Set up Apache as a front-end, reverse-proxying to a Tomcat service, with HTTPS enabled and the forwarding configuration needed for it.
Environment: CentOS 6.9, Tomcat 7
Port 80 configuration: force a redirect to the HTTPS port, implemented with mod_rewrite
<VirtualHost *:80>
DocumentRoot /var/www/html/samplefolder
ServerName www.sample.com
ServerAlias www.sample1.com
<Directory /var/www/html/samplefolder>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# Requires mod_rewrite. The pattern matches after the leading "/" so the redirect target does not get a double slash.
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
ErrorLog logs/error.log
LogLevel warn
CustomLog logs/access.log combined
</VirtualHost>
Port 443 (HTTPS) configuration: set the X-Forwarded-Proto request header to https so that Tomcat can recognise the original protocol
<VirtualHost *:443>
RequestHeader set X-Forwarded-Proto "https"
DocumentRoot /var/www/html/samplefolder
ServerName www.sample.com
ServerAlias www.sample1.com
<Directory /var/www/html/samplefolder>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
#### When the certificate is issued by Alibaba Cloud, ready-made Apache configuration details are provided with it
SSLEngine On
# Disables only SSLv2/SSLv3; TLS 1.0 and 1.1 remain enabled with this setting.
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
SSLHonorCipherOrder on
SSLCertificateFile /etc/httpd/certs/public.pem
SSLCertificateKeyFile /etc/httpd/certs/XXXXX.key
SSLCertificateChainFile /etc/httpd/certs/chain.pem
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
# Pass the original Host header through so Tomcat builds redirects for www.sample.com rather than 127.0.0.1:8080
ProxyPreserveHost On
ErrorLog logs/error.log
LogLevel warn
CustomLog logs/access.log combined
</VirtualHost>
In Tomcat's conf/server.xml, declare that this header is to be extracted, so that server-side redirects continue to point back to the https domain
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
<!-- RemoteIpValve only honours X-Forwarded-Proto when the connection comes from an internal proxy address (127.0.0.1 here) -->
<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" />
<!-- In XML attributes the quotes around %r must be escaped as &quot; -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
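As an added example (not Tomcat's code and not part of the original post), the following Python models the RemoteIpValve rules the server.xml above relies on: the forwarded headers are honoured only when the peer is an internal proxy, which is why a client reaching port 8080 directly cannot make the webapp believe it is on https. The connector port 8080, the client address 203.0.113.5 and the Host name are constructed values.

```python
# Simplified model of Tomcat's RemoteIpValve (constructed example, not Tomcat code).
import ipaddress

# Tomcat's default internalProxies (loopback, RFC1918, link-local),
# written as networks instead of the valve's regular expression.
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PROXIES)


def resolve_request(remote_addr, headers, protocol_header="X-Forwarded-Proto"):
    """Return the (remote_addr, scheme, secure, server_port) the webapp sees.

    Starts from what the connector on 8080 observes (constructed port) and
    applies the valve's rewriting.
    """
    scheme, secure, port = "http", False, 8080
    if not is_internal(remote_addr):
        return remote_addr, scheme, secure, port  # untrusted peer: headers ignored
    # X-Forwarded-For is read right to left; internal hops are skipped and the
    # first external address becomes the client address.
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_internal(hop):
            remote_addr = hop
            break
    proto = headers.get(protocol_header, "").strip().lower()
    if proto == "https":
        scheme, secure, port = "https", True, 443   # valve's httpsServerPort default
    elif proto == "http":
        scheme, secure, port = "http", False, 80    # valve's httpServerPort default
    return remote_addr, scheme, secure, port


def redirect_location(remote_addr, headers, host, path):
    """Absolute Location that a servlet's sendRedirect(path) yields after the valve.

    'host' is the Host header, which ProxyPreserveHost On keeps as the public name.
    """
    _, scheme, _, port = resolve_request(remote_addr, headers)
    default = 443 if scheme == "https" else 80
    authority = host if port == default else "%s:%d" % (host, port)
    return "%s://%s%s" % (scheme, authority, path)
```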