[Pki-devel] restrictive proxy.conf for ipa

Ade Lee alee at redhat.com
Thu Aug 25 16:03:17 UTC 2011


        # Disable forward proxying. This server acts only as a reverse proxy for
        # the explicitly listed paths below; it must not relay arbitrary
        # client-chosen URLs. Any path not matched by a LocationMatch section in
        # this file is not proxied by these rules.
        ProxyRequests Off
         
        # End-entity (ee) paths and OCSP: allow-list of URLs forwarded to the CA
        # backend without a TLS client certificate.
        #
        # Each alternative in the regex is anchored at the start (^) but not at
        # the end, so every entry is a prefix match: "^/ca/ocsp" also matches any
        # longer path that begins with /ca/ocsp, and likewise for the others.
        # NOTE(review): confirm that every backend URL sharing one of these
        # prefixes is meant to be reachable unauthenticated; if only the exact
        # servlet is intended, the pattern needs an end anchor or delimiter.
        <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
        # mod_nss options: export the standard TLS environment variables and
        # certificate data to the request environment.
        NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
        # No client certificate is requested for these paths. Any authentication
        # has to be enforced by the backend application itself.
        NSSVerifyClient none
        # Inside <LocationMatch> the match pattern is taken from the section, and
        # because the target uses no backreference the original request path is
        # appended to it. [PKI_MACHINE_NAME] and [PKI_AJP_PORT] are template
        # placeholders, presumably substituted at install time.
        # NOTE(review): the backend sees whatever this proxy forwards over AJP,
        # so the AJP connector should only be reachable from this host.
        ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
        # NOTE(review): mod_proxy documents that ProxyPassReverse inside a
        # <LocationMatch> treats the regex literally as a path, so redirect
        # header rewriting may not work as intended here. Verify.
        ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
        </LocationMatch>
         
        # Admin paths: allow-list of admin-interface URLs forwarded to the CA
        # backend. Only these five prefixes under /ca/admin/ are proxied by this
        # section.
        #
        # As written, each alternative is anchored with ^ only, so these are
        # prefix matches rather than exact-path matches.
        # NOTE(review): these admin endpoints are exposed with no TLS client
        # authentication (NSSVerifyClient none below). Confirm that the backend
        # authenticates getCookie, securityDomainLogin and getConfigEntries on
        # its own and that their responses are safe to serve to any TLS client.
        <LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin">
        # mod_nss options: export the standard TLS environment variables and
        # certificate data to the request environment.
        NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
        # No client certificate is requested for these paths.
        NSSVerifyClient none
        # The pattern comes from the enclosing <LocationMatch>, and the request
        # path is appended to the AJP target. The bracketed tokens are template
        # placeholders, presumably filled in at install time.
        ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
        # NOTE(review): ProxyPassReverse inside <LocationMatch> is documented by
        # mod_proxy as interpreting the regex literally. Check whether redirects
        # from the backend are rewritten as expected.
        ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
        </LocationMatch>
         
        # Agent paths and the client-authenticated end-entity (eeca) path:
        # allow-list of URLs that require a TLS client certificate before the
        # request is forwarded to the CA backend.
        #
        # Each alternative is anchored with ^ only, so these are prefix matches.
        # A longer path that starts with one of the listed prefixes falls under
        # this section too, and gets the same client-certificate requirement.
        <LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
        # mod_nss options: export the standard TLS environment variables and the
        # client certificate data so they are available to be passed on to the
        # backend. +OptRenegotiate applies because the client-certificate
        # requirement is set per location rather than for the whole server.
        NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
        # A valid client certificate is mandatory for revoke, unrevoke,
        # domain-XML update and SSL-client profile submission.
        # NOTE(review): this only proves the client holds a certificate the
        # server trusts. Authorization of the specific agent is presumably
        # done by the backend. Confirm.
        NSSVerifyClient require
        # The pattern comes from the enclosing <LocationMatch>, and the request
        # path is appended to the AJP target. The bracketed tokens are template
        # placeholders, presumably filled in at install time.
        # NOTE(review): the backend presumably relies on the client identity
        # relayed over AJP, so direct access to the AJP port would bypass the
        # certificate check enforced here. Restrict that port to this proxy.
        ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
        # NOTE(review): ProxyPassReverse inside <LocationMatch> is documented by
        # mod_proxy as interpreting the regex literally. Check whether redirects
        # from the backend are rewritten as expected.
        ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
        </LocationMatch>




