Spring 引导 + Apache 反向代理：主机和端口的这种组合需要 TLS

Question

我有的：

• 我在私人注册表中有一个 Spring 启动应用程序作为 docker 映像
• 来自 Let's Encrypt 的 SSL 证书

我运行了这个命令：

• wget https://dl.eff.org/certbot-auto （获取 certbot）
• chmod a+x certbot-auto （使其成为 exec）
• ./certbot-auto （运行它）
• openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root （转换为 Z38008bootECF 兼容密钥 DD81C2F41D78E）

在我的 Spring 启动应用程序中，我将此条目添加到属性中：

security.require-ssl=true
server.ssl.key-store={key_store_location}
server.ssl.key-store-password={key_store_password}
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat

此时我可以通过以下方式访问我的应用程序： https://example.com:8080/并且证书有效。

然后我这样做：我的/etc/apache2/sites-enabled/000-default.conf文件如下所示：

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}


ServerAdmin webmaster@localhost
ServerName {domain}

SSLEngine on
SSLProxyEngine On
SSLProtocol All -SSLv2 -SSLv3 # Disable SSL versions with POODLE vulnerability

SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem

ProxyRequests Off
ProxyPreserveHost On
ProxyPass / https://localhost:8080/
ProxyPassReverse / https://localhost:8080/

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

在我启动 apache2 并打开https://example.com/我得到

Bad Request
This combination of host and port requires TLS.

但是，如果我输入https://example.com:80/一切正常。

所以我的问题是：我需要做什么才能摆脱端口并让https://example.com/工作？

谢谢你。

编辑：按照建议添加 443 后，问题仍然存在相同的错误。

完整的配置文件：

<VirtualHost *:80>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

        ServerAdmin webmaster@localhost
        ServerName example.com

        SSLEngine on
        SSLProxyEngine On
        SSLProtocol All -SSLv2 -SSLv3

        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem

        ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass / https://localhost:8080/
        ProxyPassReverse / https://localhost:8080/


        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

<VirtualHost *:443>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

        ServerAdmin webmaster@localhost
        ServerName example.com

        SSLEngine on
        SSLProxyEngine On
        SSLProtocol All -SSLv2 -SSLv3

        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem

        ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass / https://localhost:8080/
        ProxyPassReverse / https://localhost:8080/

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Answer 1

默认 Https 端口为 443。您能否为 443 创建 SSL VirtualHost 并在 VirtualHost 中添加所有条目并进行测试。

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Listen 443 https
<VirtualHost Apache-IP:443>
ServerAdmin webmaster@localhost
ServerName {domain}

SSLEngine on
SSLProxyEngine On
SSLProtocol All -SSLv2 -SSLv3 # Disable SSL versions with POODLE vulnerability

SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem

ProxyRequests Off
ProxyPreserveHost On
ProxyPass / https://localhost:8080/
ProxyPassReverse / https://localhost:8080/

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>