# VERSION 17 - DO NOT REMOVE THIS LINE
#
# Apache httpd reverse-proxy template: forwards groups of request paths to a
# backend over AJP on localhost. $DOGTAG_PORT, $DOGTAG_AJP_SECRET, $FQDN and
# ${CLONE} are template placeholders substituted before the file is deployed.
#
# NOTE(review): the section containers that scope each group below to its URL
# paths (e.g. <LocationMatch "..."> ... </LocationMatch>) are not visible in
# this copy, presumably lost in extraction. Without them the per-group
# SSLVerifyClient settings are not tied to any path. Restore them from the
# authoritative template before using this file.

# Disable forward proxying; only the reverse-proxy mappings below apply.
ProxyRequests Off

# SSLOptions used by every group:
#   +StdEnvVars      export the standard SSL_* environment variables
#   +ExportCertData  also export the PEM certificates (SSL_CLIENT_CERT, ...)
#   +StrictRequire   a denial by SSLRequireSSL/SSLRequire cannot be overridden
#   +OptRenegotiate  optimized renegotiation for per-directory SSL settings
# presumably so the AJP backend can see the client certificate - confirm.
#
# $DOGTAG_AJP_SECRET presumably expands to the mod_proxy_ajp secret= parameter
# (or to nothing). When set, it is what authenticates httpd to the AJP
# connector, so it has to match the backend's configured secret - TODO confirm.

# matches for ee port
# No client certificate is requested for these paths.
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient none
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
ProxyPassReverse ajp://localhost:$DOGTAG_PORT

# matches for admin port and installer
# No client certificate is requested at the TLS layer; any authentication for
# these paths has to be enforced by the backend.
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient none
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
ProxyPassReverse ajp://localhost:$DOGTAG_PORT

# matches for agent port and eeca port
# A valid client certificate is mandatory: httpd rejects the request before it
# is proxied if the client presents none or one that fails verification.
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient require
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
ProxyPassReverse ajp://localhost:$DOGTAG_PORT

# matches for REST API of CA, KRA, and PKI
# A client certificate is requested but not required, so requests without one
# still reach the backend; the backend must make the authorization decision.
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient optional
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
ProxyPassReverse ajp://localhost:$DOGTAG_PORT

# Matches for ACME service
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
# RFC 8555 says HTTPS is REQUIRED
# SSLRequireSSL denies any request for this path that did not arrive over TLS.
SSLRequireSSL
SSLVerifyClient none
# NOTE(review): unlike the four groups above, this ProxyPassMatch does not
# carry $DOGTAG_AJP_SECRET. If the backend AJP connector requires a secret,
# requests for this path would be sent without it - confirm whether the
# omission is intended.
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
ProxyPassReverse ajp://localhost:$DOGTAG_PORT

# Only enable this on servers that are not generating a CRL
# ${CLONE} presumably expands to a comment marker where the rule must stay
# disabled - verify against the installer.
# Flags: L = stop processing further rules, R=301 = permanent redirect,
# NC = case-insensitive match. The pattern has no trailing anchor and its "."
# is an unescaped regex metacharacter, so it matches slightly more than the
# literal path. The redirect target is plain http://; the CRL fetch relies on
# the CRL's own signature rather than on TLS for integrity.
${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin http://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]