如何使用 apache web 服务器反向代理到谷歌云运行服务？

Question

I have got some google cloud run service endpoints that are secured by HTTPS. I want to set up my apache webserver to reverse proxy into the services so that people using my defined URL get back the service response. I have tried to use mod_proxy and mod_rewrite to proxy the service endpoint but it gives me 500 internal server error. How can it be done? Worst case please share an nginx solution for this. Config I tried:

<VirtualHost *:80>
ServerName hello.world.com
ServerAlias hello.world.com
RewriteEngine On
RewriteRule ^ https://helloworld-zxtb3wfs2a-de.a.run.app [P]
</VirtualHost>

BTW the endpoint is a website and not just a simple JSON response. Though even JSON responses are not working for me either.

Answer 1

While rewriting the query back to the Cloud Run endpoint (*.run.app), you need to make sure you update Host header to match to that.run.app domain name as well. Otherwise, Cloud Run's frontend IP won't know where to send that.

Check this question this question on how to do this with mod_rewrite, and make sure you use ProxyPreserveHost Off .

Also since you're getting HTTP 500, make sure you check the application logs to see if there's something wrong with how the app handles this request.

Answer 2

I assume that you have already deployed your cloud run service with --ingress internal option, so that no one can access Cloud Run without the reverse proxy.

Follow the below steps to create a reverse proxy in front of the cloud run service. You can skip Steps 2 - 5 if you are not installing self-signed SSL and you have your own SSL configured

1. Launch a Ubuntu Compute Engine and install apache2
2. Install self-signed SSL using

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

3. Update the SSL conf by replacing the below two lines in /etc/apache2/sites-available/default-ssl.conf

SSLCertificateFile      /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

4. Enable necessary modules

sudo a2enmod ssl
sudo a2enmod headers
sudo a2ensite default-ssl

5. Check the config and restart the server, then check whether you can load the https URL https://your-server-public-ip

sudo apache2ctl configtest
sudo systemctl restart apache2

6. Update /etc/apache2/sites-available/000-default.conf with this content, Don't forget to replace the CLOUD-RUN-URL

<VirtualHost *:80>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyPreserveHost On
    ProxyPass / https://CLOUD-RUN-URL-as.a.run.app/
    ProxyPassReverse / https:///CLOUD-RUN-URL-as.a.run.app/
</VirtualHost>

7. Update /etc/apache2/sites-available/default-ssl.conf with this content, Don't forget to replace the CLOUD-RUN-URL

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLProxyEngine On
                ProxyPass / https://CLOUD-RUN-URL-as.a.run.app/
                ProxyPassReverse / https://CLOUD-RUN-URL-as.a.run.app/

                SSLCertificateFile      /etc/ssl/certs/apache-selfsigned.crt
                SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

        </VirtualHost>
</IfModule>

8. Enable few more modules

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_balancer
sudo a2enmod ssl

9. Check the config and restart the server

sudo apache2ctl configtest
sudo systemctl restart apache2

10. Now load the https URL https://your-server-public-ip again, this time you will get the response from cloud run