
   SSLCertificateFile    /etc/httpd/ssl/example.crt
   SSLCertificateKeyFile /etc/httpd/ssl/example.key
   SSLCACertificateFile  /etc/httpd/ssl/example.crt
   ProxyRequests off
   ProxyPreserveHost on
   ProxyPass        "/" "http://confluence.example.com:8090/"
   ProxyPassReverse "/" "http://confluence.example.com:8090/"
</VirtualHost>

When accessing http://confluence.example.com:10080 from a browser (or even http://77.77.77.77:10080), the URL changes to https://confluence.example.com:10080 but, instead of showing the Confluence login page, this error is returned:

Secure Connection Failed

An error occurred during a connection to 77.77.77.77:10080. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

This is what gets logged (at debug level) to the http access log:

33.33.33.33 - - [17/Sep/2018:17:06:59 +0200] "GET / HTTP/1.1" 302 208 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0"
33.33.33.33 - - [17/Sep/2018:17:06:59 +0200] "\x16\x03\x01\x02" 400 226 "-" "-"

and to the http error log:

[Mon Sep 17 17:11:58.095085 2018] [core:debug] [pid 23120] protocol.c(1271): [client 33.33.33.33:49745] AH00566: request failed: malformed request line

I have set up separate https access and error logs; nothing is logged there. As you may have guessed, 33.33.33.33 is my outgoing public IP.

Accessing https://confluence.example.com:10443 works fine.

The same configuration works on another Apache v2.2 reverse proxy.

Any hints?

I do this for my Tomcat instances. (Formerly Confluence, now XWiki.)

  1. The http → https vHost is a straight redirect, with no proxying.
  2. The https vHost manages the proxy rewrites for Tomcat, knowing that the URIs follow a sensible pattern.

This is a (slightly) redacted version of my configuration:

<VirtualHost *:80>
       ServerAdmin web@example.com

       ServerName confluence.example.com

       DocumentRoot /home/www/confluence.example.com/docroot


       # Global protection
       #
       <Directory />
               Options none
               AllowOverride None
       </Directory>


       # Send users to canonical website
       #
       Redirect / https://confluence.example.com/


       # Logging
       #
       ServerSignature On
       LogLevel warn
       ErrorLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/public-error.log"
       CustomLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/public-access.log" combined

</VirtualHost>

<VirtualHost *:443>
       ServerAdmin web@example.com

       ServerName confluence.example.com

       DocumentRoot /home/www/confluence.example.com/docroot
       AddDefaultCharset UTF-8


       # Global protection
       #
       <Directory />
               Options none
               AllowOverride None
       </Directory>


       # Access to the application itself
       #
       ProxyPassMatch /(.*) http://confluence.example.com:8090/$1
       ProxyPassReverse / http://confluence.example.com:8090/
       ProxyPassReverseCookieDomain confluence.example.com confluence.example.com


       # Logging
       #
       ServerSignature On

       LogLevel warn rewrite:debug
       ErrorLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/secure-error.log"
       CustomLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/secure-access.log" combined

       #RewriteLogLevel 1
       #RewriteLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/secure-rewrite.log"


       # SSL
       #
       SSLEngine on

       SSLCertificateFile      "...crt"
       SSLCertificateKeyFile   "...key"
       SSLCertificateChainFile "...ca-bundle"

       BrowserMatch "MSIE [2-6]" \
               nokeepalive ssl-unclean-shutdown \
               downgrade-1.0 force-response-1.0
       BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
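The failure the question describes, modelled as added Python (example code, not from the question or the answer above): the RewriteRule echoes the browser's Host header, NAT port 10080 included, so the https:// redirect lands on the plaintext port and the TLS ClientHello shows up in the HTTP access log as `\x16\x03\x01`. It assumes 10443 is the public HTTPS port, as the question states, and the log lines are constructed from the ones posted.

```python
import re
from urllib.parse import urlsplit

PUBLIC_HTTPS_PORT = 10443  # assumption: the NAT port the question says works


def rewrite_location(host_header: str, request_uri: str) -> str:
    """What `RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}` emits:
    HTTP_HOST is the Host header verbatim, NAT'd port 10080 included."""
    return f"https://{host_header}{request_uri}"


def lands_on_tls_listener(location: str) -> bool:
    """True only if the redirect target reaches the public HTTPS port."""
    parts = urlsplit(location)
    return parts.scheme == "https" and (parts.port or 443) == PUBLIC_HTTPS_PORT


def fixed_location(host_header: str, request_uri: str) -> str:
    """Redirect that names the public HTTPS port instead of echoing Host."""
    hostname = urlsplit("//" + host_header).hostname
    return f"https://{hostname}:{PUBLIC_HTTPS_PORT}{request_uri}"


# Apache writes non-printable request-line bytes as \xNN; a TLS handshake
# record starts 0x16 0x03 0x0N, which is exactly what the question's log shows.
TLS_RECORD_IN_REQUEST = re.compile(r'"\\x16\\x03\\x0[0-4]')
ACCESS_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3})')


def tls_hellos_on_plaintext_vhost(log_lines):
    """Return (client_ip, status) for access-log entries whose 'request line'
    is really a TLS ClientHello, i.e. a client spoke TLS to the plaintext port."""
    hits = []
    for line in log_lines:
        m = ACCESS_LINE.match(line)
        if m and TLS_RECORD_IN_REQUEST.search(line):
            hits.append((m.group(1), int(m.group(2))))
    return hits


# Constructed sample modelled on the two lines the question posted.
SAMPLE_ACCESS_LOG = [
    r'33.33.33.33 - - [17/Sep/2018:17:06:59 +0200] "GET / HTTP/1.1" 302 208 "-" "Mozilla/5.0"',
    r'33.33.33.33 - - [17/Sep/2018:17:06:59 +0200] "\x16\x03\x01\x02" 400 226 "-" "-"',
]

if __name__ == "__main__":
    loc = rewrite_location("confluence.example.com:10080", "/")
    print(loc, "->", "ok" if lands_on_tls_listener(loc) else "wrong port")
    print(fixed_location("confluence.example.com:10080", "/"))
    print(tls_hellos_on_plaintext_vhost(SAMPLE_ACCESS_LOG))
```

A `"\x16\x03\x01..."` request line with a 400 on the port-80 vhost, paired with a 302 from the same client one second earlier, is the log signature to look for when a redirect or link sends https:// traffic to a plaintext port.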

Quoted from: https://unix.stackexchange.com/questions/469766