|
|
@@ -0,0 +1,111 @@
|
|
|
+# This file contains a partial Apache2 server configuration which
|
|
|
+# enables reverse proxy service for Kea RESTful API. An access to
|
|
|
+# the service is protected by client's certificate verification
|
|
|
+# mechanism. Before using this configuration a server administrator
|
|
|
+# must generate server certificate and private key as well as
|
|
|
+# the certifiate authority (CA). The clients' certificates must
|
|
|
+# be signed by the CA.
|
|
|
+#
|
|
|
+# The server certificate and key can be generated as follows:
|
|
|
+#
|
|
|
+# openssl genrsa -des3 -out kea-proxy.key 4096
|
|
|
+# openssl req -new -x509 -days 365 -key kea-proxy.key -out kea-proxy.crt
|
|
|
+#
|
|
|
+# The CA certificate and key can be generated as follows:
|
|
|
+#
|
|
|
+# openssl genrsa -des3 -out ca.key 4096
|
|
|
+# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
|
|
|
+#
|
|
|
+#
|
|
|
+# The client certifcate needs to be generated and signed:
|
|
|
+#
|
|
|
+# openssl genrsa -des3 -out kea-client.key 4096
|
|
|
+# openssl req -new -key kea-client.key -out kea-client.csr
|
|
|
+# openssl x509 -req -days 365 -in kea-client.csr -CA ca.crt \
|
|
|
+# -CAkey ca.key -set_serial 01 -out kea-client.crt
|
|
|
+#
|
|
|
+# Note that the 'common name' value used when generating the client
|
|
|
+# and the server certificates must differ from the value used
|
|
|
+# for the CA certificate.
|
|
|
+#
|
|
|
+# The client certificate must be deployed on the client system.
|
|
|
+# In order to test the proxy configuration with 'curl' run
|
|
|
+# command similar to the following:
|
|
|
+#
|
|
|
+# curl -k --key kea-client.key --cert kea-client.crt -X POST \
|
|
|
+# -H Content-Type:application/json -d '{ "command": "list-commands" }' \
|
|
|
+# https://kea.example.org/kea
|
|
|
+#
|
|
|
+#
|
|
|
+# In order to use this configuration within your Apache2 configuration
|
|
|
+# put the following line in the main Apache 2 configuration file:
|
|
|
+#
|
|
|
+# Include /path/to/kea-httpd2.conf
|
|
|
+#
|
|
|
+# and specify a path appropriate for your system.
|
|
|
+#
|
|
|
+#
|
|
|
+# Apache2 server configuration starts here.
|
|
|
+#
|
|
|
+# Address and port that the server should bind to.
|
|
|
+# Usually an explicit address is specified to avoid binding to
|
|
|
+# many addresses. For testing https connection on the localhost
|
|
|
+# use:
|
|
|
+# Listen [::1]:443 or
|
|
|
+# Listen 127.0.0.1:443
|
|
|
+Listen *:443
|
|
|
+
|
|
|
+# List the ciphers that the client is permitted to negotiate,
|
|
|
+# and that httpd will negotiate as the client of a proxied server.
|
|
|
+# See the OpenSSL documentation for a complete list of ciphers, and
|
|
|
+# ensure these follow appropriate best practices for this deployment.
|
|
|
+# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
|
|
|
+# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
|
|
|
+SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
|
|
|
+SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
|
|
|
+
|
|
|
+# User agents such as web browsers are not configured for the user's
|
|
|
+# own preference of either security or performance, therefore this
|
|
|
+# must be the prerogative of the web server administrator who manages
|
|
|
+# cpu load versus confidentiality, so enforce the server's cipher order.
|
|
|
+SSLHonorCipherOrder on
|
|
|
+
|
|
|
+# List the protocol versions which clients are allowed to connect with.
|
|
|
+# Disable SSLv2 and SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0)
|
|
|
+# should be disabled as quickly as practical. By the end of 2016, only
|
|
|
+# the TLSv1.2 protocol or later should remain in use.
|
|
|
+SSLProtocol all -SSLv2 -SSLv3
|
|
|
+SSLProxyProtocol all -SSLv2 -SSLv3
|
|
|
+
|
|
|
+# Semaphore:
|
|
|
+# Configure the path to the mutual exclusion semaphore the
|
|
|
+# SSL engine uses internally for inter-process synchronization.
|
|
|
+SSLMutex "file:/usr/local/var/run/apache2/ssl_mutex"
|
|
|
+
|
|
|
+<VirtualHost *:443>
|
|
|
+ # For URLs such as https://kea.example.org/kea, forward the requests
|
|
|
+ # to http://127.0.0.1:8080
|
|
|
+ ProxyPass /kea http://127.0.0.1:8080/
|
|
|
+ ProxyPassReverse /kea http://127.0.0.1:8080/
|
|
|
+
|
|
|
+ # Disable connection keep alive between the proxy and Kea because
|
|
|
+ # Kea doesn't support this mechanism.
|
|
|
+ SetEnv proxy-nokeepalive 1
|
|
|
+
|
|
|
+ # Set server name.
|
|
|
+ ServerName kea.example.org
|
|
|
+
|
|
|
+ # Enable SSL for this virtual host.
|
|
|
+ SSLEngine on
|
|
|
+
|
|
|
+ # Server certificate and private key.
|
|
|
+ SSLCertificateFile "/path/to/kea-proxy.crt"
|
|
|
+ SSLCertificateKeyFile "/path/to/kea-proxy.key"
|
|
|
+
|
|
|
+ # Enable verification of the client certificate.
|
|
|
+ SSLVerifyClient require
|
|
|
+
|
|
|
+ # Certificate Authority. Client certificate must be signed by the CA.
|
|
|
+ SSLCACertificateFile "/path/to/ca.crt"
|
|
|
+
|
|
|
+</VirtualHost>
|
Marcin Siodelski