[Pki-devel] restrictive proxy.conf for ipa

Adam Young ayoung at redhat.com
Thu Aug 25 17:18:25 UTC 2011


On 08/25/2011 12:03 PM, Ade Lee wrote:
>          ProxyRequests Off
>
>          # matches for ee port
>          <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
>          NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
>          NSSVerifyClient none
>          ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
>          ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
>          </LocationMatch>
>
>          # matches for admin port
>          <LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin">
>          NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
>          NSSVerifyClient none
>          ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
>          ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
>          </LocationMatch>
>
>          # matches for agent port and eeca port
>          <LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
>          NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
>          NSSVerifyClient require
>          ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
>          ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
>          </LocationMatch>
>
>

Missing ^/ca/admin/ca/getDomainXML

Change that last LocationMatch to:

<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/ca/admin/ca/getDomainXML">

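The effect of the change above, as an added example that is not part of the original message or the project's code: a Python check that parses the LocationMatch sections and reports which NSSVerifyClient policy a request path ends up with, before and after the amendment. It assumes only the pattern and the NSSVerifyClient line of each section matter and approximates Apache's matching with Python's `re.search`; the path `/ca/agent/ca/exampleUnlisted` is constructed.

```python
import re

# The three sections from the quoted proposal, reduced to the two directives
# this check reads (the pattern and NSSVerifyClient).
PROPOSED = """
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
NSSVerifyClient none
</LocationMatch>
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin">
NSSVerifyClient none
</LocationMatch>
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
NSSVerifyClient require
</LocationMatch>
"""
# The reply's change: append getDomainXML to the last (client-certificate) section.
AMENDED = PROPOSED.replace("profileSubmitSSLClient",
                           "profileSubmitSSLClient|^/ca/admin/ca/getDomainXML")

SECTION = re.compile(r'<LocationMatch\s+"([^"]+)">(.*?)</LocationMatch>', re.S)
VERIFY = re.compile(r'^\s*NSSVerifyClient\s+(\S+)', re.M)

def parse_sections(conf):
    """Return [(compiled pattern, NSSVerifyClient value)] in file order."""
    sections = []
    for pattern, body in SECTION.findall(conf):
        m = VERIFY.search(body)
        sections.append((re.compile(pattern), m.group(1) if m else "inherited"))
    return sections

def policy_for(path, sections):
    """'unproxied' if no section matches, else the NSSVerifyClient value of the
    last matching section (later sections override earlier ones when merged)."""
    policy = "unproxied"
    for pattern, verify in sections:
        if pattern.search(path):  # unanchored search, as LocationMatch does
            policy = verify
    return policy

def audit(paths, conf):
    sections = parse_sections(conf)
    return {p: policy_for(p, sections) for p in paths}

if __name__ == "__main__":
    paths = ["/ca/admin/ca/getDomainXML", "/ca/admin/ca/getStatus",
             "/ca/agent/ca/doRevoke", "/ca/agent/ca/exampleUnlisted"]
    for label, conf in (("proposed", PROPOSED), ("amended", AMENDED)):
        print(label, audit(paths, conf))
```

Because the patterns carry no end anchor, a path that merely begins with a listed entry receives that section's policy too, which is worth keeping in mind when reviewing the list.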




