On Sat, 2011-07-23 at 11:16 -0700, Amol Chiplunkar wrote:
--8<--
> Can that verification happen even through the remote proxy ?
> I presume yes, and the cert has to be configured at the actual IPS repository
> level.
> Is that right ?
No, if you run the depot behind apache you'd have to do the SSL
verification in apache. Apache then proxies requests to the depot in
http.
So you'd create an httpd.conf like this:
---
SSLEngine On
# Cert paths
SSLCertificateFile /path/to/apache2/certs/server.crt
SSLCertificateKeyFile /path/to/apache2/certs/server.key
# intermediate CA cert
SSLCertificateChainFile /path/to/apache2/certs/ca_intermediate.pem
# CA certs for client verification (concatenated in one file)
SSLCACertificateFile /path/to/apache2/certs/ca_combined.pem
# CRL (optional)
SSLCARevocationFile /path/to/apache2/certs/crl.pem
<Location /private>
SSLVerifyClient require
SSLVerifyDepth 1
# example: only certs with subject [email protected] are allowed
SSLRequire ( %{SSL_CLIENT_S_DN_CN} =~ m/[email protected]/ )
ProxyPass http://depot_server:12345 nocanon max=500
</Location>
---
Erik
>
> Thanks
> Amol
>
> >
> > Brock
> >
> >> However, I would now expect
> >> pkg set-publisher -G '*' -g https://Host:<secure http port> solaris
> >> to work !
> >> But it errors out saying
> >> Framework error: code: 35 reason: error:140770FC:SSL
> >> routines:SSL23_GET_SERVER_HELLO:unknown protocol
> >>
> >> Wondering if it's the right set of commands ?
> >> Is the approved-ca-cert meant to work with a reverse proxy in the first
> >> place ??
> >> Because looking at the doc, it seems the cert has to be configured with
> >> the actual IPS repo.
> >>
> >>
> >> please suggest
> >>
> >> thx
> >> - Amol
> >>
> >>
> >>
> >>
> >>> Erik
> >>>
> >>>
> >>>> [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(56): proxy: HTTP:
> >>>> canonicalising URL //oc-4200m2-42:11000/IPSversions/0/
> >>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(1506): [client ] proxy:
> >>>> http: found worker http://oc-4200m2-42:11000/IPS for
> >>>> http://oc-4200m2-42:11000/IPSversions/0/
> >>>> [Mon Jul 18 17:24:01 2011] [debug] mod_proxy.c(993): Running scheme http
> >>>> handler (attempt 0)
> >>>> [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1966): proxy: HTTP:
> >>>> serving URL http://oc-4200m2-42:11000/IPSversions/0/
> >>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2011): proxy: HTTP: has
> >>>> acquired connection for (oc-4200m2-42)
> >>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2067): proxy: connecting
> >>>> http://oc-4200m2-42:11000/IPSversions/0/ to oc-4200m2-42:11000
> >>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2193): proxy: connected
> >>>> /IPSversions/0/ to oc-4200m2-42:11000
> >>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2444): proxy: HTTP: fam
> >>>> 2 socket created to connect to oc-4200m2-42
> >>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2576): proxy: HTTP:
> >>>> connection complete to X.X.X.X:11000 (oc-4200m2-42)
> >>>> [Mon Jul 18 17:24:01 2011] [error] an unknown filter was not added:
> >>>> DEFLATE
> >>>> [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1736): proxy: start
> >>>> body send
> >>>> [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1840): proxy: end
> >>>> body send
> >>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2029): proxy: HTTP: has
> >>>> released connection for (oc-4200m2-42)
> >>>>
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> pkg-discuss mailing list
> >>>> [email protected]
> >>>> http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
> >>>
> >>>
> >>
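
Added example (not part of the original message or of the pkg project): a small Python check that reads an httpd.conf laid out like the one above and reports any `<Location>` that proxies to the depot without `SSLVerifyClient require`. It assumes a flat config with no `<VirtualHost>` nesting or `Include` files; the `/public` block and the function names are constructed for illustration.

```python
import re

# Constructed sample: the /private block from the message above, plus a
# hypothetical /public block that proxies without requiring a client cert.
SAMPLE_CONF = """\
SSLEngine On
SSLCACertificateFile /path/to/apache2/certs/ca_combined.pem
<Location /private>
    SSLVerifyClient require
    ProxyPass http://depot_server:12345 nocanon max=500
</Location>
<Location /public>
    SSLVerifyClient optional
    ProxyPass http://depot_server:12345 nocanon
</Location>
"""

def parse(conf):
    """Return (server_directives, {location_path: directives}), names lowercased."""
    server, locations, current = {}, {}, None
    for line in map(str.strip, conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+([^>\s]+)>", line, re.I)
        if opened:
            current = locations.setdefault(opened.group(1), {})
        elif line.lower() == "</location>":
            current = None
        else:
            name, *args = line.split(None, 1)
            target = server if current is None else current
            target[name.lower()] = args[0] if args else ""
    return server, locations

def audit(conf):
    """List findings for the server and for every <Location> that proxies."""
    server, locations = parse(conf)
    findings = []
    if server.get("sslengine", "off").lower() != "on":
        findings.append("server: SSLEngine is not On")
    if not {"sslcacertificatefile", "sslcacertificatepath"} & server.keys():
        findings.append("server: no CA configured for client verification")
    for path, d in locations.items():
        # An unset SSLVerifyClient is inherited from server level (default none).
        verify = d.get("sslverifyclient", server.get("sslverifyclient", "none"))
        if "proxypass" in d and verify.lower() != "require":
            findings.append(f"{path}: proxied with SSLVerifyClient {verify}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)) or "no findings")
```

The check only reads the Apache side. Whether the depot's plain-http port can be reached without going through Apache has to be verified separately on the network.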