[Pki-devel] restrictive proxy.conf for ipa

Ade Lee alee at redhat.com
Thu Aug 25 19:06:17 UTC 2011


Adam, 

Try the following patch.

Ade

On Thu, 2011-08-25 at 13:34 -0400, Ade Lee wrote:
> On Thu, 2011-08-25 at 13:18 -0400, Adam Young wrote:
> > On 08/25/2011 12:03 PM, Ade Lee wrote:
> > >          ProxyRequests Off
> > >
> > >          # matches for ee port
> > >          <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
> > >          NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
> > >          NSSVerifyClient none
> > >          ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
> > >          ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
> > >          </LocationMatch>
> > >
> > >          # matches for admin port
> > >          <LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin">
> > >          NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
> > >          NSSVerifyClient none
> > >          ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
> > >          ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
> > >          </LocationMatch>
> > >
> > >          # matches for agent port and eeca port
> > >          <LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
> > >          NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
> > >          NSSVerifyClient require
> > >          ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
> > >          ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
> > >          </LocationMatch>
> > >
> > >
> > > _______________________________________________
> > > Pki-devel mailing list
> > > Pki-devel at redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-devel
> > 
> > missing ^/ca/admin/ca/getDomainXML
> > 
> > Change that last LocationMatch to:
> > 
> > <LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/ca/admin/ca/getDomainXML">
> > 
> > 
> > 
> That does not sound right to me -- the getDomainXML should be in the
> second LocationMatch as it does not require client auth.
> 
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ayoung-test.patch
Type: text/x-patch
Size: 4767 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20110825/9ded349c/attachment.bin>
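The point at issue in the thread is which LocationMatch block a servlet path lands in, since that block's NSSVerifyClient decides whether a client certificate is demanded before the request is forwarded over AJP, and a path that lands in no block is never forwarded at all. The following is an added example, not code from the thread, IPA or Dogtag: it renders the three quoted sections (with the thread's [PKI_MACHINE_NAME]/[PKI_AJP_PORT] placeholders kept verbatim) in both proposed placements of getDomainXML, parses them back the way Apache merges matching LocationMatch sections in file order, and reports the effective client-auth requirement per path. The function names (render_conf, parse_proxy_conf, client_auth_for, audit) and the unlisted path /ca/agent/ca/notInList are assumptions made up for the example.

```python
import re

# Constructed example, not IPA's or Dogtag's own code. The three path lists are
# the ones quoted in the thread; [PKI_MACHINE_NAME] and [PKI_AJP_PORT] are the
# thread's placeholders, kept verbatim.
EE_PATHS = ["/ca/ee/ca/checkRequest", "/ca/ee/ca/getCertChain",
            "/ca/ee/ca/getTokenInfo", "/ca/ee/ca/tokenAuthenticate",
            "/ca/ocsp", "/ca/ee/ca/updateNumberRange"]
ADMIN_PATHS = ["/ca/admin/ca/getCertChain", "/ca/admin/ca/getConfigEntries",
               "/ca/admin/ca/getCookie", "/ca/admin/ca/getStatus",
               "/ca/admin/ca/securityDomainLogin"]
AGENT_PATHS = ["/ca/agent/ca/displayBySerial", "/ca/agent/ca/doRevoke",
               "/ca/agent/ca/doUnrevoke", "/ca/agent/ca/updateDomainXML",
               "/ca/eeca/ca/profileSubmitSSLClient"]
GET_DOMAIN_XML = "/ca/admin/ca/getDomainXML"


def render_conf(sections):
    """Emit LocationMatch sections in the shape of the thread's proxy.conf.
    sections: iterable of (comment, path_list, nss_verify_client)."""
    out = ["ProxyRequests Off", ""]
    for comment, paths, verify in sections:
        # Anchored prefix alternation, exactly as the quoted config does it:
        # note that "^/ca/ocsp" also matches "/ca/ocspAnythingElse".
        pattern = "|".join("^" + p for p in paths)
        out += [
            "# " + comment,
            '<LocationMatch "%s">' % pattern,
            "NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate",
            "NSSVerifyClient " + verify,
            "ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/",
            "ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/",
            "</LocationMatch>",
            "",
        ]
    return "\n".join(out)


# Ade's placement: getDomainXML in the admin block, no client cert required.
ADE_CONF = render_conf([
    ("matches for ee port", EE_PATHS, "none"),
    ("matches for admin port", ADMIN_PATHS + [GET_DOMAIN_XML], "none"),
    ("matches for agent port and eeca port", AGENT_PATHS, "require"),
])

# Adam's placement: getDomainXML appended to the agent block.
ADAM_CONF = render_conf([
    ("matches for ee port", EE_PATHS, "none"),
    ("matches for admin port", ADMIN_PATHS, "none"),
    ("matches for agent port and eeca port", AGENT_PATHS + [GET_DOMAIN_XML], "require"),
])

_BLOCK_RE = re.compile(r'<LocationMatch\s+"([^"]*)">(.*?)</LocationMatch>', re.S)


def parse_proxy_conf(text):
    """Return [(compiled regex, {directive: arguments}), ...] in file order."""
    blocks = []
    for m in _BLOCK_RE.finditer(text):
        directives = {}
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, _, args = line.partition(" ")
            directives[name] = args.strip()
        blocks.append((re.compile(m.group(1)), directives))
    return blocks


def client_auth_for(conf_text, path):
    """Effective NSSVerifyClient for a request path, or None if nothing proxies it.

    Apache applies every LocationMatch whose regex matches, in file order,
    with later directives overriding earlier ones; this mirrors that merge.
    A server-level NSSVerifyClient default is deliberately not modelled."""
    merged = {}
    for rx, directives in parse_proxy_conf(conf_text):
        if rx.search(path):
            merged.update(directives)
    if "ProxyPassMatch" not in merged:
        return None  # Apache serves the URL itself; the CA never sees the request
    return merged.get("NSSVerifyClient")


def audit(conf_text, paths):
    """Map each path to its client-auth requirement so the list can be eyeballed."""
    return {p: client_auth_for(conf_text, p) for p in paths}


if __name__ == "__main__":
    # /ca/agent/ca/notInList is a made-up path that appears in no block.
    for label, conf in (("Ade", ADE_CONF), ("Adam", ADAM_CONF)):
        print(label, audit(conf, [GET_DOMAIN_XML, "/ca/agent/ca/doRevoke",
                                  "/ca/agent/ca/notInList"]))
```

Running it shows the difference the thread is arguing about: under Ade's layout getDomainXML is forwarded with NSSVerifyClient none, under Adam's it would demand a client certificate, and a path in no block is not forwarded at all, which is what makes the config restrictive. The same audit can be pointed at a real proxy.conf to confirm that every path the IPA installer calls without a client cert sits in a none block and every agent operation sits in a require block.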