authorvakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-08-23 18:37:28 +0000
committervakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-08-23 18:37:28 +0000
commitdcbedb00e5fae3d56bf8091b54773b8f18d4d3ad (patch)
treeddaeb25344e5e2c1379cd588632a1a926de577ff /pki/base/ca
parent216293aca940f20c72ad5a388f2926657acabe03 (diff)
Resolves #712931 - CS requires too many ports to be open in the FW
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2160 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/ca')
-rw-r--r--pki/base/ca/shared/conf/CS.cfg.in2
-rw-r--r--pki/base/ca/shared/conf/proxy.conf34
-rw-r--r--pki/base/ca/shared/conf/server.xml8
-rw-r--r--pki/base/ca/shared/webapps/ca/WEB-INF/web.xml28
4 files changed, 68 insertions, 4 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg.in b/pki/base/ca/shared/conf/CS.cfg.in
index 289f65147..e3447bbc8 100644
--- a/pki/base/ca/shared/conf/CS.cfg.in
+++ b/pki/base/ca/shared/conf/CS.cfg.in
@@ -20,6 +20,8 @@ preop.product.name=CS
preop.product.version=@VERSION@
preop.system.name=CA
preop.system.fullname=Certificate Authority
+proxy.securePort=[PKI_PROXY_SECURE_PORT]
+proxy.unsecurePort=[PKI_PROXY_UNSECURE_PORT]
cs.state._000=##
cs.state._001=## cs.state=0 (pre-operational)
cs.state._002=## cs.state=1 (running)
diff --git a/pki/base/ca/shared/conf/proxy.conf b/pki/base/ca/shared/conf/proxy.conf
new file mode 100644
index 000000000..663ba5722
--- /dev/null
+++ b/pki/base/ca/shared/conf/proxy.conf
@@ -0,0 +1,34 @@
+ProxyRequests Off
+
+# matches for ee port
+<LocationMatch "^/ca/ee/*|^/ca/renewal|^/ca/certbasedenrollment|^/ca/ocsp|^/ca/enrollment|^/ca/profileSubmit|^/ca/cgi-bin/pkiclient.exe">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+ ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
+# matches for admin port
+<LocationMatch "^/ca/admin/*|^/ca/auths|^/ca/acl|^/ca/server|^/ca/caadmin|^/ca/caprofile|^/ca/jobsScheduler|^/ca/capublisher|^/ca/log|^/ca/ug">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+ ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
+# matches for agent port and eeca port
+<LocationMatch "^/ca/agent/*|^/ca/ca/getCertFromRequest|^/ca/ca/GetBySerial|^/ca/ca/connector|/ca/ca/displayCertFromRequest|^/ca/doRevoke|^/ca/eeca/*">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient require
+ ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+ ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
+# static content
+<LocationMatch "^/graphics/*">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+ ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
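Review bot: The path patterns in this new file are open-ended prefix matches that overlap across sections with different NSSVerifyClient settings: `^/ca/ee/*` means "starts with /ca/ee" (the `/*` only permits optional slashes and nothing anchors the end), so it also matches `/ca/eeca/...`, which the third section intends to protect with `NSSVerifyClient require`. The effective setting then relies on Apache merging the later LocationMatch over the earlier one, and the unanchored `/ca/ca/displayCertFromRequest` in the third section matches that substring anywhere in a URI rather than only at its start. Tightening the patterns — `^/ca/ee/` and `^/ca/agent/` where a sub-path is intended, `^/ca/ca/displayCertFromRequest` for the missing anchor — and keeping the client-cert-required section last would make the per-path authentication boundary explicit instead of order-dependent. Note that `^/ca/ee/` no longer matches the bare `/ca/ee` path; confirm whether that form is ever requested before narrowing.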
diff --git a/pki/base/ca/shared/conf/server.xml b/pki/base/ca/shared/conf/server.xml
index 07f4a4060..5984d4919 100644
--- a/pki/base/ca/shared/conf/server.xml
+++ b/pki/base/ca/shared/conf/server.xml
@@ -209,10 +209,10 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
clientAuth="false" sslProtocol="TLS" />
-->
- <!-- Define an AJP 1.3 Connector on port 8009 -->
-<!--
- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
--->
+ <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
+[PKI_OPEN_AJP_PORT_COMMENT]
+ <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
+[PKI_CLOSE_AJP_PORT_COMMENT]
<!-- An Engine represents the entry point (within Catalina) that processes
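Review bot: The AJP connector enabled here has no `address` attribute, so whenever [PKI_OPEN_AJP_PORT_COMMENT] leaves it active it listens on every interface of the host, which works against the firewall goal in the commit message: Tomcat trusts the request attributes (including the client certificate exported by mod_nss) that arrive over AJP as coming from the front-end proxy, without authenticating the peer, so anything able to reach [PKI_AJP_PORT] could supply them. If the proxy runs on the same machine as Tomcat, bind the connector to loopback, `<Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" address="127.0.0.1" />`; if the proxy may be remote (proxy.conf forwards to [PKI_MACHINE_NAME]), the port needs a host-level rule restricting it to the proxy host, and that requirement belongs in the comment on the connector line. The surrounding Service element starts and ends outside this hunk.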
diff --git a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
index 43223c661..5e91977aa 100644
--- a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -10,6 +10,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_AGENT_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
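Review bot: The new `proxy_port` init-param carries no explanation of what [PKI_OPEN_ENABLE_PROXY_COMMENT] and [PKI_CLOSE_ENABLE_PROXY_COMMENT] expand to, so a reader of the generated web.xml cannot tell from the file whether the parameter was deliberately disabled or deliberately enabled; the same applies to the hunks at new-file lines 29, 52 and 75 (the line-52 hunk additionally adds `proxy_http_port`). Presumably the markers become `<!--` and `-->` when no proxy is configured — confirm against the installer — and a one-line XML comment placed above the opening marker, e.g. `<!-- proxy_port: externally visible port when requests arrive via the front-end proxy; the marker pair below is replaced by comment delimiters when the proxy is disabled -->`, would document that contract once per servlet. The comment must sit outside the marker pair, since an XML comment inside a commented-out region would nest `<!--`, which is not valid XML.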
@@ -23,6 +29,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -40,6 +52,16 @@
<param-name>https_port</param-name>
<param-value>[PKI_EE_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+ <init-param>
+ <param-name>proxy_http_port</param-name>
+ <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -53,6 +75,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_EE_SECURE_CLIENT_AUTH_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>