Cert auth to staging koji is now history
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
parent
c9b0592bff
commit
d15e182de8
1 changed files with 22 additions and 23 deletions
|
@ -24,39 +24,38 @@ Alias /kojifiles "/mnt/koji/"
|
||||||
</Directory>
|
</Directory>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if env == "production" %}
|
||||||
SSLVerifyClient optional
|
SSLVerifyClient optional
|
||||||
|
{% endif %}
|
||||||
<Location /kojihub/ssllogin>
|
<Location /kojihub/ssllogin>
|
||||||
{% if env == "production" %}
|
{% if env == "production" %}
|
||||||
SSLVerifyClient require
|
SSLVerifyClient require
|
||||||
SSLVerifyDepth 10
|
SSLVerifyDepth 10
|
||||||
SSLOptions +StdEnvVars
|
SSLOptions +StdEnvVars
|
||||||
{% else %}
|
|
||||||
SSLVerifyClient optional
|
|
||||||
SSLVerifyDepth 1
|
|
||||||
SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate
|
|
||||||
|
|
||||||
|
# This complicated ACL stuff is to support both SSL and kerb auth at the same time
|
||||||
|
# To be killed on December 12th, 2016, after which "Require valid-user" remains
|
||||||
|
#SetEnvIfExpr "%{SSL_CLIENT_S_DN_O} == 'Fedora Project'" cert_s_o_valid
|
||||||
|
#SetEnvIfExpr "%{SSL_CLIENT_S_DN_OU} == 'Fedora User Cert'" cert_s_ou_valid
|
||||||
|
#SetEnvIfExpr "%{SSL_CLIENT_I_DN_O} == 'Fedora Project'" cert_i_o_valid
|
||||||
|
#SetEnvIfExpr "%{SSL_CLIENT_I_DN_OU} == 'Fedora Project CA'" cert_i_ou_valid
|
||||||
|
#<RequireAny>
|
||||||
|
# <RequireAll>
|
||||||
|
# Require env cert_s_o_valid
|
||||||
|
# Require env cert_s_ou_valid
|
||||||
|
# Require env cert_i_o_valid
|
||||||
|
# Require env cert_i_ou_valid
|
||||||
|
# </RequireAll>
|
||||||
|
# Require valid-user
|
||||||
|
# </RequireAny>
|
||||||
|
|
||||||
|
{% else %}
|
||||||
AuthType GSSAPI
|
AuthType GSSAPI
|
||||||
GssapiSSLonly On
|
GssapiSSLonly On
|
||||||
GssapiLocalName On
|
GssapiLocalName On
|
||||||
AuthName "GSSAPI Single Sign On Login"
|
AuthName "GSSAPI Single Sign On Login"
|
||||||
GssapiCredStore keytab:/etc/koji-hub-http.keytab
|
GssapiCredStore keytab:/etc/koji-hub-http.keytab
|
||||||
|
|
||||||
# This complicated ACL stuff is to support both SSL and kerb auth at the same time
|
|
||||||
# To be killed on December 12th, 2016, after which "Require valid-user" remains
|
|
||||||
SetEnvIfExpr "%{SSL_CLIENT_S_DN_O} == 'Fedora Project'" cert_s_o_valid
|
|
||||||
SetEnvIfExpr "%{SSL_CLIENT_S_DN_OU} == 'Fedora User Cert'" cert_s_ou_valid
|
|
||||||
SetEnvIfExpr "%{SSL_CLIENT_I_DN_O} == 'Fedora Project'" cert_i_o_valid
|
|
||||||
SetEnvIfExpr "%{SSL_CLIENT_I_DN_OU} == 'Fedora Project CA'" cert_i_ou_valid
|
|
||||||
|
|
||||||
<RequireAny>
|
|
||||||
<RequireAll>
|
|
||||||
Require env cert_s_o_valid
|
|
||||||
Require env cert_s_ou_valid
|
|
||||||
Require env cert_i_o_valid
|
|
||||||
Require env cert_i_ou_valid
|
|
||||||
</RequireAll>
|
|
||||||
Require valid-user
|
Require valid-user
|
||||||
</RequireAny>
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
|
|
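Review bot: The production branch of `<Location /kojihub/ssllogin>` now carries the whole certificate ACL as commented-out directives (`#SetEnvIfExpr …` through `# </RequireAny>`), along with the "To be killed on December 12th, 2016" note, so a reader can mistake it for policy that is in force. As far as this hunk shows, production enforces only `SSLVerifyClient require` with `SSLVerifyDepth 10`, with no active `Require` directive or subject/issuer DN check. Any restriction beyond chain validation presumably lives in the hub, which reads the variables exported by `SSLOptions +StdEnvVars`, and that is worth confirming. I would delete the dead block and leave one comment in its place, for example `# Production: client-certificate auth only; no DN checks are enforced in httpd here`. The trusted client CA is configured outside this hunk, so how broad that trust is cannot be judged from here.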