Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Xiaowu Zhang
slapos
Commits
9e7758fa
Commit
9e7758fa
authored
Jun 15, 2020
by
Kazuhiko Shiozaki
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
component/apache: deprecate ca-cert and crl. use ca-cert-dir and crl-dir instead.
parent
757c1a4d
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
6 additions
and
27 deletions
+6
-27
component/apache/apache-backend.conf.in
component/apache/apache-backend.conf.in
+5
-26
component/apache/buildout.hash.cfg
component/apache/buildout.hash.cfg
+1
-1
No files found.
component/apache/apache-backend.conf.in
View file @
9e7758fa
...
@@ -23,15 +23,6 @@
...
@@ -23,15 +23,6 @@
# # The path given to "SSLSessionCache shmcb:<folder_path>(512000)"
# # The path given to "SSLSessionCache shmcb:<folder_path>(512000)"
# "ssl-session-cache": "<folder_path>",
# "ssl-session-cache": "<folder_path>",
#
#
# # The path given to "SSLCACertificateFile" (can be empty)
# # If this value is not empty, it enables client certificate check.
# # (Enabling "SSLVerifyClient require")
# "ca-cert": "<file_path>",
#
# # The path given to "SSLCARevocationFile" (used if ca-cert is not
# # empty)
# "crl": "<file_path>",
#
# # The path given to "SSLCACertificatePath" (can be empty)
# # The path given to "SSLCACertificatePath" (can be empty)
# # If this value is not empty, it enables client certificate check.
# # If this value is not empty, it enables client certificate check.
# # (Enabling "SSLVerifyClient require")
# # (Enabling "SSLVerifyClient require")
...
@@ -78,7 +69,7 @@
...
@@ -78,7 +69,7 @@
# From to `backend-list`:
# From to `backend-list`:
# - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
# - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
# - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
# - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
# only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert`.
# only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert
-dir
`.
# - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
# - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
# - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
# - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
# accepting requests from any client.
# accepting requests from any client.
...
@@ -92,9 +83,7 @@
...
@@ -92,9 +83,7 @@
# For more details, refer to
# For more details, refer to
# https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
# https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
-#}
-#}
{% set ca_cert = parameter_dict.get('ca-cert') -%}
{% set ca_cert_dir = parameter_dict.get('ca-cert-dir') -%}
{% set ca_cert_dir = parameter_dict.get('ca-cert-dir') -%}
{% set crl = parameter_dict.get('crl') -%}
{% set crl_dir = parameter_dict.get('crl-dir') -%}
{% set crl_dir = parameter_dict.get('crl-dir') -%}
LoadModule unixd_module modules/mod_unixd.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule access_compat_module modules/mod_access_compat.so
...
@@ -146,24 +135,14 @@ SSLProxyEngine On
...
@@ -146,24 +135,14 @@ SSLProxyEngine On
# As backend is trusting Remote-User header unset it always
# As backend is trusting Remote-User header unset it always
RequestHeader unset Remote-User
RequestHeader unset Remote-User
{% if ca_cert
or ca_cert
_dir -%}
{% if ca_cert_dir -%}
SSLVerifyClient optional
SSLVerifyClient optional
RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
{% if ca_cert -%}
SSLCACertificateFile {{ ca_cert }}
{% endif -%}
{% if ca_cert_dir -%}
SSLCACertificatePath {{ ca_cert_dir }}
SSLCACertificatePath {{ ca_cert_dir }}
{% endif -%}
{% if crl_dir -%}
{% if crl or crl_dir -%}
SSLCARevocationCheck chain
SSLCARevocationCheck chain
{% if crl -%}
SSLCARevocationFile {{ crl }}
{% endif -%}
{% if crl_dir -%}
SSLCARevocationPath {{ crl_dir }}
SSLCARevocationPath {{ crl_dir }}
{% endif -%}
{% endif -%}
{% endif -%}
{% endif -%}
{% endif -%}
...
@@ -185,7 +164,7 @@ Listen {{ ip }}:{{ port }}
...
@@ -185,7 +164,7 @@ Listen {{ ip }}:{{ port }}
{% endfor -%}
{% endfor -%}
<VirtualHost *:{{ port }}>
<VirtualHost *:{{ port }}>
SSLEngine on
SSLEngine on
{% if enable_authentication and
(ca_cert or ca_cert_dir) and (crl or crl_dir)
-%}
{% if enable_authentication and
ca_cert_dir
-%}
SSLVerifyClient require
SSLVerifyClient require
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
...
@@ -204,7 +183,7 @@ Listen {{ ip }}:{{ port }}
...
@@ -204,7 +183,7 @@ Listen {{ ip }}:{{ port }}
<VirtualHost {{ ip }}:{{ port }}>
<VirtualHost {{ ip }}:{{ port }}>
SSLEngine on
SSLEngine on
Timeout 3600
Timeout 3600
{% if enable_authentication and
(ca_cert or ca_cert_dir) and (crl or crl_dir)
-%}
{% if enable_authentication and
ca_cert_dir
-%}
SSLVerifyClient require
SSLVerifyClient require
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
...
...
component/apache/buildout.hash.cfg
View file @
9e7758fa
...
@@ -14,5 +14,5 @@
...
@@ -14,5 +14,5 @@
# not need these here).
# not need these here).
[template-apache-backend-conf]
[template-apache-backend-conf]
filename = apache-backend.conf.in
filename = apache-backend.conf.in
md5sum =
4a13ad45e38e14ca7027c17192c90205
md5sum =
a169c1d6b0f2636f21f180e8a0b52137
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment