Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
Menu
Open sidebar
ISC Open Source Projects
Kea
Commits
b3113da1
Commit
b3113da1
authored
Jun 29, 2017
by
Marcin Siodelski
Browse files
[master] Merge branch 'trac5303'
# Conflicts: # src/lib/http/connection.cc
parents
48113aba
547a90cb
Changes
2
Hide whitespace changes
Inline
Side-by-side
doc/Makefile.am
View file @
b3113da1
...
...
@@ -11,6 +11,7 @@ EXTRA_DIST += devel/unit-tests.dox
nobase_dist_doc_DATA
=
examples/agent/simple.json
nobase_dist_doc_DATA
+=
examples/ddns/sample1.json
nobase_dist_doc_DATA
+=
examples/ddns/template.json
nobase_dist_doc_DATA
+=
examples/https/httpd2/kea-httpd2.conf
nobase_dist_doc_DATA
+=
examples/https/nginx/kea-nginx.conf
nobase_dist_doc_DATA
+=
examples/kea4/advanced.json
nobase_dist_doc_DATA
+=
examples/kea4/backends.json
...
...
doc/examples/https/httpd2/kea-httpd2.conf
0 → 100644
View file @
b3113da1
# This file contains a partial Apache2 server configuration which
# enables reverse proxy service for Kea RESTful API. An access to
# the service is protected by client's certificate verification
# mechanism. Before using this configuration a server administrator
# must generate server certificate and private key as well as
# the certifiate authority (CA). The clients' certificates must
# be signed by the CA.
#
# Note that the steps provided below to generate and setup certifcates
# are provided as an example for testing purposes only. Always
# consider best known security measures to protect your production
# environment.
#
# The server certificate and key can be generated as follows:
#
# openssl genrsa -des3 -out kea-proxy.key 4096
# openssl req -new -x509 -days 365 -key kea-proxy.key -out kea-proxy.crt
#
# The CA certificate and key can be generated as follows:
#
# openssl genrsa -des3 -out ca.key 4096
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
#
#
# The client certifcate needs to be generated and signed:
#
# openssl genrsa -des3 -out kea-client.key 4096
# openssl req -new -key kea-client.key -out kea-client.csr
# openssl x509 -req -days 365 -in kea-client.csr -CA ca.crt \
# -CAkey ca.key -set_serial 01 -out kea-client.crt
#
# Note that the 'common name' value used when generating the client
# and the server certificates must differ from the value used
# for the CA certificate.
#
# The client certificate must be deployed on the client system.
# In order to test the proxy configuration with 'curl' run
# command similar to the following:
#
# curl -k --key kea-client.key --cert kea-client.crt -X POST \
# -H Content-Type:application/json -d '{ "command": "list-commands" }' \
# https://kea.example.org/kea
#
#
# In order to use this configuration within your Apache2 configuration
# put the following line in the main Apache 2 configuration file:
#
# Include /path/to/kea-httpd2.conf
#
# and specify a path appropriate for your system.
#
#
# Apache2 server configuration starts here.
#
# Address and port that the server should bind to.
# Usually an explicit address is specified to avoid binding to
# many addresses. For testing https connection on the localhost
# use:
# Listen [::1]:443 or
# Listen 127.0.0.1:443
Listen
*:
443
# List the ciphers that the client is permitted to negotiate,
# and that httpd will negotiate as the client of a proxied server.
# See the OpenSSL documentation for a complete list of ciphers, and
# ensure these follow appropriate best practices for this deployment.
# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
SSLCipherSuite
HIGH
:
MEDIUM
:!
MD5
:!
RC4
SSLProxyCipherSuite
HIGH
:
MEDIUM
:!
MD5
:!
RC4
# User agents such as web browsers are not configured for the user's
# own preference of either security or performance, therefore this
# must be the prerogative of the web server administrator who manages
# cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder
on
# List the protocol versions which clients are allowed to connect with.
# Disable SSLv2 and SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0)
# should be disabled as quickly as practical. By the end of 2016, only
# the TLSv1.2 protocol or later should remain in use.
SSLProtocol
all
-
SSLv2
-
SSLv3
SSLProxyProtocol
all
-
SSLv2
-
SSLv3
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex
"file:/usr/local/var/run/apache2/ssl_mutex"
<
VirtualHost
*:
443
>
# For URLs such as https://kea.example.org/kea, forward the requests
# to http://127.0.0.1:8080
ProxyPass
/
kea
http
://
127
.
0
.
0
.
1
:
8080
/
ProxyPassReverse
/
kea
http
://
127
.
0
.
0
.
1
:
8080
/
# Disable connection keep alive between the proxy and Kea because
# Kea doesn't support this mechanism.
SetEnv
proxy
-
nokeepalive
1
# Set server name.
ServerName
kea
.
example
.
org
# Enable SSL for this virtual host.
SSLEngine
on
# Server certificate and private key.
SSLCertificateFile
"/path/to/kea-proxy.crt"
SSLCertificateKeyFile
"/path/to/kea-proxy.key"
# Enable verification of the client certificate.
SSLVerifyClient
require
# Certificate Authority. Client certificate must be signed by the CA.
SSLCACertificateFile
"/path/to/ca.crt"
</
VirtualHost
>
\ No newline at end of file
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment