mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 08:00:02 -06:00
f3636c6afa
The access to /kra/admin/kra/getStatus will be needed in order to fix pki-healthcheck. Note that this commit is a pre-requisite for the fix to be done on PKI side. No test added since the full integration test already exists in test_replica_promotion.py, in TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica Fixes: https://pagure.io/freeipa/issue/9099 Related: https://pagure.io/freeipa/issue/8582 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
49 lines
2.5 KiB
Plaintext
49 lines
2.5 KiB
Plaintext
# VERSION 17 - DO NOT REMOVE THIS LINE
|
|
|
|
ProxyRequests Off
|
|
|
|
# matches for ee port
|
|
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
|
|
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
|
|
SSLVerifyClient none
|
|
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
|
|
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
|
|
</LocationMatch>
|
|
|
|
# matches for admin port and installer
|
|
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries|^/kra/admin/kra/getStatus">
|
|
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
|
|
SSLVerifyClient none
|
|
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
|
|
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
|
|
</LocationMatch>
|
|
|
|
# matches for agent port and eeca port
|
|
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector">
|
|
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
|
|
SSLVerifyClient require
|
|
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
|
|
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
|
|
</LocationMatch>
|
|
|
|
# matches for REST API of CA, KRA, and PKI
|
|
<LocationMatch "^/(ca|kra|pki)/rest/">
|
|
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
|
|
SSLVerifyClient optional
|
|
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
|
|
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
|
|
</LocationMatch>
|
|
|
|
# Matches for ACME service
|
|
<LocationMatch "^/acme">
|
|
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
|
|
# RFC 8555 says HTTPS is REQUIRED
|
|
SSLRequireSSL
|
|
SSLVerifyClient none
|
|
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
|
|
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
|
|
</LocationMatch>
|
|
|
|
# Only enable this on servers that are not generating a CRL
|
|
${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin http://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
|