The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "Fedcloud-tf:WorkGroups:FederatedAAI:Apache2SSLReverseProxy"

From EGIWiki
(→‎Configuration: Added explanation for variables)
Line 69: Line 69:
<VirtualHost ##HOSTNAME##:##PORT##>
<VirtualHost ##HOSTNAME##:##PORT##>
ServerName ##HOSTNAME##
ServerName ##HOSTNAME##
 
RequestHeader set SSL_CLIENT_S_DN    ""
  RequestHeader set SSL_CLIENT_I_DN    ""
  RequestHeader set SSL_SERVER_S_DN_OU ""
  RequestHeader set SSL_CLIENT_VERIFY  ""
  RequestHeader set SSL_CLIENT_V_START  ""
  RequestHeader set SSL_CLIENT_V_END  ""
  RequestHeader set SSL_CLIENT_M_VERSION  ""
  RequestHeader set SSL_CLIENT_M_SERIAL  ""
  RequestHeader set SSL_CLIENT_CERT  ""
  RequestHeader set SSL_CLIENT_VERIFY  ""
  RequestHeader set SSL_SERVER_M_SERIAL  ""
  RequestHeader set SSL_SERVER_M_VERSION  ""
  RequestHeader set SSL_SERVER_I_DN  ""
  RequestHeader set SSL_SERVER_CERT  ""
  
  
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
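Review bot: Dropping the block of `RequestHeader set ... ""` lines removes the only directive that touched SSL_SERVER_M_SERIAL; unlike the other names, it is not set from `%{...}s` anywhere in the remaining VirtualHost, so a client-supplied SSL_SERVER_M_SERIAL header will now pass through to the backend unchanged. The other clearing lines were redundant, since `RequestHeader set` already overwrites whatever the client sent, but this one should either stay as `RequestHeader set SSL_SERVER_M_SERIAL ""` or be replaced by `RequestHeader set SSL_SERVER_M_SERIAL "%{SSL_SERVER_M_SERIAL}s"` next to the others. The duplicated SSL_CLIENT_VERIFY entry survives in both versions and could be removed at the same time.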

Revision as of 16:03, 23 January 2013

Requirements

  • Apache2 has been installed
  • Apache2 modules have been installed (libapache2-mod-<MODULE> in Debian-based distros)
    • proxy
    • proxy_http
    • proxy_connect
    • headers
    • deflate
    • ssl
  • Apache2 modules listed above have been enabled (a2enmod <MODULE>)
  • Apache2 is working properly with its default configuration (virtual hosts default and default-ssl)
  • IGTF CA bundle is installed and its CRLs are up-to-date (step-by-step guide for Debian-based distros included below)
wget -q https://dist.eugridpma.info/distribution/igtf/current/GPG-KEY-EUGridPMA-RPM-3
 
gpg --with-fingerprint GPG-KEY-EUGridPMA-RPM-3
pub  1024D/3CDBBC71 2005-07-12 EUGridPMA Distribution Signing Key 3 <info@eugridpma.org>
     Key fingerprint = D12E 9228 22BE 64D5 0146  188B C32D 99C8 3CDB BC71
apt-key add GPG-KEY-EUGridPMA-RPM-3

echo "deb http://dist.eugridpma.info/distribution/igtf/current igtf accredited" > /etc/apt/sources.list.d/eugridpma.list
apt-get update
apt-get install ca-policy-igtf-classic ca-policy-igtf-mics ca-policy-igtf-slcs
apt-get install fetch-crl  ## fetch-crl v3.x has been known not to work properly; please make sure that you have v2.8.5 installed
head /usr/sbin/fetch-crl
#!/bin/sh

# $Name:  $
# $Id: edg-fetch-crl.cin,v 1.30 2010/06/03 09:18:06 pmacvsdg Exp $


###############################################################################
# File:        edg-fetch-crl                                                  #
#                                                                             #
# Version:     2.8.5                                                          #
 
  • Host has a valid server certificate installed in /etc/grid-security/host{cert,key}.pem

Configuration

This configuration is just an example. For more information you should read the Apache2 mod_proxy documentation.

Some parts of this example are host-specific; they have been replaced with ##VARIABLE## placeholders:

  • ##HOSTNAME## - hostname (e.g. occi.example.com) as stated in the certificate of the host running Apache
  • ##PORT## - public port used by Apache to proxy the OCCI service. Remember to properly configure your firewall for this port, as this will be the port for inbound traffic.
  • ##LOCAL_PORT## - local port where the OCCI service is running (default is 3000). This port must not be open for public access!
  • ##DN_FROM_ALLOWED_CERT## - certificate DN of the user who should be allowed access to the service (e.g. /C=DE/O=GridGermany/OU=Gesellschaft fuer wissenschaftliche Datenverarbeitung mbH/CN=Peter Mustermann)
  • ##DN_FROM_ANOTHER_ALLOWED_CERT## - see ##DN_FROM_ALLOWED_CERT##

NOTICE: New VirtualHosts are ignored by default. After you have created the <SITE_NAME> file in the sites-available directory, you have to enable it manually with a2ensite <SITE_NAME>, e.g. a2ensite x509proxy.

/etc/apache2/ports.conf

  NameVirtualHost ##HOSTNAME##:##PORT##
  #Listen 80  ## we don't need this

  <IfModule mod_ssl.c>
      Listen ##PORT##
  </IfModule>

  ## we don't need this
  #<IfModule mod_gnutls.c>
  #    Listen 443
  #</IfModule>

/etc/apache2/sites-available/x509proxy

<VirtualHost ##HOSTNAME##:##PORT##>
    ServerName ##HOSTNAME##

    # Forward the client-certificate details to the OCCI service as HTTP headers.
    # "set" overwrites any header of the same name sent by the client, so these
    # values cannot be forged from outside; the backend must still accept them
    # only on ##LOCAL_PORT## from this proxy.
    RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
    RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
    RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
    RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set SSL_CLIENT_V_START "%{SSL_CLIENT_V_START}s"
    RequestHeader set SSL_CLIENT_V_END "%{SSL_CLIENT_V_END}s"
    RequestHeader set SSL_CLIENT_M_VERSION "%{SSL_CLIENT_M_VERSION}s"
    RequestHeader set SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
    RequestHeader set SSL_SERVER_M_VERSION "%{SSL_SERVER_M_VERSION}s"
    RequestHeader set SSL_SERVER_I_DN "%{SSL_SERVER_I_DN}s"
    RequestHeader set SSL_SERVER_CERT "%{SSL_SERVER_CERT}s"

    # Reverse proxy only (no forward proxying) to the local OCCI port.
    ProxyRequests Off
    ProxyPreserveHost on
    ProxyPass / http://localhost:##LOCAL_PORT##/
    ProxyPassReverse / http://localhost:##LOCAL_PORT##/

    SSLEngine on
    SSLCertificateFile /etc/grid-security/hostcert.pem
    SSLCertificateKeyFile /etc/grid-security/hostkey.pem

    SSLProxyEngine on
    # Hashed IGTF CA directory used to verify client certificates.
    SSLCACertificatePath /etc/grid-security/certificates
    SSLCertificateChainFile /etc/grid-security/tcs-ca-bundle.pem

    # Every client must present a certificate that chains to a trusted CA.
    SSLVerifyClient require
    SSLVerifyDepth 10
    # The old Apache default (ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL)
    # still permits LOW and EXPORT ciphers; restrict the proxy to strong ciphers.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4
    # StdEnvVars/ExportCertData populate the %{SSL_*} variables used above.
    SSLOptions +StdEnvVars +ExportCertData

    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all

        # Allow-list of client DNs; any other verified certificate gets 403.
        SSLRequire ( \
            %{SSL_CLIENT_S_DN} eq "##DN_FROM_ALLOWED_CERT##" \
            or %{SSL_CLIENT_S_DN} eq "##DN_FROM_ANOTHER_ALLOWED_CERT##")
    </Proxy>

    # Verbose; lower it (e.g. to warn) once the proxy is working.
    LogLevel debug
</VirtualHost>
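To make the header-forwarding behaviour concrete, the following Python script (an added example, not part of the wiki page) simulates mod_headers' RequestHeader set/unset over a constructed excerpt of the VirtualHost above: a DN header forged by the client is overwritten by the proxy, while a name the proxy never sets passes through to the backend. IDENTITY_VARS, the sample DN and the forged request are constructed for the example.

```python
import re

# Constructed excerpt of the x509proxy VirtualHost from this page, reduced to
# three RequestHeader lines (the full file sets more of them).
VHOST_EXCERPT = '''
    RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
    RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
    RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
'''

# mod_ssl variables a backend behind this proxy might read (constructed list of
# real mod_ssl names; extend it with whatever your service actually consumes).
IDENTITY_VARS = ("SSL_CLIENT_S_DN", "SSL_CLIENT_I_DN", "SSL_CLIENT_VERIFY",
                 "SSL_CLIENT_V_END", "SSL_SERVER_M_SERIAL")

HDR_RE = re.compile(r'^\s*RequestHeader\s+(set|unset)\s+(\S+)(?:\s+"([^"]*)")?', re.M)
VAR_RE = re.compile(r'%\{(\w+)\}s')


def forwarded_headers(config_text, client_headers, ssl_env):
    """Simulate mod_headers on one request: start from the headers the client
    sent, then apply each RequestHeader set/unset in order. "%{VAR}s" expands
    to the mod_ssl environment variable VAR, or to "(null)" when it is unset,
    which is what the backend sees if SSLOptions +StdEnvVars is missing."""
    hdrs = {k.lower(): v for k, v in client_headers.items()}
    for action, name, value in HDR_RE.findall(config_text):
        if action == "unset":
            hdrs.pop(name.lower(), None)
        else:
            hdrs[name.lower()] = VAR_RE.sub(
                lambda m: ssl_env.get(m.group(1), "(null)"), value)
    return hdrs


def unguarded_headers(config_text, names=IDENTITY_VARS):
    """Identity headers the proxy neither sets nor unsets: whatever the client
    sends under these names reaches the backend unchanged."""
    guarded = {name.upper() for _, name, _ in HDR_RE.findall(config_text)}
    return [n for n in names if n.upper() not in guarded]


if __name__ == "__main__":
    # Constructed request: the client tries to smuggle its own identity headers.
    forged = {"SSL_CLIENT_S_DN": "/C=XX/O=Evil/CN=Impostor", "SSL_SERVER_M_SERIAL": "1"}
    env = {"SSL_CLIENT_S_DN": "/C=DE/O=GridGermany/CN=Peter Mustermann",
           "SSL_CLIENT_VERIFY": "SUCCESS"}
    print(forwarded_headers(VHOST_EXCERPT, forged, env))
    print(unguarded_headers(VHOST_EXCERPT))
```

Run it against your real sites-available file to list which SSL_* names your backend trusts but the proxy does not overwrite.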