To use client-certificate-based authentication for a repository, first set up the generic Apache configuration for the aggregation server as described in the Apache configuration instructions for the aggregation server. Then add the following SSL configuration to the end of the httpd.conf file.
# Let Apache listen on the standard HTTPS port
Listen 443

# VirtualHost configuration for requests on port 443
<VirtualHost 0.0.0.0:443>
        # DNS domain name of the server, needs to match your server certificate
        ServerName pkg-sec.example.com

        # enable SSL
        SSLEngine On

        # Location of the server certificate and key.
        # You either have to get one from a certificate signing authority like
        # VeriSign or create your own CA for testing purposes (see "Creating a
        # Self-Signed CA for Testing Purposes")
        SSLCertificateFile /path/to/server.crt
        SSLCertificateKeyFile /path/to/server.key

        # Intermediate CA certificate file. Required if your server certificate
        # is not signed by a top-level CA directly but by an intermediate authority.
        # Comment out this section if you are using a test certificate or your
        # server certificate doesn't require it.
        # For more info:
        # http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile
        SSLCertificateChainFile /path/to/ca_intermediate.pem

        # CA certs for client verification.
        # This is where the CA certificate created in step 3 needs to go.
        # If you have multiple CAs for multiple repos, just concatenate the
        # CA certificate files.
        SSLCACertificateFile /path/to/ca_cert.pem

        # If the client presents a certificate, verify it here. If it doesn't,
        # ignore.
        # This is required to be able to use client-certificate based and
        # anonymous SSL traffic on the same VirtualHost.
        # This statement could also go into the <Location> tags but putting it
        # here avoids re-negotiation, which can cause security issues with older
        # servers/clients:
        # http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555
        SSLVerifyClient optional

        <Location /repo>
                SSLVerifyDepth 1

                # This is the SSL requirement for this location.
                # Requirements can be made based on various information encoded
                # in the certificate. Two variants are the most useful for use
                # with IPS repositories:
                # a) SSLRequire ( %{SSL_CLIENT_I_DN_CN} =~ m/reponame/ )
                #    only allow access if the CN in the client certificate matches
                #    "reponame", useful for different certificates for different
                #    repos
                #
                # b) SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
                #    grant access if the client's certificate is signed by one of the
                #    CAs specified in SSLCACertificateFile
                SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" )

                # proxy requests to the depot running at internal.example.com:12345
                ProxyPass http://internal.example.com:12345 nocanon max=500
        </Location>
</VirtualHost>
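As an added example (not part of the original document or the IPS project), the following shell script reproduces offline what the two SSLRequire variants and SSLVerifyDepth 1 actually evaluate, so a certificate can be checked before it is handed to clients: variant (b) is a chain verification against the SSLCACertificateFile bundle, and variant (a) tests the issuer CN (SSL_CLIENT_I_DN_CN), not the subject CN. It generates a throwaway CA and client certificate with openssl; all names ("reponame", "otherrepo", "pkg-client") are constructed placeholders.

```shell
#!/bin/sh
# Added example: mimic Apache's client-certificate checks with openssl.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_test_pki() {
  # Throwaway CA whose CN is the repo name (constructed placeholder),
  # standing in for the CA in SSLCACertificateFile.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca_cert.pem" \
    -subj "/CN=reponame" 2>/dev/null
  # A second, unrelated CA to show a non-matching case.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/other.key" -out "$WORK/other_ca.pem" \
    -subj "/CN=otherrepo" 2>/dev/null
  # Client key and CSR, signed directly by the repo CA (one hop, so
  # it satisfies SSLVerifyDepth 1).
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" \
    -subj "/CN=pkg-client" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca_cert.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/client.crt" 2>/dev/null
}

# Variant (b): SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" ) with
# SSLVerifyDepth 1. The client cert must chain to a CA in the bundle
# within one step. $1 = client cert, $2 = CA bundle.
client_verify_ok() {
  openssl verify -verify_depth 1 -CAfile "$2" "$1" >/dev/null 2>&1
}

# Variant (a): SSLRequire ( %{SSL_CLIENT_I_DN_CN} =~ m/reponame/ ).
# The *issuer* CN of the client cert must contain the repo name.
# $1 = client cert, $2 = repo name.
issuer_cn_matches() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
    | grep -q "CN=[^,]*$2"
}

make_test_pki
if client_verify_ok "$WORK/client.crt" "$WORK/ca_cert.pem" \
   && issuer_cn_matches "$WORK/client.crt" reponame; then
  echo "client.crt would pass both SSLRequire variants for /repo"
fi
```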