[Pki-devel] restrictive proxy.conf for ipa
Adam Young
ayoung at redhat.com
Thu Aug 25 17:18:25 UTC 2011
On 08/25/2011 12:03 PM, Ade Lee wrote:
> ProxyRequests Off
>
> # matches for ee port
> <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
> NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
> NSSVerifyClient none
> ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
> ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
> </LocationMatch>
>
> # matches for admin port
> <LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin">
> NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
> NSSVerifyClient none
> ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
> ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
> </LocationMatch>
>
> # matches for agent port and eeca port
> <LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
> NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
> NSSVerifyClient require
> ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
> ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
> </LocationMatch>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
missing ^/ca/admin/ca/getDomainXML
Change that last LocationMatch to:
<LocationMatch
"^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/ca/admin/ca/getDomainXML">
More information about the Pki-devel
mailing list