tomcat - JIRA, third-party SSL, redirects on CentOS

Tags: tomcat ssl jira

I have the following situation:

  1. JIRA installed on a VPS (CentOS 5)
  2. I can access jira via http://www.example.com:8080
  3. A third-party SSL certificate installed on https://www.example.com
  4. A subdomain http://jira.example.com

What I want to do is:

  a. Redirect all http to https
  b. JIRA (on 8080) works over https
  c. jira.example.com redirects to https://www.example.com:8080

Although I followed Atlassian's guide, I could achieve (a) but not (b) and (c).

Here is the connector code in server.xml

    <Connector port="8080"

               maxThreads="150"
               minSpareThreads="25"
               connectionTimeout="20000"

               enableLookups="false"
               maxHttpHeaderSize="8192"
               protocol="HTTP/1.1"
               useBodyEncodingForURI="true"
               redirectPort="8443"
               acceptCount="100"
               disableUploadTimeout="true"

               scheme="https" 
               proxyName="jira.example.com" 
               proxyPort="443" 
               secure="true"

                />

What I haven't figured out yet is how to configure the virtual host. Do I need the VH on port 443? Or on 80 (for jira.example.com)?

I have read Atlassian's guide on how to use SSL, but that guide generates a CSR and then obtains the SSL certificate. I already have the SSL certificate now, so how do I use it? I don't have the required files shown in the guide.

Here is my VH code (taken from the jira docs):

<VirtualHost *:443>
   ServerName jira.example.com

   ProxyRequests Off
   ProxyVia Block
   ProxyPreserveHost On

   <Proxy *>
        Require all granted
   </Proxy>

   ProxyPass / https://www.example.com:8080/     <--- If https works
   ProxyPassReverse / https://www.example.com:8080/
</VirtualHost>

Any ideas? Thanks

Best answer

Since you are already using Apache as a reverse proxy, you should use it to proxy all requests to Jira and let it handle SSL/TLS. For that to work, though, you have to check which domains your certificate contains:

a) Your certificate contains jira.example.com in the SAN field. In that case your configuration would look like this:

server.xml:

<Connector port="8080"

           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"

           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="8443"
           acceptCount="100"
           disableUploadTimeout="true"

           scheme="https" 
           proxyName="jira.example.com" 
           proxyPort="443"

/>

Virtual host config file:

<VirtualHost *:80>
    ServerName jira.example.com
    DocumentRoot /var/www/jira/htdocs
    RewriteEngine On
    # strip Proxy header to mitigate CGI vuln (https://httpoxy.org)
    RequestHeader unset Proxy
    RewriteRule /(.*) https://jira.example.com/$1 [R=permanent,L,NC,NE]

    CustomLog /var/www/jira/logs/access.log combined
    ErrorLog /var/www/jira/logs/error.log
</VirtualHost>

<VirtualHost *:443>
    SSLEngine On
    SSLCompression off
    SSLHonorCipherOrder On
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

    SSLCertificateFile /etc/apache2/ssl/jira.example.com.crt.pem
    SSLCertificateKeyFile /etc/apache2/ssl/jira.example.com.key.pem
    SSLCertificateChainFile /etc/apache2/ssl/jira.example.com.crt_intermediate.pem


    ServerName jira.example.com
    DocumentRoot /var/www/jira/htdocs

    Header always set Strict-Transport-Security "max-age=31536000"
    # strip Proxy header to mitigate CGI vuln (https://httpoxy.org)
    RequestHeader unset Proxy

    RewriteEngine On

    RewriteCond %{HTTP_HOST} !^jira.example.com$
    RewriteRule ^/(.*)$ https://jira.example.com/$1 [R=permanent,L,NC,NE]

    CustomLog /var/www/jira/logs/access.log combined
    ErrorLog /var/www/jira/logs/error.log

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>

This proxies all requests in Apache and forwards them to Jira when jira.example.com is accessed. It also redirects you to https when jira.example.com is accessed over plain http.

b) Your certificate only contains www.example.com. In that case you have to access Jira via e.g. www.example.com/jira

server.xml:

<Connector port="8080"

           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"

           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="8443"
           acceptCount="100"
           disableUploadTimeout="true"

           scheme="https" 
           proxyName="www.example.com" 
           proxyPort="443"

/>

[...]

<Context path="/jira" docBase="../jira" debug="0" reloadable="false" useHttpOnly="true">

The last part is important for Jira to generate correct links.

Virtual host config file:

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/jira/htdocs
    RewriteEngine On
    # strip Proxy header to mitigate CGI vuln (https://httpoxy.org)
    RequestHeader unset Proxy
    RewriteRule /(.*) https://www.example.com/$1 [R=permanent,L,NC,NE]

    CustomLog /var/www/jira/logs/access.log combined
    ErrorLog /var/www/jira/logs/error.log
</VirtualHost>

<VirtualHost *:443>
    SSLEngine On
    SSLCompression off
    SSLHonorCipherOrder On
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

    SSLCertificateFile /etc/apache2/ssl/www.example.com.crt.pem
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key.pem
    SSLCertificateChainFile /etc/apache2/ssl/www.example.com.crt_intermediate.pem


    ServerName www.example.com
    DocumentRoot /var/www/jira/htdocs

    Header always set Strict-Transport-Security "max-age=31536000"
    # strip Proxy header to mitigate CGI vuln (https://httpoxy.org)
    RequestHeader unset Proxy

    RewriteEngine On

    RewriteCond %{HTTP_HOST} !^www.example.com$
    RewriteRule ^/(.*)$ https://www.example.com/$1 [R=permanent,L,NC,NE]

    CustomLog /var/www/jira/logs/access.log combined
    ErrorLog /var/www/jira/logs/error.log

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /jira http://127.0.0.1:8080/jira
    ProxyPassReverse /jira http://127.0.0.1:8080/jira
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>

The advantage of this setup is that you don't need to configure a certificate in Jira; instead you can do all the SSL work in Apache.

Regarding tomcat - JIRA, third-party SSL, redirects on CentOS, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/38416684/
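The answer makes the choice between setup (a) and (b) depend on which names the certificate actually covers, and in both setups the Tomcat connector must agree with the Apache virtual host in front of it. The following is an added example, not code from the question, the answer, Atlassian or Tomcat: it checks a certificate's DNS subject alternative names against the two hostnames, picks the setup, and lints a `<Connector>` fragment for the proxy attributes the answer relies on. It additionally checks the connector's `address` attribute (a real Tomcat attribute the page does not use), because with Apache doing TLS, port 8080 should only listen on loopback so clients cannot reach Jira while bypassing HTTPS. The certificate dict and connector XML are constructed samples.

```python
"""Pre-flight checks for the Apache-in-front-of-Tomcat/Jira setup.

Added example (not from the question or the answer). The SAN matching follows
the usual rules for DNS names: case-insensitive exact match, or a wildcard
that stands for exactly one non-empty leftmost label. All certificate data and
connector XML below are constructed samples.
"""
import xml.etree.ElementTree as ET


def dns_names_from_peercert(cert):
    """Extract DNS names from the dict shape returned by ssl's getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_covers(hostname, san_names):
    """True if any SAN entry matches hostname (exact or single-label wildcard)."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]  # "*.example.com" -> ".example.com"
            # the wildcard must replace exactly one non-empty label
            if (host.endswith(suffix)
                    and host.count(".") == pattern.count(".")
                    and len(host) > len(suffix)):
                return True
    return False


def choose_setup(san_names, jira_host="jira.example.com", www_host="www.example.com"):
    """'a': proxy jira.example.com directly; 'b': serve Jira under www/jira; None: neither works."""
    if san_covers(jira_host, san_names):
        return "a"
    if san_covers(www_host, san_names):
        return "b"
    return None


def lint_connector(connector_xml, expected_proxy_name):
    """Return a list of problems found in a Tomcat <Connector> fragment."""
    attrs = ET.fromstring(connector_xml).attrib
    problems = []
    if attrs.get("scheme") != "https":
        problems.append('scheme should be "https" so Jira builds https:// links')
    if attrs.get("proxyName") != expected_proxy_name:
        problems.append(f'proxyName should be "{expected_proxy_name}" to match the Apache ServerName')
    if attrs.get("proxyPort") != "443":
        problems.append('proxyPort should be "443", the port clients actually connect to')
    # no address attribute means the connector listens on every interface
    if attrs.get("address") not in ("127.0.0.1", "::1", "localhost"):
        problems.append("address is not loopback: port 8080 is reachable without going through Apache/TLS")
    return problems


# Constructed sample: what getpeercert() returns for a cert issued to www.example.com only.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

# Constructed sample: the case (a) connector attributes, plus address="127.0.0.1".
SAMPLE_CONNECTOR = """<Connector port="8080" address="127.0.0.1"
           protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"
           scheme="https" proxyName="jira.example.com" proxyPort="443" />"""


if __name__ == "__main__":
    names = dns_names_from_peercert(SAMPLE_CERT)
    print("SANs:", names, "-> setup", choose_setup(names))
    for problem in lint_connector(SAMPLE_CONNECTOR, "jira.example.com"):
        print("connector:", problem)
```

To run this against a live certificate, wrap a socket with `ssl.create_default_context()` and pass the result of `getpeercert()` to `dns_names_from_peercert`; the connector check only needs the `<Connector ... />` element copied out of server.xml.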
