我正尝试按照这篇文章 Celery Flower Security in Production 中的概述为 apache2 后面的花设置一个反向代理.
来自 flower 的 HTTPS 页面加载通过代理工作得很好,但它打开的用于更新仪表板的 websocket 却没有——ssl 握手失败并且没有返回任何响应。我在 ubuntu 12.04 上使用 apache2 2.2.22 并且我通过一个常用的补丁添加了 mod_proxy_wstunnel 以隧道 websocket 连接。我在 127.0.0.1:5555 上通过 supervisord 运行 flower。
这是我的 apache.conf 的相关部分
SSLProxyEngine On
SSLProxyVerify none
ProxyRequests Off
ProxyPass /update-dashboard wss://127.0.0.1:5555/update-dashboard
ProxyPassReverse /update-dashboard wss://127.0.0.1:5555/update-dashboard
ProxyPass / http://127.0.0.1:5555/
ProxyPassReverse / http://127.0.0.1:5555/
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
这是最终超时后的请求
"GET /update-dashboard HTTP/1.1"
500 419 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
这是 apache2 错误日志的输出
[Fri Jun 12 16:44:28 2015] [info] Initial (No.1) HTTPS request received for child 195 (server demoflower.eatthismuch.com:80)
[Fri Jun 12 16:44:28 2015] [debug] mod_proxy_wstunnel.c(377): [client 71.189.228.118] canonicalising URL //127.0.0.1:5555/update-dashboard
[Fri Jun 12 16:44:28 2015] [debug] proxy_util.c(1509): [client 71.189.228.118] proxy: wss: found worker wss://127.0.0.1:5555/update-dashboard for wss://127.0.0.1:5555/update-dashboard
[Fri Jun 12 16:44:28 2015] [debug] mod_proxy.c(1020): Running scheme wss handler (attempt 0)
[Fri Jun 12 16:44:28 2015] [debug] mod_proxy_http.c(1978): proxy: HTTP: declining URL wss://127.0.0.1:5555/update-dashboard
[Fri Jun 12 16:44:28 2015] [debug] mod_proxy_wstunnel.c(659): [client 71.189.228.118] AH02451: serving URL wss://127.0.0.1:5555/update-dashboard
[Fri Jun 12 16:44:28 2015] [debug] proxy_util.c(2014): proxy: WSS: has acquired connection for (127.0.0.1)
[Fri Jun 12 16:44:28 2015] [debug] proxy_util.c(2070): proxy: connecting wss://127.0.0.1:5555/update-dashboard to 127.0.0.1:5555
[Fri Jun 12 16:44:28 2015] [debug] proxy_util.c(2196): proxy: connected /update-dashboard to 127.0.0.1:5555
[Fri Jun 12 16:44:28 2015] [debug] proxy_util.c(2447): proxy: WSS: fam 2 socket created to connect to 127.0.0.1
[Fri Jun 12 16:44:28 2015] [debug] proxy_util.c(2579): proxy: WSS: connection complete to 127.0.0.1:5555 (127.0.0.1)
[Fri Jun 12 16:44:28 2015] [info] [client 127.0.0.1] Connection to child 0 established (server demoflower.eatthismuch.com:80)
[Fri Jun 12 16:44:28 2015] [info] Seeding PRNG with 656 bytes of entropy
[Fri Jun 12 16:44:28 2015] [debug] mod_proxy_wstunnel.c(518): [client 71.189.228.118] sending request
[Fri Jun 12 16:44:28 2015] [debug] ssl_engine_kernel.c(1819): OpenSSL: Handshake: start
[Fri Jun 12 16:44:28 2015] [debug] ssl_engine_kernel.c(1827): OpenSSL: Loop: before/connect initialization
[Fri Jun 12 16:44:28 2015] [debug] ssl_engine_kernel.c(1827): OpenSSL: Loop: unknown state
[Fri Jun 12 16:44:32 2015] [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f0b6c001650 [mem: 7f0b68006f83]
[Fri Jun 12 16:44:32 2015] [debug] ssl_engine_kernel.c(1837): OpenSSL: Write: SSL negotiation finished successfully
[Fri Jun 12 16:44:32 2015] [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f0b60001650 [mem: 7f0b60006f83]
[Fri Jun 12 16:44:32 2015] [debug] ssl_engine_kernel.c(1837): OpenSSL: Write: SSL negotiation finished successfully
[Fri Jun 12 13:44:32 2015] [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f0b70001650 [mem: 7f0b70006f83]
[Fri Jun 12 13:44:32 2015] [debug] ssl_engine_kernel.c(1837): OpenSSL: Write: SSL negotiation finished successfully
[Fri Jun 12 16:44:32 2015] [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f0b6c001650 [mem: 7f0b70006f83]
[Fri Jun 12 16:44:32 2015] [debug] ssl_engine_kernel.c(1837): OpenSSL: Write: SSL negotiation finished successfully
[Fri Jun 12 16:44:32 2015] [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f0b60001650 [mem: 7f0b70006f83]
[Fri Jun 12 16:44:32 2015] [debug] ssl_engine_kernel.c(1837): OpenSSL: Write: SSL negotiation finished successfully
[Fri Jun 12 16:44:32 2015] [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f0b64001650 [mem: 7f0b70006f83]
[Fri Jun 12 16:44:32 2015] [debug] ssl_engine_kernel.c(1837): OpenSSL: Write: SSL negotiation finished successfully
任何想法可能出了什么问题?我尝试了很多不同的 apache2 设置都无济于事。感谢阅读!
最佳答案
我有一个类似的 apache 配置文件,但它无法正常工作,我看到了 OpenSSL error 5 bytes expected 消息。
我添加了以下内容:
ProxyPreserveHost On
现在应用程序可以正常工作了。 我仍然看到 OpenSSL 错误,但这似乎不是问题。
请注意,下降的 http URL 只是 mod_proxy 的正常操作,以指定的顺序尝试所有较低级别的代理模块,直到找到匹配的模块。
此外,我使用 ws: 协议(protocol)而不是 ws: 与 Tomcat 8 后端通信。
关于apache - 具有 apache2 反向代理 ssl 握手的 celery 花对于 websocket 失败,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/30812023/