背景
在Linux系统上运行了httpd和tomcat,又绑定了域名后, 想通过Apache自动转发请求到tomcat
经过
配置Apache转发tomcat共用80端口
这一步比较简单,直接在Apache的配置文件里新增虚拟主机监听80端口,对指定路径下的请求做代理转发就行
这里http请求默认是80端口,而且apache默认监听端口也是80端口,如果特殊配置则对着修改
转发请求给tomcat的是8080端口,如果有额外配置同理
<VirtualHost *:80>ServerName www.domain.comProxyRequests Off# 这里声明默认‘/’ 路径下的请求,映射到project项目路径下Alias / /var/www/html/project/<Location />Satisfy Any</Location># 这里声明/app 路径下的请求,自动转发给tomcat以及返回ProxyPass /app http://localhost:8080/app/ProxyPassReverse /app http://localhost:8080/app/
</VirtualHost>
Apache配置ssl实现https访问
- 启用ssl模块
LoadModule ssl_module modules/mod_ssl.so
- 配置ssl虚拟机(我apache默认没有mod_ssl.so模块,所以通过安装openssl添加,同时也自动生成了ssl.conf文件),具体有三个点需要根据自己实际修改
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512SSLCryptoDevice builtin<VirtualHost _default_:443># 第一个要点ServerName www.domain.comErrorLog logs/ssl_error_logTransferLog logs/ssl_access_logLogLevel warnSSLEngine onSSLProtocol all -SSLv2 -SSLv3SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA# 第二个要点SSLCertificateFile 证书路径SSLCertificateKeyFile 证书key路径SSLCertificateChainFile 如果有chain文件则添加该配置,没有则#注释掉即可<Files ~ "\.(cgi|shtml|phtml|php3?)$">SSLOptions +StdEnvVars</Files><Directory "/var/www/cgi-bin">SSLOptions +StdEnvVars</Directory>BrowserMatch "MSIE [2-5]" \nokeepalive ssl-unclean-shutdown \downgrade-1.0 force-response-1.0CustomLog logs/ssl_request_log \"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"# 这里需要注意的是,路径代表着你请求的映射的根目录# 假设我apache下有a,b两个项目,我可以通过www.domain.com/a,www.domain.com/b分别访问各个项目下的静态文件# 但是如果想要访问/var/www/html/a/index.html文件时,不同配置下的结果是:# DocumentRoot "/var/www/html" www.domain.com/a/index.html# DocumentRoot "/var/www/html/a" www.domain.com/index.html# 具体根据实际需求来# 第三个要点DocumentRoot "/var/www/html/project"
</VirtualHost>
- 重启apache即可
这时候会发现,apache的静态资源可以通过http跟https成功访问了,但是https下请求tomcat动态资源失败,因为https请求是通过443端口请求的,而我们的动态转发只监听了80端口,所以新增一个443端口监听
<VirtualHost *:443>ServerName www.domain.comProxyRequests Off# 静态资源Alias / /var/www/html/project/<Location />Satisfy Any</Location># 动态tomcatProxyPass /app http://localhost:8080/app/ProxyPassReverse /app http://localhost:8080/app/
</VirtualHost>
这时候会提示ERR_SSL_PROTOCOL_ERROR
tomcat配置ssl实现https访问
默认监听的8080端口配置不变动,用于接收http请求,新增监听端口8081(这里使用的是pfx证书)用于接收https请求
<Connector protocol="org.apache.coyote.http11.Http11Protocol"port="8081" SSLEnabled="true" scheme="https" secure="true"keystoreFile="证书路径" keystoreType="PKCS12" keystorePass="证书密码"clientAuth="false"SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"redirectPort="8443"/>
修改apache对于443监听转发的配置,新增ssl代理配置,传递给tomcat
<VirtualHost *:443>ServerName domain.top:443ProxyRequests Off# 静态资源Alias / /var/www/html/project/<Location />Satisfy Any</Location># SSL代理ProxyPreserveHost OnSSLProxyEngine onSSLEngine on# 根据实际配置sslSSLCertificateFile xxx.crtSSLCertificateKeyFile xxx.keySSLCertificateChainFile xxx.crt# 动态tomcatProxyPass /app https://localhost:8081/app/ProxyPassReverse /app https://localhost:8081/app/
</VirtualHost>
总结
- 配置apache和tomcat的ssl证书
- apache新增80端口、443端口的转发监听,443端口需要增加ssl代理配置
