On 07/25/11 10:31, Erik Trauschke wrote:
On Sat, 2011-07-23 at 11:16 -0700, Amol Chiplunkar wrote:
--8<--
Can that verification happen even through the remote proxy?
I presume yes, and the cert has to be configured at the actual IPS repository level.
Is that right?

No, if you run the depot behind apache you'd have to do the SSL
verification in apache. Apache then proxies request to the depot in
http.
Right.
How do I get the pkg to use the Apache cert?

Here is what I tried:
openssl s_client -connect <myhost>:<myport>
Copy pasted the cert and made sure it matches the one on the web server side.

Then copied it to /etc/certs/CA
Created a symlink pointing to it with hash value inside /etc/openssl/certs

But it still says
Unable to contact valid package repository
Encountered the following error(s):
Unable to contact any configured publishers.
This is likely a network configuration problem.
Framework error: code: 60 reason: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
URL: 'https://xvm-4150-9:8002/IPS'.

So you'd create a httpd.conf like this:
---
SSLEngine On

# Cert paths
SSLCertificateFile /path/to/apache2/certs/server.crt
SSLCertificateKeyFile /path/to/apache2/certs/server.key

# intermediate CA cert
SSLCertificateChainFile /path/to/apache2/certs/ca_intermediate.pem

# CA certs for client verification (concatenated in one file)
SSLCACertificateFile /path/to/apache2/certs/ca_combined.pem

# CRL (optional)
SSLCARevocationFile /path/to/apache2/certs/crl.pem

<Location /private>
        SSLVerifyClient require
        SSLVerifyDepth 1
        # example: only certs with subject [email protected] are allowed
        SSLRequire ( %{SSL_CLIENT_S_DN_CN} =~ m/[email protected]/ )
        ProxyPass http://depot_server:12345 nocanon max=500
</Location>
---

Erik

Thanks
Amol

Brock

However, I would now expect
pkg set-publisher -G '*' -g https://Host:<secure http port> solaris
to work!
But it errors out saying
Framework error: code: 35 reason: error:140770FC:SSL 
routines:SSL23_GET_SERVER_HELLO:unknown protocol

Wondering if it's the right set of commands?
Is the approved-ca-cert meant to work with a reverse proxy in the first place?
Because looking at the doc, it seems the cert has to be configured with the actual IPS repo.

Please suggest.

thx
- Amol

Erik

[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(56): proxy: HTTP:
canonicalising URL //oc-4200m2-42:11000/IPSversions/0/
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(1506): [client ] proxy:
http: found worker http://oc-4200m2-42:11000/IPS for
http://oc-4200m2-42:11000/IPSversions/0/
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy.c(993): Running scheme http
handler (attempt 0)
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1966): proxy: HTTP:
serving URL http://oc-4200m2-42:11000/IPSversions/0/
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2011): proxy: HTTP: has
acquired connection for (oc-4200m2-42)
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2067): proxy: connecting
http://oc-4200m2-42:11000/IPSversions/0/ to oc-4200m2-42:11000
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2193): proxy: connected
/IPSversions/0/ to oc-4200m2-42:11000
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2444): proxy: HTTP: fam
2 socket created to connect to oc-4200m2-42
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2576): proxy: HTTP:
connection complete to X.X.X.X:11000 (oc-4200m2-42)
[Mon Jul 18 17:24:01 2011] [error] an unknown filter was not added: DEFLATE
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1736): proxy: start
body send
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1840): proxy: end
body send
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2029): proxy: HTTP: has
released connection for (oc-4200m2-42)
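As an added example (not from the thread, and not the poster's config), the following Python emulates Apache's ProxyPass prefix mapping to show how a backend URL of the shape seen in the debug log above (`/IPSversions/0/`, with no slash between the prefix and `versions`) arises when the ProxyPass source path ends with a slash but the target URL does not. The rule tables are assumptions constructed to reproduce that logged line; the log line itself is re-typed from the thread as a single string.

```python
import re

# Constructed sample: the mod_proxy "serving URL" debug line from the thread.
LOG_LINE = ("[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1966): "
            "proxy: HTTP: serving URL http://oc-4200m2-42:11000/IPSversions/0/")

# Assumed ProxyPass tables as (source path, target URL). The first is a guess
# that reproduces the logged URL; the second has agreeing trailing slashes.
RULES_AS_LOGGED = [("/IPS/", "http://oc-4200m2-42:11000/IPS")]
RULES_FIXED = [("/IPS/", "http://oc-4200m2-42:11000/IPS/")]


def upstream_url(log_line):
    """Pull the backend URL out of a mod_proxy 'serving URL' debug line."""
    m = re.search(r"serving URL (\S+)", log_line)
    return m.group(1) if m else None


def proxypass_target(rules, request_path):
    """Emulate ProxyPass: rules are checked in configuration order, the first
    source prefix that matches is stripped from the request path and the
    remainder is appended to the target URL verbatim (Apache inserts no
    slash). Returns None when no rule matches."""
    for source, target in rules:
        if request_path.startswith(source):
            return target + request_path[len(source):]
    return None


def slash_mismatches(rules):
    """Return the source paths whose trailing slash does not agree with their
    target's; such pairs glue the remainder onto the target's last segment."""
    return [src for src, tgt in rules if src.endswith("/") != tgt.endswith("/")]


if __name__ == "__main__":
    logged = upstream_url(LOG_LINE)
    for name, rules in (("as logged", RULES_AS_LOGGED), ("fixed", RULES_FIXED)):
        built = proxypass_target(rules, "/IPS/versions/0/")
        print(f"{name:10} -> {built}  matches log: {built == logged}  "
              f"mismatched sources: {slash_mismatches(rules)}")
```

Running it shows the "as logged" table producing exactly the URL in the debug line, while the table with matching slashes yields `/IPS/versions/0/`, the path a depot would actually serve.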

_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss