Revision ec8558b1
Added by Benoît PECCATTE almost 7 years ago
rudder-server-relay/SOURCES/rudder-apache-relay-ssl.conf | ||
---|---|---|
# Provide nodes policies
|
||
# ----------------------
|
||
|
||
# List of allowed certificates
|
||
SSLCACertificateFile /opt/rudder/etc/ssl/ca.cert
|
||
|
||
# Explanation
|
||
# 1. The Rewriterule pattern is matched
|
||
# Yes -> if so the result goes to $0,$1,$2
|
||
# No -> no rewrite, no access to the files
|
||
# 2. The RewriteCond is checked
|
||
# -> Get client uuid from %{SSL:SSL_CLIENT_S_DN_UID}
|
||
# -> Get requested uuid from the Rewriterule pattern ($1)
|
||
# -> Generate a TestString of the form "<client_uuid>=<requested_uuid>"
|
||
# -> Test the string against a regex that check that the left part is identical to the right part
|
||
# 3. The Rewriterule is applied
|
||
# -> final path is generated from the rule pattern
|
||
RewriteCond "%{SSL:SSL_CLIENT_S_DN_UID}=$1" "^(.*?)=\1"
|
||
RewriteRule /policies/(.*?)/(.*) /var/rudder/share/$1/$2
|
||
|
||
# This is the basic configuration for sub-directories of /var/rudder/share
|
||
# The is no Location nor alias because /var/rudder/share is not shared.
|
||
# Only subdirectories are shared (from rudder-share-acl.conf)
|
||
#
|
||
# Warning: Do not create any alias on /var/rudder/share itself !
|
||
#
|
||
<Directory /var/rudder/share>
|
||
SSLVerifyClient require
|
||
SSLUserName SSL_CLIENT_S_DN_CN
|
||
... | ... | |
</IfVersion>
|
||
<IfVersion >= 2.4>
|
||
Include /opt/rudder/etc/rudder-networks-24.conf
|
||
</IfVersion>
|
||
</IfVersion>
|
||
</Directory>
|
||
|
||
# include directory specific authorization
|
||
<IfVersion < 2.4>
|
||
Include /opt/rudder/etc/rudder-share-acl.conf
|
||
</IfVersion>
|
||
<IfVersion >= 2.4>
|
||
Include /opt/rudder/etc/rudder-share-acl-24.conf
|
||
</IfVersion>
|
||
|
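Review bot: The test regex in `RewriteCond "%{SSL:SSL_CLIENT_S_DN_UID}=$1" "^(.*?)=\1"` has no end anchor and allows an empty group, so it only checks that the requested id starts with the certificate UID, not that the two are equal as the explanation comment states. A certificate with no UID in its subject therefore satisfies the condition for every node directory, and a UID that is a prefix of another node id satisfies it for that node. Access then rests only on `SSLVerifyClient require` and the included rudder-share-acl files, whose content is not shown here. I would tighten it to `RewriteCond "%{SSL:SSL_CLIENT_S_DN_UID}=$1" "^([^=]+)=\1$"`, assuming node ids never contain `=`. Since `SSLVerifyClient require` appears only inside `<Directory /var/rudder/share>`, it is also worth confirming that the client certificate variables are already populated when this rewrite is evaluated; the page does not show which lines are added, so this assumes the rewrite block is on the new side.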
rudder-server-relay/SPECS/rudder-server-relay.spec | ||
---|---|---|
Source11: rudder-relay.fc
|
||
Source12: rudder-relay.te
|
||
Source13: rudder-apache-relay-ssl.conf
|
||
Source14: rudder-share-acl.conf
|
||
Source15: rudder-share-acl-24.conf
|
||
|
||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||
|
||
... | ... | |
# Copy stub rudder-networks*.conf
|
||
cp %{SOURCE2} %{buildroot}%{rudderdir}/etc/
|
||
cp %{SOURCE3} %{buildroot}%{rudderdir}/etc/
|
||
cp %{SOURCE14} %{buildroot}%{rudderdir}/etc/
|
||
cp %{SOURCE15} %{buildroot}%{rudderdir}/etc/
|
||
cp %{SOURCE7} %{buildroot}%{rudderdir}/etc/
|
||
cp %{SOURCE8} %{buildroot}%{rudderdir}/etc/
|
||
|
||
... | ... | |
%config(noreplace) %{rudderdir}/etc/rudder-apache-relay-ssl.conf
|
||
%config(noreplace) %{rudderdir}/etc/rudder-networks.conf
|
||
%config(noreplace) %{rudderdir}/etc/rudder-networks-24.conf
|
||
%config(noreplace) %{rudderdir}/etc/rudder-share-acl.conf
|
||
%config(noreplace) %{rudderdir}/etc/rudder-share-acl-24.conf
|
||
%config(noreplace) %{rudderdir}/etc/rudder-networks-policy-server.conf
|
||
%config(noreplace) %{rudderdir}/etc/rudder-networks-policy-server-24.conf
|
||
%config(noreplace) /etc/sysconfig/rudder-relay-apache
|
rudder-server-relay/debian/rules | ||
---|---|---|
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-networks-24.conf /opt/rudder/etc/
|
||
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-networks-policy-server.conf /opt/rudder/etc/
|
||
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-networks-policy-server-24.conf /opt/rudder/etc/
|
||
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-share-acl.conf /opt/rudder/etc/
|
||
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/ rudder-share-acl-24.conf /opt/rudder/etc/
|
||
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/relay-api relay_api/ /opt/rudder/share/relay-api/
|
||
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/relay-api flask/ /opt/rudder/share/relay-api/
|
||
dh_install --SOURCEDIR=$(CURDIR)/SOURCES/relay-api apache/relay-api.wsgi /opt/rudder/share/relay-api/
|
Fixes #11033: Use uuid to authenticate windows agents