Redirect an internal IP from HTTP to HTTPS with Apache

Posted: 2011-04-19 02:09:42

Question:

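Hi all - I've looked this up here and on Google, but none of the suggestions seem to work for me. I'm working with an internal site at the moment, so the endpoint is an IP rather than a URL. Accessing the site over HTTPS works, but HTTP just says "unable to establish a connection". I can't seem to find anything in the logs that explains why. I get warnings about my certificate because it is self-signed, but I don't think that is what's causing it. I've tried a rewrite and a redirect separately, with no luck. I have both of them commented out below, but I have tried each of them.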

#<VirtualHost *:80>
#    RewriteEngine On
#    RewriteCond %{HTTPS} off
#    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
#</VirtualHost>
<VirtualHost *:443>
    ServerName 192.168.xxx.xxx
    ProxyRequests Off
    ProxyPreserveHost On
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>
#Redirect permanent http://192.168.xxx.xxx https://192.168.xxx.xxx

Here is the requested error log. rewrite_log stays empty.

[Wed Sep 29 17:22:17 2010] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Sep 29 17:22:17 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Sep 29 17:22:17 2010] [info] Init: Seeding PRNG with 256 bytes of entropy
[Wed Sep 29 17:22:17 2010] [notice] SSL FIPS mode disabled
[Wed Sep 29 17:22:17 2010] [info] Loading certificate & private key of SSL-aware server
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Wed Sep 29 17:22:17 2010] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Sep 29 17:22:17 2010] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Sep 29 17:22:17 2010] [info] Init: Initializing (virtual) servers for SSL
[Wed Sep 29 17:22:17 2010] [info] Configuring server for SSL protocol
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_init.c(792): Configuring RSA server certificate
[Wed Sep 29 17:22:17 2010] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Sep 29 17:22:17 2010] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_init.c(831): Configuring RSA server private key
[Wed Sep 29 17:22:17 2010] [info] mod_ssl/2.2.16 compiled against Server: Apache/2.2.16, Library: OpenSSL/1.0.0a-fips
[Wed Sep 29 17:22:17 2010] [notice] Digest: generating secret for digest authentication ...
[Wed Sep 29 17:22:17 2010] [notice] Digest: done
[Wed Sep 29 17:22:17 2010] [debug] util_ldap.c(1990): LDAP merging Shared Cache conf: shm=0x1df29a8 rmm=0x1df29d8 for VHOST: 192.168.xxx.xxx
[Wed Sep 29 17:22:17 2010] [debug] util_ldap.c(1990): LDAP merging Shared Cache conf: shm=0x1df29a8 rmm=0x1df29d8 for VHOST: jira.test.com
[Wed Sep 29 17:22:17 2010] [debug] util_ldap.c(1990): LDAP merging Shared Cache conf: shm=0x1df29a8 rmm=0x1df29d8 for VHOST: jira.test.com
[Wed Sep 29 17:22:17 2010] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Wed Sep 29 17:22:17 2010] [info] LDAP: SSL support available
[Wed Sep 29 17:22:17 2010] [info] Init: Seeding PRNG with 256 bytes of entropy
[Wed Sep 29 17:22:17 2010] [notice] SSL FIPS mode disabled
[Wed Sep 29 17:22:17 2010] [info] Loading certificate & private key of SSL-aware server
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Wed Sep 29 17:22:17 2010] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Sep 29 17:22:17 2010] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Sep 29 17:22:17 2010] [debug] ssl_scache_shmcb.c(253): shmcb_init allocated 512000 bytes of shared memory
[Wed Sep 29 17:22:17 2010] [debug] ssl_scache_shmcb.c(272): for 511952 bytes (512000 including header), recommending 32 subcaches, 133 indexes each
[Wed Sep 29 17:22:17 2010] [debug] ssl_scache_shmcb.c(306): shmcb_init_memory choices follow
[Wed Sep 29 17:22:17 2010] [debug] ssl_scache_shmcb.c(308): subcache_num = 32
[Wed Sep 29 17:22:17 2010] [debug] ssl_scache_shmcb.c(310): subcache_size = 15996
[Wed Sep 29 17:22:17 2010] [debug] ssl_scache_shmcb.c(312): subcache_data_offset = 2144
[Wed Sep 29 17:22:17 2010] [debug] ssl_scache_shmcb.c(314): subcache_data_size = 13852
[Wed Sep 29 17:22:17 2010] [debug] ssl_scache_shmcb.c(316): index_num = 133
[Wed Sep 29 17:22:17 2010] [info] Shared memory session cache initialised
[Wed Sep 29 17:22:17 2010] [info] Init: Initializing (virtual) servers for SSL
[Wed Sep 29 17:22:17 2010] [info] Configuring server for SSL protocol
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_init.c(792): Configuring RSA server certificate
[Wed Sep 29 17:22:17 2010] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Sep 29 17:22:17 2010] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_init.c(831): Configuring RSA server private key
[Wed Sep 29 17:22:17 2010] [info] mod_ssl/2.2.16 compiled against Server: Apache/2.2.16, Library: OpenSSL/1.0.0a-fips
[Wed Sep 29 17:22:17 2010] [error] avahi_entry_group_add_service_strlst("192.168.xxx.xxx") failed: Invalid host name
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 6661 for worker proxy:reverse
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 6660 for worker proxy:reverse
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 6660 for (*)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 6660 for worker http://localhost:8080/
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 6660 for (localhost)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 6662 for worker proxy:reverse
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 6661 for (*)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 6663 for worker proxy:reverse
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 6661 for worker http://localhost:8080/
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker http://localhost:8080/ already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 6663 for (*)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 6663 for worker http://localhost:8080/
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 6661 for (localhost)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker http://localhost:8080/ already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 6663 for (localhost)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 6662 for (*)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 6662 for worker http://localhost:8080/
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker http://localhost:8080/ already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 6662 for (localhost)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 6664 for worker proxy:reverse
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 6664 for (*)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 6664 for worker http://localhost:8080/
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker http://localhost:8080/ already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 6664 for (localhost)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 6665 for worker proxy:reverse
[Wed Sep 29 17:22:17 2010] [notice] Apache/2.2.16 (Unix) DAV/2 mod_ssl/2.2.16 OpenSSL/1.0.0a-fips configured -- resuming normal operations
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Wed Sep 29 17:22:17 2010] [info] Server built: Jul 27 2010 15:58:08
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 6665 for (*)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 6665 for worker http://localhost:8080/
[Wed Sep 29 17:22:17 2010] [debug] prefork.c(1013): AcceptMutex: sysvsem (default: sysvsem)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker http://localhost:8080/ already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 6665 for (localhost)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 6666 for worker proxy:reverse
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 6666 for (*)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 6666 for worker http://localhost:8080/
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 6667 for worker proxy:reverse
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker http://localhost:8080/ already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 6667 for (*)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 6666 for (localhost)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 6667 for worker http://localhost:8080/
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker http://localhost:8080/ already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 6667 for (localhost)


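Answer 1:

If the first section of that file is commented out, Apache has no configuration telling it to listen on port 80 (HTTP).

You need both sites running so that both of them give you a response (even if the HTTP response is just "go to HTTPS").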

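Comments:

Sorry, I see you commented out the code above on purpose. What happens when neither VirtualHost section is commented out? Does the HTTP request fail, or does it redirect to a failing HTTPS page?

With both VirtualHost sections uncommented, HTTPS resolves fine; the HTTP address returns "Firefox can't establish a connection to the server". Above these sections I have NameVirtualHost *:80 and NameVirtualHost *:443.

Is there a log I can check to see whether Apache received the request and whether the rewrite happened? I don't see this in any of the files in the httpd/logs directory.

After one HTTP request with loglevel set to debug, here is a dump of error.log .... hmm ... I'll have to put it in an answer below.

Is the Listen directive also enabled on port 80 (perhaps in a different config file)?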
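The fix the answer and the last comment point to, as an added example that is not part of the original thread: a port-80 listener plus a plain-HTTP virtual host whose only job is to redirect. It assumes Apache 2.2 as shown in the log, that `Listen 443` is already declared elsewhere (HTTPS works), and it reuses the question's placeholder address.

```apache
# Added example, not the poster's configuration. 192.168.xxx.xxx is the
# placeholder address used in the question.

# Without a Listen for port 80 nothing accepts the TCP connection, which the
# browser reports as "can't establish a connection". Declare each Listen
# exactly once across all included files (a duplicate stops httpd from
# starting). Assumption: "Listen 443" already exists elsewhere.
Listen 80

# Apache 2.2 name-based virtual hosting, as mentioned in the comments.
NameVirtualHost *:80
NameVirtualHost *:443

# Plain-HTTP vhost: serves no content, only answers with a 301 to HTTPS.
<VirtualHost *:80>
    ServerName 192.168.xxx.xxx
    # mod_alias Redirect takes a URL *path* first, then the target URL; the
    # rest of the requested path is appended to the target. A fixed target
    # also avoids echoing the client-supplied Host header into Location.
    Redirect permanent / https://192.168.xxx.xxx/

    # mod_rewrite equivalent (use one or the other, not both):
    # RewriteEngine On
    # RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# HTTPS vhost: unchanged from the question.
<VirtualHost *:443>
    ServerName 192.168.xxx.xxx
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>
```

After a reload, `httpd -S` should list a `*:80` virtual host, and `curl -I http://192.168.xxx.xxx/` should return a 301 whose Location header points at the https:// URL.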
