[master] Merge branch 'trac5303'

# Conflicts: # src/lib/http/connection.cc
2025-09-01 22:45:18 +00:00 · 2017-06-29 17:53:18 +02:00
parent 48113aba21 547a90cb49
commit b3113da16e
2 changed files with 117 additions and 0 deletions
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -11,6 +11,7 @@ EXTRA_DIST += devel/unit-tests.dox
 nobase_dist_doc_DATA  = examples/agent/simple.json
 nobase_dist_doc_DATA += examples/ddns/sample1.json
 nobase_dist_doc_DATA += examples/ddns/template.json
 nobase_dist_doc_DATA += examples/https/httpd2/kea-httpd2.conf
 nobase_dist_doc_DATA += examples/https/nginx/kea-nginx.conf
 nobase_dist_doc_DATA += examples/kea4/advanced.json
 nobase_dist_doc_DATA += examples/kea4/backends.json
--- a/doc/examples/https/httpd2/kea-httpd2.conf
+++ b/doc/examples/https/httpd2/kea-httpd2.conf
@@ -0,0 +1,116 @@
 #   This file contains a partial Apache2 server configuration which
 #   enables reverse proxy service for Kea RESTful API. An access to
 #   the service is protected by client's certificate verification
 #   mechanism. Before using this configuration a server administrator
 #   must generate server certificate and private key as well as
 #   the certifiate authority (CA). The clients' certificates must
 #   be signed by the CA.
 #
 #   Note that the steps provided below to generate and setup certifcates
 #   are provided as an example for testing purposes only. Always
 #   consider best known security measures to protect your production
 #   environment.
 #
 #   The server certificate and key can be generated as follows:
 #
 #   openssl genrsa -des3 -out kea-proxy.key 4096
 #   openssl req -new -x509 -days 365 -key kea-proxy.key -out kea-proxy.crt
 #
 #   The CA certificate and key can be generated as follows:
 #
 #   openssl genrsa -des3 -out ca.key 4096
 #   openssl req -new -x509 -days 365 -key ca.key -out ca.crt
 #
 #
 #   The client certifcate needs to be generated and signed:
 #
 #   openssl genrsa -des3 -out kea-client.key 4096
 #   openssl req -new -key kea-client.key -out kea-client.csr
 #   openssl x509 -req -days 365 -in kea-client.csr -CA ca.crt \
 #           -CAkey ca.key -set_serial 01 -out kea-client.crt
 #
 #   Note that the 'common name' value used when generating the client
 #   and the server certificates must differ from the value used
 #   for the CA certificate.
 #
 #   The client certificate must be deployed on the client system.
 #   In order to test the proxy configuration with 'curl' run
 #   command similar to the following:
 #
 #   curl -k --key kea-client.key --cert kea-client.crt -X POST \
 #        -H Content-Type:application/json -d '{ "command": "list-commands" }' \
 #         https://kea.example.org/kea
 #
 #
 #   In order to use this configuration within your Apache2 configuration
 #   put the following line in the main Apache 2 configuration file:
 #
 #   Include /path/to/kea-httpd2.conf
 #
 #   and specify a path appropriate for your system.
 #
 #
 #   Apache2 server configuration starts here.
 #
 #   Address and port that the server should bind to.
 #   Usually an explicit address is specified to avoid binding to
 #   many addresses. For testing https connection on the localhost
 #   use:
 #       Listen [::1]:443         or
 #       Listen 127.0.0.1:443
 Listen *:443
 #   List the ciphers that the client is permitted to negotiate,
 #   and that httpd will negotiate as the client of a proxied server.
 #   See the OpenSSL documentation for a complete list of ciphers, and
 #   ensure these follow appropriate best practices for this deployment.
 #   httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
 #   while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
 SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
 SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
 #   User agents such as web browsers are not configured for the user's
 #   own preference of either security or performance, therefore this
 #   must be the prerogative of the web server administrator who manages
 #   cpu load versus confidentiality, so enforce the server's cipher order.
 SSLHonorCipherOrder on
 #   List the protocol versions which clients are allowed to connect with.
 #   Disable SSLv2 and SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0)
 #   should be disabled as quickly as practical.  By the end of 2016, only
 #   the TLSv1.2 protocol or later should remain in use.
 SSLProtocol all -SSLv2 -SSLv3
 SSLProxyProtocol all -SSLv2 -SSLv3
 #   Semaphore:
 #   Configure the path to the mutual exclusion semaphore the
 #   SSL engine uses internally for inter-process synchronization.
 SSLMutex  "file:/usr/local/var/run/apache2/ssl_mutex"
 <VirtualHost *:443>
    #    For URLs such as https://kea.example.org/kea, forward the requests
    #    to http://127.0.0.1:8080
    ProxyPass /kea http://127.0.0.1:8080/
    ProxyPassReverse /kea http://127.0.0.1:8080/
    #    Disable connection keep alive between the proxy and Kea because
    #    Kea doesn't support this mechanism.
    SetEnv proxy-nokeepalive 1
    #    Set server name.
    ServerName kea.example.org
    #   Enable SSL for this virtual host.
    SSLEngine on
    #   Server certificate and private key.
    SSLCertificateFile "/path/to/kea-proxy.crt"
    SSLCertificateKeyFile "/path/to/kea-proxy.key"
    #   Enable verification of the client certificate.
    SSLVerifyClient require
    #   Certificate Authority. Client certificate must be signed by the CA.
    SSLCACertificateFile "/path/to/ca.crt"
 </VirtualHost>