使用Jenkins和Sonar的SSL正确的Apache反向代理配置

11

我正在Apache服务器后面运行两项服务:Jenkins(端口8080)和SonarQube(端口9000)。

我的Apache配置看起来像这样:

<VirtualHost *:80>
  ServerName server
  Redirect permanent / https://server.domain.com/
</VirtualHost>

<VirtualHost *:80>
  ServerName server.domain.com
  Redirect permanent / https://server.domain.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName server.domain.com

  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/server.crt
  SSLCertificateKeyFile /etc/ssl/private/server.key

  ProxyPass        /jenkins http://localhost:8080/jenkins nocanon
  ProxyPassReverse /jenkins http://localhost:8080/jenkins
  ProxyPassReverse /jenkins http://server.domain.com/jenkins
  ProxyPassReverse /jenkins https://server.domain.com/jenkins

  ProxyPass        /sonar http://localhost:9000/sonar nocanon
  ProxyPassReverse /sonar http://localhost:9000/sonar

  AllowEncodedSlashes NoDecode
  ProxyRequests Off
  ProxyPreserveHost On
  <Proxy http://localhost:8080/*>
    Order deny,allow
    Allow from all
  </Proxy>
</VirtualHost>

除了Jenkins抱怨此消息外,一切似乎都工作正常:反向代理设置似乎已损坏。

当我运行Jenkins提供的ReverseProxySetupMonitor测试时,错误消息表明未正确设置带有反向代理的内容,因为不会将https替换为https:

$ curl -iLk -e https://server.domain.com/jenkins/manage https://server.domain.com/jenkins/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test
[...]
404 http://server.domain.com/jenkins/manage vs. https://server.domain.com/jenkins/manage
[...]

这仅我在服务器上启用SSL(现在正在使用自签名证书)之后出现。

问题: 如何解决反向代理设置,让詹金斯感到高兴?奖励积分,提供有关如何改善apache配置文件的提示。

我已经检查了以下两个相关问题:

apache-2.2  ssl  ssl-certificate  apache-2.4  jenkins 
Friederbluemle
source

Answers:

9

Wiki Jenkins上的此页面提到,截至2014年7月,Jenkins反向代理的推荐配置。缺少的参数是RequestHeader set X-Forwarded-Proto "https"RequestHeader set X-Forwarded-Port "443"

所以配置变成

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/cert.pem
    ServerAdmin  webmaster@localhost
    ProxyRequests     Off
    ProxyPreserveHost On
    AllowEncodedSlashes NoDecode
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass         /  http://localhost:8080/ nocanon
    ProxyPassReverse  /  http://localhost:8080/
    ProxyPassReverse  /  http://www.example.com/
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
</VirtualHost>
Masegaloeh
source
2
太棒了,效果很好!我还必须做sudo a2enmod headers,否则我会得到Invalid command 'RequestHeader'
friederbluemle 2014年
您能解释一下为什么ProxyPassReverse对同一路径(/)使用两个指令吗?
Ortomala Lokni'3
1

Jenkins的Windows Apache前端设置

这里的主要区别是:

  • 如何设置临时证书
  • 停止关于没有任何SSL缓存的Apache机翼

我的设置:

  • 安装到d:\(不是c:\-使其适应您的需求)

  • 詹金斯(Jenkins)位于8080端口

  • 将Apache httpd-2.4.18-win64-VC14.zip(从http://www.apachelounge.com/download/)解压缩到d:\。

  • 将OpenSSL Win64OpenSSL_Light-1_0_2f.exe(http://slproweb.com/products/Win32OpenSSL.html)安装到d:\ OpenSSL-Win64

  • 创建ssl证书:

    • cd到OpenSSL bin目录并运行魔术:

       pushd d:\OpenSSL-Win64\bin
 set OPENSSL_CONF=openssl.cfg
 openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

  • 将server。*文件从d:\ OpenSSL-Win64 \ bin复制到D:\ Apache24 \ conf

  • 编辑d:\ Apache24 \ conf \ httpd.conf:

    • 搜索并将“ c:/”替换为“ d:/”

    • 在“ Listen 80”行之后更改,添加“ Listen 443”:

      Listen 80
Listen 443

    • 取消注释以下行:

      LoadModule headers_module modules/mod_headers.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so

    • 将“ #ServerName www.example.com:80”更新为:

      ServerName myserver.mydomain:80

    • 最后添加:

      <IfModule socache_shmcb_module>
SSLSessionCache "shmcb:logs/ssl_scache(512000)"
</IfModule>

<VirtualHost *:80>
  ServerName myserver
  Redirect permanent / https://myserver.mydomain/
</VirtualHost>

<VirtualHost *:80>
  ServerName myserver.mydomain
  Redirect permanent / https://myserver.mydomain/
</VirtualHost>

<VirtualHost *:443>
            SSLEngine on
            SSLCertificateFile conf/server.crt
            SSLCertificateKeyFile conf/server.key
            ServerAdmin  me@mydomain
            ProxyRequests             Off
            ProxyPreserveHost On
            AllowEncodedSlashes NoDecode
            <Proxy *>
                        Order deny,allow
                        Allow from all
            </Proxy>
            ProxyPass         /  http://localhost:8080/ nocanon
            ProxyPassReverse  /  http://localhost:8080/
            ProxyPassReverse  /  http://myserver.mydomain/
            RequestHeader set X-Forwarded-Proto "https"
            RequestHeader set X-Forwarded-Port "443"
</VirtualHost>

我没有停止Jenkins在端口8080上监听,因此如果apache失败,我仍然可以连接。我使用https的目的是隐藏参数。

大卫·罗布森
source
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.