Commit 7906b01c authored by Titouan Soulard's avatar Titouan Soulard

software/slapos-master: allow disabling CRL check

parent 31c5f124
Pipeline #33033 failed with stage
in 0 seconds
...@@ -163,13 +163,15 @@ Listen {{ ip }}:{{ port }} ...@@ -163,13 +163,15 @@ Listen {{ ip }}:{{ port }}
{% endfor -%} {% endfor -%}
<VirtualHost *:{{ port }}> <VirtualHost *:{{ port }}>
SSLEngine on SSLEngine on
{% if enable_authentication and parameter_dict['shared-ca-cert'] and parameter_dict['shared-crl'] -%} {% if enable_authentication and parameter_dict['shared-ca-cert'] -%}
SSLVerifyClient require SSLVerifyClient require
# Custom block we use for now different parameters. # Custom block we use for now different parameters.
RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
SSLCACertificateFile {{ parameter_dict['shared-ca-cert'] }} SSLCACertificateFile {{ parameter_dict['shared-ca-cert'] }}
{% if parameter_dict['shared-crl'] -%}
SSLCARevocationCheck chain SSLCARevocationCheck chain
SSLCARevocationPath {{ parameter_dict['shared-crl'] }} SSLCARevocationPath {{ parameter_dict['shared-crl'] }}
{% endif -%}
LogFormat "%h %l %{Remote-User}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" service LogFormat "%h %l %{Remote-User}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" service
......
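Review bot: With the CRL test moved inside the block, a deployment where `parameter_dict['shared-crl']` is unset still gets `SSLVerifyClient require` and a `Remote-User` header taken from the certificate CN, but no revocation check, so a revoked client certificate keeps authenticating until it expires. Nothing in the rendered configuration shows that this was a deliberate choice. An explicit else branch, `{% else -%}` followed by `SSLCARevocationCheck none` and a comment such as `# CRL check disabled (check-crl=false): revoked client certificates are still accepted`, would make the decision visible to anyone auditing the generated file. If the template is rendered with strict undefined handling (not visible here), the subscript on a key that instance-balancer.cfg.in no longer emits could raise; assuming parameter_dict is a plain mapping, `parameter_dict.get('shared-crl')` would avoid that. The VirtualHost block continues outside the hunk.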
...@@ -18,11 +18,11 @@ md5sum = 15744bc9aa87585a64cb0050263e3142 ...@@ -18,11 +18,11 @@ md5sum = 15744bc9aa87585a64cb0050263e3142
[template-balancer] [template-balancer]
filename = instance-balancer.cfg.in filename = instance-balancer.cfg.in
md5sum = da8399562377b472c9488a337d0230dc md5sum = e5f505b65e15346c4ea9a8c73796c1f1
[template-apache-backend-conf] [template-apache-backend-conf]
filename = apache-backend.conf.in filename = apache-backend.conf.in
md5sum = 6cf13e8f5545d241e6514503f9824b02 md5sum = 596309dd5d1a9e16f9fc95354bbfc515
[template-haproxy-cfg] [template-haproxy-cfg]
filename = haproxy.cfg.in filename = haproxy.cfg.in
......
...@@ -4,6 +4,7 @@ ...@@ -4,6 +4,7 @@
{% set ssl_parameter_dict = slapparameter_dict['ssl'] -%} {% set ssl_parameter_dict = slapparameter_dict['ssl'] -%}
{% set frontend_caucase_url_list = ssl_parameter_dict.get('frontend-caucase-url-list', []) -%} {% set frontend_caucase_url_list = ssl_parameter_dict.get('frontend-caucase-url-list', []) -%}
{% set shared_ca_path = slapparameter_dict.get('shared-certificate-authority-path') -%} {% set shared_ca_path = slapparameter_dict.get('shared-certificate-authority-path') -%}
{% set check_crl = slapparameter_dict.get('check-crl', True) -%}
{# {#
XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6 XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6
per partition. No more (undefined result), no less (IndexError). per partition. No more (undefined result), no less (IndexError).
...@@ -174,8 +175,10 @@ crl = ${apache-conf-ssl:crl} ...@@ -174,8 +175,10 @@ crl = ${apache-conf-ssl:crl}
{% if shared_ca_path -%} {% if shared_ca_path -%}
shared-ca-cert = {{ shared_ca_path }}/cacert.pem shared-ca-cert = {{ shared_ca_path }}/cacert.pem
{% if check_crl -%}
shared-crl = {{ shared_ca_path }}/crl shared-crl = {{ shared_ca_path }}/crl
{%- endif %} {%- endif %}
{%- endif %}
[apache-conf] [apache-conf]
< = jinja2-template-base < = jinja2-template-base
......
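Review bot: The new `check-crl` parameter set at the top of the template is only tested for truthiness, so any falsy value (0, an empty string, null) turns revocation checking off, while a string such as "false" would leave it on. The accepted type is not stated anywhere in the visible lines. Because this switch weakens client-certificate authentication, it deserves a comment next to the `set`, for example `{# check-crl: boolean, default true; when false no shared-crl is emitted and the backend accepts revoked client certificates until they expire #}`. If the software release has a parameter schema (not shown on this page), the option should presumably be declared there as a boolean with the same warning.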