Apache: exclude a path from SSLVerifyClient require


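I have Apache 2.4.18 (Ubuntu) running as a reverse proxy. To protect my personal environment, I added an `SSLVerifyClient require`, and so far there have been no problems.

However, Jira wants to access itself to load certain language strings. According to Jira's logging, the URL is https://{DOMAIN_URL}/rest/gadgets/1.0/g/messagebundle/nl_nl/gadget.common%2Cgadget.project, where `gadget.common%2Cgadget.project` can vary depending on the module that needs translation strings.

OK. So to solve this, I want to make this URL available to Jira, and therefore skip SSLVerifyClient only for this specific URL.

My current configuration: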

<VirtualHost *:80>
    ServerName {DOMAIN}
    Redirect permanent / https://{DOMAIN}
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin info@{DOMAIN}
        ServerName {DOMAIN}

        <Location / >
            Options FollowSymLinks
            AllowOverride None
        </Location>

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

        SSLEngine       on
        SSLCompression      Off
        SSLProtocol         ALL -SSLv2 -SSLv3
        SSLHonorCipherOrder     On
        SSLCipherSuite      EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLCertificateFile  {SSL}/fullchain.pem
        SSLCertificateKeyFile   {SSL}/privkey.pem

        SSLCACertificateFile    {PATH}/ca.crt
        SSLVerifyClient     require
        SSLStrictSNIVHostCheck  on
        SSLVerifyDepth      1

        ProxyPreserveHost On
        ProxyRequests off
        ProxyPass / http://localhost/
        ProxyPassReverse / http://localhost/

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>


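I did look into `SSLVerifyClient none` (Client Authentication and Access Control), but neither worked. I'm not entirely sure, but I may have specified the path incorrectly in `Location` / `Directory`. I want this to be generic and just check whether the first part of the URL contains `/rest/gadgets`.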


I hope my question is somewhat clear.

This seems to be the answer to my question:

<VirtualHost *:80>
    ServerName {DOMAIN}
    Redirect permanent / https://{DOMAIN}
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin info@{DOMAIN}
        ServerName {DOMAIN}

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

        SSLEngine       on
        SSLCompression      Off
        SSLProtocol         ALL -SSLv2 -SSLv3
        SSLHonorCipherOrder     On
        SSLCipherSuite      EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLCertificateFile  {SSL}/fullchain.pem
        SSLCertificateKeyFile   {SSL}/privkey.pem

        SSLCACertificateFile    {PATH}/ca.crt
        SSLStrictSNIVHostCheck  on

        <Location / >
            SSLVerifyClient     require
            SSLVerifyDepth      1

            Options FollowSymLinks
            AllowOverride None
        </Location>

        <Location /rest/gadgets>
            SSLVerifyClient none
        </Location>

        ProxyPreserveHost On
        ProxyRequests off
        ProxyPass / http://localhost/
        ProxyPassReverse / http://localhost/

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>

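The trick is to extend the current `Location` block and move `SSLVerifyClient` into it. Then add an additional `Location` directive containing the excluded path, in this case `rest/gadgets`: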

<Location /rest/gadgets>
        SSLVerifyClient none
</Location>
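
The exception above turns off certificate checking under `/rest/gadgets` for every client, not only for Jira itself. The following is an added example, not part of the original answer: a tighter variant that requests the certificate at handshake time and lets authorization decide per path. It assumes Jira's self-requests arrive from the server's own address (so `Require local` matches) and that mod_authz_core and mod_authz_host are loaded; `{PATH}` is the page's placeholder.

```apache
# Added example, not the original poster's configuration.
# Assumption: Jira's requests to itself come from this server's own address.

# Ask every client for a certificate during the handshake, but do not abort
# the handshake when none is sent. The Require rules below decide per path.
SSLCACertificateFile    {PATH}/ca.crt
SSLVerifyClient         optional
SSLVerifyDepth          1

# Default for the whole site: only clients that presented a certificate
# which verified against ca.crt are authorized.
<Location "/">
    Require ssl-verify-client
</Location>

# Exception for the gadget message bundles: a verified certificate still
# works (browsers loading dashboards), and a request without a certificate
# is accepted only from the server itself (loopback, or client address
# equal to the server address).
<Location "/rest/gadgets">
    <RequireAny>
        Require ssl-verify-client
        Require local
    </RequireAny>
</Location>
```

From another machine, a request under `/rest/gadgets` without a client certificate should return 403, while the same request with a certificate issued by `ca.crt` succeeds.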