Apache OpenMeetings 4.0.4 CSRF attack when apache2 is used as a proxy



I have Apache OpenMeetings 4.0.4 with Apache/2.2.22 as a proxy.

In OM's conf/red5.properties I have

http.port=8080

I want to do two things:

  1. redirect HTTP (80) -> HTTPS (443)

  2. redirect HTTP (8080) -> HTTPS (443)

My /etc/apache2/sites-available/default-conf is:

<VirtualHost *:80>
ServerName domain.test-test.eu
ServerAlias domain.test-test.eu
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost *:8080>
ServerName domain.test-test.eu
ServerAlias domain.test-test.eu
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

My /etc/apache2/sites-available/default-ssl-conf is:

<VirtualHost *:443>
ServerName domain.test-test.eu
ServerAlias domain.test-test.eu
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
SSLEngine On
SSLCertificateFile /etc/apache2/certs/collaboration.crt
SSLCertificateKeyFile /etc/apache2/certs/collaboration.key
SSLCertificateChainFile /etc/apache2/certs/chain.pem
</VirtualHost>

When I type http://domain.test-test.eu/ it redirects me to https://domain.test-test.eu.

When I type http://192.168.XXX.YYY it redirects me to https://192.168.XXX.YYY

But when I type http://192.168.XXX.YYY:8080 or http://domain.test-test.eu:8080 it does not redirect me to https://192.168.XXX.YYY or https://domain.test-test.eu/. The page opens (without HTTPS).

The second problem is that in the OM log I can see CSRF messages, and I cannot log in over HTTPS.

The message in the OM log:

[http-nio-0.0.0.0-8080-exec-10] INFO o.a.w.p.h.CsrfPreventionRequestCycleListener - Possible CSRF attack, request URL: http://192.168.XXX.YYY/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage, Origin: https://192.168.XXX.YYY, action: aborted with error 400 Origin does not correspond to request

How should I change the Apache settings to make this work?

I'm afraid "redirect HTTP (8080) to HTTPS (443)" cannot be set up.

If you run OpenMeetings on port 8080, you cannot use that port for Apache, and vice versa. An Internet port should be used either by OM or by Apache, not by both.

I would close port 8080 at the FW level to deny direct access to OM. (Please remove the rules for <VirtualHost *:8080>, otherwise OM will not start and will report Port already in use.)

Now regarding CSRF:

You need to modify conf/jee-container.xml and add the following property

<property name="secure" value="true" />

right before <property name="connectionProperties"> (the one under <!-- Tomcat without SSL enabled -->).

This should fix your problem.

But OpenMeetings will not work with this configuration....

Because you also need to proxy WebSockets....

So you also need mod_rewrite and mod_proxy_wstunnel.

Then you need to add the following section:

RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://localhost:8080/$1 [P,L]
RedirectMatch ^/$ https://domain.test-test.eu/openmeetings

Additionally, you might want to tunnel the RTMP traffic, which requires special rules for open, send, idle and close.

Here is the final config for Apache 2.4:

<VirtualHost *:443>
ServerName domain.test-test.eu
## Vhost docroot
DocumentRoot "/var/www/"
## Directories, there should at least be a declaration for /var/www/
<Directory "/var/www/">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Require all granted
</Directory>
## Logging
ErrorLog "/var/log/apache2/domain.test-test.eu-ssl-error.log"
ServerSignature Off
CustomLog "/var/log/apache2/domain.test-test.eu.http_access.log" combined
## SSL directives
SSLEngine on
SSLCertificateFile      "/_certs_path_/domain.test-test.eu/fullchain.pem"
SSLCertificateKeyFile   "/_certs_path_/domain.test-test.eu/privkey.pem"
SSLCACertificatePath    "/_CA_certs_path_"
###      OpenMeetings    ###
## Custom fragment
RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://localhost:5080/$1 [P,L]
RedirectMatch ^/$ https://domain.test-test.eu/openmeetings
ProxyPreserveHost On
<Location /openmeetings>
Require all granted
ProxyPass http://localhost:5080/openmeetings
ProxyPassReverse http://localhost:5080/openmeetings
RewriteEngine On
RewriteRule ^/(.*) http://localhost:5080/$1 [P]
</Location>
<Location /open>
Require all granted
ProxyPass http://localhost:5080/open
ProxyPassReverse http://localhost:5080/open
</Location>
<Location /send>
Require all granted
ProxyPass http://localhost:5080/send
ProxyPassReverse http://localhost:5080/send
</Location>
<Location /idle>
Require all granted
ProxyPass http://localhost:5080/idle
ProxyPassReverse http://localhost:5080/idle
</Location>
<Location /close>
Require all granted
ProxyPass http://localhost:5080/close
ProxyPassReverse http://localhost:5080/close
</Location>
</VirtualHost>

Works as expected for me :)

In the "default" file I have:
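The log line quoted in the question records exactly the check that rejects the login: behind the TLS-terminating proxy the backend sees the request as http://..., while the browser's Origin header says https://..., so scheme and effective port differ and Wicket aborts with 400. The script below is an added example, not OpenMeetings, Wicket or Apache code: it parses that log line, reproduces the (scheme, host, effective port) comparison an origin check performs, and models the effect of the jee-container.xml secure property from the answer as an assumption that the backend then builds https URLs for requests on that connector. The names parse_csrf_log, origin_tuple, as_seen_by_backend and diagnose are mine, and the sample line is constructed from the one in the question.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the CsrfPreventionRequestCycleListener line from the question,
# with the address placeholder left exactly as the asker wrote it.
SAMPLE_LOG_LINE = (
    "[http-nio-0.0.0.0-8080-exec-10] INFO o.a.w.p.h.CsrfPreventionRequestCycleListener "
    "- Possible CSRF attack, request URL: http://192.168.XXX.YYY/openmeetings/wicket/"
    "bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage, "
    "Origin: https://192.168.XXX.YYY, action: aborted with error 400 "
    "Origin does not correspond to request"
)

# Field layout taken from the line above (assumption: other lines use the same layout).
LOG_RE = re.compile(
    r"Possible CSRF attack, request URL: (?P<request_url>\S+), "
    r"Origin: (?P<origin>\S+), action: (?P<action>.*)$"
)

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csrf_log(line):
    """Return request URL, Origin header and action from a CSRF log line, or None."""
    match = LOG_RE.search(line)
    return match.groupdict() if match else None


def origin_tuple(url):
    """Reduce a URL to the (scheme, host, effective port) triple an origin check compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def origin_matches(request_url, origin):
    """True when the Origin header names the same origin as the request URL."""
    return origin_tuple(request_url) == origin_tuple(origin)


def as_seen_by_backend(request_url, connector_secure):
    """Model (an assumption, not Tomcat code) of the secure=true fix: the backend
    treats requests arriving on that connector as https when it builds URLs."""
    if not connector_secure:
        return request_url
    parts = urlsplit(request_url)
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


def diagnose(line, connector_secure=False):
    """Explain why a logged request was rejected, or would pass with the fix applied."""
    fields = parse_csrf_log(line)
    if fields is None:
        return "not a CSRF log line"
    seen = as_seen_by_backend(fields["request_url"], connector_secure)
    if origin_matches(seen, fields["origin"]):
        return "ok: Origin %r matches request %r" % (fields["origin"], seen)
    return "mismatch: request %r vs Origin %r" % (
        origin_tuple(seen), origin_tuple(fields["origin"]))


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG_LINE))                         # mismatch, as in the question
    print(diagnose(SAMPLE_LOG_LINE, connector_secure=True))  # ok once the backend is told it is https
```

The practical check this gives a defender: after changing jee-container.xml and restarting OM, the same log line should no longer appear for the sign-in page; if it does, the backend is still building http URLs and the proxy/connector settings need another look before anything else (certificates, browsers) is suspected.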

<VirtualHost *:80>
ServerName domain.test-test.eu
ServerAlias domain.test-test.eu
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

So when somebody types http://domain.test-test.eu it redirects to https://domain.test-test.eu

My "default-ssl" file is almost identical to yours (I use 8080/tcp for OM). I am using self-signed certificates for OM (at the moment they are not issued for CN=domain.test-test.eu but for CN=testname.eu; I will change that once OM works).

Unfortunately, this configuration doesn't work. I can see two black dots around. Maybe because of outdated browsers (FF version 52.4.1 and Chromium version 51.0.2704.79) or a wrong site certificate?

The Apache config provided by Maxim is working. Thank you, Maxim!
