Apache OpenMeetings 4.0.4 CSRF attack when using apache2 as proxypass

Submitted by 狂风中的少年 on 2019-12-24 00:33:08

Question


I've got Apache OpenMeetings 4.0.4 with Apache/2.2.22 as proxy.

In OM's conf/red5.properties I've got

http.port=8080

I want to do two things:

  1. Redirect HTTP (80) -> HTTPS (443)

  2. Redirect HTTP (8080) to HTTPS (443)

My /etc/apache2/sites-available/default conf is:

<VirtualHost *:80>
    ServerName domain.test-test.eu
    ServerAlias domain.test-test.eu

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost *:8080>
    ServerName domain.test-test.eu
    ServerAlias domain.test-test.eu

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

My /etc/apache2/sites-available/default-ssl conf is:

<VirtualHost *:443>
    ServerName domain.test-test.eu
    ServerAlias domain.test-test.eu

    ProxyRequests Off
    ProxyPreserveHost On

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    SSLEngine On
    SSLCertificateFile /etc/apache2/certs/collaboration.crt
    SSLCertificateKeyFile /etc/apache2/certs/collaboration.key
    SSLCertificateChainFile /etc/apache2/certs/chain.pem
</VirtualHost>

When I type http://domain.test-test.eu/ it redirects me to https://domain.test-test.eu.

When I type http://192.168.XXX.YYY it redirects me to https://192.168.XXX.YYY

But when I type http://192.168.XXX.YYY:8080 or http://domain.test-test.eu:8080 it doesn't redirect me to https://192.168.XXX.YYY or https://domain.test-test.eu/. The page opens up (without HTTPS).

The second problem is that in OM's log I can see CSRF info and I can't log in through HTTPS.

Info from OM's log:

[http-nio-0.0.0.0-8080-exec-10] INFO o.a.w.p.h.CsrfPreventionRequestCycleListener - Possible CSRF attack, request URL: http://192.168.XXX.YYY/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage, Origin: https://192.168.XXX.YYY, action: aborted with error 400 Origin does not correspond to request

How should I change Apache settings to make it work?


Answer 1:


I'm afraid it would be impossible to set up "Redirect HTTP (8080) to HTTPS (443)"

In case you are running OpenMeetings on port 8080, you can't use it for Apache and vice versa. An internet port should be exclusively used by OM or Apache, not both.

I would close port 8080 on FW level to deny direct access to OM. (and please remove rule for <VirtualHost *:8080> otherwise OM will fail to start with Port already in use message)

Now according to CSRF:

You need to modify conf/jee-container.xml and add the following property

<property name="secure" value="true" />

To <!-- Tomcat without SSL enabled --> block right before <property name="connectionProperties">

This should fix your issue

BUT OpenMeetings will not work with this config ....

Cause you also need to proxy WebSockets ....

So you additionally need mod_rewrite and mod_proxy_wstunnel

then you need to add following section:

RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://localhost:8080/$1 [P,L]
RedirectMatch ^/$ https://domain.test-test.eu/openmeetings

Additionally you might want to perform tunneling for your RTMP traffic, this will require special rules for open, send, idle and close

below is final configuration for Apache 2.4:

<VirtualHost *:443>
  ServerName domain.test-test.eu

  ## Vhost docroot
  DocumentRoot "/var/www/"

  ## Directories, there should at least be a declaration for /var/www/

  <Directory "/var/www/">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
  </Directory>

  ## Logging
  ErrorLog "/var/log/apache2/domain.test-test.eu-ssl-error.log"
  ServerSignature Off
  CustomLog "/var/log/apache2/domain.test-test.eu.http_access.log" combined

  ## SSL directives
  SSLEngine on
  SSLCertificateFile      "/_certs_path_/domain.test-test.eu/fullchain.pem"
  SSLCertificateKeyFile   "/_certs_path_/domain.test-test.eu/privkey.pem"
  SSLCACertificatePath    "/_CA_certs_path_"

###      OpenMeetings    ###
## Custom fragment
RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://localhost:5080/$1 [P,L]
RedirectMatch ^/$ https://domain.test-test.eu/openmeetings
ProxyPreserveHost On

<Location /openmeetings>
  Require all granted
  ProxyPass http://localhost:5080/openmeetings
  ProxyPassReverse http://localhost:5080/openmeetings
  RewriteEngine On
  RewriteRule ^/(.*) http://localhost:5080/$1 [P]
</Location>
<Location /open>
  Require all granted
  ProxyPass http://localhost:5080/open
  ProxyPassReverse http://localhost:5080/open
</Location>
<Location /send>
  Require all granted
  ProxyPass http://localhost:5080/send
  ProxyPassReverse http://localhost:5080/send
</Location>
<Location /idle>
  Require all granted
  ProxyPass http://localhost:5080/idle
  ProxyPassReverse http://localhost:5080/idle
</Location>
<Location /close>
  Require all granted
  ProxyPass http://localhost:5080/close
  ProxyPassReverse http://localhost:5080/close
</Location>

</VirtualHost>

Works for me as expected :)
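To make the "Origin does not correspond to request" line from the question concrete, here is an added Python emulation (not OpenMeetings or Wicket code) of the comparison that Wicket's CsrfPreventionRequestCycleListener performs: the Origin (or Referer) header is compared by scheme, host and port against the request URL as the servlet container reconstructs it. With TLS terminated in Apache and a plain HTTP connector behind it, the container reports `http://…` while the browser sent `Origin: https://…`, so the sign-in POST is rejected; marking the connector `secure` (the `<property name="secure" value="true" />` step above) makes the container report `https://…` and the check passes. The example also shows why `ProxyPreserveHost On` matters, and that a genuine cross-site POST is still rejected after the fix. The host name `om.example.test`, the dataclass and all request samples are constructed for this example; the page itself only shows `192.168.XXX.YYY` and `domain.test-test.eu`.

```python
"""Emulation of Wicket's Origin-vs-request-URL check behind a TLS-terminating proxy.

Added illustration, not code from OpenMeetings or Apache Wicket. The host name,
the Request dataclass and all sample requests below are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

PUBLIC_HOST = "om.example.test"   # constructed stand-in for the public host name
LOGIN = "/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage"


@dataclass
class Request:
    """What the servlet container sees for one request after the reverse proxy."""
    host: str                 # Host header as received by Tomcat
    path: str
    connector_secure: bool    # is Tomcat's connector flagged secure=true?
    headers: dict = field(default_factory=dict)


def request_url(req: Request) -> str:
    # The container reports https only when its connector is marked secure;
    # a plain HTTP hop from Apache to Tomcat reports http even if the client used TLS.
    scheme = "https" if req.connector_secure else "http"
    return f"{scheme}://{req.host}{req.path}"


def _normalize(url: str):
    # Compare (scheme, host, effective port); default ports are filled in.
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.scheme, u.hostname, port)


def check_origin(req: Request) -> tuple:
    """Return (accepted, message), mirroring the scheme/host/port comparison."""
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None:
        # Assumed here, following Wicket's default: no Origin/Referer means allow.
        return True, "no Origin/Referer header: allowed"
    url = request_url(req)
    if _normalize(origin) != _normalize(url):
        return False, (f"Possible CSRF attack, request URL: {url}, Origin: {origin}, "
                       "action: aborted with error 400 Origin does not correspond to request")
    return True, "Origin matches request URL"


def scenarios() -> dict:
    """Constructed samples: the browser POSTs the sign-in form over HTTPS through Apache."""
    browser_origin = {"Origin": f"https://{PUBLIC_HOST}"}
    return {
        # The asker's setup: ProxyPreserveHost On, plain connector -> http vs https mismatch.
        "preserve_host_plain_connector": Request(PUBLIC_HOST, LOGIN, False, browser_origin),
        # Same, after adding <property name="secure" value="true"/> to jee-container.xml.
        "preserve_host_secure_connector": Request(PUBLIC_HOST, LOGIN, True, browser_origin),
        # Without ProxyPreserveHost, Tomcat sees the backend host and the check fails anyway.
        "backend_host_secure_connector": Request("localhost:8080", LOGIN, True, browser_origin),
        # A real cross-site POST is still rejected with the fixed configuration.
        "cross_site_post": Request(PUBLIC_HOST, LOGIN, True, {"Origin": "https://attacker.example"}),
    }


def evaluate() -> dict:
    """Map each scenario name to whether the request would be accepted."""
    return {name: check_origin(req)[0] for name, req in scenarios().items()}


if __name__ == "__main__":
    for name, req in scenarios().items():
        accepted, msg = check_origin(req)
        print(f"{name:32s} {'OK ' if accepted else 'REJ'}  {msg}")
```

Only `preserve_host_secure_connector` is accepted: the connector must report the scheme the browser actually used, and the Host header must be the public one, which is exactly the combination of `secure=true` and `ProxyPreserveHost On` in the answer above.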




Answer 2:


In 'default' file I have:

<VirtualHost *:80>
    ServerName domain.test-test.eu
    ServerAlias domain.test-test.eu

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

So when somebody types http://domain.test-test.eu it'll redirect to https://domain.test-test.eu

My 'default-ssl' file is almost exactly as yours (I'm using 8080/tcp for OM). And I'm using self-signed certificates for OM (for now they're not signed for CN=domain.test-test.eu but for CN=testname.eu - I'll change it after OM works).

Unfortunately this config doesn't work. I can see two black dots spinning around. May it be because of outdated browsers (FF has version 52.4.1 and Chromium 51.0.2704.79) or a wrong site certificate?




Answer 3:


The Apache config given by Maxim is working. Thank you Maxim!



Source: https://stackoverflow.com/questions/51721771/apache-openmeetings-4-0-4-csrf-attack-when-using-apache2-as-proxypass
