当“SSLVerifyClient require”(在目录级别设置)时,JkEnvVar SSL_CLIENT_CERT不起作用

时间:2011-03-08 16:50:51

标签: tomcat apache mod-jk mod-ssl

[我的环境是这样的:Apache / 2.2.17(Win32)mod_ssl / 2.2.17 OpenSSL / 0.9.8o PHP / 5.2.9-2 mod_jk / 1.2.31 (虽然我们在具有类似apache / mod_jk / tomcat规范的Ubuntu 10.04.2 LTS下获得相同的行为)]

我已经设置了一个服务https的虚拟主机,我想在那里有两种类型的目录/应用程序:一个通过'普通'https服务,另一个通过客户端身份验证服务(带有客户端证书)。

当“SSLVerifyClient require”放置在虚拟主机级别上时,相关的JkEnvVar SSL_CLIENT_CERT会正确地将信息传播到tomcat。当它放在目录级别(在虚拟主机内)时,它不会。 任何线索??

我的httpd.conf包含以下几行:

...
JkWorkersFile conf/workers.properties
JkShmFile     "C:/Program Files/Apache Software Foundation/Apache2.2/logs/mod_jk.shm"
JkLogFile     "C:/Program Files/Apache Software Foundation/Apache2.2/logs/mod_jk.log"
JkLogLevel    debug
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

Include conf/extra/httpd-ssl.conf
...

其中conf / workers.properties就是以下内容:

worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009

和conf / extra / httpd-ssl.conf包含以下行:

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLSessionCache        "shmcb:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

SSLMutex default

<VirtualHost _default_:443>
    DocumentRoot "C:/https"
    ServerName www.webrep.local
    ServerAdmin webmaster@webrep.local
ErrorLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/https-error.log"
TransferLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/https-access.log"

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/my-server.cert"
SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/my-server.key"

SSLCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/ca/myCA.pem"

SSLOptions +StdEnvVars +ExportCertData
Alias /examples/oneway/ "C:/https/oneway/"
<Directory "C:/https/oneway">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Alias /examples/twoway/ "C:/https/twoway/"
<Directory "C:/https/twoway">
    SSLVerifyClient require
    SSLVerifyDepth  10
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

JkMount  /examples/oneway/servlets/* worker1
JkMount  /examples/twoway/servlets/* worker1
JkExtractSSL Off
JkEnvVar SSL_CLIENT_S_DN
JkEnvVar SSL_CLIENT_CERT

</VirtualHost>

在Tomcat上我刚刚添加了一个简单的servlet输出:

request.getAttribute("SSL_CLIENT_CERT")

下:

C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps\examples\WEB-INF\classes

1 个答案:

答案 0 :(得分:0)

似乎问题不是JkEnvVar,显然,当JkMount和+ Alias引用相同的URL时,JkMount优先,内部的指令永远不会生效(例如,尝试限制访问整个dir与'Deny from All' - 它永远不会生效; servlets / jsps被访问得很好。

两种解决方案:

1)使用指令来控制将在Tomcat中运行的代码的访问(即通过JkMount映射到Tomcat)。 2)使用'SetHandler jakarta-servlet'而不是JkMount(更多信息请参见http://tomcat.apache.org/connectors-doc/reference/apache.html的结尾)。这在里面工作。我被告知它也适用于内部,但我没有检查过这个。

希望这可以节省一些人为了解决这个问题而在这里花了很多时间......

相关问题
最新问题