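Configuring a reverse proxy server for use with the GoCD server

It is sometimes useful to put a proxy server in front of GoCD. This section gives some tips and examples on how to do that.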

GoCD with Apache

The following example shows how to configure GoCD with Apache.

Assumptions:

  • You have the Apache mod_proxy module installed
  • The Apache server is on the same machine as the GoCD server (localhost)

Listen nnn.nnn.nnn.nnn:80
NameVirtualHost nnn.nnn.nnn.nnn:80

<VirtualHost nnn.nnn.nnn.nnn:80>
  ServerName go.yourdomain.com
  DocumentRoot /var/www/html

  <IfVersion >= 2.4>
    ProxyPass         /  ws://localhost:8153/
    ProxyPassReverse  /  ws://localhost:8153/
  </IfVersion>

  <IfVersion < 2.4>
    ProxyPass         /  http://localhost:8153/
    ProxyPassReverse  /  http://localhost:8153/
  </IfVersion>

  ProxyPreserveHost On
</VirtualHost>

If you are also using SSL (highly recommended), you can use the following snippet:

Listen nnn.nnn.nnn.nnn:80
NameVirtualHost nnn.nnn.nnn.nnn:80

<VirtualHost nnn.nnn.nnn.nnn:80>
  ServerName gocd.example.com

  # Redirect any http requests to https
  RewriteEngine On
  RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [R=permanent,L]
</VirtualHost>

<VirtualHost nnn.nnn.nnn.nnn:443>
  ServerName gocd.example.com

  # Proxy everything over to the GoCD server
  ProxyPass         /  http://localhost:8153/
  ProxyPassReverse  /  http://localhost:8153/
  ProxyPreserveHost On
  RequestHeader set X-Forwarded-Proto "https"

  <Location />
    Order allow,deny
    Allow from all
  </Location>

  # SSL configuration
  SSLEngine on

  SSLCertificateFile /etc/pki/tls/certs/gocd.example.com.pem
  SSLCertificateKeyFile /etc/pki/tls/private/gocd.example.com.key
  SSLCertificateChainFile /etc/pki/tls/certs/gocd.example.com.pem.chained.pem
</VirtualHost>

GoCD with NGINX

server {
  # Redirect any http requests to https
  listen         80;
  server_name    gocd.example.com;
  return 301     https://gocd.example.com$request_uri;
}

map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

server {
  listen                    443 ssl;
  server_name               gocd.example.com;

  ssl_certificate           /etc/pki/tls/certs/gocd.example.com.chained.pem;
  ssl_certificate_key       /etc/pki/tls/private/gocd.example.com.key;

  # Proxy everything over to the GoCD server
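  location / {
    # GoCD server on the same machine, as in the Apache examples above
    proxy_pass              http://localhost:8153/;
    proxy_set_header        Host            $host;
    proxy_set_header        X-Real-IP       $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    # HTTP/1.1 plus the Upgrade/Connection headers let WebSocket upgrades through
    proxy_http_version      1.1;
    proxy_set_header        Upgrade $http_upgrade;
    proxy_set_header        Connection $connection_upgrade;
  }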
}
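
To catch a location block that proxies nothing or drops the forwarding headers before a config is deployed, the following linter walks an NGINX config and reports server blocks that lack the HTTPS redirect, `proxy_pass`, or the headers set in the NGINX example. It is an added example, not part of GoCD or its documentation; the names `parse`, `audit` and `SAMPLE` are made up for illustration, and the tokenizer assumes no `#`, braces or spaces inside quoted values.

```python
import re

# Headers the page's NGINX example forwards from "location /".
REQUIRED_HEADERS = {"Host", "X-Forwarded-Proto", "Upgrade", "Connection"}

def parse(text):
    """nginx config text -> list of (words, children-or-None) nodes."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", text))
    def block(i):
        nodes, words = [], []
        while i < len(tokens) and tokens[i] != "}":
            tok, i = tokens[i], i + 1
            if tok in ("{", ";"):
                kids, i = block(i) if tok == "{" else (None, i)
                nodes.append((words, kids)); words = []
            else:
                words.append(tok)
        return nodes, i + 1  # step past the closing brace
    return block(0)[0]

def audit(text):
    """Findings for each server block, judged against the page's NGINX example."""
    findings = []
    for words, body in parse(text):
        if words != ["server"] or body is None:
            continue
        if not any(w[:1] == ["listen"] and "ssl" in w for w, _ in body):
            # Plain-HTTP server: its only job is the redirect to https.
            if not any(w[:1] == ["return"] and w[-1].startswith("https://") for w, _ in body):
                findings.append("plain-HTTP server does not redirect to https")
            continue
        for w, loc in body:
            if w[:1] == ["location"] and loc is not None:
                d = [x for x, _ in loc]
                if not any(x[:1] == ["proxy_pass"] for x in d):
                    findings.append(f"location {w[-1]}: no proxy_pass")
                sent = {x[1] for x in d if x[:1] == ["proxy_set_header"] and len(x) > 2}
                findings += [f"location {w[-1]}: {h} not forwarded"
                             for h in sorted(REQUIRED_HEADERS - sent)]
    return findings

# Constructed sample: no redirect, no proxy_pass, three headers missing.
SAMPLE = """
server { listen 80; server_name gocd.example.com; }
server {
  listen 443 ssl;
  location / { proxy_set_header Host $host; }
}
"""
```

Calling `audit(SAMPLE)` returns one finding per missing piece; an empty list means the config carries every directive the check looks for.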

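Agents and reverse proxies

The GoCD server requires agents to connect to it directly, with no reverse proxy performing SSL termination in between. This is because GoCD agent-server communication uses SSL/TLS client certificates for authentication; a reverse proxy in that path would be interpreted as a man-in-the-middle (MITM) attack, and agents would be unable to connect to the server.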
