Does Apache ProxyPass also handle TLS for websockets?


I'm new to ProxyPass; suppose this is our configuration:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

        # Browser-facing TLS: this is where Apache terminates HTTPS/WSS.
        ServerName www.xzos.net
        Include /etc/letsencrypt/options-ssl-apache.conf
        ServerAlias xzos.net
        SSLCertificateFile /etc/letsencrypt/live/www.xzos.net/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.xzos.net/privkey.pem

        # WebSocket upgrade requests under /ray/ are tunnelled to the local backend in plaintext.
        <LocationMatch "/ray/">
                ProxyPass ws://127.0.0.1:1080/ray/ upgrade=WebSocket
                ProxyAddHeaders Off
                ProxyPreserveHost On
                RequestHeader set Host %{HTTP_HOST}s
                RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s
        </LocationMatch>
</VirtualHost>
</IfModule>

Since we give these to Apache:

SSLCertificateFile /etc/letsencrypt/live/www.xzos.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.xzos.net/privkey.pem

we don't need to use them in the websocket server running at ws://127.0.0.1:1080/ray/, right?

Even if we could do that, does Apache handle it correctly? I guess that, since this is a local server, deliberately doing it twice is redundant. I think that if we did do it, we would need to change ws://127.0.0.1:1080/ray/ to wss://127.0.0.1:1080/ray/ and provide the same certificate and key inside that websocket server.

Answer 1

Using ProxyPass to proxy to an insecure listener on the local machine can still expose an attack surface. Are you worried about someone sniffing traffic on localhost? If I were a malicious person with the appropriate access, I could run tcpdump on the loopback interface on port 1080 and read the traffic. If you use wss:// then that becomes harder. I would use TLS on both links, unless there is a technical reason not to, or I am debugging the application and need to capture more information along the way.
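
As an added example, not taken from the question or either answer, this is the hardened form of the question's /ray/ location that follows the advice above: Apache keeps terminating the browser's TLS with the SSLCertificateFile/SSLCertificateKeyFile shown in the question, and the second hop to the backend is encrypted and verified as well. It assumes the backend presents a certificate issued by a private CA whose bundle sits at the placeholder path /etc/apache2/ssl/backend-ca.pem, and that mod_ssl and mod_proxy_wstunnel are loaded.

```apache
# Enable TLS on outgoing proxy connections; required for wss:// targets.
SSLProxyEngine On

# Verify the backend's certificate instead of accepting whatever it presents.
# ASSUMPTION: the backend certificate is issued by a private CA whose bundle
# is at this placeholder path.
SSLProxyVerify require
SSLProxyVerifyDepth 2
SSLProxyCACertificateFile /etc/apache2/ssl/backend-ca.pem
# SSLProxyCheckPeerName is on by default, so the backend certificate must be
# valid for the host in the ProxyPass URL (here 127.0.0.1, i.e. an IP SAN).

<LocationMatch "/ray/">
        # Same block as the question, with ws:// replaced by wss://.
        ProxyPass wss://127.0.0.1:1080/ray/ upgrade=WebSocket
        ProxyAddHeaders Off
        ProxyPreserveHost On
        RequestHeader set Host %{HTTP_HOST}s
        RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s
</LocationMatch>
```

Traffic captured on the loopback interface on port 1080 is then TLS records rather than readable frames, which is the point Answer 1 makes.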

Answer 2

I can add my two cents.

Let's focus on <LocationMatch "/ray/">. How does Apache recognise the path /ray/ if that path is wrapped inside a TLS-encrypted channel? Of course Apache must handle the TLS in order to decrypt the HTTP handshake and see GET /whatever/, and then decide whether it matches the location.
