|
|
| (7 intermediate revisions by 2 users not shown) |
| Line 1: |
Line 1: |
| == Requirements ==
| | For any installation or configuration details, see [[MAN10 | MAN10 - Setting up Cloud Resource Centre]]. |
| *Apache2 has been installed
| |
| *Apache2 modules have been installed (libapache2-mod-<MODULE> in Debian-based distros)
| |
| **proxy
| |
| **proxy_http
| |
| **proxy_connect
| |
| **headers
| |
| **deflate
| |
| **ssl
| |
| *Apache2 modules listed above have been enabled (a2enmod <MODULE>)
| |
| *Apache2 is working properly with its default configuration (virtual hosts default and default-ssl)
| |
| | |
| == Configuration ==
| |
| This configuration is just an example. For more information you should read the [http://httpd.apache.org/docs/2.2/mod/mod_proxy.html Apache2 mod_proxy documentation].
| |
| | |
| Some parts of this example are host-specific, they have been replaced with '''##VARIABLE##'''.
| |
| | |
| <pre>
| |
| <VirtualHost ##HOSTNAME##:##PORT##>
| |
| ServerName ##HOSTNAME##
| |
|
| |
| RequestHeader set SSL_CLIENT_S_DN ""
| |
| RequestHeader set SSL_CLIENT_I_DN ""
| |
| RequestHeader set SSL_SERVER_S_DN_OU ""
| |
| RequestHeader set SSL_CLIENT_VERIFY ""
| |
| RequestHeader set SSL_CLIENT_V_START ""
| |
| RequestHeader set SSL_CLIENT_V_END ""
| |
| RequestHeader set SSL_CLIENT_M_VERSION ""
| |
| RequestHeader set SSL_CLIENT_M_SERIAL ""
| |
| RequestHeader set SSL_CLIENT_CERT ""
| |
| RequestHeader set SSL_CLIENT_VERIFY ""
| |
| RequestHeader set SSL_SERVER_M_SERIAL ""
| |
| RequestHeader set SSL_SERVER_M_VERSION ""
| |
| RequestHeader set SSL_SERVER_I_DN ""
| |
| RequestHeader set SSL_SERVER_CERT ""
| |
|
| |
| RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
| |
| RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
| |
| RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
| |
| RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
| |
| RequestHeader set SSL_CLIENT_V_START "%{SSL_CLIENT_V_START}s"
| |
| RequestHeader set SSL_CLIENT_V_END "%{SSL_CLIENT_V_END}s"
| |
| RequestHeader set SSL_CLIENT_M_VERSION "%{SSL_CLIENT_M_VERSION}s"
| |
| RequestHeader set SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
| |
| RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
| |
| RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
| |
| RequestHeader set SSL_SERVER_M_VERSION "%{SSL_SERVER_M_VERSION}s"
| |
| RequestHeader set SSL_SERVER_I_DN "%{SSL_SERVER_I_DN}s"
| |
| RequestHeader set SSL_SERVER_CERT "%{SSL_SERVER_CERT}s"
| |
|
| |
| ProxyRequests Off
| |
| ProxyPreserveHost on
| |
| ProxyPass / http://localhost:##LOCAL_PORT##/
| |
| ProxyPassReverse / http://localhost:##LOCAL_PORT##/
| |
|
| |
| SSLEngine on
| |
| SSLCertificateFile /etc/grid-security/hostcert.pem
| |
| SSLCertificateKeyFile /etc/grid-security/hostkey.pem
| |
|
| |
| SSLProxyEngine on
| |
| SSLCACertificatePath /etc/grid-security/certificates
| |
| SSLCertificateChainFile /etc/grid-security/tcs-ca-bundle.pem
| |
|
| |
| SSLVerifyClient require
| |
| SSLVerifyDepth 10
| |
| SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
| |
| SSLOptions +StdEnvVars +ExportCertData
| |
|
| |
| <Proxy *>
| |
| AddDefaultCharset Off
| |
| Order deny,allow
| |
| Allow from all
| |
| | |
| SSLRequire ( \
| |
| %{SSL_CLIENT_S_DN} eq "##DN_FROM_ALLOWED_CERT##" \
| |
| or %{SSL_CLIENT_S_DN} eq "##DN_FROM_ANOTHER_ALLOWED_CERT##")
| |
| </Proxy>
| |
|
| |
| LogLevel debug
| |
| </VirtualHost>
| |
| </pre>
| |
The wiki is deprecated and due to be decommissioned by the end of September 2022.