authorvakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-08-25 21:28:42 +0000
committervakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-08-25 21:28:42 +0000
commite90d291d9a737369587711eb6a879d700a3c5d7b (patch)
tree219ec045ffca61e759343b896ef23f36c5403951 /pki/base/ca/shared
parent888b8707a96369854787351390e52280c991872a (diff)
Resolves #712931 - CS requires too many ports to be open in the FW. added proxy-ipa.conf
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2179 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/ca/shared')
-rw-r--r--pki/base/ca/shared/conf/proxy-ipa.conf26
1 files changed, 26 insertions, 0 deletions
diff --git a/pki/base/ca/shared/conf/proxy-ipa.conf b/pki/base/ca/shared/conf/proxy-ipa.conf
new file mode 100644
index 000000000..b619b551d
--- /dev/null
+++ b/pki/base/ca/shared/conf/proxy-ipa.conf
@@ -0,0 +1,26 @@
+ProxyRequests Off
+
+# matches for ee port
+<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+ ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
+# matches for admin port
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+ ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
+# matches for agent port and eeca port
+<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient require
+ ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+ ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
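Review bot: The agent block enforces `NSSVerifyClient require` at the Apache layer and then forwards to `ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/`, so the client-certificate check for `doRevoke`, `doUnrevoke` and `updateDomainXML` only holds if nothing else can reach that AJP port. AJP is unencrypted, and the backend presumably trusts the certificate attributes the proxy passes on; the Tomcat connector configuration is not visible in this commit. If the proxy and CA are always on the same host, targeting loopback and binding the connector to it would narrow that exposure. Either way, the file should say so, e.g. `# The AJP port must be reachable only from this proxy; client-cert enforcement for agent URLs happens here.` Separately, each alternative in the three `LocationMatch` patterns is anchored only at the start, so `^/ca/ocsp` also matches any longer path with that prefix under `NSSVerifyClient none`; a terminator such as `^/ca/ocsp(/|$)` would keep the allow-list exact, assuming those are the only forms the servlets use.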