具有SSL终止的Apache前向代理

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了具有SSL终止的Apache前向代理相关的知识,希望对你有一定的参考价值。

我正在尝试设置一个终止SSL连接的Apache Forward Proxy。我试图这样做的原因是在返回的代码上运行Apache过滤器(特别是mod_pagespeed)。在我处理mod_pagespeed之前,我正在通过尝试在响应中插入一个标头来测试这个POC(这将证明我可以编辑响应),但我遇到了SSL代理问题(非SSL代理工作正常) 。

请注意,我并不担心任何证书错误等 - 这纯粹是为了内部测试。

我已经设置了服务器并在非SSL页面上看到了X-MSCProxy Header:

jshannon-macbookpro:pagespeed_proxy jshannon$ curl -vv --proxy pagespeed_proxy:3ja82ad9@localhost:8080 -D - -o /dev/null http://www.slate.com

* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
* Proxy auth using Basic with user 'pagespeed_proxy'
> GET http://www.slate.com/ HTTP/1.1
> Host: www.slate.com
...
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Mon, 30 Oct 2017 18:10:40 GMT
Date: Mon, 30 Oct 2017 18:10:40 GMT
< Server: Apache/2.2.29 (Amazon)
Server: Apache/2.2.29 (Amazon)
...
< Content-Length: 187051
Content-Length: 187051
...
< X-Instart-Request-ID: 8286987369135064135:FWP01-NPPRY22:1509387040:0
X-Instart-Request-ID: 8286987369135064135:FWP01-NPPRY22:1509387040:0
< Via: 1.1 172.17.0.2:8080
Via: 1.1 172.17.0.2:8080
< X-MSCProxy: SansPS
X-MSCProxy: SansPS

但是当我向Slate的SSL页面发出相同的请求时,我看不到我的代理:

jshannon-macbookpro:pagespeed_proxy jshannon$ curl -vv --proxy pagespeed_proxy:3ja82ad9@localhost:8080 -D - -o /dev/null https://www.slate.com

* Connected to localhost (::1) port 8080 (#0)
* Establish HTTP proxy tunnel to www.slate.com:443
* Proxy auth using Basic with user 'pagespeed_proxy'
> CONNECT www.slate.com:443 HTTP/1.1
> Host: www.slate.com:443

< HTTP/1.0 200 Connection Established
HTTP/1.0 200 Connection Established
< Proxy-agent: Apache/2.4.25 (Debian)
Proxy-agent: Apache/2.4.25 (Debian)
< 

* Proxy replied OK to CONNECT request
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: ssl004.insnw.net
* Server certificate: GlobalSign CloudSSL CA - SHA256 - G3
* Server certificate: GlobalSign Root CA
> GET / HTTP/1.1
> Host: www.slate.com
> User-Agent: curl/7.54.0
> Accept: */*
> 

< Content-Length: 187044
Content-Length: 187044
< Connection: keep-alive
Connection: keep-alive
< Server: Apache/2.2.29 (Amazon)
Server: Apache/2.2.29 (Amazon)
< X-Instart-Request-ID: 762420041708891440:FWP01-NPPRY21:1509387251:0
X-Instart-Request-ID: 762420041708891440:FWP01-NPPRY21:1509387251:0

我发现很多帖子都说这是可能的(而且,从技术上来说,它应该是)各种httpd.conf建议,但我尝试过的任何东西都没有用。现在我的httpd.conf看起来像:

<VirtualHost *:8080>
  ProxyRequests On
  ProxyVia On

  Header set X-MSCProxy SansPS

  #SSLEngine On
  # suggestion that this allows termination
  ProxyPreserveHost On

  SSLProxyEngine on
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerExpire Off
  SSLProxyCheckPeerName Off

  SSLCertificateFile /etc/apache2/ssl/localhost.crt
  SSLCertificateKeyFile /etc/apache2/ssl/localhost.key

  ModPagespeed Off
</VirtualHost>

FWIW,当我在这个代理上启用SSLEngine时(如建议的那样),那么请求根本无法解决Apache的错误:

[Mon Oct 30 18:20:20.705047 2017] [ssl:info] [pid 372:tid 140147985901312] [client 172.17.0.1:34012] AH01996: SSL handshake failed: HTTP spoken on HTTPS port; trying to send html error page
[Mon Oct 30 18:20:20.705107 2017] [ssl:info] [pid 372:tid 140147985901312] SSL Library Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request -- speaking HTTP to HTTPS port!?

我认为这是有意义的,因为代理协议不期望直接与代理建立HTTPS连接。

答案

我会尝试使用apache的输出过滤器功能。

https://www.modpagespeed.com/doc/configuration#apache_specific

AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER text / html

以上是关于具有SSL终止的Apache前向代理的主要内容,如果未能解决你的问题,请参考以下文章

来自具有早期 SSL 终止的浏览器的 HTTP2

Elastic Load Balancing 非终止 SSL 连接上的代理协议

Nginx https代理,不要终止ssl

具有基本身份验证的 Apache 和 Tomcat 反向代理:Tomcat 可以接收用户名吗?

如何在 Apache 上默认启用完美前向保密?

使用 SSL 的 Apache 名称虚拟主机