我安装了在 Jetty 9 上运行的 Shiboleth。通过 Apache,我有一个反向代理到 Jetty 的 8080 端口,该端口为 Shiboleth 实例提供服务。
当我在控制台中 curl http://localhost:8080/idp/shibboleth 时,正确生成了实例响应。
但是,当我在浏览器https://idp.example.com/idp/shibboleth上执行相同操作时,我收到 404 错误。
这表明反向代理无法正常工作?
这是我的 apache conf
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
<VirtualHost *:80>
ServerName "idp.spectrum.com.cy"
Redirect permanent "/" "https://idp.spectrum.com.cy/"
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName idp.spectrum.com.cy:443
ServerAdmin [email protected]
# Debian
CustomLog /var/log/apache2/idp.spectrum.com.cy.log combined
ErrorLog /var/log/apache2/idp.spectrum.com.cy.org-error.log
# Centos
#CustomLog /var/log/httpd/idp.example.org.log combined
#ErrorLog /var/log/httpd/idp.example.org-error.log
DocumentRoot /var/www/html/idp.spectrum.com.cy
SSLEngine On
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
SSLHonorCipherOrder on
# Disallow embedding your IdP's login page within an iframe and
# Enable HTTP Strict Transport Security with a 2 year duration
<IfModule headers_module>
Header set X-Frame-Options DENY
Header set Strict-Transport-Security "max-age=63072000 ; includeSubDomains ; preload"
</IfModule>
# Debian
SSLCertificateFile /etc/ssl/certs/idp.spectrum.com.cy.crt
SSLCertificateKeyFile /etc/ssl/private/idp.spectrum.com.cy.key
# ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
#SSLCACertificateFile /etc/ssl/certs/ACME-CA.pem
#SSLCACertificateFile /etc/ssl/certs/GEANT_OV_RSA_CA_4.pem
# Centos
#SSLCertificateFile /etc/pki/tls/certs/idp.example.org.crt
#SSLCertificateKeyFile /etc/pki/tls/private/idp.example.org.key
# ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
#SSLCACertificateFile /etc/pki/tls/certs/ACME-CA.pem
#SSLCACertificateFile /etc/pki/tls/certs/GEANT_OV_RSA_CA_4.pem
<IfModule mod_proxy.c>
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
ProxyPass /idp http://localhost:8080/idp/ retry=5
ProxyPassReverse /idp http://localhost:8080/idp/ retry=5
<Location /idp>
Require all granted
</Location>
</IfModule>
</VirtualHost>
</IfModule>
<VirtualHost 127.0.0.1:80>
ProxyPass /idp http://localhost:8080/idp/ retry=5
ProxyPassReverse /idp http://localhost:8080/idp/ retry=5
<Location /idp>
Require all granted
</Location>
</VirtualHost>
我已经简化了我的 conf 文件以删除 https。下面的配置工作正常,但仅适用于 http。我将调查为什么 https 配置会产生 404 错误。
<VirtualHost *:80>
ServerName idp.spectrum.com.cy
<IfModule mod_proxy.c>
ProxyPreserveHost On
ProxyPass /idp/ http://localhost:8080/idp/ retry=5
ProxyPassReverse /idp/ http://localhost:8080/idp/ retry=5
<Location /idp>
Require all granted
</Location>
</IfModule>
# This virtualhost is only here to handle administrative commands
for Shibboleth, executed from localhost
<VirtualHost 127.0.0.1:80>
ProxyPass /idp http://localhost:8080/idp/ retry=5
ProxyPassReverse /idp http://localhost:8080/idp/ retry=5
<Location /idp>
Require all granted
</Location>
</VirtualHost>
尝试从
ServerName指令中删除端口。IE,根据https://httpd.apache.org/docs/2.4/mod/core.html#servername,端口是可选的并且是允许的,但是文档中的以下提及听起来可能是该
VirtualHost配置未生效的原因(浏览器不会在Host:标头中发送端口号)。它应该是
ProxyPass请注意命令的第一个参数中的尾部斜杠。始终对齐两个参数中的尾部斜杠。我的
VirtualHost声明非常基本,只包含最低限度的工作:这是我的 IDP
/etc/httpd/conf.d/idp.conf: