我有Apache 2.4.18(Ubuntu)作为反向代理运行。为了保护我的个人环境,我添加了SSLVerifyClient require,到目前为止没有问题。
但是,Jira希望访问自身以加载一些语言字符串。根据Jira的记录,https://{DOMAIN_URL}/rest/gadgets/1.0/g/messagebundle/nl_NL/gadget.common%2Cgadget.project可能与gadget.common%2Cgadget.project不同,这取决于它需要哪个翻译字符串的模块。
好的,很好。因此,为解决该解决方案,我想到了使该URL可供Jira使用,因此仅对此特定URL跳过SSLVerifyClient。
我当前的配置:
<VirtualHost *:80>
ServerName {DOMAIN}
Redirect permanent / https://{DOMAIN}
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin info@{DOMAIN}
ServerName {DOMAIN}
<Location / >
Options FollowSymLinks
AllowOverride None
</Location>
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
SSLEngine on
SSLCompression Off
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLCertificateFile {SSL}/fullchain.pem
SSLCertificateKeyFile {SSL}/privkey.pem
SSLCACertificateFile {PATH}/ca.crt
SSLVerifyClient require
SSLStrictSNIVHostCheck on
SSLVerifyDepth 1
ProxyPreserveHost On
ProxyRequests off
ProxyPass / http://localhost/
ProxyPassReverse / http://localhost/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>
我尝试在SSLVerifyDepth 1之后添加以下两个摘要
<Directory "/rest/gadgets">
SSLVerifyClient none
</Directory>
和
<Location /rest/gadgets>
SSLVerifyClient none
</Location>
但是,我确实检查了https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html(客户端身份验证和访问控制),但是两者均无法正常工作。我不太确定,但是我也许在Location和Directory中指定的路径不是正确的路径。我想使其通用,只是检查URL的第一部分是否包含/rest/gadgets。
我希望我的问题很清楚。
答案 0 :(得分:0)
这似乎是我的问题的答案:
<VirtualHost *:80>
ServerName {DOMAIN}
Redirect permanent / https://{DOMAIN}
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin info@{DOMAIN}
ServerName {DOMAIN}
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
SSLEngine on
SSLCompression Off
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLCertificateFile {SSL}/fullchain.pem
SSLCertificateKeyFile {SSL}/privkey.pem
SSLCACertificateFile {PATH}/ca.crt
SSLStrictSNIVHostCheck on
<Location / >
SSLVerifyClient require
SSLVerifyDepth 1
Options FollowSymLinks
AllowOverride None
</Location>
<Location /rest/gadgets>
SSLVerifyClient none
</Location>
ProxyPreserveHost On
ProxyRequests off
ProxyPass / http://localhost/
ProxyPassReverse / http://localhost/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>
诀窍是扩展当前的Location并移动SSLVerifyClient。然后再添加一个带有排除路径的Location伪指令,在这种情况下为rest/gadgets。