From 23481b9c36ef17d8c06f44f43132479cd62ebd63 Mon Sep 17 00:00:00 2001 From: Richard Bowen Date: Thu, 25 Jul 2002 00:16:26 +0000 Subject: [PATCH] SSLProxy* directives that exist in mod_ssl for Apache 2 but are not documented anywhere. Submitted by: Daniel Lopez Reviewed by: Rich Bowen git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@96180 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_proxy.xml | 3 + docs/manual/mod/mod_ssl.xml | 297 ++++++++++++++++++++++++++++++++++ 2 files changed, 300 insertions(+) diff --git a/docs/manual/mod/mod_proxy.xml b/docs/manual/mod/mod_proxy.xml index f50b542679..eae9fd06b2 100644 --- a/docs/manual/mod/mod_proxy.xml +++ b/docs/manual/mod/mod_proxy.xml @@ -36,6 +36,9 @@ and filter support was enabled.

mod_proxy up to Apache v1.3.x has been removed from mod_proxy and will be incorporated into a new module, mod_cache.

+

If you need to use SSL when contacting remote servers, have a look at the +SSLProxy* directives in mod_ssl.

+

Do not enable proxying with ProxyRequests until you have secured your server. Open proxy servers are diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index 75f4262886..5eef98b10f 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -1169,4 +1169,301 @@ SSL_VERSION_INTERFACE SSL_CLIENT_S_DN_OU SSL_SERVER_S_DN_OU + +SSLProxyMachineCertificatePath +Directory of PEM-encoded CA certificates for proxy server client certificates +SSLProxyMachineCertificatePath directory +None +server config +Not applicable + + +

+This directive sets the directory where you keep the certificates of +Certification Authorities (CAs) whose proxy client certificates are used for +authentication of the proxy server to remote servers. +

+

The files in this directory must be PEM-encoded and are accessed through +hash filenames. Additionally, you must create symbolic links named +hash-value.N. And you should always make sure this +directory contains the appropriate symbolic links. Use the Makefile which +comes with mod_ssl to accomplish this task. +

+

+Example:

+ +SSLProxyMachineCertificatePath /usr/local/apache/conf/ssl.crt/ + + + + + + +SSLProxyMachineCertificateFile +File of concatenated PEM-encoded CA certificates for proxy server client certificates +SSLProxyMachineCertificateFile filename +None +server config +Not applicable + + +

+This directive sets the directory where you keep the certificates of +Certification Authorities (CAs) whose proxy client certificates are used for +authentication of the proxy server to remote servers. +

+

+This referenced file is simply the concatenation of the various PEM-encoded +certificate files, in order of preference. Use this directive alternatively +or additionally to SSLProxyMachineCertificatePath. +

+

+Example:

+ +SSLProxyMachineCertificatePath /usr/local/apache/conf/ssl.crt/ + +
+
+ + +SSLProxyVerify +Type of remote server Certificate verification +SSLProxyVerify level +SSLProxyVerify none +server config +virtual host +directory +.htaccess +AuthConfig + + +

+This directive sets the Certificate verification level for the remote server +Authentication. Notice that this directive can be used both in per-server and +per-directory context. In per-server context it applies to the remote server +authentication process used in the standard SSL handshake when a connection is +established. In per-directory context it forces a SSL renegotation with the +reconfigured remote server verification level after the HTTP request was read but +before the HTTP response is sent.

+

+The following levels are available for level:

+
    +
  • none: + no remote server Certificate is required at all
  • +
  • optional: + the remote server may present a valid Certificate
  • +
  • require: + the remote server has to present a valid Certificate
  • +
  • optional_no_ca: + the remote server may present a valid Certificate
    + but it need not to be (successfully) verifiable.
  • +
+

In practice only levels none and +require are really interesting, because level +optional doesn't work with all servers and level +optional_no_ca is actually against the idea of +authentication (but can be used to establish SSL test pages, etc.)

+Example +SSLProxyVerify require + +
+
+ + +SSLProxyVerifyDepth +Maximum depth of CA Certificates in Remote Server +Certificate verification +SSLVerifyDepth number +SSLVerifyDepth 1 +server config +virtual host +directory +.htaccess +AuthConfig + + +

+This directive sets how deeply mod_ssl should verify before deciding that the +remote server does not have a valid certificate. Notice that this directive can be +used both in per-server and per-directory context. In per-server context it +applies to the client authentication process used in the standard SSL +handshake when a connection is established. In per-directory context it forces +a SSL renegotation with the reconfigured remote server verification depth after the +HTTP request was read but before the HTTP response is sent.

+

+The depth actually is the maximum number of intermediate certificate issuers, +i.e. the number of CA certificates which are max allowed to be followed while +verifying the remote server certificate. A depth of 0 means that self-signed +remote server certificates are accepted only, the default depth of 1 means +the remote server certificate can be self-signed or has to be signed by a CA +which is directly known to the server (i.e. the CA's certificate is under +SSLProxyCACertificatePath), etc.

+Example +SSLProxyVerifyDepth 10 + +
+
+ + +SSLProxyEngine +SSL Proxy Engine Operation Switch +SSLProxyEngine on|off +SSLProxyEngine off +server config +virtual host + + +

+This directive toggles the usage of the SSL/TLS Protocol Engine for proxy. This +is usually used inside a VirtualHost section to enable SSL/TLS for proxy +usage in a particular virtual host. By default the SSL/TLS Protocol Engine is +disabled for proxy image both for the main server and all configured virtual hosts.

+Example +<VirtualHost _default_:443>
+SSLProxyEngine on
+...
+</VirtualHost> +
+
+
+ + +SSLProxyProtocol +Configure usable SSL protocol flavors for proxy usage +SSLProxyProtocol [+|-]protocol ... +SSLProxyProtocol all +server config +virtual host +Options + + + +

+This directive can be used to control the SSL protocol flavors mod_ssl should +use when establishing its server environment for proxy . It will only connect +to servers using one of the provided protocols.

+

Please refer to SSLProtocol +for additional information. +

+
+
+ + +SSLProxyCipherSuite +Cipher Suite available for negotiation in SSL +proxy handshake +SSLProxyCipherSuite cipher-spec +SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP +server config +virtual host +directory +.htaccess +AuthConfig + +

Equivalent to SSLCipherSuite, but for the proxy connection. +Please refer to SSLCipherSuite +for additional information. + + + + +SSLProxyCACertificatePath +Directory of PEM-encoded CA Certificates for +Remote Server Auth +SSLProxyCACertificatePath directory-path +server config +virtual host + + +

+This directive sets the directory where you keep the Certificates of +Certification Authorities (CAs) whose remote servers you deal with. These are used to +verify the remote server certificate on Remote Server Authentication.

+

+The files in this directory have to be PEM-encoded and are accessed through +hash filenames. So usually you can't just place the Certificate files +there: you also have to create symbolic links named +hash-value.N. And you should always make sure this directory +contains the appropriate symbolic links. Use the Makefile which +comes with mod_ssl to accomplish this task.

+Example +SSLProxyCACertificatePath /usr/local/apache/conf/ssl.crt/ + +
+
+ + +SSLProxyCACertificateFile +File of concatenated PEM-encoded CA Certificates +for Remote Server Auth +SSLProxyCACertificateFile file-path +server config +virtual host + + +

+This directive sets the all-in-one file where you can assemble the +Certificates of Certification Authorities (CA) whose remote servers you deal +with. These are used for Remote Server Authentication. Such a file is simply the +concatenation of the various PEM-encoded Certificate files, in order of +preference. This can be used alternatively and/or additionally to +SSLProxyCACertificatePath.

+Example +SSLProxyCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle-remote-server.crt + +
+
+ + +SSLProxyCARevocationPath +Directory of PEM-encoded CA CRLs for +Remote Server Auth +SSLProxyCARevocationPath directory-path +server config +virtual host + + +

+This directive sets the directory where you keep the Certificate Revocation +Lists (CRL) of Certification Authorities (CAs) whose remote servers you deal with. +These are used to revoke the remote server certificate on Remote Server Authentication.

+

+The files in this directory have to be PEM-encoded and are accessed through +hash filenames. So usually you have not only to place the CRL files there. +Additionally you have to create symbolic links named +hash-value.rN. And you should always make sure this directory +contains the appropriate symbolic links. Use the Makefile which +comes with mod_ssl to accomplish this task.

+Example +SSLProxyCARevocationPath /usr/local/apache/conf/ssl.crl/ + +
+
+ + +SSLProxyCARevocationFile +File of concatenated PEM-encoded CA CRLs for +Remote Server Auth +SSLProxyCARevocationFile file-path +server config +virtual host + + +

+This directive sets the all-in-one file where you can +assemble the Certificate Revocation Lists (CRL) of Certification +Authorities (CA) whose remote servers you deal with. These are used +for Remote Server Authentication. Such a file is simply the concatenation of +the various PEM-encoded CRL files, in order of preference. This can be +used alternatively and/or additionally to SSLProxyCARevocationPath.

+Example +SSLProxyCARevocationFile /usr/local/apache/conf/ssl.crl/ca-bundle-remote-server.crl + +
+
+ + + -- 2.50.1
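Review bot: the cross-reference added in the mod_proxy.xml hunk points readers at "the SSLProxy* directives in mod_ssl" generically; since SSL to a remote server only works once SSLProxyEngine is switched on (the mod_ssl.xml hunk in this same patch documents its default as `SSLProxyEngine off`), naming that directive here would save readers a search. Suggested wording: "If you need to use SSL when contacting remote servers, have a look at the SSLProxy* directives in mod_ssl, in particular SSLProxyEngine."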
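Review bot: several entries in the mod_ssl.xml hunk carry text copied from a neighbouring directive without being adjusted, and two of them name the wrong directive. Under SSLProxyVerifyDepth the syntax and default lines read `SSLVerifyDepth number` and `SSLVerifyDepth 1`; both should say SSLProxyVerifyDepth. Under SSLProxyMachineCertificateFile the description repeats the SSLProxyMachineCertificatePath text word for word ("This directive sets the directory where you keep the certificates ...") although the synopsis takes a filename, and its example is `SSLProxyMachineCertificatePath /usr/local/apache/conf/ssl.crt/`; the example should use SSLProxyMachineCertificateFile with a file path and the description should describe a single concatenated file, as the second paragraph of that entry already does. The SSLProxyVerify and SSLProxyVerifyDepth descriptions also keep the client-authentication wording of their non-proxy counterparts ("applies to the client authentication process used in the standard SSL handshake", plus the directory/.htaccess/AuthConfig context entries and the forced renegotiation "after the HTTP request was read but before the HTTP response is sent"); please confirm that per-directory context and renegotiation actually apply to the outgoing proxy connection, or drop those sentences and context entries. Smaller points: SSLProxyEngine says "disabled for proxy image both for the main server", where "image" looks like a leftover word; SSLProxyProtocol has a stray space in "for proxy ."; and the documented SSLProxyCipherSuite default `ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP` admits LOW, SSLv2 and export-grade suites on the backend connection, so the entry would benefit from one sentence advising administrators to set a stricter cipher-spec rather than rely on the default.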