当前位置: 文江博客话题详情

当“SSLVerifyClient require”出现时,JkEnvVar SSL_CLIENT_CERT 不起作用(在目录级别设置)

发布于 2024-10-20 21:30:56 字数 3294 浏览 8 评论 0原文

[我的环境是这样的:Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.2.9-2 mod_jk/1.2.31 (尽管我们在具有类似 apache/mod_jk/tomcat 规格的 Ubuntu 10.04.2 LTS 下得到了相同的行为)]

我已经设置了一个用于服务 https 的虚拟主机,我希望那里有两种类型的目录/应用程序:一种通过 ' plain' https 和另一个提供客户端身份验证(带有客户端证书)。

当“SSLVerifyClient require”放置在虚拟主机级别时,相关的 JkEnvVar SSL_CLIENT_CERT 会将信息正确传播到 tomcat。当它被放置在目录级别(虚拟主机内部)时,它就不会。 有什么线索吗??

我的 httpd.conf 包含以下几行:

...
JkWorkersFile conf/workers.properties
JkShmFile     "C:/Program Files/Apache Software Foundation/Apache2.2/logs/mod_jk.shm"
JkLogFile     "C:/Program Files/Apache Software Foundation/Apache2.2/logs/mod_jk.log"
JkLogLevel    debug
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

Include conf/extra/httpd-ssl.conf
...

其中 conf/workers.properties 如下:

worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009

并且 conf/extra/httpd-ssl.conf 包含以下几行:

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLSessionCache        "shmcb:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

SSLMutex default

<VirtualHost _default_:443>
    DocumentRoot "C:/https"
    ServerName www.webrep.local
    ServerAdmin [email protected]
ErrorLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/https-error.log"
TransferLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/https-access.log"

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/my-server.cert"
SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/my-server.key"

SSLCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/ca/myCA.pem"

SSLOptions +StdEnvVars +ExportCertData
Alias /examples/oneway/ "C:/https/oneway/"
<Directory "C:/https/oneway">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Alias /examples/twoway/ "C:/https/twoway/"
<Directory "C:/https/twoway">
    SSLVerifyClient require
    SSLVerifyDepth  10
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

JkMount  /examples/oneway/servlets/* worker1
JkMount  /examples/twoway/servlets/* worker1
JkExtractSSL Off
JkEnvVar SSL_CLIENT_S_DN
JkEnvVar SSL_CLIENT_CERT

</VirtualHost>

在 Tomcat 上,我刚刚添加了一个简单的 servlet 输出:

request.getAttribute("SSL_CLIENT_CERT")

下:

C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps\examples\WEB-INF\classes
原文

[My environment is this: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.2.9-2 mod_jk/1.2.31
(although we get the same behavior under an Ubuntu 10.04.2 LTS with similar apache/mod_jk/tomcat specs)]

I have setup a virtual host for serving https and I want to have two types of directories/apps there: one served through 'plain' https and the other served with client authentication (with client certificates).

When "SSLVerifyClient require" is placed on the virtual host level, the relevant JkEnvVar SSL_CLIENT_CERT propagates the info to tomcat correctly. When it is placed on a directory level (inside the virtual host), it doesn't.
Any clues??

my httpd.conf includes the following lines:

...
JkWorkersFile conf/workers.properties
JkShmFile     "C:/Program Files/Apache Software Foundation/Apache2.2/logs/mod_jk.shm"
JkLogFile     "C:/Program Files/Apache Software Foundation/Apache2.2/logs/mod_jk.log"
JkLogLevel    debug
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

Include conf/extra/httpd-ssl.conf
...

where conf/workers.properties is just the following:

worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009

and conf/extra/httpd-ssl.conf contains the following lines:

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLSessionCache        "shmcb:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

SSLMutex default

<VirtualHost _default_:443>
    DocumentRoot "C:/https"
    ServerName www.webrep.local
    ServerAdmin [email protected]
ErrorLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/https-error.log"
TransferLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/https-access.log"

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/my-server.cert"
SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/my-server.key"

SSLCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/ca/myCA.pem"

SSLOptions +StdEnvVars +ExportCertData
Alias /examples/oneway/ "C:/https/oneway/"
<Directory "C:/https/oneway">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Alias /examples/twoway/ "C:/https/twoway/"
<Directory "C:/https/twoway">
    SSLVerifyClient require
    SSLVerifyDepth  10
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

JkMount  /examples/oneway/servlets/* worker1
JkMount  /examples/twoway/servlets/* worker1
JkExtractSSL Off
JkEnvVar SSL_CLIENT_S_DN
JkEnvVar SSL_CLIENT_CERT

</VirtualHost>

On Tomcat I have just added a simple servlet outputting:

request.getAttribute("SSL_CLIENT_CERT")

under:

C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps\examples\WEB-INF\classes

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

铜锣湾横着走 2024-10-27 21:30:56

看来问题不在于 JkEnvVar,显然,当 JkMount 和 +Alias 引用相同的 URL 时,JkMount 优先,并且内部指令永远不会生效(例如,尝试使用 ' 限制对整个目录的访问) Deny from All' - 它永远不会生效;servlet/jsps 可以正常访问)。

两种解决方案:

1) 使用指令来控制将在 Tomcat 中运行的代码的访问(即通过 JkMount 映射到 Tomcat)。
2)使用'SetHandler jakarta-servlet'而不是JkMount(参见http:// /tomcat.apache.org/connectors-doc/reference/apache.html 了解更多)。这在里面起作用。我听说它也可以在内部使用,但我还没有检查过。

希望这可以节省我们在这里花费的大量时间来解决这个问题......

It seems that the problem isn't JkEnvVar, it's that, apparently, when JkMount and +Alias refer to the same URL, JkMount takes precedence and the directives inside never come into effect (for example, try restricting access to the whole dir with 'Deny from All' - it never comes into effect; The servlets/jsps get accessed just fine).

Two solutions:

1) Use a directive to control access for code that will run in Tomcat (i.e. mapped to Tomcat through JkMount).
2) Use 'SetHandler jakarta-servlet' instead of JkMount (see end of http://tomcat.apache.org/connectors-doc/reference/apache.html for more). This works inside . I'm told that it also works inside , but I haven't checked this.

Hope this saves somebody the many hours we've spent here in order to solve this...

回复 原文
~没有更多了~

关于作者

蹲墙角沉默

暂无简介

文章
评论
25 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

西西弗的石头怪

文章 0 评论 0

5397313

文章 0 评论 0

烟沫凡尘

文章 0 评论 0

一个破名字

文章 0 评论 0

萌︼了一个春

文章 0 评论 0

当爱已成负担

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文