diff options
Diffstat (limited to '')
| -rwxr-xr-x | sca-cpp/trunk/modules/http/httpd-ssl-conf | 32 |
1 files changed, 9 insertions, 23 deletions
diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf index 5f1058ea75..94352ca344 100755 --- a/sca-cpp/trunk/modules/http/httpd-ssl-conf +++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf @@ -51,7 +51,7 @@ AddType application/x-pkcs7-crl .crl SSLPassPhraseDialog builtin SSLSessionCache "shmcb:$root/logs/ssl_scache(512000)" SSLSessionCacheTimeout 300 -SSLMutex "file:$root/logs/ssl_mutex" +Mutex "file:$root/logs" ssl-cache SSLRandomSeed startup builtin SSLRandomSeed connect builtin @@ -68,7 +68,6 @@ Include conf/svhost-ssl.conf <Location /server-status> SetHandler server-status HostnameLookups on -Allow from all Require user admin </Location> @@ -114,10 +113,10 @@ UseCanonicalName Off SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 -SSLOptions -StrictRequire +OptRenegotiate +SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth # Verify client certificates -SSLVerifyClient none +SSLVerifyClient optional SSLVerifyDepth 1 # Enable SSL proxy engine @@ -143,19 +142,13 @@ cat >>$root/conf/vhost-ssl.conf <<EOF <Location /> # Require clients to use SSL and authenticate SSLRequireSSL - -# Also accept other forms of authentication (e.g. HTTP basic -# authentication, or OpenID authentication) -Satisfy Any +SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 EOF proxyconf=`cat $root/conf/vhost.conf | grep "# Generated by: proxy-conf"` if [ "$proxyconf" != "" ]; then cat >>$root/conf/vhost-ssl.conf <<EOF -# In an proxy, only require a 128+ cipher key -SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 - # Forward received SSL client certificate info in proxied requests RewriteEngine on RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}] @@ -184,18 +177,6 @@ RequestHeader set X-Forwarded-SSL-Client-DN-OU %{SSL_S_DN_OU}e env=SSL_S_DN_OU EOF else cat >>$root/conf/vhost-ssl.conf <<EOF -# In a server, require a 128+ cipher key and one of the following -# - another server's certificate issued by our certificate authority -# - a proxy certificate + forwarded info on the client request certificate, -# both signed by our certificate authority -# - OpenID authentication (set by mod_auth_openid in the auth_type) -# - another valid form of authentication as per the Satisfy directive -SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 and ( \ -( %{SSL_CLIENT_I_DN_O} == "$org" and %{SSL_CLIENT_S_DN_OU} == "server" ) or \ -( %{SSL_CLIENT_I_DN_O} == "$org" and %{SSL_CLIENT_S_DN_OU} == "tunnel" ) or \ -( %{SSL_CLIENT_I_DN_O} == "$org" and %{SSL_CLIENT_S_DN_OU} == "proxy" and \ - %{HTTP:X-Forwarded-SSL-Issuer-DN-O} == "$org" and %{HTTP:X-Forwarded-SSL-Client-DN-OU} == "server" ) or \ -%{REQUEST_URI} =~ m/^.(login|logout|openid|public|ui).*$/ ) # Record received SSL client certificate info in environment vars RewriteEngine on @@ -270,3 +251,8 @@ SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem" EOF +# Configure user for HTTP fake basic auth +cat >$root/conf/httpd.passwd <<EOF +/C=US/ST=CA/L=San Francisco/O=$host/OU=server/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/ +EOF + |