Para utilizar la autenticación basada en un certificado de cliente para su repositorio, defina primero una configuración Apache para el servidor de depósitos genérica como se describe en Configuración Apache para el servidor de depósitos. Luego, agregue la siguiente configuración de SSL al final de su archivo httpd.conf:
# Let Apache listen on the standard HTTPS port
Listen 443
# VirtualHost configuration for request on port 443
<VirtualHost 0.0.0.0:443>
# DNS domain name of the server, needs to match your server certificate
ServerName pkg-sec.example.com
# enable SSL
SSLEngine On
# Location of the server certificate and key.
# You either have to get one from a certificate signing authority like
# VeriSign or create your own CA for testing purposes (see "Creating a
# Self-Signed CA for Testing Purposes")
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
# Intermediate CA certificate file. Required if your server certificate
# is not signed by a top-level CA directly but an intermediate authority
# Comment out this section if you are using a test certificate or your
# server certificate doesn't require it.
# For more info:
# http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile
SSLCertificateChainFile /path/to/ca_intermediate.pem
# CA certs for client verification.
# This is where the CA certificate created in step 3 needs to go.
# If you have multiple CAs for multiple repos, just concatenate the
# CA certificate files
SSLCACertificateFile /path/to/ca_cert.pem
# If the client presents a certificate, verify it here. If it doesn't,
# ignore.
# This is required to be able to use client-certificate based and
# anonymous SSL traffic on the same VirtualHost.
# This statement could also go into the <Location> tags but putting it
# here avoids re-negotiation which can cause security issues with older
# servers/clients:
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555
SSLVerifyClient optional
<Location /repo>
SSLVerifyDepth 1
# This is the SSL requirement for this location.
# Requirements can be made based on various information encoded
# in the certificate. Two variants are the most useful for use
# with IPS repositories:
# a) SSLRequire ( %{SSL_CLIENT_I_DN_CN} =~ m/reponame/ )
# only allow access if the CN in the client certificate matches
# "reponame", useful for different certificates for different
# repos
#
# b) SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
# grant access if clients certificate is signed by one of the
# CAs specified in SSLCACertificateFile
SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
# proxy request to depot running at internal.example.com:12345
ProxyPass http://internal.example.com:12345 nocanon max=500
</Location>
</VirtualHost>