# VERSION 17 - DO NOT REMOVE THIS LINE
ProxyRequests Off
# matches for ee port
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient none
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
# matches for admin port and installer
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient none
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
# matches for agent port and eeca port
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient require
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
# matches for REST API of CA, KRA, and PKI
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient optional
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
# Matches for ACME service
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
# RFC 8555 says HTTPS is REQUIRED
SSLRequireSSL
SSLVerifyClient none
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
# Only enable this on servers that are not generating a CRL
${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin http://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]