Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
S
slapos-mynij-dev
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Mynij
slapos-mynij-dev
Commits
c8034ac7
Commit
c8034ac7
authored
May 27, 2020
by
Kazuhiko Shiozaki
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
component/apache: support ca-cert-dir and crl-dir in apache-backend.conf.in.
parent
2c6e3c4a
Changes
2
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
32 additions
and
15 deletions
+32
-15
component/apache/apache-backend.conf.in
component/apache/apache-backend.conf.in
+31
-14
component/apache/buildout.hash.cfg
component/apache/buildout.hash.cfg
+1
-1
No files found.
component/apache/apache-backend.conf.in
View file @
c8034ac7
...
@@ -32,6 +32,15 @@
...
@@ -32,6 +32,15 @@
# # empty)
# # empty)
# "crl": "<file_path>",
# "crl": "<file_path>",
#
#
# # The path given to "SSLCACertificatePath" (can be empty)
# # If this value is not empty, it enables client certificate check.
# # (Enabling "SSLVerifyClient require")
# "ca-cert-dir": "<directory_path>",
#
# # The path given to "SSLCARevocationPath" (used if ca-cert-dir is not
# # empty)
# "crl-dir": "<directory_path>",
#
# # The path given to "ErrorLog"
# # The path given to "ErrorLog"
# "error-log": "<file_path>",
# "error-log": "<file_path>",
#
#
...
@@ -83,6 +92,10 @@
...
@@ -83,6 +92,10 @@
# For more details, refer to
# For more details, refer to
# https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
# https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
-#}
-#}
{% set ca_cert = parameter_dict.get('ca-cert') -%}
{% set ca_cert_dir = parameter_dict.get('ca-cert-dir') -%}
{% set crl = parameter_dict.get('crl') -%}
{% set crl_dir = parameter_dict.get('crl-dir') -%}
LoadModule unixd_module modules/mod_unixd.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_core_module modules/mod_authz_core.so
...
@@ -133,16 +146,26 @@ SSLProxyEngine On
...
@@ -133,16 +146,26 @@ SSLProxyEngine On
# As backend is trusting Remote-User header unset it always
# As backend is trusting Remote-User header unset it always
RequestHeader unset Remote-User
RequestHeader unset Remote-User
{% if
parameter_dict['ca-cert']
-%}
{% if
ca_cert or ca_cert_dir
-%}
SSLVerifyClient optional
SSLVerifyClient optional
RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
{% if ca_cert -%}
{% if parameter_dict['crl'] -%}
SSLCACertificateFile {{ ca_cert }}
{% endif -%}
{% if ca_cert_dir -%}
SSLCACertificatePath {{ ca_cert_dir }}
{% endif -%}
{% if crl or crl_dir -%}
SSLCARevocationCheck chain
SSLCARevocationCheck chain
SSLCARevocationFile {{ parameter_dict['crl'] }}
{% if crl -%}
{%- endif %}
SSLCARevocationFile {{ crl }}
{%- endif %}
{% endif -%}
{% if crl_dir -%}
SSLCARevocationPath {{ crl_dir }}
{% endif -%}
{% endif -%}
{% endif -%}
ErrorLog "{{ parameter_dict['error-log'] }}"
ErrorLog "{{ parameter_dict['error-log'] }}"
# Default apache log format with request time in microsecond at the end
# Default apache log format with request time in microsecond at the end
...
@@ -162,11 +185,8 @@ Listen {{ ip }}:{{ port }}
...
@@ -162,11 +185,8 @@ Listen {{ ip }}:{{ port }}
{% endfor -%}
{% endfor -%}
<VirtualHost *:{{ port }}>
<VirtualHost *:{{ port }}>
SSLEngine on
SSLEngine on
{% if enable_authentication and
parameter_dict['ca-cert'] and parameter_dict['crl']
-%}
{% if enable_authentication and
(ca_cert or ca_cert_dir) and (crl or crl_dir)
-%}
SSLVerifyClient require
SSLVerifyClient require
SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
SSLCARevocationCheck chain
SSLCARevocationFile {{ parameter_dict['crl'] }}
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
...
@@ -184,11 +204,8 @@ Listen {{ ip }}:{{ port }}
...
@@ -184,11 +204,8 @@ Listen {{ ip }}:{{ port }}
<VirtualHost {{ ip }}:{{ port }}>
<VirtualHost {{ ip }}:{{ port }}>
SSLEngine on
SSLEngine on
Timeout 3600
Timeout 3600
{% if enable_authentication and
parameter_dict['ca-cert'] and parameter_dict['crl']
-%}
{% if enable_authentication and
(ca_cert or ca_cert_dir) and (crl or crl_dir)
-%}
SSLVerifyClient require
SSLVerifyClient require
SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
SSLCARevocationCheck chain
SSLCARevocationFile {{ parameter_dict['crl'] }}
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
...
...
component/apache/buildout.hash.cfg
View file @
c8034ac7
...
@@ -14,5 +14,5 @@
...
@@ -14,5 +14,5 @@
# not need these here).
# not need these here).
[template-apache-backend-conf]
[template-apache-backend-conf]
filename = apache-backend.conf.in
filename = apache-backend.conf.in
md5sum =
bb8c175a93336f0e1838fd47225426f9
md5sum =
4a13ad45e38e14ca7027c17192c90205
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment