freeipa-health-metrics/test/ipa-pki-proxy.conf

# VERSION 14 - DO NOT REMOVE THIS LINE

ProxyRequests Off

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:8009 secret=testSecret
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>

# matches for admin port and installer
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:8009 secret=testSecret
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>

# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:8009 secret=testSecret
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>

# matches for CA REST API
<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/installer/installToken|^/ca/rest/securityDomain/domainInfo|^/ca/rest/securityDomain/installToken|^/ca/rest/profiles|^/ca/rest/authorities|^/ca/rest/certrequests|^/ca/rest/admin/kraconnector/remove|^/ca/rest/certs/search">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient optional
    ProxyPassMatch ajp://localhost:8009 secret=testSecret
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>

# matches for KRA REST API
<LocationMatch "^/kra/rest/config/cert/transport|^/kra/rest/account|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient optional
    ProxyPassMatch ajp://localhost:8009 secret=testSecret
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>

# Only enable this on servers that are not generating a CRL
RewriteRule ^/ipa/crl/MasterCRL.bin http://ipa1.example.com/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
First commit 2023-09-05 11:46:19 -05:00			`# VERSION 14 - DO NOT REMOVE THIS LINE`

			`ProxyRequests Off`

			`# matches for ee port`
			`<LocationMatch "^/ca/ee/ca/checkRequest\|^/ca/ee/ca/getCertChain\|^/ca/ee/ca/getTokenInfo\|^/ca/ee/ca/tokenAuthenticate\|^/ca/ocsp\|^/ca/ee/ca/updateNumberRange\|^/ca/ee/ca/getCRL\|^/ca/ee/ca/profileSubmit">`
			`NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate`
			`NSSVerifyClient none`
			`ProxyPassMatch ajp://localhost:8009 secret=testSecret`
			`ProxyPassReverse ajp://localhost:8009`
			`</LocationMatch>`

			`# matches for admin port and installer`
			`<LocationMatch "^/ca/admin/ca/getCertChain\|^/ca/admin/ca/getConfigEntries\|^/ca/admin/ca/getCookie\|^/ca/admin/ca/getStatus\|^/ca/admin/ca/securityDomainLogin\|^/ca/admin/ca/getDomainXML\|^/ca/admin/ca/updateNumberRange\|^/ca/admin/ca/tokenAuthenticate\|^/ca/admin/ca/updateNumberRange\|^/ca/admin/ca/updateDomainXML\|^/ca/admin/ca/updateConnector\|^/ca/admin/ca/getSubsystemCert\|^/kra/admin/kra/updateNumberRange\|^/kra/admin/kra/getConfigEntries">`
			`NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate`
			`NSSVerifyClient none`
			`ProxyPassMatch ajp://localhost:8009 secret=testSecret`
			`ProxyPassReverse ajp://localhost:8009`
			`</LocationMatch>`

			`# matches for agent port and eeca port`
			`<LocationMatch "^/ca/agent/ca/displayBySerial\|^/ca/agent/ca/doRevoke\|^/ca/agent/ca/doUnrevoke\|^/ca/agent/ca/updateDomainXML\|^/ca/eeca/ca/profileSubmitSSLClient\|^/kra/agent/kra/connector">`
			`NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate`
			`NSSVerifyClient require`
			`ProxyPassMatch ajp://localhost:8009 secret=testSecret`
			`ProxyPassReverse ajp://localhost:8009`
			`</LocationMatch>`

			`# matches for CA REST API`
			`<LocationMatch "^/ca/rest/account/login\|^/ca/rest/account/logout\|^/ca/rest/installer/installToken\|^/ca/rest/securityDomain/domainInfo\|^/ca/rest/securityDomain/installToken\|^/ca/rest/profiles\|^/ca/rest/authorities\|^/ca/rest/certrequests\|^/ca/rest/admin/kraconnector/remove\|^/ca/rest/certs/search">`
			`NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate`
			`NSSVerifyClient optional`
			`ProxyPassMatch ajp://localhost:8009 secret=testSecret`
			`ProxyPassReverse ajp://localhost:8009`
			`</LocationMatch>`

			`# matches for KRA REST API`
			`<LocationMatch "^/kra/rest/config/cert/transport\|^/kra/rest/account\|^/kra/rest/agent/keyrequests\|^/kra/rest/agent/keys">`
			`NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate`
			`NSSVerifyClient optional`
			`ProxyPassMatch ajp://localhost:8009 secret=testSecret`
			`ProxyPassReverse ajp://localhost:8009`
			`</LocationMatch>`

			`# Only enable this on servers that are not generating a CRL`
			`RewriteRule ^/ipa/crl/MasterCRL.bin http://ipa1.example.com/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]`