Re: [Pki-devel] restrictive proxy.conf for ipa

On Thu, 2011-08-25 at 13:18 -0400, Adam Young wrote: > On 08/25/2011 12:03 PM, Ade Lee wrote: > > ProxyRequests Off > > > > # matches for ee port > > <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange"> > > NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate > > NSSVerifyClient none > > ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ > > ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ > > </LocationMatch> > > > > # matches for admin port > > <LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin"> > > NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate > > NSSVerifyClient none > > ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ > > ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ > > </LocationMatch> > > > > # matches for agent port and eeca port > > <LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient"> > > NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate > > NSSVerifyClient require > > ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ > > ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ > > </LocationMatch> > > > > > > _______________________________________________ > > Pki-devel mailing list > > Pki-devel(a)redhat.com > > https://www.redhat.com/mailman/listinfo/pki-devel > > missing ^/ca/admin/ca/getDomainXML > > Change that last LocationMatch to: > > <LocationMatch > "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/ca/admin/ca/getDomainXML"> > > > That does not sound right to me -- the getDomainXML should be in the second LocationMatch as it does not require client auth. > _______________________________________________ > Pki-devel mailing list > Pki-devel(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel _______________________________________________ Pki-devel mailing list Pki-devel(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-devel