Edit: Solved
Edit: replaced 8443 with 8043 (to avoid a potential port-number conflict with the Shibboleth SP)
I am trying to change Apache (Apache 2.4) to listen on ports 8080 and 8043 instead of 80 and 443 (so I don't need sudo/root to start it). An F5 BigIP load balancer in front of it listens on 80 and 443 and load-balances end users to 8080 and 8043 on the web servers.
However, when a web browser visits our site (e.g. https://foo.bar/), our Apache configuration causes it to redirect to port 8043! (e.g. https://foo.bar:8043/baz/). This of course times out (because foo.bar resolves to the IP of the F5 BigIP device, and nothing listens on port 8043 there).
The relevant Apache config looks like this:
    <Proxy balancer://UM>
        Order deny,allow
        Allow from all
        BalancerMember ajp://10.25.145.130:8010 route=a keepalive=On disablereuse=On
        BalancerMember ajp://10.25.145.131:8010 route=b keepalive=On disablereuse=On
        ProxySet lbmethod=bybusyness stickysession=UMLB nofailover=Off
        SetEnvIf Cookie UMLB HAVE_UM_ROUTE
        Header add Set-Cookie "UMLB=x.%{BALANCER_WORKER_ROUTE}e;path=/;" env=!HAVE_UM_ROUTE
    </Proxy>

    <Proxy balancer://IDP>
        Order deny,allow
        Allow from all
        BalancerMember ajp://10.25.145.130:8009 route=a keepalive=On disablereuse=On
        BalancerMember ajp://10.25.145.131:8009 route=b keepalive=On disablereuse=On
        ProxySet lbmethod=bybusyness stickysession=IDPLB nofailover=Off
        SetEnvIf Cookie IDPLB HAVE_IDP_ROUTE
        Header add Set-Cookie "IDPLB=x.%{BALANCER_WORKER_ROUTE}e;path=/;" env=!HAVE_IDP_ROUTE
    </Proxy>

    <VirtualHost *:8043>
        ServerName foo.bar
        DocumentRoot /var/www/html
        ProxyPass /idp balancer://IDP/idp
        ProxyPass /UserManagement balancer://UM/UserManagement
        SSLEngine on
    </VirtualHost>
Edit (additional information):
Looking at the HTTP trace (Chrome extension) I see there are several redirects and everything works fine until it reaches the end, where it fails with the redirect to port 8043 (which is why it fails; removing the :8043 from the redirected URL by hand avoids the failure).
    GET https://foo.bar/idp/AuthnEngine
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
    Referer: https://foo.bar/idp/profile/SAML2/Redirect/SSO?SAMLRequest=blahblahblah
    Accept-Encoding: gzip, deflate, sdch
    Accept-Language: en-US,en;q=0.8,de;q=0.6
    Cookie: JSESSIONID=blahblahblah; _idp_authn_lc_key=blahblahblah; IDPLB=xb; BIGipServerblahblah=blahblahblah

    HTTP/1.1 302 Moved Temporarily
    Redirect to: https://foo.bar:8043/UserManagement/private/Login?redirectURL=blahblahblah
    Date: Tue, 05 Jan 2016 18:32:32 GMT
    Expires: 0
    Cache-Control: no-cache, no-store, must-revalidate, max-age=0
    Pragma: no-cache
    Set-Cookie: _pid_domain=blahblah; Domain=bar.com; Path=/; Secure
    Location: https://foo.bar:8043/UserManagement/private/Login?redirectURL=blahblahblah
    Content-Length: 0
    Keep-Alive: timeout=15, max=98
    Connection: Keep-Alive
    Content-Type: text/plain; charset=UTF-8
Since it is the backend Tomcat application that issues the redirect to 8043, I think ProxyPassReverse is the correct solution, so I tried the following (doesn't work, same result):
    ProxyPass /idp balancer://IDP/idp
    ProxyPassReverse /idp https://foo.bar/idp
    ProxyPass /UserManagement balancer://UM/UserManagement
    ProxyPassReverse /UserManagement https://foo.bar/UserManagement
Also tried the following (same result):
    ProxyPass /idp balancer://IDP/idp
    ProxyPassReverse /idp balancer://IDP/idp
    ProxyPass /UserManagement balancer://UM/UserManagement
    ProxyPassReverse /UserManagement balancer://UM/UserManagement
I even tried a bogus URL for ProxyPassReverse, just to see whether it had any effect at all, and it didn't! The HTTP trace result is the same; it does not adjust the URL of the backend application's redirect.
What is going on here?
Thanks, Ben
Check that your redirect links point to foo.bar
Then change your configuration to:
    ...
    <VirtualHost *:8443>
        ServerName foo.bar
    ...
The NameVirtualHost directive no longer has any effect, other than to emit a warning. Any address/port combination appearing in multiple virtual hosts is implicitly treated as a name-based virtual host.
From Upgrading to Apache 2.4
And don't forget to listen on port 8443 in the Apache configuration:
    Listen 8443
So I gave up on getting ProxyPassReverse to work with AJP. However, I found a different way that actually works!
    <Location "/idp">
        ProxyPass balancer://IDP/idp
        Header edit Location foo.bar:8043 foo.bar
    </Location>
This strips the :8043 from the Location header of the HTTP 302 temporary redirect. ProxyPassReverse should do this, but apparently does not work properly with AJP and balancers, at least in my setup.
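As an added example (not code from the question or the answers), the following Python reproduces the check and the rewrite that the `Header edit` above performs, so a trace like the one posted can be verified offline. It assumes foo.bar is the public host, that 8080 and 8043 are the backend-only ports the F5 forwards to, and it generalizes the rewrite to any of those ports; the sample response is constructed from the trimmed 302 in the trace.

```python
import re
from urllib.parse import urlsplit

PUBLIC_HOST = "foo.bar"            # assumption: the name the F5 answers for
BACKEND_PORTS = {8080, 8043}       # assumption: ports that exist only behind the F5

# Constructed sample: the 302 from the trace, trimmed to the headers that matter.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Location: https://foo.bar:8043/UserManagement/private/Login?redirectURL=x\r\n"
    "Set-Cookie: _pid_domain=blah; Domain=bar.com; Path=/; Secure\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_head(raw):
    """Return (status_code, {lowercased header name: value}) for a raw HTTP/1.1 head."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def leaks_backend_port(location):
    """True when a redirect target points clients at a port only the F5 should reach."""
    url = urlsplit(location)
    return url.hostname == PUBLIC_HOST and url.port in BACKEND_PORTS


def rewrite_location(location):
    """Same effect as `Header edit Location foo.bar:8043 foo.bar`, for every backend port."""
    ports = "|".join(str(p) for p in sorted(BACKEND_PORTS))
    pattern = r"^(https?://" + re.escape(PUBLIC_HOST) + r"):(?:" + ports + r")(?=[/?#]|$)"
    return re.sub(pattern, r"\1", location)


def check_response(raw):
    """For a redirect, report whether its Location leaks a backend port and the fixed URL."""
    status, headers = parse_head(raw)
    if status not in (301, 302, 303, 307, 308) or "location" not in headers:
        return None
    loc = headers["location"]
    return {"leaks_port": leaks_backend_port(loc), "fixed": rewrite_location(loc)}


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE))
```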