Last updated: 2021-07-23
Contents
- proxy_http_module
- ACL (Limit IP Access)
- Headers seen by the Backend
- Setting Backend parameters
- Websocket (Apache 2.4)
- ProxyPassMatch
- Chunked Encode
- mod_proxy_html
proxy_http_module
Required module: proxy_http (proxy_http depends on proxy)
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
vhost configuration
<VirtualHost *:80>
ServerName yourdomain
ServerAdmin xxx@yourdomain
# pass the "Host:" line from the incoming request to the proxied host
ProxyPreserveHost On
# Disable forward (standard) proxy requests
ProxyRequests Off
# Keep logs
ErrorLog /home/vhosts/yourdomain/logs/error.log
CustomLog /home/vhosts/yourdomain/logs/access.log combined
# Proxy settings
ProxyPass / http://yourdomain/
ProxyPassReverse / http://yourdomain/
</VirtualHost>
ProxyPreserveHost
# Default: Off
When enabled, this option will pass the "Host:" line from the incoming request to the proxied host,
instead of the hostname specified in the ProxyPass line.
It is mostly useful in special configurations like proxied mass name-based virtual hosting,
where the original Host header needs to be evaluated by the backend server.
ProxyRequests
Description: Enables forward (standard) proxy requests
This directive is for creating a proxy server (NOT reverse proxy)
For Reverse proxy/gateway: Off (Default)
ProxyPass
Maps remote servers into the local server URL-space
i.e.
# http://example.com/mirror/foo/bar -> http://backend.example.com/bar
ProxyPass "/mirror/foo/" "http://backend.example.com/"
ProxyPassReverse
Adjusts the URL in HTTP response headers sent from a reverse proxied server
( Location, Content-Location and URI headers on HTTP redirect responses )
* To rewrite HTML content to match the proxy, you must load and enable mod_proxy_html
SSL Setting
SSLProxyEngine
SSLProxyEngine on / off (Default)
This directive toggles the usage of the SSL/TLS Protocol Engine for proxy
ProxyPass "/" "https://backend.example.com/"
SSLProxyVerify
Default: none
This directive can be used to configure certificate verification of the remote server.
Troubleshoot
Reason: Error during SSL Handshake with remote server
[Fix]
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
These four directives switch off verification of the backend's certificate entirely (peer CN/name and expiry checks included), so the handshake succeeds regardless of which certificate the backend presents.
<Proxy>
Settings for the backend
i.e.
<Proxy "fcgi://localhost:9080" max=10>
</Proxy>
...
<FilesMatch ".+\.php$">
# mod_php alternative (commented out: a later SetHandler in the same section would override it)
# SetHandler application/x-httpd-php
SetHandler "proxy:fcgi://localhost:9080"
</FilesMatch>
Applying an ACL (Limit IP Access)
# Container for directives applied to proxied resources (192.168.88)
# Apply only to matching proxied content (shell-style wildcards such as "*" are allowed)
<Proxy "*">
# Control who can access your proxy
Require ip 192.168.88
</Proxy>
Headers seen by the Backend
Reverse Proxy Request Headers
- X-Forwarded-For # The client's IP
- X-Forwarded-Host # The original host requested by the client (HTTP request header)
- X-Forwarded-Server # The hostname of the proxy server.
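How a backend application should consume these headers, as an added example that is not part of the original page: it trusts X-Forwarded-* only when the TCP peer is the proxy itself (the 192.168.88.0/24 network from the ACL section is assumed to be the proxy's network) and takes the right-most X-Forwarded-For entry, which is the one mod_proxy appended.

```python
import ipaddress

# Assumption (not from the page): the reverse proxy sits on the network the
# ACL above allows, so only that network may supply X-Forwarded-* headers.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("192.168.88.0/24")]


def is_trusted_proxy(peer_ip: str) -> bool:
    """True when the direct TCP peer is one of our reverse proxies."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def client_ip(peer_ip: str, headers: dict) -> str:
    """Real client IP as the backend should derive it.

    mod_proxy *appends* the client address to X-Forwarded-For, so a value the
    client sent itself ends up to the left of the one our proxy added.  Trust
    nothing unless the peer is the proxy, then take the right-most entry.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip                       # direct request: header is untrusted
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    hops = [h for h in hops if h]
    if not hops:
        return peer_ip
    ipaddress.ip_address(hops[-1])           # raises ValueError on garbage
    return hops[-1]


def original_host(peer_ip: str, headers: dict, default: str) -> str:
    """Host the client asked for (X-Forwarded-Host), only if a trusted proxy says so."""
    if is_trusted_proxy(peer_ip):
        return headers.get("X-Forwarded-Host", default)
    return default


# Constructed sample: proxy 192.168.88.10 forwards a request from 203.0.113.7;
# the client had already sent its own X-Forwarded-For value "10.0.0.1".
SAMPLE_HEADERS = {
    "X-Forwarded-For": "10.0.0.1, 203.0.113.7",
    "X-Forwarded-Host": "yourdomain",
    "X-Forwarded-Server": "proxy.yourdomain",
}

if __name__ == "__main__":
    print(client_ip("192.168.88.10", SAMPLE_HEADERS))                   # 203.0.113.7
    print(client_ip("203.0.113.7", {"X-Forwarded-For": "10.0.0.1"}))   # 203.0.113.7
    print(original_host("192.168.88.10", SAMPLE_HEADERS, "backend"))   # yourdomain
```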
Setting Backend parameters
# Set various Proxy balancer or member parameters
<Proxy "http://backend">
ProxySet keepalive=Off
</Proxy>
"<Proxy wildcard-url>...</Proxy>" Container for directives applied to proxied resources
# This directive allows a user to specify a timeout on proxy requests.
# This is useful when you have a slow/buggy appserver which hangs
ProxyTimeout 10
Websocket (Apache 2.4)
# Enable modules
/etc/httpd/conf.modules.d/00-proxy.conf
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
# Create new config file
/etc/httpd/conf.d/wstunnel.conf
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Require all granted
</Proxy>
ProxyPass /wss/ ws://localhost:8888/ retry=0 connectiontimeout=3 acquire=3000 disablereuse=on
ProxyPassReverse /wss/ ws://localhost:8888/
disablereuse=on fixed the following error:
... [proxy:error] [pid 10382] (32)Broken pipe: [client x.x.x.x:n] AH01084: pass request body failed to 127.0.0.1:8888 (localhost)
ProxyPass Parameter
Syntax:
ProxyPass [path] !|url [key=value [key=value ...]] [nocanon] [interpolate] [noquery]
min 0
Minimum number of connection pool entries (preallocated or retained), unrelated to the actual number of connections.
max 1...n
Maximum number of connections to the backend server.
Default: the number of threads per process in the active MPM (always 1 in the Prefork MPM).
smax (Default: max)
Retained connection pool entries above this limit are freed during certain operations
if they have been unused for longer than the time to live, controlled by the ttl parameter.
If the connection pool entry has an associated connection, it will be closed.
This only needs to be modified from the default for special circumstances where connection pool entries and
any associated connections which have exceeded the time to live need to be freed or closed more aggressively.
ttl -
Unit: seconds
Time to live for inactive connections and associated connection pool entries,
Once this limit is reached, a connection will not be used again;
(it will be closed at some later time)
retry 60
Unit: seconds
If the connection pool worker to the backend server is in the error state,
Apache httpd will not forward any requests to that server until the timeout expires.
This makes it possible to shut down the backend server for maintenance and bring it back online later.
A value of 0 means always retry workers in an error state with no timeout.
acquire - # Unit: ms
the maximum time to wait for a free connection in the connection pool
If there are no free connections in the pool, Apache httpd will return SERVER_BUSY status to the client.
timeout n # Unit: seconds
Default: Value of ProxyTimeout
The number of seconds Apache httpd waits for data sent by / to the backend.
connectiontimeout n # Unit: seconds
The number of seconds Apache httpd waits for the creation of a connection to the backend to complete.
disablereuse Off
force mod_proxy to immediately close a connection to the backend after being used,
and thus, disable its persistent connection and pool for that backend.
This helps in various situations where a firewall between Apache httpd and the backend server
tends to silently drop connections or when backends themselves may be under round-robin DNS.
flushpackets off
Determines whether the proxy module will auto-flush the output brigade after each "chunk" of data.
'off' means that it will flush only when needed;
'on' means after each chunk is sent;
'auto' means poll/wait for a period of time and flush if no input has been received for 'flushwait' milliseconds.
Currently, this is in effect only for mod_proxy_ajp and mod_proxy_fcgi.
keepalive Off
This parameter should be used when you have a firewall between your Apache httpd and the backend server,
which tends to drop inactive connections.
This flag will tell the Operating System to send KEEP_ALIVE messages on inactive connections and
thus prevent the firewall from dropping the connection.
upgrade WebSocket
Protocol accepted in the Upgrade header by mod_proxy_wstunnel.
interpolate
causes the ProxyPass to interpolate environment variables, using the syntax ${VARNAME}
i.e.
# Set environment variables via mod_rewrite
RewriteEngine On
RewriteCond "%{HTTPS}" =off
RewriteRule "." "-" [E=protocol:http]
RewriteCond "%{HTTPS}" =on
RewriteRule "." "-" [E=protocol:https]
RewriteRule "^/mirror/foo/(.*)" "%{ENV:protocol}://backend.example.com/$1" [P]
noquery
Normally, mod_proxy will include the query string when generating the SCRIPT_FILENAME environment variable.
The optional noquery parameter prevents this.
Usage
The following 3 configurations are equivalent
ProxyPass "/example" "http://backend.example.com" connectiontimeout=5 timeout=30
Or
ProxySet "http://backend.example.com" connectiontimeout=5 timeout=30
Or
<Proxy "http://backend.example.com">
ProxySet connectiontimeout=5 timeout=30
</Proxy>
ProxyPassMatch
This directive is equivalent to ProxyPass but makes use of regular expressions instead of simple prefix matching.
ProxyPassMatch [regex] !|URL [key=value [key=value ...]]
i.e.
# Route to fcgi://
ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ fcgi://127.0.0.1:9013/var/www/clients/client2/web4/web/$1
# Route to the backend
ProxyPassMatch ^/(.*) https://backend/folder/$1
* When the URL parameter doesn't use any backreferences ($1, $2 ...) into the regular expression,
the original URL will be appended to the URL parameter
i.e.
datahunter.org/test/test.txt -> backend/folder/test/test.txt
# If you do not want the original URL appended:
ProxyPassMatch ^/.* https://backend/folder$1
* When used inside a <LocationMatch> section, the first argument is omitted and the regexp is obtained from the <LocationMatch>.
* If you require a more flexible reverse-proxy configuration, use RewriteRule directive with the [P] flag.
Sending only certain paths to the backend
ProxyPassMatch ^/favicon.ico$ https://backend/
ProxyPassMatch ^/.* https://backend/folder
Don't want to reverse-proxy a subdirectory
The ! directive is useful in situations where you don't want to reverse-proxy a subdirectory.
ProxyPassMatch [regex] !
i.e.
ProxyPassMatch ^/favicon.ico$ !
ProxyPassMatch ^/(.*) https://datahunter.org/FTC
touch /home/vhosts/datahunter.org/public_html/favicon.ico
Chunked Encode
Test
curl -XPOST -H "Transfer-Encoding: chunked" -d 'test' http://datahunter.org/debug.php
With Apache + php-fpm, the POSTed body arrives empty.
Fix 1: fall back to mod_php
Fix 2: proxy-sendcl
Uploading chunked data through mod_proxy_fcgi
"cl" for content length, apache v2.4.47
The apache will unchunk the request before forwarding it locally.
ensures maximum compatibility with upstream servers by always sending the Content-Length
SetEnv proxy-sendcl 1
proxy-sendchunked
minimizes resource usage by using chunked encoding.
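What proxy-sendcl makes the proxy do, shown as an added example (not the page's or Apache's code): decode the chunked request body and forward it with a Content-Length header instead, which is the form the FastCGI backend needs to see the POST data. The sample body is constructed to match the curl command in the test above.

```python
def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body into the raw payload.

    Wire format: <hex-size>[;ext] CRLF <data> CRLF ... 0 CRLF [trailers] CRLF
    Raises ValueError on a malformed or truncated stream.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError(f"bad chunk size {size_field!r}") from None
        pos = eol + 2
        if size == 0:
            return bytes(out)                  # last-chunk; trailers are ignored here
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += chunk
        pos += size + 2


def to_content_length(headers: dict, body: bytes) -> tuple:
    """Do what proxy-sendcl does: unchunk the body and send Content-Length instead."""
    if "chunked" not in headers.get("Transfer-Encoding", "").lower():
        return headers, body                   # nothing to rewrite
    payload = dechunk(body)
    new_headers = {k: v for k, v in headers.items() if k.lower() != "transfer-encoding"}
    new_headers["Content-Length"] = str(len(payload))
    return new_headers, payload


# Constructed sample: the request body curl sends for  -d 'test'  with
# "Transfer-Encoding: chunked", as in the test command above.
SAMPLE_HEADERS = {"Transfer-Encoding": "chunked",
                  "Content-Type": "application/x-www-form-urlencoded"}
SAMPLE_BODY = b"4\r\ntest\r\n0\r\n\r\n"

if __name__ == "__main__":
    h, b = to_content_length(SAMPLE_HEADERS, SAMPLE_BODY)
    print(h["Content-Length"], b)   # 4 b'test'
```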
mod_proxy_html
Module: mod_proxy_html
Default: Off
Function: fixing HTML links
filter will only act on HTML data (Content-Type text/html or application/xhtml+xml) and when the data are proxied.
Install
yum install mod_proxy_html # C7
Basic settings
- ProxyHTMLURLMap
- ProxyHTMLLinks
- ProxyHTMLBufSize
ProxyHTMLURLMap
Defines a rule to rewrite HTML links
ProxyHTMLURLMap from-pattern to-pattern [flags] [cond]
flags
^
Match at start only.
This applies only to string matching (not regexps) and is irrelevant to HTML links.
$
Match at end only.
This applies only to string matching (not regexps) and is irrelevant to HTML links.
R
Use Regular Expression matching-and-replace. from-pattern is a regexp,
and to-pattern a replacement string that may be based on the regexp.
i
Case-insensitive matching. Only applicable with R.
n
Disable regexp memory (for speed). Only applicable with R.
i.e.
ProxyHTMLURLMap https://www. https://www.
* The pattern must start from the very beginning of the URL, since matching behaves as if ^ were set
ProxyHTMLLinks
Specifies elements that have URL attributes that should be rewritten using standard ProxyHTMLURLMaps.
Normally you'll set this globally.
If you set ProxyHTMLLinks in more than one scope so that one overrides the other,
you'll need to specify a complete set in each of those scopes.
ProxyHTMLLinks element attribute [attribute2 ...]
proxy-html.conf
# Here's the declaration for W3C HTML 4.01 and XHTML 1.0
ProxyHTMLLinks a href
ProxyHTMLLinks area href
ProxyHTMLLinks link href
ProxyHTMLLinks img src longdesc usemap
ProxyHTMLLinks object classid codebase data usemap
ProxyHTMLLinks q cite
ProxyHTMLLinks blockquote cite
ProxyHTMLLinks ins cite
ProxyHTMLLinks del cite
ProxyHTMLLinks form action
ProxyHTMLLinks input src usemap
ProxyHTMLLinks head profile
ProxyHTMLLinks base href
ProxyHTMLLinks script src for
# To support scripting events (with ProxyHTMLExtended On),
# you'll need to declare them too.
ProxyHTMLEvents onclick ondblclick onmousedown onmouseup \
onmouseover onmousemove onmouseout onkeypress \
onkeydown onkeyup onfocus onblur onload \
onunload onsubmit onreset onselect onchange
ProxyHTMLBufSize
Default: 8192
It will be more efficient to set a larger buffer size and avoid the need to resize the buffer dynamically during a request.
Check the page size
curl https://datahunter.org/ > /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 10264 0 10264 0 0 33003 0 --:--:-- --:--:-- --:--:-- 32897
Other settings
ProxyHTMLExtended
Default: Off
Determines whether to fix links in inline scripts, stylesheets, and scripting events.
Debugging your Proxy Configuration
ProxyHTMLLogVerbose On
LogLevel Info
Other