此示例配置三个名为 repo1、repo2 和 repo3 的安全系统信息库。repo1 和 repo2 系统信息库是使用专用证书配置的。因此,repo1 的证书将不在 repo2 上运行,repo2 的证书将不在 repo1 上运行。repo3 系统信息库配置为接受两个证书之一。
该示例假定您已具有 Apache 实例的可用正确服务器证书。如果您没有 Apache 实例的服务器证书,请参见创建自签名服务器证书颁发机构中的说明创建一个测试证书。
这三个系统信息库分别在 https://pkg-sec.example.com/repo1、https://pkg-sec.example.com/repo2 和 https://pkg-sec.example.com/repo3 下进行设置。这些系统信息库分别指向在端口 10001、10002 和 10003 上的 http://internal.example.com 设置的 depot 服务器。确保已按照创建密钥库中所述正确设置 SOFTTOKEN_DIR 环境变量。
$ pktool gencert label=repo1_ca subject="CN=repo1" serial=0x01 $ pktool export objtype=cert label=repo1_ca outformat=pem \ outfile=repo1_ca.pem
$ pktool gencert label=repo2_ca subject="CN=repo2" serial=0x01 $ pktool export objtype=cert label=repo2_ca outformat=pem \ outfile=repo2_ca.pem
$ cat repo1_ca.pem > repo_cas.pem $ cat repo2_ca.pem >> repo_cas.pem $ cp repo_cas.pem /path-to-certs
$ pktool gencsr subject="C=US,CN=myuser" label=repo1_0001 format=pem \ outcsr=repo1_myuser.csr $ pktool signcsr signkey=repo1_ca csr=repo1_myuser.csr \ serial=0x02 outcert=repo1_myuser.crt.pem issuer="CN=repo1" $ pktool export objtype=key label=repo1_0001 outformat=pem \ outfile=repo1_myuser.key.pem $ cp repo1_myuser.key.pem /path-to-certs $ cp repo1_myuser.crt.pem /path-to-certs
$ pktool gencsr subject="C=US,CN=myuser" label=repo2_0001 format=pem \ outcsr=repo2_myuser.csr $ pktool signcsr signkey=repo2_ca csr=repo2_myuser.csr \ serial=0x02 outcert=repo2_myuser.crt.pem issuer="CN=repo2" $ pktool export objtype=key label=repo2_0001 outformat=pem \ outfile=repo2_myuser.key.pem $ cp repo2_myuser.key.pem /path-to-certs $ cp repo2_myuser.crt.pem /path-to-certs
将以下 SSL 配置添加到 httpd.conf 文件的结尾:
# Let Apache listen on the standard HTTPS port Listen 443 <VirtualHost 0.0.0.0:443> # DNS domain name of the server ServerName pkg-sec.example.com # enable SSL SSLEngine On # Location of the server certificate and key. # You either have to get one from a certificate signing authority like # VeriSign or create your own CA for testing purposes (see "Creating a # Self-Signed CA for Testing Purposes") SSLCertificateFile /path/to/server.crt SSLCertificateKeyFile /path/to/server.key # Intermediate CA certificate file. Required if your server certificate # is not signed by a top-level CA directly but an intermediate authority. # Comment out this section if you don't need one or if you are using a # test certificate SSLCertificateChainFile /path/to/ca_intermediate.pem # CA certs for client verification. # This is where the CA certificate created in step 3 needs to go. # If you have multiple CAs for multiple repos, just concatenate the # CA certificate files SSLCACertificateFile /path/to/certs/repo_cas.pem # If the client presents a certificate, verify it here. If it doesn't, # ignore. # This is required to be able to use client-certificate based and # anonymous SSL traffic on the same VirtualHost. SSLVerifyClient optional <Location /repo1> SSLVerifyDepth 1 SSLRequire ( %{SSL_CLIENT_I_DN_CN} =~ m/repo1/ ) # proxy request to depot running at internal.example.com:10001 ProxyPass http://internal.example.com:10001 nocanon max=500 </Location> <Location /repo2> SSLVerifyDepth 1 SSLRequire ( %{SSL_CLIENT_I_DN_CN} =~ m/repo2/ ) # proxy request to depot running at internal.example.com:10002 ProxyPass http://internal.example.com:10002 nocanon max=500 </Location> <Location /repo3> SSLVerifyDepth 1 SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" ) # proxy request to depot running at internal.example.com:10003 ProxyPass http://internal.example.com:10003 nocanon max=500 </Location> </VirtualHost>
$ pkg set-publisher -k /path-to-certs/repo1_myuser.key.pem \ -c /path-to-certs/repo1_myuser.crt.pem \ -p https://pkg-sec.example.com/repo1/
$ pkg set-publisher -k /path-to-certs/repo2_myuser.key.pem \ -c /path-to-certs/repo2_myuser.crt.pem \ -p https://pkg-sec.example.com/repo2/
使用 repo1 证书测试对 repo3 的访问。
$ pkg set-publisher -k /path-to-certs/repo1_myuser.key.pem \ -c /path-to-certs/repo1_myuser.crt.pem \ -p https://pkg-sec.example.com/repo3/
使用 repo2 证书测试对 repo3 的访问。
$ pkg set-publisher -k /path-to-certs/repo2_myuser.key.pem \ -c /path-to-certs/repo2_myuser.crt.pem \ -p https://pkg-sec.example.com/repo3/