Apache: redirecting a redirect from http to https

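I have tried different Apache configurations, but somehow I cannot crack this. I am using Redirect permanent / https://jenkins.example.net/

to force all URLs to redirect from http to https.

However, there is a problem because one of the source URLs has the string /redirect appended at the end. I learned that Apache CANNOT redirect a redirect. Because the source URL has the redirect string in the URL, it does not redirect again to https and results in a 404 page.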

Here is my virtual host configuration.

<VirtualHost *:80>

   ServerName jenkins.example.net

   # Redirects traffic to https
   RewriteEngine On

   RewriteRule ^(.*)/redirect / [L,NC]

   Redirect permanent / https://jenkins.example.net/

</VirtualHost>

<VirtualHost *:443>

   proxyRequests                 Off

   ProxyPreserveHost             On

   AllowEncodedSlashes NoDecode

   ProxyPass        / http://127.0.0.1:8080/ nocanon

   ProxyPassReverse / http://127.0.0.1:8080/

   ServerName jenkins.example.net

   ErrorLog /etc/ssl/error_log

   SSLEngine on

   SSLCertificateFile /etc/ssl/certs/fopjenkins.pem

   SSLCertificateKeyFile /etc/ssl/certs/fopjenkins.key

   RequestHeader set X-Forwarded-Proto "https"

   RequestHeader set X-Forwarded-Port "443"

</VirtualHost>

I tried to strip /redirect from the URL in the RewriteRule above, but it does not work.

Any help would be greatly appreciated.

Additional details (debug output from curl):

[root@rhel-7 ~]# curl -v http://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
* About to connect() to jenkins.example.net port 80 (#0)
*   Trying 10.10.11.210...
* Connected to jenkins.example.net (10.10.11.210) port 80 (#0)
> GET /job/STUFOP/job/deploy_os/job/master/5/display/redirect HTTP/1.1
> User-Agent: curl/7.29.0
> Host: jenkins.example.net
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 13 Aug 2019 07:52:00 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
< Location: https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
< Content-Length: 298
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect">here</a>.</p>
</body></html>
* Connection #0 to host jenkins.example.net left intact

curl -vL debug output:

[root@rhel-7 ~]# curl -vL http://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
* About to connect() to jenkins.example.net port 80 (#0)
*   Trying 10.10.11.210...
* Connected to jenkins.example.net (10.10.11.210) port 80 (#0)
> GET /job/STUFOP/job/deploy_os/job/master/5/display/redirect HTTP/1.1
> User-Agent: curl/7.29.0
> Host: jenkins.example.net
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 13 Aug 2019 07:58:15 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
< Location: https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
< Content-Length: 298
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host jenkins.example.net left intact
* Issue another request to this URL: 'https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect'
* Found bundle for host jenkins.example.net: 0x986fd0
* About to connect() to jenkins.example.net port 443 (#1)
*   Trying 10.10.11.210...
* Connected to jenkins.example.net (10.10.11.210) port 443 (#1)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:*       
*       start date: Jul 16 06:42:46 2019 GMT
*       expire date: Jul 15 06:42:46 2021 GMT
*       common name: jenkins.example.net
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 1
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[root@rhel-7 ~]# echo $?
60

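I assume your https redirect happens first, and then on https the /redirect turns into a 404.

The simplest fix is to add RewriteRule ^(.*)/redirect / [L,NC] to the <VirtualHost *:443> block, just to make sure such URLs go back home.

Possibly your branch contains /, so your URL is STUFOP%2Fdeploy_toolchain. Apache encodes this, so the URL ends up as STUFOP%252Fdeploy_toolchain.

Try this configuration for the non-secure virtual host: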

<VirtualHost *:80>
   ServerName jenkins.example.net
   # this prevents encoding
   AllowEncodedSlashes on
   Redirect permanent / https://jenkins.example.net/
</VirtualHost>

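This configuration should avoid the encoding, and according to the Redirect Request to SSL Apache wiki page, all requests will be redirected to the secure virtual host.

In the secure virtual host, try this configuration: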

<VirtualHost *:443>

   ServerName jenkins.example.net

   AllowEncodedSlashes on

   proxyRequests                 Off
   ProxyPreserveHost             On
   ProxyPassMatch "^/(.*)/redirect$" "http://127.0.0.1:8080/"
   ProxyPass        / http://127.0.0.1:8080/ nocanon 
   ProxyPassReverse / http://127.0.0.1:8080/

   ErrorLog /etc/ssl/error_log

   SSLEngine on 
   SSLCertificateFile /etc/ssl/certs/fopjenkins.pem 
   SSLCertificateKeyFile /etc/ssl/certs/fopjenkins.key 
   RequestHeader set X-Forwarded-Proto "https" 
   RequestHeader set X-Forwarded-Port "443"

</VirtualHost> 

This configuration should avoid the encoding and uses ProxyPassMatch to manipulate the URL.

Here are some useful links I used: %2F slash encoding issues, encode URL wihthin URL - apache mod-proxy (ProxyPass), %2F slash encoding issues #399,
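
An added example, not part of the original question or answers: a check that reads a `curl -v` transcript like the ones above and reports whether the http to https redirect keeps the scheme, host and path intact, including the %2F to %252F double-encoding described in the last answer. The names `parse_exchange`, `check_redirect` and `SAMPLE` are hypothetical, and the sample transcript is constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a `curl -v` exchange shaped like the one in the question,
# but with an encoded slash in the job name and a double-encoded Location.
SAMPLE = """\
> GET /job/STUFOP%2Fdeploy_toolchain/5/display/redirect HTTP/1.1
> Host: jenkins.example.net
>
< HTTP/1.1 301 Moved Permanently
< Location: https://jenkins.example.net/job/STUFOP%252Fdeploy_toolchain/5/display/redirect
"""

def parse_exchange(transcript):
    """Return (request_target, host, status, location) from curl -v text."""
    req = re.search(r"^> [A-Z]+ (\S+) HTTP/\d", transcript, re.M)
    host = re.search(r"^> Host: (\S+)", transcript, re.M | re.I)
    status = re.search(r"^< HTTP/\S+ (\d{3})", transcript, re.M)
    loc = re.search(r"^< Location: (\S+)", transcript, re.M | re.I)
    if not (req and host and status):
        raise ValueError("not a curl -v request/response transcript")
    return req.group(1), host.group(1), int(status.group(1)), loc.group(1) if loc else None

def check_redirect(transcript):
    """List the problems with an http -> https redirect; empty means clean."""
    target, host, status, location = parse_exchange(transcript)
    if status not in (301, 302, 307, 308) or location is None:
        return ["no redirect: status %d" % status]
    problems = []
    url = urlsplit(location)
    if url.scheme != "https":
        problems.append("Location is not https")
    if url.hostname != host.split(":")[0].lower():
        problems.append("Location changes host to %s" % url.hostname)
    got = url.path + ("?" + url.query if url.query else "")
    if got != target:
        # An escaped '%' (%25) in front of an escape the client already sent
        # means the encoded path was encoded a second time by the server.
        if got.replace("%25", "%") == target:
            problems.append("path double-encoded (%XX became %25XX)")
        else:
            problems.append("path rewritten: %s -> %s" % (target, got))
    return problems
```

Feeding it the output of `curl -v` against the port 80 virtual host after each configuration change shows whether the redirect still hands the browser the exact path it asked for.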