The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations @ egi.eu.

Difference between revisions of "Fedcloud-tf:WorkGroups:FederatedAAI:Apache2SSLReverseProxy"

From EGIWiki
(Removing outdated and misleading information)
 
== Requirements ==
For any installation or configuration details, see [[MAN10 | MAN10 - Setting up Cloud Resource Centre]].
*Apache2 has been installed
*Apache2 modules have been installed (libapache2-mod-<MODULE> in Debian-based distros)
**proxy
**proxy_http
**proxy_connect
**headers
**deflate
**ssl
*Apache2 modules listed above have been enabled (a2enmod <MODULE>)
*Apache2 is working properly with its default configuration (virtual hosts default and default-ssl)
*IGTF CA bundle is installed and its CRLs are up-to-date (step-by-step guide for Debian-based distros included below)
<pre>
wget -q https://dist.eugridpma.info/distribution/igtf/current/GPG-KEY-EUGridPMA-RPM-3

gpg --with-fingerprint GPG-KEY-EUGridPMA-RPM-3
pub  1024D/3CDBBC71 2005-07-12 EUGridPMA Distribution Signing Key 3 <info@eugridpma.org>
      Key fingerprint = D12E 9228 22BE 64D5 0146  188B C32D 99C8 3CDB BC71

apt-key add GPG-KEY-EUGridPMA-RPM-3
echo "deb http://dist.eugridpma.info/distribution/igtf/current igtf accredited" > /etc/apt/sources.list.d/eugridpma.list
apt-get update
apt-get install ca-policy-igtf-classic ca-policy-igtf-mics ca-policy-igtf-slcs

apt-get install fetch-crl  ## fetch-crl 3.x has been known not to work properly; make sure v2.8.5 is installed
head /usr/sbin/fetch-crl
#!/bin/sh
# $Name:  $
# $Id: edg-fetch-crl.cin,v 1.30 2010/06/03 09:18:06 pmacvsdg Exp $
###############################################################################
# File:        edg-fetch-crl                                                  #
#                                                                            #
# Version:    2.8.5                                                          #
</pre>
*Host has a valid server certificate installed in /etc/grid-security/host{cert,key}.pem
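The gpg step above prints the key's fingerprint, but nothing in that sequence stops apt-key add from running when the downloaded file is not the expected key. The script below is an added example, not part of the wiki page: it pins the fingerprint quoted above and reports a match only when gpg --with-fingerprint prints that exact value. The embedded sample output is copied from the listing above; the key file name is the one the page downloads, and the script itself is an assumption of this example, not an EGI tool.

```python
"""Pin the EUGridPMA signing-key fingerprint before trusting the key.

Added example (not from the wiki page).  Parses the output of
``gpg --with-fingerprint <keyfile>`` and compares every fingerprint it
finds against a pinned value, so ``apt-key add`` is only run when the
downloaded file really is the expected key.
"""
import re
import subprocess
import sys
from typing import List

# Fingerprint exactly as printed on this page for
# "EUGridPMA Distribution Signing Key 3".
PINNED_FINGERPRINT = "D12E 9228 22BE 64D5 0146  188B C32D 99C8 3CDB BC71"

# Sample output copied from the page's own gpg listing (GnuPG 1.x layout),
# so the script can be exercised without network access.
SAMPLE_GPG_OUTPUT = (
    "pub  1024D/3CDBBC71 2005-07-12 EUGridPMA Distribution Signing Key 3 "
    "<info@eugridpma.org>\n"
    "      Key fingerprint = D12E 9228 22BE 64D5 0146  188B C32D 99C8 3CDB BC71\n"
)

_HEX40 = re.compile(r"^[0-9A-F]{40}$")


def normalize_fingerprint(text: str) -> str:
    """Drop whitespace and upper-case so differently grouped layouts compare equal."""
    return re.sub(r"\s+", "", text).upper()


def extract_fingerprints(gpg_output: str) -> List[str]:
    """Return every 40-hex-digit fingerprint found in gpg --with-fingerprint output.

    GnuPG 1.x prints ``      Key fingerprint = D12E 9228 ...``; GnuPG 2.1+
    prints the groups on a bare indented line.  Both reduce to one
    40-digit string once the label and the spaces are removed.
    """
    found = []
    for line in gpg_output.splitlines():
        candidate = line.split("=", 1)[1] if "Key fingerprint" in line else line
        candidate = normalize_fingerprint(candidate)
        if _HEX40.match(candidate):
            found.append(candidate)
    return found


def fingerprint_matches(gpg_output: str, pinned: str = PINNED_FINGERPRINT) -> bool:
    """True only if the pinned fingerprint is among those gpg reported."""
    return normalize_fingerprint(pinned) in extract_fingerprints(gpg_output)


def check_key_file(path: str) -> bool:
    """Run gpg on a downloaded key file and report whether it is the pinned key."""
    result = subprocess.run(
        ["gpg", "--with-fingerprint", path],
        capture_output=True, text=True, check=True,
    )
    return fingerprint_matches(result.stdout)


if __name__ == "__main__":
    # With no argument, exercise the parser on the embedded sample listing;
    # with a path, inspect the file that wget fetched before apt-key add.
    if len(sys.argv) > 1:
        ok = check_key_file(sys.argv[1])
    else:
        ok = fingerprint_matches(SAMPLE_GPG_OUTPUT)
    if ok:
        print("fingerprint matches the pinned value; safe to run apt-key add")
    else:
        print("fingerprint MISMATCH; do not add this key", file=sys.stderr)
        sys.exit(1)
```

Run it as `python3 check_key.py GPG-KEY-EUGridPMA-RPM-3` between the wget and the apt-key add steps; a non-zero exit aborts the procedure before the repository is trusted.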
 
== Configuration ==
This configuration is just an example. For more information, read the [http://httpd.apache.org/docs/2.2/mod/mod_proxy.html Apache2 mod_proxy documentation].
 
Some parts of this example are host-specific; they have been replaced with '''##VARIABLE##''':
* ##HOSTNAME## - hostname (e.g. occi.example.com) as stated in the certificate of the host running Apache
* ##PORT## - public port used by Apache to proxy the OCCI service. Remember to configure your firewall for this port, as it is the port for inbound traffic.
* ##LOCAL_PORT## - local port where the OCCI service is running (default is 3000). This port must not be open for public access!
* ##DN_FROM_ALLOWED_CERT## - certificate DN of the user who should be allowed access to the service (e.g. /C=DE/O=GridGermany/OU=Gesellschaft fuer wissenschaftliche Datenverarbeitung mbH/CN=Peter Mustermann)
* ##DN_FROM_ANOTHER_ALLOWED_CERT## - see ##DN_FROM_ALLOWED_CERT##
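The ##LOCAL_PORT## rule matters because the proxy in this section passes the result of the client-certificate check to the OCCI service as ordinary HTTP request headers (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and the others set with RequestHeader). Those headers are only trustworthy when the request actually came through Apache; anything that can reach ##LOCAL_PORT## directly could send its own. The handler below is an added example, not from the wiki or from any OCCI implementation: it shows what the backend side of this arrangement should enforce, namely that the peer is the loopback address the proxy connects from, that the proxy reported a verified certificate, and that the subject DN is an exact member of the allow-list (the same string comparison that SSLRequire ... eq performs). The DN values are constructed placeholders standing in for ##DN_FROM_ALLOWED_CERT## and ##DN_FROM_ANOTHER_ALLOWED_CERT##.

```python
"""Backend-side enforcement of the identity headers set by the Apache X.509 proxy.

Added example, not part of the wiki page or of any OCCI service.  Models the
service listening on ##LOCAL_PORT## and refuses any request that did not
pass through the proxy's client-certificate check.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Iterable, Mapping, Optional, Tuple

# Constructed stand-ins for ##DN_FROM_ALLOWED_CERT## / ##DN_FROM_ANOTHER_ALLOWED_CERT##.
ALLOWED_DNS = frozenset({
    "/C=DE/O=GridGermany/OU=Example Institute/CN=Peter Mustermann",
    "/C=XX/O=Example Org/CN=Another Allowed User",
})

# The proxy forwards to http://localhost:##LOCAL_PORT##/, so legitimate
# requests always originate from a loopback address.
LOOPBACK = frozenset({"127.0.0.1", "::1"})


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def authorize(headers: Mapping[str, str], peer_address: str,
              allowed_dns: Iterable[str] = ALLOWED_DNS) -> Tuple[bool, str]:
    """Decide whether a proxied request may reach the service.

    Returns (True, subject_dn) when all checks pass, otherwise
    (False, reason).  Every check fails closed.
    """
    # 1. Only the local Apache proxy may talk to this port.  From any other
    #    address the SSL_* headers could have been written by the sender.
    if peer_address not in LOOPBACK:
        return False, "request did not come through the local proxy"
    # 2. mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only when the client
    #    chain validated against SSLCACertificatePath.
    if _header(headers, "SSL_CLIENT_VERIFY") != "SUCCESS":
        return False, "client certificate not verified by the proxy"
    # 3. Exact match, as SSLRequire's 'eq' does: no prefix or substring logic,
    #    so "/C=DE/O=GridGermany/CN=Peter Mustermann/CN=extra" is not accepted.
    dn = _header(headers, "SSL_CLIENT_S_DN")
    if dn is None or dn not in set(allowed_dns):
        return False, "subject DN not in allow-list"
    return True, dn


class ProxiedServiceHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for the OCCI service behind the proxy."""

    def do_GET(self) -> None:
        allowed, detail = authorize(dict(self.headers.items()), self.client_address[0])
        body = (f"hello {detail}\n" if allowed else f"forbidden: {detail}\n").encode()
        self.send_response(200 if allowed else 403)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only: this is the ##LOCAL_PORT## side, never public.
    HTTPServer(("127.0.0.1", 3000), ProxiedServiceHandler).serve_forever()
```

The loopback check is the part that the Apache configuration alone cannot give you: RequestHeader set overwrites whatever the TLS client sent, but only for requests that went through Apache. Binding the service to 127.0.0.1 and checking the peer address closes the same gap twice, which is cheap insurance against a later firewall change.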
 
'''NOTICE:''' New VirtualHosts are ignored by default. After creating the <SITE_NAME> file in the sites-available directory, enable it manually with a2ensite <SITE_NAME>, e.g. a2ensite x509proxy.
 
=== /etc/apache2/ports.conf ===
<pre>
  NameVirtualHost ##HOSTNAME##:##PORT##
  #Listen 80  ## we don't need this
 
  <IfModule mod_ssl.c>
      Listen ##PORT##
  </IfModule>
 
  ## we don't need this
  #<IfModule mod_gnutls.c>
  #    Listen 443
  #</IfModule>
</pre>
 
=== /etc/apache2/sites-available/x509proxy ===
<pre>
<VirtualHost ##HOSTNAME##:##PORT##>
  ServerName ##HOSTNAME##

  RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
  RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
  RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
  RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
  RequestHeader set SSL_CLIENT_V_START "%{SSL_CLIENT_V_START}s"
  RequestHeader set SSL_CLIENT_V_END "%{SSL_CLIENT_V_END}s"
  RequestHeader set SSL_CLIENT_M_VERSION "%{SSL_CLIENT_M_VERSION}s"
  RequestHeader set SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
  RequestHeader set SSL_SERVER_M_VERSION "%{SSL_SERVER_M_VERSION}s"
  RequestHeader set SSL_SERVER_I_DN "%{SSL_SERVER_I_DN}s"
  RequestHeader set SSL_SERVER_CERT "%{SSL_SERVER_CERT}s"

  ProxyRequests Off
  ProxyPreserveHost on
  ProxyPass / http://localhost:##LOCAL_PORT##/
  ProxyPassReverse / http://localhost:##LOCAL_PORT##/

  SSLEngine on
  SSLCertificateFile /etc/grid-security/hostcert.pem
  SSLCertificateKeyFile /etc/grid-security/hostkey.pem

  SSLProxyEngine on
  SSLCACertificatePath /etc/grid-security/certificates
  SSLCertificateChainFile /etc/grid-security/tcs-ca-bundle.pem

  SSLVerifyClient require
  SSLVerifyDepth 10
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLOptions +StdEnvVars +ExportCertData

  <Proxy *>
    AddDefaultCharset Off
    Order deny,allow
    Allow from all

    SSLRequire ( \
          %{SSL_CLIENT_S_DN} eq "##DN_FROM_ALLOWED_CERT##" \
      or  %{SSL_CLIENT_S_DN} eq "##DN_FROM_ANOTHER_ALLOWED_CERT##")
  </Proxy>

  LogLevel debug
</VirtualHost>
</pre>
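Two points in the VirtualHost above deserve attention before it is copied. The SSLCipherSuite string explicitly re-enables SSLv2, export, LOW and NULL-encryption (+eNULL) ciphers, so a client may negotiate a session with no confidentiality at all. And although the Requirements section installs fetch-crl to keep the IGTF CRLs current, nothing in the configuration tells mod_ssl where those CRLs are, so a revoked client certificate still satisfies SSLVerifyClient. The fragment below is an added example, not the wiki's configuration: it places the page's cipher line beside a corrected one and adds the CRL directive, plus a note on the Apache 2.4 DN format that affects the SSLRequire comparisons. File paths are the ones used on this page; the directives are standard mod_ssl.

```apache
# Added hardening for the x509proxy VirtualHost (example, not the wiki's own
# configuration).  Drop these lines into the <VirtualHost> block in place of
# the originals they comment on.

# As on the page: re-enables SSLv2, export, LOW and NULL-encryption ciphers.
# SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# Corrected: no SSLv2/SSLv3, no anonymous, NULL, export, LOW, RC4 or MD5
# suites, and the server's preference order wins over the client's.
# (On builds whose OpenSSL lacks SSLv2 the -SSLv2 token is simply redundant.)
SSLProtocol            all -SSLv2 -SSLv3
SSLCipherSuite         HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!MD5
SSLHonorCipherOrder    on

# fetch-crl stores each CA's CRL as <hash>.rN next to the CA certificate in
# the same directory SSLCACertificatePath already points at; without this
# directive the downloaded CRLs are never consulted during SSLVerifyClient.
SSLCARevocationPath    /etc/grid-security/certificates
# Apache 2.2 checks CRLs as soon as SSLCARevocationPath is set; Apache 2.4
# additionally requires the check to be switched on:
# SSLCARevocationCheck chain

# Apache 2.4 formats SSL_CLIENT_S_DN as RFC 2253 ("CN=...,O=...,C=DE") by
# default.  The ##DN_FROM_ALLOWED_CERT## values on this page use the legacy
# "/C=DE/O=.../CN=..." form, so on 2.4 the SSLRequire comparison never
# matches and every user is denied unless the legacy format is restored:
# SSLOptions +StdEnvVars +ExportCertData +LegacyDNStringFormat
```

After changing any of these, `apache2ctl configtest` followed by a reload is enough; the SSLRequire allow-list and the RequestHeader lines are unaffected.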

Latest revision as of 18:23, 17 September 2015

For any installation or configuration details, see MAN10 - Setting up Cloud Resource Centre.