Tomcat JIRA, third-party SSL, redirects on CentOS
I have the following situation:
JIRA is installed on a VPS (CentOS 5). I can reach it at
A third-party SSL certificate is installed on https://www.example.com
Subdomain
What I want to do is:
a. Redirect all http to https
b. JIRA (on 8080) uses https
c. jira.example.com redirects to
I can achieve (a), but (b) and (c) fail, even though I followed Atlassian's guide.
This is the connector code in server.xml:
<Connector port="8080"
maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"
enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
scheme="https"
proxyName="jira.example.com"
proxyPort="443"
secure="true"
/>
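I haven't figured out how to configure the virtual host. Does port 443 need a VH? Or 80 (for jira.example.com)?
I have read Atlassian's guide on how to use SSL, but that guide generates a CSR and then obtains the SSL certificate. I already have the SSL certificate; how do I use it? I don't have the required files shown in the guide.
This is my VH code (taken from the Jira documentation):
ServerName jira.example.com
ProxyRequests Off
ProxyVia Block
ProxyPreserveHost On
<Proxy *>
Require all granted
</Proxy>
ProxyPass / https://www.example.com:8080/

Since you are already using Apache as a reverse proxy, you should use it to proxy all requests to Jira and let it handle SSL/TLS. However, for this to work, you have to check which domains are included in your certificate: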
a) Your certificate contains jira.example.com in the SAN field. In this case your configuration looks like this:
server.xml:
<Connector port="8080"
maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"
enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
scheme="https"
proxyName="jira.example.com"
proxyPort="443"
/>
vhost.conf:
<VirtualHost *:80>
ServerName jira.example.com
DocumentRoot /var/www/jira/htdocs
RewriteEngine On
# strip Proxy header to mitigate CGI vuln (https://httpoxy.org)
RequestHeader unset Proxy
RewriteRule /(.*) https://jira.example.com/$1 [R=permanent,L,NC,NE]
CustomLog /var/www/jira/logs/access.log combined
ErrorLog /var/www/jira/logs/error.log
</VirtualHost>
<VirtualHost *:443>
SSLEngine On
SSLCompression off
SSLHonorCipherOrder On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/apache2/ssl/jira.example.com.crt.pem
SSLCertificateKeyFile /etc/apache2/ssl/jira.example.com.key.pem
SSLCertificateChainFile /etc/apache2/ssl/jira.example.com.crt_intermediate.pem
ServerName jira.example.com
DocumentRoot /var/www/jira/htdocs
Header always set Strict-Transport-Security "max-age=31536000"
# strip Proxy header to mitigate CGI vuln (https://httpoxy.org)
RequestHeader unset Proxy
RewriteEngine On
RewriteCond %{HTTP_HOST} !^jira.example.com$
RewriteRule ^/(.*)$ https://jira.example.com/$1 [R=permanent,L,NC,NE]
CustomLog /var/www/jira/logs/access.log combined
ErrorLog /var/www/jira/logs/error.log
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
</VirtualHost>
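This will proxy all requests in Apache and forward them to Jira when jira.example.com is accessed. It will also redirect you to https when jira.example.com is accessed via plain http.
b) Your certificate only includes www.example.com. In this case you have to access Jira via www.example.com/jira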
server.xml:
<Connector port="8080"
maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"
enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
scheme="https"
proxyName="www.example.com"
proxyPort="443"
/>
[...]
<Context path="/jira" docBase="../jira" debug="0" reloadable="false" useHttpOnly="true">
[...]
The last part is important for Jira to generate correct links.
vhost.conf:
<VirtualHost *:80>
ServerName www.example.com
DocumentRoot /var/www/jira/htdocs
RewriteEngine On
# strip Proxy header to mitigate CGI vuln (https://httpoxy.org)
RequestHeader unset Proxy
RewriteRule /(.*) https://www.example.com/$1 [R=permanent,L,NC,NE]
CustomLog /var/www/jira/logs/access.log combined
ErrorLog /var/www/jira/logs/error.log
</VirtualHost>
<VirtualHost *:443>
SSLEngine On
SSLCompression off
SSLHonorCipherOrder On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/apache2/ssl/www.example.com.crt.pem
SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key.pem
SSLCertificateChainFile /etc/apache2/ssl/www.example.com.crt_intermediate.pem
ServerName www.example.com
DocumentRoot /var/www/jira/htdocs
Header always set Strict-Transport-Security "max-age=31536000"
# strip Proxy header to mitigate CGI vuln (https://httpoxy.org)
RequestHeader unset Proxy
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www.example.com$
RewriteRule ^/(.*)$ https://www.example.com/$1 [R=permanent,L,NC,NE]
CustomLog /var/www/jira/logs/access.log combined
ErrorLog /var/www/jira/logs/error.log
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /jira http://127.0.0.1:8080/jira
ProxyPassReverse /jira http://127.0.0.1:8080/jira
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
</VirtualHost>
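Added example (not part of the original answer): a Python check that server.xml and vhost.conf agree in either case, i.e. that the Connector's scheme, proxyName and proxyPort match the *:443 virtual host and that the ProxyPass path equals the Tomcat Context path. The sample file contents are constructed for the demonstration, and the names check_proxy_consistency and norm are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample input modelled on case (b) above (www.example.com/jira).
SERVER_XML = """<Server><Service>
<Connector port="8080" protocol="HTTP/1.1" scheme="https"
           proxyName="www.example.com" proxyPort="443"/>
<Engine><Host><Context path="/jira" docBase="../jira"/></Host></Engine>
</Service></Server>"""
VHOST_CONF = """<VirtualHost *:443>
ServerName www.example.com
ProxyPass /jira http://127.0.0.1:8080/jira
ProxyPassReverse /jira http://127.0.0.1:8080/jira
</VirtualHost>"""


def norm(path):
    """Treat '', '/' and a trailing slash as the same path."""
    return (path or "").rstrip("/")


def check_proxy_consistency(server_xml, vhost_conf):
    """Return a list of mismatches between the Tomcat connector and the TLS vhost."""
    root = ET.fromstring(server_xml)
    conn = root.find(".//Connector")
    ctx = root.find(".//Context")
    ctx_path = norm(ctx.get("path") if ctx is not None else "")
    problems = []
    # Tomcat must describe the public side of the proxy: https on port 443.
    if conn.get("scheme") != "https" or conn.get("proxyPort") != "443":
        problems.append("Connector must set scheme=https and proxyPort=443")
    vhosts = re.findall(r"<VirtualHost\s+[^>]*:443>(.*?)</VirtualHost>", vhost_conf, re.S)
    name_re = r"^\s*ServerName\s+%s\s*$" % re.escape(conn.get("proxyName", ""))
    match = [v for v in vhosts if re.search(name_re, v, re.M)]
    if not match:
        return problems + ["no *:443 vhost with ServerName == proxyName"]
    for directive in ("ProxyPass", "ProxyPassReverse"):
        m = re.search(r"^\s*%s\s+(\S+)\s+(\S+)" % directive, match[0], re.M)
        if not m:
            problems.append(directive + " missing")
            continue
        front, backend = m.group(1), urlsplit(m.group(2))
        if str(backend.port) != conn.get("port"):
            problems.append(directive + " does not target the connector port")
        # Public path, backend path and Context path must all be the same.
        if not (norm(front) == norm(backend.path) == ctx_path):
            problems.append(directive + " path differs from Context path")
    return problems
```

An empty list means the two files describe the same public URL; for case (a) the same function applies with no Context element and `ProxyPass /`.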