背景
在Linux系统上运行了httpd和tomcat,又绑定了域名后, 想通过Apache自动转发请求到tomcat
经过
配置Apache转发tomcat共用80端口
这一步比较简单,直接在Apache的配置文件里新增虚拟主机监听80端口,对指定路径下的请求做代理转发就行
这里http请求默认是80端口,而且apache默认监听端口也是80端口,如果特殊配置则对着修改
转发请求给tomcat的是8080端口,如果有额外配置同理
<VirtualHost *:80>
ServerName www.domain.com
ProxyRequests Off
# 这里声明默认‘/’ 路径下的请求,映射到project项目路径下
Alias / /var/www/html/project/
<Location />
Satisfy Any
</Location>
# 这里声明/app 路径下的请求,自动转发给tomcat以及返回
ProxyPass /app http://localhost:8080/app/
ProxyPassReverse /app http://localhost:8080/app/
</VirtualHost>
Apache配置ssl实现https访问
- 启用ssl模块
LoadModule ssl_module modules/mod_ssl.so
- 配置ssl虚拟机(我apache默认没有mod_ssl.so模块,所以通过安装openssl添加,同时也自动生成了ssl.conf文件),具体有三个点需要根据自己实际修改
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
SSLCryptoDevice builtin
<VirtualHost _default_:443>
# 第一个要点
ServerName www.domain.com
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
# 第二个要点
SSLCertificateFile 证书路径
SSLCertificateKeyFile 证书key路径
SSLCertificateChainFile 如果有chain文件则添加该配置,没有则#注释掉即可
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# 这里需要注意的是,路径代表着你请求的映射的根目录
# 假设我apache下有a,b两个项目,我可以通过www.domain.com/a,www.domain.com/b分别访问各个项目下的静态文件
# 但是如果想要访问/var/www/html/a/index.html文件时,不同配置下的结果是:
# DocumentRoot "/var/www/html" www.domain.com/a/index.html
# DocumentRoot "/var/www/html/a" www.domain.com/index.html
# 具体根据实际需求来
# 第三个要点
DocumentRoot "/var/www/html/project"
</VirtualHost>
- 重启apache即可
这时候会发现,apache的静态资源可以通过http跟https成功访问了,但是https下请求tomcat动态资源失败,因为https请求是通过443端口请求的,而我们的动态转发只监听了80端口,所以新增一个443端口监听
<VirtualHost *:443>
ServerName www.domain.com
ProxyRequests Off
# 静态资源
Alias / /var/www/html/project/
<Location />
Satisfy Any
</Location>
# 动态tomcat
ProxyPass /app http://localhost:8080/app/
ProxyPassReverse /app http://localhost:8080/app/
</VirtualHost>
这时候会提示ERR_SSL_PROTOCOL_ERROR
tomcat配置ssl实现https访问
默认监听的8080端口配置不变动,用于接收http请求,新增监听端口8081(这里使用的是pfx证书)用于接收https请求
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
port="8081" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="证书路径" keystoreType="PKCS12" keystorePass="证书密码"
clientAuth="false"
SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"
redirectPort="8443"
/>
修改apache对于443监听转发的配置,新增ssl代理配置,传递给tomcat
<VirtualHost *:443>
ServerName domain.top:443
ProxyRequests Off
# 静态资源
Alias / /var/www/html/project/
<Location />
Satisfy Any
</Location>
# SSL代理
ProxyPreserveHost On
SSLProxyEngine on
SSLEngine on
# 根据实际配置ssl
SSLCertificateFile xxx.crt
SSLCertificateKeyFile xxx.key
SSLCertificateChainFile xxx.crt
# 动态tomcat
ProxyPass /app https://localhost:8081/app/
ProxyPassReverse /app https://localhost:8081/app/
</VirtualHost>
总结
- 配置apache和tomcat的ssl证书
- apache新增80端口、443端口的转发监听,443端口需要增加ssl代理配置