acme: ipa-pki-proxy: proxy /acme to Dogtag

Update ipa-pki-proxy.conf to proxy requests to the /acme resource namespace to Dogtag. Part of: https://pagure.io/freeipa/issue/4751 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-02-20 18:26:08 +11:00
parent 7cc977b993
commit 2b6faa362f
1 changed files with 11 additions and 1 deletions
--- a/install/share/ipa-pki-proxy.conf.template
+++ b/install/share/ipa-pki-proxy.conf.template
@@ -1,4 +1,4 @@
-# VERSION 15 - DO NOT REMOVE THIS LINE
+# VERSION 16 - DO NOT REMOVE THIS LINE

 ProxyRequests Off

@@ -34,5 +34,15 @@ ProxyRequests Off
    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 </LocationMatch>

+# Matches for ACME service
+<LocationMatch "^/acme">
+    SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    # RFC 8555 says HTTPS is REQUIRED
+    SSLRequireSSL
+    SSLVerifyClient none
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
+</LocationMatch>
+
 # Only enable this on servers that are not generating a CRL
 ${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin http://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]