uniquejava / blog

My notes regarding the vibrating frontend :boom and the plain old java :rofl.
Creative Commons Zero v1.0 Universal

RHEL7 Apache Https Reverse Proxy #180

Open uniquejava opened 6 years ago

uniquejava commented 6 years ago

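Requirements

There is a backend Node.js project, started with npm start and running at http://domain.com:9000/api/cool, and a frontend Vue.js project, started with npm run serve and running at http://domain.com:3000. Everyone can reach the frontend SPA through http://domain.com:3000.

I want to:

  1. Make the app reachable only through https://domain.com
  2. Hide the backend API.
  3. Have the Vue code call the backend Node.js API through https://domain.com/api

Approach

First, npm run dev is the test server (based on Express.js) that Vue starts through webpack. It runs in development mode and is not suitable for production. npm run build compiles the frontend code into the dist directory. Everything in dist is a static file, so any web server can serve it. nginx and Apache are both options. For simplicity, and because the number of users is not large, I installed Apache, configured HTTPS, and made all HTTP requests redirect automatically to HTTPS.

At this point the frontend is reachable over HTTPS, but when it calls the HTTP API on the backend Node.js server via AJAX, a cross-origin problem occurs (protocol mismatch). One option is to change the Node.js app to support HTTPS. The simpler option is to configure a reverse proxy in Apache, for example mapping all requests for https://domain.com/api to http://domain.com:8000/api

I consulted the following references:

Installing the Apache server on RHEL 7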

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-web_servers#s1-The_Apache_HTTP_Server

Configuring Apache HTTPS on RHEL 7

https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-apache-for-centos-7

Configuring an Apache reverse proxy

https://tecadmin.net/setup-apache-as-reverse-proxy-for-tomcat/

https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension

For HTTP, put the configuration in /etc/httpd/conf.d/non-ssl.conf (create the file if it does not exist); for HTTPS, put it in /etc/httpd/conf.d/ssl.conf.

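# Proxy HTTPS requests for the Node.js API to the Node.js HTTP backend.
# The target is the loopback address 127.0.0.1; 0.0.0.0 is a listen address, not a destination.
ProxyPass /myapp/api/ http://127.0.0.1:9000/api/
ProxyPassReverse /myapp/api/ http://127.0.0.1:9000/api/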

sudo vim /etc/httpd/conf.d/ssl.conf
sudo apachectl configtest
sudo systemctl restart httpd.service

Other

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_confined_services/chap-managing_confined_services-the_apache_http_server

uniquejava commented 6 years ago

Steps to force HTTPS

(Recommended) Modify the Unencrypted Virtual Host File to Redirect to HTTPS

As it stands now, the server will provide both unencrypted HTTP and encrypted HTTPS traffic. For better security, it is recommended in most cases to redirect HTTP to HTTPS automatically. If you do not want or need this functionality, you can safely skip this section.

To redirect all traffic to be SSL encrypted, create and open a file ending in .conf in the /etc/httpd/conf.d directory:

sudo vi /etc/httpd/conf.d/non-ssl.conf

Inside, create a VirtualHost block to match requests on port 80. Inside, use the ServerName directive to again match your domain name or IP address. Then, use Redirect to match any requests and send them to the SSL VirtualHost. Make sure to include the trailing slash:

/etc/apache2/sites-available/000-default.conf

<VirtualHost *:80>
        ServerName www.example.com
        Redirect "/" "https://www.example.com/"
</VirtualHost>

The configuration above redirects all of http://www.example.com to https://www.example.com.

Save and close this file when you are finished.

sudo apachectl configtest

sudo systemctl restart httpd.service
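
The port-80 redirect and the /api reverse proxy from these notes, combined into one configuration as an added example that is not part of the original notes. The certificate paths and DocumentRoot are placeholders, and the /api/ prefix follows the requirement stated at the top rather than the /myapp/api/ path used in the snippet.

```apache
# Added example. Values marked "placeholder" are assumptions; adjust before use.

# --- /etc/httpd/conf.d/non-ssl.conf ---
# Plain HTTP serves nothing itself; every request is redirected to HTTPS.
<VirtualHost *:80>
    ServerName domain.com
    # Redirect is a prefix match: /api/x becomes https://domain.com/api/x
    Redirect permanent "/" "https://domain.com/"
</VirtualHost>

# --- /etc/httpd/conf.d/ssl.conf ---
# These directives belong inside the 443 VirtualHost that mod_ssl already ships.
<VirtualHost _default_:443>
    ServerName domain.com
    SSLEngine on
    # placeholder certificate and key paths
    SSLCertificateFile    /etc/pki/tls/certs/EXAMPLE.crt
    SSLCertificateKeyFile /etc/pki/tls/private/EXAMPLE.key

    # Static output of "npm run build" (contents of dist); placeholder path
    DocumentRoot /var/www/html

    # Reverse proxy only: never act as a forward (open) proxy.
    ProxyRequests Off

    # Tell the Node.js app which scheme the client used (requires mod_headers).
    RequestHeader set X-Forwarded-Proto "https"

    # Weak form: 0.0.0.0 is a listen address, and a public hostname as the
    # target would send the proxied traffic out through the external interface.
    #   ProxyPass /api/ http://0.0.0.0:9000/api/
    #
    # Corrected form: connect to the backend over loopback only.
    ProxyPass        /api/ http://127.0.0.1:9000/api/
    ProxyPassReverse /api/ http://127.0.0.1:9000/api/
</VirtualHost>
```

The proxy hides the backend only if the Node.js process listens on 127.0.0.1 (or port 9000 stays closed in firewalld); otherwise http://domain.com:9000/api remains reachable directly. With SELinux enforcing, httpd may be denied the outbound connection to the backend until `sudo setsebool -P httpd_can_network_connect 1` is set.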