Apache 中用于 REST API 的 HTTPS 代理

在 Apache HTTPD 中基本上是这样的：

<VirtualHost *:80>
ServerName publicname.example.com
Redirect / https://publicname.example.com/
</VirtualHost>

<VirtualHost *:443>
ServerName publicname.example.com
SSLEngine on
SSLCertificateFile /path/to/cert.pem
SSLCertificateKeyFile /path/to/key.pem
ErrorLog /path/to/logs/publicaname.example.com-ssl-error.log
CustomLog /path/to/logs/publicaname.example.com-ssl.log combined

ProxyPass /api/input http://127.0.0.1:8080/api/input
ProxyPassReverse /api/input http://127.0.0.1:8080/api/input
</VirtualHost>

注意：您需要先加载mod_proxy和mod_proxy_http模块。

感谢@ezra-s，我能够发送数据。但是在做的时候，我有点挣扎，所以我只想分享一些信息。

1.sudo apt-get install -y libapache2-mod-proxy-html libxml2-dev apache2-prefork-dev libxml2-dev

2.启用模块

sudo a2enmod proxy proxy_ajp proxy_http rewrite deflate headers proxy_balancer proxy_connect proxy_htm ssl

3.生成的自签名证书这里是指南

4.添加配置到/etc/apache2/sites-enabled/000-default.conf

5.我尝试重新启动sudo service apache2 restart。但我得到了错误

 * Starting web server apache2                                                                                                                  * 
 * The apache2 configtest failed.
Output of config test was:
[Mon Feb 13 02:31:06.772053 2017] [proxy_html:notice] [pid 8060] AH01425: I18n support in mod_proxy_html requires mod_xml2enc. Without it, non-ASCII characters in proxied pages are likely to display incorrectly.
AH00526: Syntax error on line 39 of /etc/apache2/sites-enabled/000-default.conf:
ProxyPass Unable to parse URL
Action 'configtest' failed.
The Apache error log may have more information.

经过长时间的互联网搜索，我发现了 mod_xml2enc 不可用的错误。所以，我从源代码构建了这个模块

sudo apt-get install apache2-prefork-dev libxml2 libxml2-dev
mkdir ~/modbuild/ && cd ~/modbuild/
wget http://apache.webthing.com/svn/apache/filters/mod_xml2enc.c
wget http://apache.webthing.com/svn/apache/filters/mod_xml2enc.h
sudo apxs2 -aic -I/usr/include/libxml2 ./mod_xml2enc.c
cd ~
rm -rfd ~/modbuild/
sudo service apache2 restart
 * Restarting web server apache2                                                                                                               AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
                                                                                                                                        [ OK ]

谢谢您的帮助！

有很多方法可以达到你想要的结果。

让你的 Tomcat 监听 127.0.0.1:8080 并在它之前设置一些前端服务器。您的前端服务器将侦听 *:80 和 *:443 并将所有请求转发到隐藏的 Tomcat。

有很多前端服务器。它可以是 Apache（如您提供的那样）、nginx（消耗更少的内存）或 haproxy（提供出色的统计数据以及几乎恒定的内存占用）。

一种可能的 nginx 配置片段可以是：

server {
    listen 443 ssl;

    server_name your.hostname.com; 
    access_log  .../access_log main;
    error_log .../error_log;

    ssl_certificate      /.../fullchain.pem;
    ssl_certificate_key  /.../key.pem;

    # some TLS config should be here

    # forward all requests to Tomcat 8080
    location / {
      proxy_pass      http://127.0.0.1:8080/;
      client_max_body_size    128m;  # limit POST size
    }
}

server {
    listen 80;
    server_name your.hostname.com; 

    access_log  /.../80-access_log main;
    error_log /.../80-error_log;

    location / {
        # redirect everython to HTTPS
        return 301 https://$host$request_uri;
    }
}

对于生成 TLS 配置，我推荐Mozilla SSL 配置生成器