
redirect - HAProxy https on Openshift ends in a redirect loop on non-local gears

Reposted. Author: 太空宇宙. Updated: 2023-11-03 14:50:26

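I have a Tomcat 7 (JBoss EWS 2.0) application with an HAProxy web load balancer. When only one server is running, HTTPS works fine, but as soon as I add another server (by setting the minimum number of gears to 2), it goes wrong.

I checked the GEAR cookie when connecting: when it is the local gear, local-569aaabf0c1e661db1000004, the connection is established, but the 569aadaa89f5cff3c9000058-petrfox GEAR cookie causes trouble.

The problem is that every connection attempt that is redirected (by the load balancer) to the newly started gear ends in a 302 redirect loop (by accessing https://dftestapp-petrfox.rhcloud.com/ I get a 302 with the header Location: https://dftestapp-petrfox.rhcloud.com/ ).

You can try it on the link above: if the page loads, just delete the GEAR cookie and refresh, and this time you will most probably be redirected to the other gear.

The generated HAProxy configuration (haproxy.cfg) is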

#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
#log 127.0.0.1 local2

maxconn 256

# turn on stats unix socket
stats socket /var/lib/openshift/569aaabf0c1e661db1000004/haproxy//run/stats level admin

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
#option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 128

listen stats 127.7.244.3:8080
mode http
stats enable
stats uri /

listen express 127.7.244.2:8080

cookie GEAR insert indirect nocache
option httpchk GET /
http-check expect rstatus 2..|3..|401

balance leastconn
server gear-569aadaa89f5cff3c9000058-petrfox ex-std-node827.prod.rhcloud.com:56761 check fall 2 rise 3 inter 2000 cookie 569aadaa89f5cff3c9000058-petrfox
server local-gear 127.7.244.1:8080 check fall 2 rise 3 inter 2000 cookie local-569aaabf0c1e661db1000004

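I tried turning off forced https in my application (by removing <intercept-url pattern="/**" requires-channel="https"/> from applicationContext-security.xml), using only http, and it works. So I assume some more https configuration must be needed. But my question is: what do I need to configure, and where? I find it strange that it does not work with the generated configuration, since load balancing is the reason people choose Openshift and https is a must-have in some cases. I also find it strange that everything goes well when you are redirected to the local gear.

I have not found any resources that helped. Can you help me solve this?

Update: I don't know where the problem is, but it may be in the server's settings. Here is the configuration file server.xml (which I have never changed)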

<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="-1" shutdown="SHUTDOWN">
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>

<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">

<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->


<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector address="${OPENSHIFT_JBOSSEWS_IP}"
port="${OPENSHIFT_JBOSSEWS_HTTP_PORT}"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"/>

<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->

<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /-->


<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->

<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">

<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->

<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>

<Host name="localhost" appBase="webapps"
unpackWARs="false" autoDeploy="true">

<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->

<!-- RemoteIp valve, pass protocol header from proxy. -
http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
-->

<Valve
className="org.apache.catalina.valves.RemoteIpValve"
protocolHeader="x-forwarded-proto"
/>

<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<!--
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t &quot;%r&quot; %s %b" />
-->
</Host>
</Engine>
</Service>
</Server>

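Best answer

I had a similar problem with Too many redirects and a scalable Tomcat gear. You can try configuring your server.xml / web.xml as suggested by the technical FAQ for Tomcat: How do I redirect traffic to HTTPS .

Unfortunately, it did not work very well for me. If my application has only one gear, everything works fine: http traffic is redirected to https. However, when I turn on application scaling and a second gear starts, I get the Too many redirects error after every redeployment.

I was not able to solve this. I ended up using the default Tomcat configuration and redirecting insecure traffic to https in my application's controller (inspired by the technical FAQ for Node.js here ). Now everything works.

Regarding redirect - HAProxy https on Openshift ends in a redirect loop on non-local gears, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/34746798/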
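One way to do the application-level redirect the answer describes, written as a servlet filter for Tomcat 7 (Servlet 3.0). This is an added example, not code from the question or the answer; the class name is hypothetical, and it assumes the platform's front-end proxy sets X-Forwarded-Proto on every forwarded request, as the RemoteIpValve entry in the posted server.xml implies.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: decides from the header itself instead of request.isSecure(),
// so the decision is the same on whichever gear the request lands.
public class ForwardedProtoHttpsFilter implements Filter {

    // Assumption: the public host name from the question. A fixed value keeps the
    // client-controlled Host header out of the Location header (no open redirect).
    private static final String PUBLIC_HOST = "dftestapp-petrfox.rhcloud.com";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String proto = req.getHeader("X-Forwarded-Proto");

        // Redirect only when the proxy explicitly reports plain http. A request that
        // already arrived over https, or one with no header at all (such as the
        // HAProxy "httpchk GET /" probe), passes through, so no loop can form.
        if ("http".equalsIgnoreCase(proto)) {
            StringBuilder target = new StringBuilder("https://")
                    .append(PUBLIC_HOST)
                    .append(req.getRequestURI());
            if (req.getQueryString() != null) {
                target.append('?').append(req.getQueryString());
            }
            res.sendRedirect(target.toString()); // 302 to the https URL
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The header is only as trustworthy as the network path: if a gear's port can be reached without passing through the proxy, a client can set X-Forwarded-Proto itself, so keep the backend reachable only from the load balancer and treat this filter as a redirect convenience, not an access control.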
