Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
HongzheWang
slapos
Commits
c8034ac7
Commit
c8034ac7
authored
May 27, 2020
by
Kazuhiko Shiozaki
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
component/apache: support ca-cert-dir and crl-dir in apache-backend.conf.in.
parent
2c6e3c4a
Changes
2
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
32 additions
and
15 deletions
+32
-15
component/apache/apache-backend.conf.in
component/apache/apache-backend.conf.in
+31
-14
component/apache/buildout.hash.cfg
component/apache/buildout.hash.cfg
+1
-1
No files found.
component/apache/apache-backend.conf.in
View file @
c8034ac7
...
@@ -32,6 +32,15 @@
...
@@ -32,6 +32,15 @@
# # empty)
# # empty)
# "crl": "<file_path>",
# "crl": "<file_path>",
#
#
# # The path given to "SSLCACertificatePath" (can be empty)
# # If this value is not empty, it enables client certificate check.
# # (Enabling "SSLVerifyClient require")
# "ca-cert-dir": "<directory_path>",
#
# # The path given to "SSLCARevocationPath" (used if ca-cert-dir is not
# # empty)
# "crl-dir": "<directory_path>",
#
# # The path given to "ErrorLog"
# # The path given to "ErrorLog"
# "error-log": "<file_path>",
# "error-log": "<file_path>",
#
#
...
@@ -83,6 +92,10 @@
...
@@ -83,6 +92,10 @@
# For more details, refer to
# For more details, refer to
# https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
# https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
-#}
-#}
{% set ca_cert = parameter_dict.get('ca-cert') -%}
{% set ca_cert_dir = parameter_dict.get('ca-cert-dir') -%}
{% set crl = parameter_dict.get('crl') -%}
{% set crl_dir = parameter_dict.get('crl-dir') -%}
LoadModule unixd_module modules/mod_unixd.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_core_module modules/mod_authz_core.so
...
@@ -133,16 +146,26 @@ SSLProxyEngine On
...
@@ -133,16 +146,26 @@ SSLProxyEngine On
# As backend is trusting Remote-User header unset it always
# As backend is trusting Remote-User header unset it always
RequestHeader unset Remote-User
RequestHeader unset Remote-User
{% if
parameter_dict['ca-cert']
-%}
{% if
ca_cert or ca_cert_dir
-%}
SSLVerifyClient optional
SSLVerifyClient optional
RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
{% if ca_cert -%}
{% if parameter_dict['crl'] -%}
SSLCACertificateFile {{ ca_cert }}
{% endif -%}
{% if ca_cert_dir -%}
SSLCACertificatePath {{ ca_cert_dir }}
{% endif -%}
{% if crl or crl_dir -%}
SSLCARevocationCheck chain
SSLCARevocationCheck chain
SSLCARevocationFile {{ parameter_dict['crl'] }}
{% if crl -%}
{%- endif %}
SSLCARevocationFile {{ crl }}
{%- endif %}
{% endif -%}
{% if crl_dir -%}
SSLCARevocationPath {{ crl_dir }}
{% endif -%}
{% endif -%}
{% endif -%}
ErrorLog "{{ parameter_dict['error-log'] }}"
ErrorLog "{{ parameter_dict['error-log'] }}"
# Default apache log format with request time in microsecond at the end
# Default apache log format with request time in microsecond at the end
...
@@ -162,11 +185,8 @@ Listen {{ ip }}:{{ port }}
...
@@ -162,11 +185,8 @@ Listen {{ ip }}:{{ port }}
{% endfor -%}
{% endfor -%}
<VirtualHost *:{{ port }}>
<VirtualHost *:{{ port }}>
SSLEngine on
SSLEngine on
{% if enable_authentication and
parameter_dict['ca-cert'] and parameter_dict['crl']
-%}
{% if enable_authentication and
(ca_cert or ca_cert_dir) and (crl or crl_dir)
-%}
SSLVerifyClient require
SSLVerifyClient require
SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
SSLCARevocationCheck chain
SSLCARevocationFile {{ parameter_dict['crl'] }}
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
...
@@ -184,11 +204,8 @@ Listen {{ ip }}:{{ port }}
...
@@ -184,11 +204,8 @@ Listen {{ ip }}:{{ port }}
<VirtualHost {{ ip }}:{{ port }}>
<VirtualHost {{ ip }}:{{ port }}>
SSLEngine on
SSLEngine on
Timeout 3600
Timeout 3600
{% if enable_authentication and
parameter_dict['ca-cert'] and parameter_dict['crl']
-%}
{% if enable_authentication and
(ca_cert or ca_cert_dir) and (crl or crl_dir)
-%}
SSLVerifyClient require
SSLVerifyClient require
SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
SSLCARevocationCheck chain
SSLCARevocationFile {{ parameter_dict['crl'] }}
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
...
...
component/apache/buildout.hash.cfg
View file @
c8034ac7
...
@@ -14,5 +14,5 @@
...
@@ -14,5 +14,5 @@
# not need these here).
# not need these here).
[template-apache-backend-conf]
[template-apache-backend-conf]
filename = apache-backend.conf.in
filename = apache-backend.conf.in
md5sum =
bb8c175a93336f0e1838fd47225426f9
md5sum =
4a13ad45e38e14ca7027c17192c90205
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment