[My environment is this: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.2.9-2 mod_jk/1.2.31 (although we get the same behavior under an Ubuntu 10.04.2 LTS with similar apache/mod_jk/tomcat specs)]
I have setup a virtual host for serving https and I want to have two types of directories/apps there: one served through 'plain' https and the other served with client authentication (with client certificates).
When "SSLVerifyClient require" is placed on the virtual host level, the relevant JkEnvVar SSL_CLIENT_CERT propagates the info to tomcat correctly. When it is placed on a directory level (inside the virtual host), it doesn't. Any clues??
my httpd.conf includes the following lines:
...
JkWorkersFile conf/workers.properties
JkShmFile "C:/Program Files/Apache Software Foundation/Apache2.2/logs/mod_jk.shm"
JkLogFile "C:/Program Files/Apache Software Foundation/Apache2.2/logs/mod_jk.log"
JkLogLevel debug
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
Include conf/extra/httpd-ssl.conf
...
where conf/workers.properties is just the following:
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
and conf/extra/httpd-ssl.conf contains the following lines:
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex default
<VirtualHost _default_:443>
DocumentRoot "C:/https"
ServerName www.webrep.local
ServerAdmin webmaster@webrep.local
ErrorLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/https-error.log"
TransferLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/https-access.log"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/my-server.cert"
SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/my-server.key"
SSLCACertificateFile "C:/Program Fil开发者_如何转开发es/Apache Software Foundation/Apache2.2/conf/ssl/ca/myCA.pem"
SSLOptions +StdEnvVars +ExportCertData
Alias /examples/oneway/ "C:/https/oneway/"
<Directory "C:/https/oneway">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Alias /examples/twoway/ "C:/https/twoway/"
<Directory "C:/https/twoway">
SSLVerifyClient require
SSLVerifyDepth 10
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
JkMount /examples/oneway/servlets/* worker1
JkMount /examples/twoway/servlets/* worker1
JkExtractSSL Off
JkEnvVar SSL_CLIENT_S_DN
JkEnvVar SSL_CLIENT_CERT
</VirtualHost>
On Tomcat I have just added a simple servlet outputting:
request.getAttribute("SSL_CLIENT_CERT")
under:
C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps\examples\WEB-INF\classes
It seems that the problem isn't JkEnvVar, it's that, apparently, when JkMount and +Alias refer to the same URL, JkMount takes precedence and the directives inside never come into effect (for example, try restricting access to the whole dir with 'Deny from All' - it never comes into effect; The servlets/jsps get accessed just fine).
Two solutions:
1) Use a directive to control access for code that will run in Tomcat (i.e. mapped to Tomcat through JkMount). 2) Use 'SetHandler jakarta-servlet' instead of JkMount (see end of http://tomcat.apache.org/connectors-doc/reference/apache.html for more). This works inside . I'm told that it also works inside , but I haven't checked this.
Hope this saves somebody the many hours we've spent here in order to solve this...
精彩评论