Apache 代理后面带有嵌入式 Tomcat 的 Spring Boot [英] Spring Boot with embedded Tomcat behind Apache proxy

问题描述

我们有一个 Spring Boot (Spring MVC) 应用程序，在 Apache SSL 代理后面的专用应用程序服务器上嵌入了 Tomcat.

We have a Spring Boot (Spring MVC) app with embedded Tomcat on a dedicated appserver behind an Apache SSL proxy.

代理服务器上的 SSL 端口是 4433，转发到应用服务器上的端口 8080.

The SSL port on the proxy server is 4433, forwarding to port 8080 on the appserver.

因此代理服务器的 URL 转发如下:

So the URL to the proxy server is forwarding like:

https://proxyserver:4433/appname   >>forward>>   http://appserver:8080/

在没有代理的情况下运行时，发生的第一件事是
Spring Security 重定向请求，如:

When running WITHOUT proxy, the first thing that happens is that
Spring Security redirects the request, like:

http://appserver:8080/   >>redirect>>   http://appserver:8080/login

通过使用

  ...
  httpSecurity.formLogin().loginPage("/login") ...
  ...

它在没有代理的情况下工作正常，但使用代理需要更改重定向，
所以 Spring 应该重定向到相应的代理 URL，例如:

It works fine without the proxy, but WITH proxy the redirect needs to be changed,
so Spring should instead redirect to the corresponding proxy URL, like:

http://appserver:8080/   >>redirect>>   https://proxyserver:4433/appname/login

但还没有成功.

我正在尝试应用此解决方案:59.8 在前端代理服务器后面使用Tomcat

I am trying to apply this solution: 59.8 Use Tomcat behind a front-end proxy server

我们已经在 Apache 中配置了 mod_proxy，并验证了它发送预期的标头:

We have configured mod_proxy in Apache, and verified that it sends the expected headers:

X-Forwarded-For: xxx.xxx.xxx.xxx
X-Forwarded-Host: proxyserver
X-Forwarded-Port: 4433
X-Forwarded-Proto: https

应用程序以参数启动:

export ARG1='-Dserver.tomcat.protocol-header=x-forwarded-proto' 
export ARG2='-Dserver.tomcat.remote-ip-header=x-forwarded-for'
java $ARG1 $ARG2 -jar webapp.jar

重定向仍然不起作用.

它将继续在本地重定向到客户端无法使用的 http://appserver:8080/login.

It will keep redirecting locally, to http://appserver:8080/login which is not available to the clients.

我们还需要做些什么才能使这个场景发挥作用?

Is there anything else we need to do to make this scenario work?

另外，我担心/appname"代理 URL 的一部分.在应用程序服务器上，应用程序以/"为根.应该如何指示 Spring 使用/appname"当通过代理时，是否应该包含在发送回客户端的所有 URL 中?

Also, I am concerned about the "/appname" part in the proxy URL. On the appserver the application is rooted at "/". How should Spring be instructed that "/appname" should be included in all URLs sent back to the clients, when going thru the proxy?

推荐答案

前几天我遇到了同样的问题.在对 Spring Boot 1.3 进行一些调试后，我找到了以下解决方案.

I had the same problem the other day. After some debugging of Spring Boot 1.3 I found the following solution.

1.您必须在 Apache 代理上设置标头:

1. You have to setup the headers on your Apache proxy:

<VirtualHost *:443>
    ServerName www.myapp.org
    ProxyPass / http://127.0.0.1:8080/
    RequestHeader set X-Forwarded-Proto https
    RequestHeader set X-Forwarded-Port 443
    ProxyPreserveHost On
    ... (SSL directives omitted for readability)
</VirtualHost>

2. 您必须告诉您的 Spring Boot 应用程序使用这些标头.因此，在您的 application.properties(或 Spring Boots 理解属性的任何其他地方)中添加以下行:

2. You have to tell your Spring Boot app to use these headers. So put the following line in your application.properties (or any other place where Spring Boots understands properties):

server.use-forward-headers=true

如果您正确地做这两件事，您的应用程序发送的每个重定向都不会转到http://127.0.0.1:8080/[path] 但会自动转到 https://www.myapp.com/[路径]

If you do these two things correctly, every redirect your application sends will not go to http://127.0.0.1:8080/[path] but automatically to https://www.myapp.com/[path]

更新 1.关于这个主题的文档是 此处.您至少应该阅读它以了解属性 server.tomcat.internal-proxies，它定义了可以信任的代理服务器的 IP 地址范围.

Update 1. The documentation about this topic is here. You should read it at least to be aware of the property server.tomcat.internal-proxies which defines the range of IP-addresses for proxy servers that can be trusted.

2021 年更新 文档移至 此处.Spring Boot 配置现在有点不同.

Update 2021 The documentation is moved to here. The Spring Boot configuration is a litte different now.

这篇关于Apache 代理后面带有嵌入式 Tomcat 的 Spring Boot的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！