
Context

I need to put a Java application server (http port 8080, https 8181) behind IIS 7.5 (http port 80, https 443) on Windows Server 2008.

Steps

I used IIS ARR with the proxy module enabled, in order to route some requests to the Java application server. For that I also wrote some URL Rewrite rules. With http, everything works fine.

The rule used says that when the requested URL matches the pattern (MyAppContextRoot.+), the action to take is Rewrite: http://localhost:8080/{R:0}

For another application that uses https, the rewrite rule is: https://localhost:8181/{R:0}

To route https requests, I read somewhere that I need to share the same certificate between IIS and Java, because IIS encrypts/decrypts the requests/answers. Please correct me if I'm wrong.

Since I'm still in development, I decided to share a self-signed certificate. I created it with SelfSSL7 and imported it into the Java keystore with keytool:

selfSSL7 /Q /T /I "Default web site" /N cn=myDomain.com /X /F MyCertificate.pfx /W myPassword

keytool -importkeystore -srckeystore C:\myPath\MyCertificate.pfx -srcstoretype pkcs12 -srcalias my -deststoretype jks -deststorepass myPassword -destalias MyAlias

Problem

Both certificates do their job: https://myDomain.com and https://myDomain.com:8181 are up and running, but when trying to route, I get the error:

502 - Web server received an invalid response while acting as a gateway or proxy server.

There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.

However, looking at the certificates, there are differences in: issued to, issuer, validity, signature algorithm, key size. In particular, the one created by SelfSSL7 uses sha1RSA (1024-bit key), and the one created by keytool uses sha256RSA (2048-bit key).


1 Answer


It sounds like what you're trying to do is a reverse proxy setup, not a redirection to the Java server, in which case the Java server should never be accessed directly, but only via IIS. It would therefore be "invisible" to the client (so you shouldn't even see a different URL with a different port). It sounds like your rewrite rules are just redirections (not reverse proxy rewrite rules).

  • If you don't need the connection between IIS and your Java container to be protected with SSL/TLS (only the connection from external clients to IIS), you don't need to configure the Java container for SSL/TLS. IIS will be a client for your Java container, using plain HTTP.

  • If you want the connection between IIS and your Java container to be protected with SSL/TLS, you'll need the certificate to be valid for the host where the Java container is hosted, as seen by IIS. This is unlikely to be the same certificate as the one used on IIS, since the one used by IIS is a public facing certificate, whereas the one for the Java container would only be for internal use (you could probably use a self-signed certificate or your own CA, depending on what the IIS reverse proxy module can be configured to accept).

answered 2012-05-31T21:50:15.953
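As an added example (not from the question or the answer above), this is what the first option in the answer looks like as a true reverse-proxy rewrite rule in the IIS site's web.config, with the second option (TLS between IIS and the Java container) shown as a commented-out variant. The `MyAppContextRoot` path and the ports 8080/8181 come from the question; the rule names, the `MyOtherApp` path, and the `X-Forwarded-Proto` variable are assumptions for illustration. It assumes URL Rewrite 2.0 and ARR are installed and that the proxy is enabled server-wide (`<system.webServer><proxy enabled="true" /></system.webServer>` in applicationHost.config).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.config of the site IIS exposes on 80/443 ("Default Web Site").
     Added example; assumes URL Rewrite 2.0 + ARR with the proxy enabled
     in applicationHost.config (system.webServer/proxy, enabled="true"). -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Option 1: IIS terminates TLS for the client and talks plain
             HTTP to the Java container. No certificate is needed on 8080. -->
        <rule name="ReverseProxyToJavaHttp" stopProcessing="true">
          <!-- Anchor the pattern: an unanchored "MyAppContextRoot.+" would
               also match /foo/MyAppContextRoot/... deeper in the path. -->
          <match url="^MyAppContextRoot/(.*)" />
          <!-- Rewrite, not Redirect: the client keeps seeing
               https://myDomain.com/MyAppContextRoot/... and never port 8080. -->
          <action type="Rewrite" url="http://localhost:8080/MyAppContextRoot/{R:1}" />
          <serverVariables>
            <!-- Tell the backend the original scheme so it builds absolute
                 URLs and secure cookies correctly. The variable must be
                 listed under allowedServerVariables in applicationHost.config
                 (assumed here). -->
            <set name="HTTP_X_FORWARDED_PROTO" value="https" />
          </serverVariables>
        </rule>

        <!-- Option 2: keep TLS between IIS and the Java container. IIS is now
             the TLS client, so the certificate served on 8181 must be valid
             for "localhost" (the host in the rewrite URL) and chain to an
             issuer in the server's Trusted Root store. A copy of the
             public-facing cn=myDomain.com certificate does not satisfy
             hostname validation for "localhost". -->
        <!--
        <rule name="ReverseProxyToJavaHttps" stopProcessing="true">
          <match url="^MyOtherApp/(.*)" />
          <action type="Rewrite" url="https://localhost:8181/MyOtherApp/{R:1}" />
        </rule>
        -->
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

With option 1 the only TLS endpoint the outside world sees is IIS on 443, so the Java container's 8181 listener can be left disabled, or bound to the loopback address only, so that nothing reaches the container except through the proxy. With option 2, generate the backend certificate for the name IIS actually connects to (`localhost` in the rule above) rather than reusing the public certificate, and trust its issuer on the IIS host; otherwise ARR's certificate check fails the backend connection.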