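Using httpd as an HTTP reverse proxy in front of a backend Tomcat server
httpd also provides reverse proxy functionality and can act as the reverse proxy for Tomcat.
Example: list the proxy-related modules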
[root@centos8 ~]#httpd -M|grep proxy
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using centos8.localdomain. Set the 'ServerName' directive globally to suppress this message
proxy_module (shared)
proxy_ajp_module (shared)
proxy_balancer_module (shared)
proxy_connect_module (shared)
proxy_express_module (shared)
proxy_fcgi_module (shared)
proxy_fdpass_module (shared)
proxy_ftp_module (shared)
proxy_http_module (shared)
proxy_hcheck_module (shared)
proxy_scgi_module (shared)
proxy_uwsgi_module (shared)
proxy_wstunnel_module (shared)
proxy_http2_module (shared)
Proxy configuration with proxy_http_module
vim /etc/httpd/conf.d/http-tomcat.conf
<VirtualHost *:80>
ServerName node1.magedu.com
ProxyRequests Off
ProxyVia On
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
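- ProxyRequests: Off disables forward proxying
- ProxyPass: the reverse proxy directive
- ProxyPassReverse: keeps the proxied response headers as they are, without rewriting them (with a few exceptions)
- ProxyPreserveHost: when On, the reverse proxy keeps the Host header of the original request when forwarding to the backend server; when Off, it drops that Host header when forwarding
- ProxyVia: On enables it. Adds a Via header to the response for proxied requests; the default is Off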
http://<httpd server IP>/
http://node1.magedu.com/
http://node1.magedu.com/index.jsp
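The three URLs above return different pages, which shows that ProxyPreserveHost On is taking effect.
Set ProxyPreserveHost Off and check again: what does the result show?
Example:
#Create a page file for each virtual host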
[root@centos8 ~]#echo /usr/local/tomcat/webapps/ROOT/test.html > /usr/local/tomcat/webapps/ROOT/test.html
[root@centos8 ~]#echo /data/node1/ROOT/test.html > /data/node1/ROOT/test.html
[root@centos8 ~]#echo /data/node2/ROOT/test.html > /data/node2/ROOT/test.html
#Edit the httpd configuration
[root@centos8 ~]#vim /etc/httpd/conf.d/tomcat.conf
[root@centos8 ~]#cat /etc/httpd/conf.d/tomcat.conf
<VirtualHost *:80>
ServerName node1.magedu.org
ProxyRequests Off
ProxyVia On
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
[root@centos8 ~]#systemctl restart httpd
#Access the different URLs below; each returns a different result
[root@centos8 ~]#curl http://node1.magedu.org/test.html
/data/node1/ROOT/test.html
[root@centos8 ~]#curl http://node2.magedu.org/test.html
/data/node2/ROOT/test.html
[root@centos8 ~]#curl http://127.0.0.1/test.html
/usr/local/tomcat/webapps/ROOT/test.html
[root@centos8 ~]#curl http://10.0.0.8/test.html
/usr/local/tomcat/webapps/ROOT/test.html
#Change the configuration
[root@centos8 ~]#vim /etc/httpd/conf.d/tomcat.conf
#Change only the following line
ProxyPreserveHost Off
[root@centos8 ~]#systemctl restart httpd
#Access the different URLs below again; they now all return the same result
[root@centos8 ~]#curl http://node1.magedu.org/test.html
/usr/local/tomcat/webapps/ROOT/test.html
[root@centos8 ~]#curl http://node2.magedu.org/test.html
/usr/local/tomcat/webapps/ROOT/test.html
[root@centos8 ~]#curl http://10.0.0.8/test.html
/usr/local/tomcat/webapps/ROOT/test.html
[root@centos8 ~]#curl http://127.0.0.1/test.html
/usr/local/tomcat/webapps/ROOT/test.html
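The curl results above can be predicted from the two configuration files. The following is an added example, not code from the original page: with an http:// backend and ProxyPreserveHost Off, httpd sends the ProxyPass target (127.0.0.1:8080) as the Host header, so Tomcat matches no named virtual host and falls back to its defaultHost. The server.xml fragment and the function names are assumptions; the Host entries are inferred from the test file paths used on this page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs: the httpd vhost mirrors the page's tomcat.conf; the
# server.xml fragment is an assumption inferred from the page's test paths.
HTTPD_CONF = """
<VirtualHost *:80>
ServerName node1.magedu.org
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
</VirtualHost>
"""
SERVER_XML = """
<Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="/usr/local/tomcat/webapps"/>
  <Host name="node1.magedu.org" appBase="/data/node1"/>
  <Host name="node2.magedu.org" appBase="/data/node2"/>
</Engine>
"""

def backend_host_header(conf, client_host):
    """Host value httpd hands to Tomcat for a request that carried client_host."""
    preserve = re.search(r"^\s*ProxyPreserveHost\s+(\S+)", conf, re.M | re.I)
    target = re.search(r"^\s*ProxyPass\s+\S+\s+(\w+)://([^/\s]+)", conf, re.M | re.I)
    scheme, authority = target.group(1).lower(), target.group(2)
    preserve_on = bool(preserve) and preserve.group(1).lower() == "on"
    # As the page observes, an ajp:// backend receives the client's Host either way.
    if preserve_on or scheme == "ajp":
        return client_host
    # http:// backend with the directive Off (the default): Host is the ProxyPass target.
    return authority

def tomcat_docroot(server_xml, host_header):
    """appBase of the Tomcat <Host> selected for this Host header (port ignored)."""
    engine = ET.fromstring(server_xml)
    name = host_header.split(":")[0].lower()
    hosts = {h.get("name").lower(): h.get("appBase") for h in engine.iter("Host")}
    return hosts.get(name, hosts[engine.get("defaultHost")])

def served_from(conf, server_xml, client_host):
    """Directory that answers a request sent through the proxy with client_host."""
    return tomcat_docroot(server_xml, backend_host_header(conf, client_host)) + "/ROOT"
```
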
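Implementing the AJP protocol
AJP (Apache JServ Protocol) is a packet-oriented protocol, a binary protocol carried over TCP. Compared with a plain-text protocol such as HTTP it is more efficient and performs better, and it includes many optimizations. Browsers, however, do not support AJP13 directly; they only support HTTP. In practice, therefore, Apache's proxy_ajp module acts as the reverse proxy and exposes the backend to clients over HTTP.
Proxy configuration with proxy_ajp_module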
<VirtualHost *:80>
ServerName node1.magedu.com
ProxyRequests Off
ProxyVia On
ProxyPreserveHost On
ProxyPass / ajp://127.0.0.1:8009/
</VirtualHost>
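Checking Server Status shows that an AJP connection is indeed in use.
Relatively speaking, AJP, being binary, is somewhat more efficient than a connector that uses HTTP.
Example: enabling httpd's AJP reverse proxy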
[root@centos8 ~]#vim /etc/httpd/conf.d/tomcat.conf
[root@centos8 ~]#cat /etc/httpd/conf.d/tomcat.conf
<VirtualHost *:80>
ServerName node1.magedu.com
ProxyRequests Off
ProxyVia On
ProxyPreserveHost On
ProxyPass / ajp://127.0.0.1:8009/
</VirtualHost>
[root@centos8 ~]#systemctl restart httpd
#Access the different URLs below again; the results are as follows
[root@centos8 ~]#curl http://node1.magedu.org/test.html
/data/node1/ROOT/test.html
[root@centos8 ~]#curl http://node2.magedu.org/test.html
/data/node2/ROOT/test.html
[root@centos8 ~]#curl http://10.0.0.8/test.html
/usr/local/tomcat/webapps/ROOT/test.html
[root@centos8 ~]#curl http://127.0.0.1/test.html
/usr/local/tomcat/webapps/ROOT/test.html
[root@centos8 ~]#vim /etc/httpd/conf.d/tomcat.conf
#Change only the following line, to stop forwarding the request's Host header to the backend
ProxyPreserveHost Off
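#Access the different URLs below again; the results are the same as above, which shows that AJP, unlike HTTP, automatically forwards all header information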
[root@centos8 ~]#curl http://node1.magedu.org/test.html
/data/node1/ROOT/test.html
[root@centos8 ~]#curl http://node2.magedu.org/test.html
/data/node2/ROOT/test.html
[root@centos8 ~]#curl http://10.0.0.8/test.html
/usr/local/tomcat/webapps/ROOT/test.html
[root@centos8 ~]#curl http://127.0.0.1/test.html
/usr/local/tomcat/webapps/ROOT/test.html
The AJP information below can be seen on the status page
#Block access to AJP with iptables
[root@centos8 ~]#iptables -A INPUT -p tcp --dport 8009 -j REJECT
[root@centos8 ~]#curl http://node1.magedu.org/test.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Unavailable</title>
</head><body>
<h1>Service Unavailable</h1>
<p>The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.</p>
</body></html>
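Apart from httpd, very few servers support AJP proxying; Nginx, for example, does not support AJP. For this reason the AJP port is now generally disabled.
Example: disabling AJP
#AJP is enabled by default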
[root@centos8 ~]#ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 *:8080 *:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 1 [::ffff:127.0.0.1]:8005 *:*
LISTEN 0 100 *:8009 *:*
#Edit the Tomcat configuration file and delete the line below
[root@centos8 ~]#vim /usr/local/tomcat/conf/server.xml
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
[root@centos8 ~]#systemctl restart tomcat
[root@centos8 ~]#ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 *:8080 *:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 1 [::ffff:127.0.0.1]:8005 *:*
Article link: https://www.yunweipai.com/35154.html