The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations @ egi.eu.

Fedcloud-tf:WorkGroups:FederatedAAI:Apache2SSLReverseProxy

From EGIWiki
Revision as of 15:34, 1 March 2012 by Xparak (Created page)

Requirements

Configuration

This configuration is only an example. For the meaning of each directive you should read the Apache2 mod_proxy and mod_ssl documentation.

Host-specific parts of the example have been replaced with ##VARIABLE## placeholders. Note that the backend listening on localhost:##LOCAL_PORT## trusts the SSL_* request headers the proxy sets; it must therefore be reachable only from the proxy (bind it to the loopback interface), otherwise anyone who can connect to it directly can supply those headers themselves.

<VirtualHost ##HOSTNAME##:##PORT##>
    ServerName ##HOSTNAME##

    # Clear any SSL_* headers supplied by the client, then overwrite them with
    # the values mod_ssl established for this TLS connection. "RequestHeader set"
    # replaces a header of the same name, so the backend never sees a
    # client-chosen SSL_CLIENT_S_DN or SSL_CLIENT_VERIFY. If a variable is unset,
    # mod_headers emits the literal text "(null)"; the backend must treat that
    # as absent.
    RequestHeader set SSL_CLIENT_S_DN       ""
    RequestHeader set SSL_CLIENT_I_DN       ""
    RequestHeader set SSL_SERVER_S_DN_OU    ""
    RequestHeader set SSL_CLIENT_VERIFY     ""
    RequestHeader set SSL_CLIENT_V_START    ""
    RequestHeader set SSL_CLIENT_V_END      ""
    RequestHeader set SSL_CLIENT_M_VERSION  ""
    RequestHeader set SSL_CLIENT_M_SERIAL   ""
    RequestHeader set SSL_CLIENT_CERT       ""
    RequestHeader set SSL_SERVER_M_SERIAL   ""
    RequestHeader set SSL_SERVER_M_VERSION  ""
    RequestHeader set SSL_SERVER_I_DN       ""
    RequestHeader set SSL_SERVER_CERT       ""

    RequestHeader set SSL_CLIENT_S_DN       "%{SSL_CLIENT_S_DN}s"
    RequestHeader set SSL_CLIENT_I_DN       "%{SSL_CLIENT_I_DN}s"
    RequestHeader set SSL_SERVER_S_DN_OU    "%{SSL_SERVER_S_DN_OU}s"
    RequestHeader set SSL_CLIENT_VERIFY     "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set SSL_CLIENT_V_START    "%{SSL_CLIENT_V_START}s"
    RequestHeader set SSL_CLIENT_V_END      "%{SSL_CLIENT_V_END}s"
    RequestHeader set SSL_CLIENT_M_VERSION  "%{SSL_CLIENT_M_VERSION}s"
    RequestHeader set SSL_CLIENT_M_SERIAL   "%{SSL_CLIENT_M_SERIAL}s"
    RequestHeader set SSL_CLIENT_CERT       "%{SSL_CLIENT_CERT}s"
    RequestHeader set SSL_SERVER_M_SERIAL   "%{SSL_SERVER_M_SERIAL}s"
    RequestHeader set SSL_SERVER_M_VERSION  "%{SSL_SERVER_M_VERSION}s"
    RequestHeader set SSL_SERVER_I_DN       "%{SSL_SERVER_I_DN}s"
    RequestHeader set SSL_SERVER_CERT       "%{SSL_SERVER_CERT}s"
    # SSL_CLIENT_CERT and SSL_SERVER_CERT are multi-line PEM blocks. Newer
    # mod_headers versions flatten the line breaks; check that your Apache
    # version and backend agree on the format, or drop these two headers if the
    # backend only needs the DN and the verification result.

    # Reverse proxy only: never act as a forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://localhost:##LOCAL_PORT##/
    ProxyPassReverse / http://localhost:##LOCAL_PORT##/

    # Host certificate, key and issuing chain of the proxy itself.
    SSLEngine on
    SSLCertificateFile      /etc/grid-security/hostcert.pem
    SSLCertificateKeyFile   /etc/grid-security/hostkey.pem
    SSLCertificateChainFile /etc/grid-security/tcs-ca-bundle.pem

    # Trust anchors used to verify client certificates (the CA distribution
    # installed under /etc/grid-security/certificates). SSLProxyEngine only
    # matters if the backend were itself HTTPS; it is harmless for the plain
    # http:// target above.
    SSLProxyEngine on
    SSLCACertificatePath /etc/grid-security/certificates

    # Every request must present a client certificate chaining to a trusted CA;
    # the SSLRequire block below further restricts which subjects are accepted.
    SSLVerifyClient require
    SSLVerifyDepth 10
    # The original example used
    #   ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    # which still permits export, LOW and eNULL (unencrypted) suites and SSLv2.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4
    # Expose the SSL_* variables (including the PEM certificates) to the server.
    SSLOptions +StdEnvVars +ExportCertData

    <Proxy *>
        AddDefaultCharset Off
        # Apache 2.2 access-control syntax; on Apache 2.4 use "Require all granted".
        Order deny,allow
        Allow from all

        # Second gate: only the listed certificate subjects may use the proxy.
        # Copy each DN exactly as mod_ssl reports SSL_CLIENT_S_DN (the string
        # format differs between Apache versions).
        SSLRequire ( \
                %{SSL_CLIENT_S_DN} eq "##DN_FROM_ALLOWED_CERT##" \
            or  %{SSL_CLIENT_S_DN} eq "##DN_FROM_ANOTHER_ALLOWED_CERT##" )
    </Proxy>

    # Verbose logging for troubleshooting; lower it (e.g. warn) in production.
    LogLevel debug
</VirtualHost>
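The proxy above does the TLS client authentication, but the backend still has to decide how much to believe the forwarded SSL_* headers. The following is an added example, not code from the EGI wiki page or from any EGI component: a small WSGI gate that accepts the headers only when the request arrived from the loopback address the proxy forwards to, the proxy reported SSL_CLIENT_VERIFY as SUCCESS, and the client DN is on an allow-list (mirroring the SSLRequire rule). The DN, the allow-list and the sample requests are constructed for illustration; the treatment of "(null)" as an absent value follows mod_headers' behaviour for an unset %{VAR}s.

```python
"""Backend-side check of the SSL_* headers forwarded by the Apache TLS proxy.

Added example (not from the EGI wiki page). Assumptions, all constructed:
the backend is a WSGI application, the proxy connects from 127.0.0.1 or ::1,
and the allow-listed DN below is a fictitious grid user certificate subject.
"""
from wsgiref.util import setup_testing_defaults

# Addresses the TLS proxy connects from; anything else did not pass mod_ssl.
PROXY_ADDRS = frozenset({"127.0.0.1", "::1"})
# mod_headers writes the literal "(null)" when %{VAR}s refers to an unset variable.
UNSET = frozenset({"", "(null)"})

# Constructed DN in Apache's legacy slash-separated format (hypothetical user).
JANE_DN = "/DC=org/DC=example/O=Example Grid CA/CN=Jane Doe"
ALLOWED_DNS = frozenset({JANE_DN})


def ssl_header(environ, name):
    """Return a forwarded SSL_* header, or None if the proxy left it unset."""
    # WSGI exposes request header "SSL_CLIENT_S_DN" as HTTP_SSL_CLIENT_S_DN.
    value = environ.get("HTTP_" + name, "").strip()
    return None if value in UNSET else value


def authorize(environ, allowed_dns, proxy_addrs=PROXY_ADDRS):
    """Decide whether the request is an authenticated, allow-listed client.

    Returns (True, dn) on success, otherwise (False, reason).
    """
    if environ.get("REMOTE_ADDR") not in proxy_addrs:
        # Direct hit on the backend: the SSL_* headers could be anything.
        return False, "request did not arrive via the TLS proxy"
    if ssl_header(environ, "SSL_CLIENT_VERIFY") != "SUCCESS":
        return False, "client certificate not verified by the proxy"
    dn = ssl_header(environ, "SSL_CLIENT_S_DN")
    if dn is None:
        return False, "no client DN forwarded"
    if dn not in allowed_dns:
        return False, "client DN is not on the allow-list"
    return True, dn


def client_cert_gate(app, allowed_dns):
    """WSGI middleware: 403 unless authorize() succeeds, else set REMOTE_USER."""
    def wrapped(environ, start_response):
        ok, detail = authorize(environ, allowed_dns)
        if not ok:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [detail.encode()]
        environ["REMOTE_USER"] = detail
        return app(environ, start_response)
    return wrapped


def hello(environ, start_response):
    """Trivial protected application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ["REMOTE_USER"]).encode()]


APP = client_cert_gate(hello, ALLOWED_DNS)


def make_request(remote_addr, headers):
    """Build a constructed WSGI environ carrying the given request headers."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REMOTE_ADDR"] = remote_addr
    for name, value in headers.items():
        environ["HTTP_" + name] = value
    return environ


def call(app, environ):
    """Invoke a WSGI app and return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    good = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN": JANE_DN}
    print(call(APP, make_request("127.0.0.1", good)))      # 200 from the proxy
    print(call(APP, make_request("203.0.113.5", good)))    # 403: spoofed headers
```

The first check is the one the Apache configuration cannot make for you: a request that reaches the backend without passing through the proxy may carry a perfect-looking SSL_CLIENT_S_DN header, so the source address (or a dedicated loopback-only listener) is what makes the rest of the headers trustworthy.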