Commit 9e7758fa authored by Kazuhiko Shiozaki's avatar Kazuhiko Shiozaki

component/apache: deprecate ca-cert and crl. use ca-cert-dir and crl-dir instead.

parent 757c1a4d
......@@ -23,15 +23,6 @@
# # The path given to "SSLSessionCache shmcb:<folder_path>(512000)"
# "ssl-session-cache": "<folder_path>",
#
# # The path given to "SSLCACertificateFile" (can be empty)
# # If this value is not empty, it enables client certificate check.
# # (Enabling "SSLVerifyClient require")
# "ca-cert": "<file_path>",
#
# # The path given to "SSLCARevocationFile" (used if ca-cert is not
# # empty)
# "crl": "<file_path>",
#
# # The path given to "SSLCACertificatePath" (can be empty)
# # If this value is not empty, it enables client certificate check.
# # (Enabling "SSLVerifyClient require")
......@@ -78,7 +69,7 @@
# From to `backend-list`:
# - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
# - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
# only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert`.
# only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert-dir`.
# - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
# - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
# accepting requests from any client.
......@@ -92,9 +83,7 @@
# For more details, refer to
# https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
-#}
{% set ca_cert = parameter_dict.get('ca-cert') -%}
{% set ca_cert_dir = parameter_dict.get('ca-cert-dir') -%}
{% set crl = parameter_dict.get('crl') -%}
{% set crl_dir = parameter_dict.get('crl-dir') -%}
LoadModule unixd_module modules/mod_unixd.so
LoadModule access_compat_module modules/mod_access_compat.so
......@@ -146,26 +135,16 @@ SSLProxyEngine On
# As backend is trusting Remote-User header unset it always
RequestHeader unset Remote-User
{% if ca_cert or ca_cert_dir -%}
{% if ca_cert_dir -%}
SSLVerifyClient optional
RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
{% if ca_cert -%}
SSLCACertificateFile {{ ca_cert }}
{% endif -%}
{% if ca_cert_dir -%}
SSLCACertificatePath {{ ca_cert_dir }}
{% endif -%}
{% if crl or crl_dir -%}
SSLCARevocationCheck chain
{% if crl -%}
SSLCARevocationFile {{ crl }}
{% endif -%}
{% if crl_dir -%}
SSLCARevocationCheck chain
SSLCARevocationPath {{ crl_dir }}
{% endif -%}
{% endif -%}
{% endif -%}
ErrorLog "{{ parameter_dict['error-log'] }}"
# Default apache log format with request time in microsecond at the end
......@@ -185,7 +164,7 @@ Listen {{ ip }}:{{ port }}
{% endfor -%}
<VirtualHost *:{{ port }}>
SSLEngine on
{% if enable_authentication and (ca_cert or ca_cert_dir) and (crl or crl_dir) -%}
{% if enable_authentication and ca_cert_dir -%}
SSLVerifyClient require
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
......@@ -204,7 +183,7 @@ Listen {{ ip }}:{{ port }}
<VirtualHost {{ ip }}:{{ port }}>
SSLEngine on
Timeout 3600
{% if enable_authentication and (ca_cert or ca_cert_dir) and (crl or crl_dir) -%}
{% if enable_authentication and ca_cert_dir -%}
SSLVerifyClient require
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
......
......@@ -14,5 +14,5 @@
# not need these here).
[template-apache-backend-conf]
filename = apache-backend.conf.in
md5sum = 4a13ad45e38e14ca7027c17192c90205
md5sum = a169c1d6b0f2636f21f180e8a0b52137
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment