JIRA, third-party SSL, redirects on CentOS

Time: 2016-07-16 23:55:25

Tags: tomcat ssl jira

I have the following situation:

  1. JIRA is installed on a VPS (CentOS 5)
  2. I can access jira via http://www.example.com:8080
  3. A third-party SSL certificate is installed on https://www.example.com
  4. Subdomain http://jira.example.com

What I want to do is the following:

  a. Redirect all http to https
  b. Have JIRA (8080) work over https
  c. Redirect jira.example.com to https://www.example.com:8080

Although I followed Atlassian's guide, I can achieve (a) but fail at (b) and (c).

Here is the connector code in server.xml:

    <Connector port="8080"
               maxThreads="150"
               minSpareThreads="25"
               connectionTimeout="20000"

               enableLookups="false"
               maxHttpHeaderSize="8192"
               protocol="HTTP/1.1"
               useBodyEncodingForURI="true"
               redirectPort="8443"
               acceptCount="100"
               disableUploadTimeout="true"

               scheme="https"
               proxyName="jira.example.com"
               proxyPort="443"
               secure="true"
               />


What I haven't figured out yet is how to configure the virtual host. Do I need a VH on port 443, or on 80 (for jira.example.com)?

I have read Atlassian's guide on how to use SSL, but that guide generates a CSR and then obtains the SSL certificate. I already have my SSL certificate, so how do I use it? I don't have the required files shown in the guide.

Here is my VH code (taken from the jira docs):

    <VirtualHost *:443>
       ServerName jira.example.com
    
       ProxyRequests Off
       ProxyVia Block
       ProxyPreserveHost On
    
       <Proxy *>
            Require all granted
       </Proxy>
    
       ProxyPass / https://www.example.com:8080/     <--- If https works
       ProxyPassReverse / https://www.example.com:8080/
    </VirtualHost>
    

Any ideas? Thanks

1 answer:

Answer 0: (score: 0)

Since you already have Apache working as a reverse proxy, you should use it to proxy all requests to Jira and let it handle SSL/TLS. For that, you have to check which domains are included in your certificate:

a) Your certificate includes jira.example.com in the SAN field. In that case your configuration looks like this:

server.xml:

<Connector port="8080"

           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"

           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="8443"
           acceptCount="100"
           disableUploadTimeout="true"

           scheme="https" 
           proxyName="jira.example.com" 
           proxyPort="443"

/>

vhost.conf:

<VirtualHost *:80>
    ServerName jira.example.com
    DocumentRoot /var/www/jira/htdocs
    RewriteEngine On
    # strip Proxy header to mitigate CGI vuln (https://httpoxy.org)
    RequestHeader unset Proxy
    RewriteRule /(.*) https://jira.example.com/$1 [R=permanent,L,NC,NE]

    CustomLog /var/www/jira/logs/access.log combined
    ErrorLog /var/www/jira/logs/error.log
</VirtualHost>

<VirtualHost *:443>
    SSLEngine On
    SSLCompression off
    SSLHonorCipherOrder On
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

    SSLCertificateFile /etc/apache2/ssl/jira.example.com.crt.pem
    SSLCertificateKeyFile /etc/apache2/ssl/jira.example.com.key.pem
    SSLCertificateChainFile /etc/apache2/ssl/jira.example.com.crt_intermediate.pem


    ServerName jira.example.com
    DocumentRoot /var/www/jira/htdocs

    Header always set Strict-Transport-Security "max-age=31536000"
    # strip Proxy header to mitigate CGI vuln (https://httpoxy.org)
    RequestHeader unset Proxy

    RewriteEngine On

    RewriteCond %{HTTP_HOST} !^jira.example.com$
    RewriteRule ^/(.*)$ https://jira.example.com/$1 [R=permanent,L,NC,NE]

    CustomLog /var/www/jira/logs/access.log combined
    ErrorLog /var/www/jira/logs/error.log

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>

This proxies all requests through Apache and forwards them to Jira when jira.example.com is accessed. When jira.example.com is accessed over plain http, it also redirects you to https.

b) Your certificate only includes www.example.com. In that case you have to access jira via e.g. www.example.com/jira

server.xml:

<Connector port="8080"

           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"

           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="8443"
           acceptCount="100"
           disableUploadTimeout="true"

           scheme="https" 
           proxyName="www.example.com" 
           proxyPort="443"

/>

[...]

<Context path="/jira" docBase="../jira" debug="0" reloadable="false" useHttpOnly="true">

This last part is very important so that Jira generates correct links.

vhost.conf:

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/jira/htdocs
    RewriteEngine On
    # strip Proxy header to mitigate CGI vuln (https://httpoxy.org)
    RequestHeader unset Proxy
    RewriteRule /(.*) https://www.example.com/$1 [R=permanent,L,NC,NE]

    CustomLog /var/www/jira/logs/access.log combined
    ErrorLog /var/www/jira/logs/error.log
</VirtualHost>

<VirtualHost *:443>
    SSLEngine On
    SSLCompression off
    SSLHonorCipherOrder On
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

    SSLCertificateFile /etc/apache2/ssl/www.example.com.crt.pem
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key.pem
    SSLCertificateChainFile /etc/apache2/ssl/www.example.com.crt_intermediate.pem


    ServerName www.example.com
    DocumentRoot /var/www/jira/htdocs

    Header always set Strict-Transport-Security "max-age=31536000"
    # strip Proxy header to mitigate CGI vuln (https://httpoxy.org)
    RequestHeader unset Proxy

    RewriteEngine On

    RewriteCond %{HTTP_HOST} !^www.example.com$
    RewriteRule ^/(.*)$ https://www.example.com/$1 [R=permanent,L,NC,NE]

    CustomLog /var/www/jira/logs/access.log combined
    ErrorLog /var/www/jira/logs/error.log

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /jira http://127.0.0.1:8080/jira
    ProxyPassReverse /jira http://127.0.0.1:8080/jira
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>

The advantage of this setup is that you don't need to configure the certificate in Jira; instead you can do all SSL handling in Apache.
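The answer's decision between layout (a) and (b) depends on which names the certificate actually covers. The following is an added example (not code from the question or the answer) that inspects a certificate in the dict form Python's `ssl` module returns from `getpeercert()`, handles wildcard names, and picks the layout; the sample certificate dict and the function names are constructed for this illustration.

```python
"""Pick answer layout (a) or (b) from the names a certificate covers.
Certificates are handled in the dict form ssl.SSLSocket.getpeercert() returns."""
import socket
import ssl


def cert_names(cert):
    """Collect every DNS name the certificate is valid for: CN plus SAN DNS entries."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def covers(cert, hostname):
    """True if a listed name matches hostname; a wildcard matches exactly one label."""
    host = hostname.lower()
    for name in cert_names(cert):
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def choose_layout(cert, jira_host="jira.example.com", www_host="www.example.com"):
    """'a': dedicated jira_host vhost with ProxyPass /; 'b': /jira context under www_host."""
    if covers(cert, jira_host):
        return "a"
    if covers(cert, www_host):
        return "b"
    return None  # certificate fits neither hostname; it needs to be reissued first


def fetch_cert(host, port=443):
    """Fetch the live, validated certificate dict from a server (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format: a certificate issued only for www.example.com.
SAMPLE_WWW_ONLY = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
```

Run `choose_layout(fetch_cert("www.example.com"))` against a real host to get the layout letter for the certificate it serves.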