Difference between revisions of "Fedcloud-tf:WorkGroups:FederatedAAI:Apache2SSLReverseProxy"
Revision as of 14:37, 19 March 2012
Requirements
- Apache2 has been installed
- Apache2 modules have been installed (libapache2-mod-<MODULE> in Debian-based distros)
- proxy
- proxy_http
- proxy_connect
- headers
- deflate
- ssl
- Apache2 modules listed above have been enabled (a2enmod <MODULE>)
- Apache2 is working properly with its default configuration (virtual hosts default and default-ssl)
- IGTF CA bundle is installed and its CRLs are up-to-date (step-by-step guide for Debian-based distros included below)
    wget -q https://dist.eugridpma.info/distribution/igtf/current/GPG-KEY-EUGridPMA-RPM-3
    gpg --with-fingerprint GPG-KEY-EUGridPMA-RPM-3
    ## expected output; compare the fingerprint with the one published by EUGridPMA before adding the key
    pub   1024D/3CDBBC71 2005-07-12 EUGridPMA Distribution Signing Key 3 <info@eugridpma.org>
          Key fingerprint = D12E 9228 22BE 64D5 0146 188B C32D 99C8 3CDB BC71
    apt-key add GPG-KEY-EUGridPMA-RPM-3
    echo "deb http://dist.eugridpma.info/distribution/igtf/current igtf accredited" > /etc/apt/sources.list.d/eugridpma.list
    apt-get update
    apt-get install ca-policy-igtf-classic ca-policy-igtf-mics ca-policy-igtf-slcs
    apt-get install fetch-crl
    ## v3.x of fetch-crl has been known not to work properly, please, make sure that you have v2.8.5 installed
    head /usr/sbin/fetch-crl
    ## expected output for the working version:
    #!/bin/sh
    # $Name: $
    # $Id: edg-fetch-crl.cin,v 1.30 2010/06/03 09:18:06 pmacvsdg Exp $
    ###############################################################################
    # File:        edg-fetch-crl                                                  #
    #                                                                             #
    # Version:     2.8.5                                                          #
- Host has a valid server certificate installed in /etc/grid-security/host{cert,key}.pem
Configuration
This configuration is just an example. For more information you should read the Apache2 mod_proxy documentation (http://httpd.apache.org/docs/2.2/mod/mod_proxy.html).
Some parts of this example are host-specific; they have been replaced with ##VARIABLE## placeholders:
- ##HOSTNAME## - hostname (e.g. occi.example.com) as stated in the certificate of the host running Apache
- ##PORT## - public port used by Apache to proxy the OCCI service. Remember to properly configure your firewall for this port, as this will be the port for inbound traffic.
- ##LOCAL_PORT## - local port where the OCCI service is running (default is 3000). This port must not be open for public access, otherwise the certificate check done by Apache can be bypassed by connecting to the service directly!
- ##DN_FROM_ALLOWED_CERT## - certificate DN of the user who should be allowed access to the service (e.g. /C=DE/O=GridGermany/OU=Gesellschaft fuer wissenschaftliche Datenverarbeitung mbH/CN=Peter Mustermann)
- ##DN_FROM_ANOTHER_ALLOWED_CERT## - see ##DN_FROM_ALLOWED_CERT##
NOTICE: New VirtualHosts are ignored by default; you have to enable them manually with a2ensite <SITE_NAME> after you have created the <SITE_NAME> file within the sites-available directory, e.g. a2ensite x509proxy.
/etc/apache2/ports.conf
    NameVirtualHost ##HOSTNAME##:##PORT##
    #Listen 80   ## we don't need this
    <IfModule mod_ssl.c>
        Listen ##PORT##
    </IfModule>
    ## we don't need this
    #<IfModule mod_gnutls.c>
    #    Listen 443
    #</IfModule>
/etc/apache2/sites-available/x509proxy
    <VirtualHost ##HOSTNAME##:##PORT##>
        ServerName ##HOSTNAME##

        ## First blank every SSL_* header, so that nothing a client sends on the
        ## wire under these names is passed on to the OCCI service ...
        RequestHeader set SSL_CLIENT_S_DN ""
        RequestHeader set SSL_CLIENT_I_DN ""
        RequestHeader set SSL_SERVER_S_DN_OU ""
        RequestHeader set SSL_CLIENT_VERIFY ""
        RequestHeader set SSL_CLIENT_V_START ""
        RequestHeader set SSL_CLIENT_V_END ""
        RequestHeader set SSL_CLIENT_M_VERSION ""
        RequestHeader set SSL_CLIENT_M_SERIAL ""
        RequestHeader set SSL_CLIENT_CERT ""
        RequestHeader set SSL_CLIENT_VERIFY ""
        RequestHeader set SSL_SERVER_M_SERIAL ""
        RequestHeader set SSL_SERVER_M_VERSION ""
        RequestHeader set SSL_SERVER_I_DN ""
        RequestHeader set SSL_SERVER_CERT ""
        ## ... then fill them from the mod_ssl environment of this TLS session
        ## (needs mod_headers and SSLOptions +StdEnvVars +ExportCertData below)
        RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
        RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
        RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
        RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
        RequestHeader set SSL_CLIENT_V_START "%{SSL_CLIENT_V_START}s"
        RequestHeader set SSL_CLIENT_V_END "%{SSL_CLIENT_V_END}s"
        RequestHeader set SSL_CLIENT_M_VERSION "%{SSL_CLIENT_M_VERSION}s"
        RequestHeader set SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
        RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
        RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
        RequestHeader set SSL_SERVER_M_VERSION "%{SSL_SERVER_M_VERSION}s"
        RequestHeader set SSL_SERVER_I_DN "%{SSL_SERVER_I_DN}s"
        RequestHeader set SSL_SERVER_CERT "%{SSL_SERVER_CERT}s"

        ## Reverse proxy only (no forward proxying) to the local OCCI service
        ProxyRequests Off
        ProxyPreserveHost on
        ProxyPass / http://localhost:##LOCAL_PORT##/
        ProxyPassReverse / http://localhost:##LOCAL_PORT##/

        SSLEngine on
        SSLCertificateFile /etc/grid-security/hostcert.pem
        SSLCertificateKeyFile /etc/grid-security/hostkey.pem
        SSLProxyEngine on
        ## IGTF CA bundle installed in the Requirements section
        SSLCACertificatePath /etc/grid-security/certificates
        SSLCertificateChainFile /etc/grid-security/tcs-ca-bundle.pem
        ## Every client must present a certificate that chains to one of the CAs above
        SSLVerifyClient require
        SSLVerifyDepth 10
        ## This cipher string still permits LOW, export (EXP) and SSLv2 suites;
        ## tighten it for anything beyond a test setup.
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLOptions +StdEnvVars +ExportCertData

        <Proxy *>
            AddDefaultCharset Off
            Order deny,allow
            Allow from all
            ## Of the validly-signed certificates, only these subject DNs may use the proxy
            SSLRequire ( \
                %{SSL_CLIENT_S_DN} eq "##DN_FROM_ALLOWED_CERT##" \
                or %{SSL_CLIENT_S_DN} eq "##DN_FROM_ANOTHER_ALLOWED_CERT##")
        </Proxy>

        LogLevel debug
    </VirtualHost>
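The header handling and the allow-list check of the VirtualHost above, modelled in Python as an added example (this is not code from the wiki page, from Apache or from the OCCI service); the DNs, header values and the allow list are constructed samples:

```python
# Added example, not from the original wiki page: a small model of what the
# x509proxy VirtualHost above does with the SSL_* request headers and of its
# SSLRequire allow-list. It shows why the proxy first blanks every SSL_*
# header and why ##LOCAL_PORT## must not be reachable from outside.
# All DNs and header values below are constructed samples.

SSL_HEADERS = ("SSL_CLIENT_S_DN", "SSL_CLIENT_I_DN", "SSL_CLIENT_VERIFY",
               "SSL_CLIENT_V_START", "SSL_CLIENT_V_END", "SSL_CLIENT_CERT")

# Constructed allow list standing in for ##DN_FROM_ALLOWED_CERT## etc.
ALLOWED_DNS = {"/C=DE/O=GridGermany/OU=Example Org/CN=Peter Mustermann"}


def via_proxy(client_headers, tls_env):
    """Headers the OCCI service sees when the request came through Apache.

    Mirrors the two RequestHeader blocks: each SSL_* header is set to "" and
    then set again from mod_ssl's environment (%{SSL_...}s). Any SSL_* value
    the client put on the wire is overwritten and never reaches the backend.
    """
    out = {k: v for k, v in client_headers.items() if not k.startswith("SSL_")}
    for name in SSL_HEADERS:
        out[name] = ""                     # RequestHeader set NAME ""
        out[name] = tls_env.get(name, "")  # RequestHeader set NAME "%{NAME}s"
    return out


def direct_to_backend(client_headers):
    """Headers the OCCI service sees if ##LOCAL_PORT## were reachable directly:
    no TLS, no mod_ssl, no rewriting, so the client controls every header.
    This is the bypass the firewall requirement in the text rules out."""
    return dict(client_headers)


def proxy_allows(tls_env):
    """SSLVerifyClient require plus the SSLRequire expression in <Proxy *>:
    only a successfully verified certificate whose subject DN is listed
    gets proxied. mod_ssl reports the verification result as SSL_CLIENT_VERIFY."""
    return (tls_env.get("SSL_CLIENT_VERIFY") == "SUCCESS"
            and tls_env.get("SSL_CLIENT_S_DN") in ALLOWED_DNS)


def backend_accepts(headers):
    """Check the OCCI service should repeat on the forwarded headers (defence
    in depth): trust SSL_CLIENT_S_DN only alongside SSL_CLIENT_VERIFY=SUCCESS."""
    return (headers.get("SSL_CLIENT_VERIFY") == "SUCCESS"
            and headers.get("SSL_CLIENT_S_DN") in ALLOWED_DNS)
```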