diff options
author | vakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2011-08-23 18:37:28 +0000 |
---|---|---|
committer | vakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2011-08-23 18:37:28 +0000 |
commit | dcbedb00e5fae3d56bf8091b54773b8f18d4d3ad (patch) | |
tree | ddaeb25344e5e2c1379cd588632a1a926de577ff /pki/base/ca | |
parent | 216293aca940f20c72ad5a388f2926657acabe03 (diff) | |
download | pki-dcbedb00e5fae3d56bf8091b54773b8f18d4d3ad.tar.gz pki-dcbedb00e5fae3d56bf8091b54773b8f18d4d3ad.tar.xz pki-dcbedb00e5fae3d56bf8091b54773b8f18d4d3ad.zip |
Resolves #712931 - CS requires too many ports to be open in the FW
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2160 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/ca')
-rw-r--r-- | pki/base/ca/shared/conf/CS.cfg.in | 2 | ||||
-rw-r--r-- | pki/base/ca/shared/conf/proxy.conf | 34 | ||||
-rw-r--r-- | pki/base/ca/shared/conf/server.xml | 8 | ||||
-rw-r--r-- | pki/base/ca/shared/webapps/ca/WEB-INF/web.xml | 28 |
4 files changed, 68 insertions, 4 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg.in b/pki/base/ca/shared/conf/CS.cfg.in index 289f65147..e3447bbc8 100644 --- a/pki/base/ca/shared/conf/CS.cfg.in +++ b/pki/base/ca/shared/conf/CS.cfg.in @@ -20,6 +20,8 @@ preop.product.name=CS preop.product.version=@VERSION@ preop.system.name=CA preop.system.fullname=Certificate Authority +proxy.securePort=[PKI_PROXY_SECURE_PORT] +proxy.unsecurePort=[PKI_PROXY_UNSECURE_PORT] cs.state._000=## cs.state._001=## cs.state=0 (pre-operational) cs.state._002=## cs.state=1 (running) diff --git a/pki/base/ca/shared/conf/proxy.conf b/pki/base/ca/shared/conf/proxy.conf new file mode 100644 index 000000000..663ba5722 --- /dev/null +++ b/pki/base/ca/shared/conf/proxy.conf @@ -0,0 +1,34 @@ +ProxyRequests Off + +# matches for ee port +<LocationMatch "^/ca/ee/*|^/ca/renewal|^/ca/certbasedenrollment|^/ca/ocsp|^/ca/enrollment|^/ca/profileSubmit|^/ca/cgi-bin/pkiclient.exe"> + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient none + ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ + ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ +</LocationMatch> + +# matches for admin port +<LocationMatch "^/ca/admin/*|^/ca/auths|^/ca/acl|^/ca/server|^/ca/caadmin|^/ca/caprofile|^/ca/jobsScheduler|^/ca/capublisher|^/ca/log|^/ca/ug"> + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient none + ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ + ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ +</LocationMatch> + +# matches for agent port and eeca port +<LocationMatch "^/ca/agent/*|^/ca/ca/getCertFromRequest|^/ca/ca/GetBySerial|^/ca/ca/connector|/ca/ca/displayCertFromRequest|^/ca/doRevoke|^/ca/eeca/*"> + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient require + ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ + ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ +</LocationMatch> + +# static content +<LocationMatch "^/graphics/*"> + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient none + ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ + ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ +</LocationMatch> + diff --git a/pki/base/ca/shared/conf/server.xml b/pki/base/ca/shared/conf/server.xml index 07f4a4060..5984d4919 100644 --- a/pki/base/ca/shared/conf/server.xml +++ b/pki/base/ca/shared/conf/server.xml @@ -209,10 +209,10 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) clientAuth="false" sslProtocol="TLS" /> --> - <!-- Define an AJP 1.3 Connector on port 8009 --> -<!-- - <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> ---> + <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] --> +[PKI_OPEN_AJP_PORT_COMMENT] + <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" /> +[PKI_CLOSE_AJP_PORT_COMMENT] <!-- An Engine represents the entry point (within Catalina) that processes diff --git a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml index 43223c661..5e91977aa 100644 --- a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml +++ b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml @@ -10,6 +10,12 @@ <param-name>https_port</param-name> <param-value>[PKI_AGENT_SECURE_PORT]</param-value> </init-param> +[PKI_OPEN_ENABLE_PROXY_COMMENT] + <init-param> + <param-name>proxy_port</param-name> + <param-value>[PKI_PROXY_SECURE_PORT]</param-value> + </init-param> +[PKI_CLOSE_ENABLE_PROXY_COMMENT] <init-param> <param-name>active</param-name> <param-value>true</param-value> @@ -23,6 +29,12 @@ <param-name>https_port</param-name> <param-value>[PKI_ADMIN_SECURE_PORT]</param-value> </init-param> +[PKI_OPEN_ENABLE_PROXY_COMMENT] + <init-param> + <param-name>proxy_port</param-name> + <param-value>[PKI_PROXY_SECURE_PORT]</param-value> + </init-param> +[PKI_CLOSE_ENABLE_PROXY_COMMENT] <init-param> <param-name>active</param-name> <param-value>true</param-value> @@ -40,6 +52,16 @@ <param-name>https_port</param-name> <param-value>[PKI_EE_SECURE_PORT]</param-value> </init-param> +[PKI_OPEN_ENABLE_PROXY_COMMENT] + <init-param> + <param-name>proxy_port</param-name> + <param-value>[PKI_PROXY_SECURE_PORT]</param-value> + </init-param> + <init-param> + <param-name>proxy_http_port</param-name> + <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value> + </init-param> +[PKI_CLOSE_ENABLE_PROXY_COMMENT] <init-param> <param-name>active</param-name> <param-value>true</param-value> @@ -53,6 +75,12 @@ <param-name>https_port</param-name> <param-value>[PKI_EE_SECURE_CLIENT_AUTH_PORT]</param-value> </init-param> +[PKI_OPEN_ENABLE_PROXY_COMMENT] + <init-param> + <param-name>proxy_port</param-name> + <param-value>[PKI_PROXY_SECURE_PORT]</param-value> + </init-param> +[PKI_CLOSE_ENABLE_PROXY_COMMENT] <init-param> <param-name>active</param-name> <param-value>true</param-value> |