zorun
/
kea


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129
							#   This file contains a partial Apache2 server configuration which
#   enables reverse proxy service for Kea RESTful API. An access to
#   the service is protected by client's certificate verification
#   mechanism. Before using this configuration a server administrator
#   must generate server certificate and private key as well as
#   the certificate authority (CA). The clients' certificates must
#   be signed by the CA.
#
#   Note that the steps provided below to generate and setup certificates
#   are provided as an example for testing purposes only. Always
#   consider best known security measures to protect your production
#   environment.
#
#   The server certificate and key can be generated as follows:
#
#   openssl genrsa -des3 -out kea-proxy.key 4096
#   openssl req -new -x509 -days 365 -key kea-proxy.key -out kea-proxy.crt
#
#   The CA certificate and key can be generated as follows:
#
#   openssl genrsa -des3 -out ca.key 4096
#   openssl req -new -x509 -days 365 -key ca.key -out ca.crt
#
#
#   The client certificate needs to be generated and signed:
#
#   openssl genrsa -des3 -out kea-client.key 4096
#   openssl req -new -key kea-client.key -out kea-client.csr
#   openssl x509 -req -days 365 -in kea-client.csr -CA ca.crt \
#           -CAkey ca.key -set_serial 10 -out kea-client.crt
#
#   Note that the 'common name' value used when generating the client
#   and the server certificates must differ from the value used
#   for the CA certificate.
#
#   The client certificate must be deployed on the client system.
#   In order to test the proxy configuration with 'curl' run
#   command similar to the following:
#
#   curl -k --key kea-client.key --cert kea-client.crt -X POST \
#        -H Content-Type:application/json -d '{ "command": "list-commands" }' \
#         https://kea.example.org/kea
#
#   On some curl running on macOS the crypto library requires a PKCS#12
#   bundle with the private key and the certificate as the cert argument.
#   The PKCS#12 file can be generated by:
#
#   openssl pkcs12 -export -in kea-client.crt -inkey kea-client.key \
#           -out kea-client.p12
#
#   If the password is kea, curl command becomes:
#
#   curl -k --cert kea-client.p12:kea -X POST \
#        -H Content-Type:application/json -d '{ "command": "list-commands" }' \
#         https://kea.example.org/kea
#
#
#   In order to use this configuration within your Apache2 configuration
#   put the following line in the main Apache 2 configuration file:
#
#   Include /path/to/kea-httpd2.conf
#
#   and specify a path appropriate for your system.
#
#
#   Apache2 server configuration starts here.
#
#   Address and port that the server should bind to.
#   Usually an explicit address is specified to avoid binding to
#   many addresses. For testing https connection on the localhost
#   use:
#       Listen [::1]:443         or
#       Listen 127.0.0.1:443
Listen *:443

#   List the ciphers that the client is permitted to negotiate,
#   and that httpd will negotiate as the client of a proxied server.
#   See the OpenSSL documentation for a complete list of ciphers, and
#   ensure these follow appropriate best practices for this deployment.
#   httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
#   while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4

#   User agents such as web browsers are not configured for the user's
#   own preference of either security or performance, therefore this
#   must be the prerogative of the web server administrator who manages
#   cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on

#   List the protocol versions which clients are allowed to connect with.
#   Disable SSLv2 and SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0)
#   should be disabled as quickly as practical.  By the end of 2016, only
#   the TLSv1.2 protocol or later should remain in use.
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
SSLMutex  "file:/usr/local/var/run/apache2/ssl_mutex"

<VirtualHost *:443>
    #    For URLs such as https://kea.example.org/kea, forward the requests
    #    to http://127.0.0.1:8080
    ProxyPass /kea http://127.0.0.1:8080/
    ProxyPassReverse /kea http://127.0.0.1:8080/

    #    Disable connection keep alive between the proxy and Kea because
    #    Kea doesn't support this mechanism.
    SetEnv proxy-nokeepalive 1

    #    Set server name.
    ServerName kea.example.org

    #   Enable SSL for this virtual host.
    SSLEngine on

    #   Server certificate and private key.
    SSLCertificateFile "/path/to/kea-proxy.crt"
    SSLCertificateKeyFile "/path/to/kea-proxy.key"

    #   Enable verification of the client certificate.
    SSLVerifyClient require

    #   Certificate Authority. Client certificate must be signed by the CA.
    SSLCACertificateFile "/path/to/ca.crt"

</VirtualHost>