从 SSLVerifyClient 要求中排除路径

Exclude path from SSLVerifyClient require

我有 Apache 2.4.18 (Ubuntu) 运行 作为反向代理。为了保护我的个人环境,我添加了一个SSLVerifyClient require,到目前为止没有问题。

但是,Jira 想要访问自身以加载一些语言字符串。根据 Jira 的日志记录,它是 https://{DOMAIN_URL}/rest/gadgets/1.0/g/messagebundle/nl_NL/gadget.common%2Cgadget.project,其中 gadget.common%2Cgadget.project 可以不同,具体取决于哪个模块需要一些翻译字符串。

好的,好的。因此,为了解决此解决方案,我考虑让 Jira 可以使用此 URL,因此仅针对此特定 URL.

跳过 SSLVerifyClient

我当前的配置:

<VirtualHost *:80>
    ServerName {DOMAIN}
    Redirect permanent / https://{DOMAIN}
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin info@{DOMAIN}
        ServerName {DOMAIN}

        <Location / >
            Options FollowSymLinks
                AllowOverride None
        </Location>

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

        SSLEngine       on
        SSLCompression      Off
        SSLProtocol         ALL -SSLv2 -SSLv3
        SSLHonorCipherOrder     On
        SSLCipherSuite      EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLCertificateFile  {SSL}/fullchain.pem
        SSLCertificateKeyFile   {SSL}/privkey.pem

        SSLCACertificateFile    {PATH}/ca.crt
        SSLVerifyClient     require
        SSLStrictSNIVHostCheck  on
        SSLVerifyDepth      1

        ProxyPreserveHost On
        ProxyRequests off
        ProxyPass / http://localhost/
        ProxyPassReverse / http://localhost/

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>

我尝试在 SSLVerifyDepth 1

之后添加以下两个片段
<Directory "/rest/gadgets">
    SSLVerifyClient      none
</Directory>

<Location /rest/gadgets>
        SSLVerifyClient none
</Location>

不过我确实检查了 https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html(客户端身份验证和访问控制),但是两者都不起作用。我不太确定,但我可能 LocationDirectory 中指定的路径不正确。我想让它通用,只检查 URL 的第一部分是否包含 /rest/gadgets.

希望我的问题比较清楚。

看来这是对我的问题的回答:

<VirtualHost *:80>
    ServerName {DOMAIN}
    Redirect permanent / https://{DOMAIN}
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin info@{DOMAIN}
        ServerName {DOMAIN}

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

        SSLEngine       on
        SSLCompression      Off
        SSLProtocol         ALL -SSLv2 -SSLv3
        SSLHonorCipherOrder     On
        SSLCipherSuite      EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
            SSLCertificateFile  {SSL}/fullchain.pem
            SSLCertificateKeyFile   {SSL}/privkey.pem

        SSLCACertificateFile    {PATH}/ca.crt
        SSLStrictSNIVHostCheck  on

        <Location / >
            SSLVerifyClient     require 
            SSLVerifyDepth      1

            Options FollowSymLinks
                AllowOverride None
        </Location>     

        <Location /rest/gadgets>
                SSLVerifyClient none
        </Location>

        ProxyPreserveHost On
        ProxyRequests off
        ProxyPass / http://localhost/
        ProxyPassReverse / http://localhost/

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>

诀窍是扩展当前 Location 并移动 SSLVerifyClient。然后添加一个带有排除路径的额外 Location 指令,在本例中为 rest/gadgets