Set up Apache as a front end that reverse-proxies to a Tomcat service, including enabling HTTPS and the forwarding configuration that goes with it.
Environment: CentOS 6.9, Tomcat 7
Port 80 configuration: force every plain-HTTP request over to the HTTPS port, using mod_rewrite
<VirtualHost *:80>
    DocumentRoot /var/www/html/samplefolder
    ServerName www.sample.com
    ServerAlias www.sample1.com

    <Directory /var/www/html/samplefolder>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Redirect any request that did not arrive over TLS to the HTTPS site (needs mod_rewrite)
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    # In VirtualHost context the matched path starts with "/", so make the leading
    # slash optional; otherwise the target would contain a double "//"
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

    ErrorLog logs/error.log
    LogLevel warn
    CustomLog logs/access.log combined
</VirtualHost>
Port 443 (HTTPS) configuration: set the X-Forwarded-Proto request header to "https" so that Tomcat can tell the original request came in over HTTPS
<VirtualHost *:443>
    # Tell Tomcat that the original request was HTTPS. "set" (not "append") overwrites
    # any X-Forwarded-Proto the client may have sent (needs mod_headers)
    RequestHeader set X-Forwarded-Proto "https"
    DocumentRoot /var/www/html/samplefolder
    ServerName www.sample.com
    ServerAlias www.sample1.com

    <Directory /var/www/html/samplefolder>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # When the certificate is issued through Aliyun, ready-made Apache configuration
    # details like the following are provided (needs mod_ssl)
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/httpd/certs/public.pem
    SSLCertificateKeyFile /etc/httpd/certs/XXXXX.key
    SSLCertificateChainFile /etc/httpd/certs/chain.pem

    # Hand all requests to Tomcat on the loopback interface (needs mod_proxy, mod_proxy_http).
    # ProxyPreserveHost passes the original Host header through, so Tomcat builds
    # URLs for www.sample.com rather than for 127.0.0.1:8080
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    ProxyPreserveHost On

    ErrorLog logs/error.log
    LogLevel warn
    CustomLog logs/access.log combined
</VirtualHost>
In Tomcat's conf/server.xml, declare that the header is to be read, so that server-side redirects keep pointing back to the https domain. Without this, Tomcat only sees the plain-HTTP connection from Apache on port 8080 and would build http:// Location URLs.
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
    <!-- Take the scheme from the X-Forwarded-Proto header set by the Apache front end,
         so request.getScheme()/isSecure() and redirect URLs use https.
         The valve honours the header only from peers in its internalProxies
         (loopback and private ranges by default), which covers 127.0.0.1. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           protocolHeader="X-Forwarded-Proto" />
    <!-- Quotes inside an XML attribute must be written as &quot; -->
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
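To make the trust chain between the two configurations above concrete, here is an added Python model (written for this page; it is not httpd or Tomcat code) of what `RequestHeader set` on the Apache side and `RemoteIpValve` with `protocolHeader` on the Tomcat side do with X-Forwarded-Proto. The proxy address ranges, the host name www.sample.com and the sample paths are constructed; the ranges approximate the valve's default internalProxies and are not copied from Tomcat.

```python
"""Model of the X-Forwarded-Proto trust chain: Apache *:443 vhost -> Tomcat RemoteIpValve.

Added illustration for this page, not httpd/Tomcat source.  INTERNAL_PROXY_NETS is a
constructed approximation of RemoteIpValve's default internalProxies.
"""
import ipaddress
from typing import Dict, Tuple

# Peers in these loopback/private ranges are treated as trusted proxies, so the
# Apache instance connecting from 127.0.0.1 is trusted while an outside peer is not.
INTERNAL_PROXY_NETS = tuple(
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "169.254.0.0/16")
)


def is_internal_proxy(remote_addr: str) -> bool:
    """True when the TCP peer address falls inside a trusted proxy range."""
    ip = ipaddress.ip_address(remote_addr)
    return any(ip in net for net in INTERNAL_PROXY_NETS)


def apache_https_frontend(client_headers: Dict[str, str]) -> Dict[str, str]:
    """Headers the *:443 vhost forwards to Tomcat.

    'RequestHeader set X-Forwarded-Proto "https"' replaces the header rather than
    appending to it, so whatever the client sent is overwritten.
    """
    forwarded = {k.lower(): v for k, v in client_headers.items()}
    forwarded["x-forwarded-proto"] = "https"
    return forwarded


def resolve_scheme(remote_addr: str, headers: Dict[str, str],
                   protocol_header: str = "X-Forwarded-Proto",
                   https_value: str = "https") -> Tuple[str, bool]:
    """Approximate RemoteIpValve with protocolHeader configured.

    Returns (scheme, secure) as the webapp would see them.  The header is only
    honoured when the peer is an internal proxy; otherwise the request keeps the
    plain-HTTP view of the 8080 connector.
    """
    if not is_internal_proxy(remote_addr):
        return "http", False
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(protocol_header.lower())
    if value is None:
        return "http", False          # valve leaves the request untouched
    if value.strip().lower() == https_value.lower():
        return "https", True
    return "http", False


def redirect_location(scheme: str, host: str, path: str) -> str:
    """Absolute Location a servlet redirect produces.  The host is the preserved
    Host header (ProxyPreserveHost On), the scheme is what the valve resolved."""
    return f"{scheme}://{host}{path}"


if __name__ == "__main__":
    host = "www.sample.com"  # constructed, matches the vhost above
    # 1. Normal path: browser -> Apache :443 -> Tomcat :8080
    scheme, secure = resolve_scheme("127.0.0.1", apache_https_frontend({}))
    print(redirect_location(scheme, host, "/app/login"), secure)
    # 2. Client sends its own X-Forwarded-Proto; Apache's "set" overwrites it
    scheme, _ = resolve_scheme("127.0.0.1",
                               apache_https_frontend({"X-Forwarded-Proto": "http"}))
    print(scheme)
    # 3. The same header arriving from a non-proxy peer is ignored by the valve
    print(resolve_scheme("203.0.113.7", {"X-Forwarded-Proto": "https"}))
    # 4. Valve configured but the header is missing: Tomcat would build http://
    #    redirects, which the :80 vhost then bounces back to https
    scheme, _ = resolve_scheme("127.0.0.1", {})
    print(redirect_location(scheme, host, "/app/"))
```

Case 3 is why the valve gates on the peer address rather than on the header alone; it also shows that the model only holds while port 8080 is reachable solely from the proxy, so keep the Tomcat connector off public interfaces.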