dist-git/files/lookaside-upload.conf

Alias /repo/ /srv/cache/lookaside/

# default SSL configuration...
Listen 443

SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300

Mutex default

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

# SSL host
<VirtualHost _default_:443>
    # This alias must come before the /repo/ one to avoid being overridden.
    ScriptAlias /repo/pkgs/upload.cgi /srv/web/upload.cgi

    Alias /repo/ /srv/cache/lookaside/
    ServerName pkgs.fedoraproject.org
    ServerAdmin webmaster@fedoraproject.org

    SSLEngine on

    SSLCertificateFile    conf/pkgs.fedoraproject.org_key_and_cert.pem
    SSLCertificateKeyFile conf/pkgs.fedoraproject.org_key_and_cert.pem
    SSLCACertificateFile  conf/cacert.pem
    SSLCARevocationFile  /etc/pki/tls/crl.pem

    SSLCipherSuite RSA:!EXPORT:!DH:!LOW:!NULL:+MEDIUM:+HIGH

# Must be 'optional' everywhere in order to have POST operations work to upload.cgi
    SSLVerifyClient optional
# Must be here for POST operations to upload.cgi
    SSLOptions +OptRenegotiate
    ErrorLog logs/ssl_error_log
    CustomLog logs/ssl_access_log \
         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%{SSL_CLIENT_S_DN_OU}x\" %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_S_DN_emailAddress}x \"%r\" %b"

   <Directory /repo/pkgs/>
       SSLVerifyClient optional
       SSLVerifyDepth 1
       SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate
        # require that the client auth cert was created by us and signed by us
       SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
                  and %{SSL_CLIENT_S_DN_O} eq "Fedora Project" \
                  and %{SSL_CLIENT_S_DN_OU} eq "Fedora User Cert" \
                  and %{SSL_CLIENT_I_DN_O} eq "Fedora Project" \
                  and %{SSL_CLIENT_I_DN_OU} eq "Fedora Project CA" )
   </Directory>

   <Location /repo/pkgs/upload.cgi>
       SSLRequireSSL

       Options +ExecCGI
       Require all granted

       SSLVerifyClient optional
       SSLVerifyDepth 1
       SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate
       # require that the access comes from internal or that
       # the client auth cert was created by us and signed by us
       SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
                  and %{SSL_CLIENT_S_DN_O} eq "Fedora Project" \
                  and %{SSL_CLIENT_S_DN_OU} eq "Fedora User Cert" \
                  and %{SSL_CLIENT_I_DN_O} eq "Fedora Project" \
                  and %{SSL_CLIENT_I_DN_OU} eq "Fedora Project CA" )
    </Location>

</VirtualHost>
initial 2015-03-25 12:22:45 +01:00			`Alias /repo/ /srv/cache/lookaside/`

			`# default SSL configuration...`
			`Listen 443`

			`SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)`
			`SSLSessionCacheTimeout 300`

			`Mutex default`

			`SSLRandomSeed startup file:/dev/urandom 256`
			`SSLRandomSeed connect builtin`
			`SSLCryptoDevice builtin`

			`# SSL host`
			`<VirtualHost _default_:443>`
			`# This alias must come before the /repo/ one to avoid being overridden.`
			`ScriptAlias /repo/pkgs/upload.cgi /srv/web/upload.cgi`

			`Alias /repo/ /srv/cache/lookaside/`
			`ServerName pkgs.fedoraproject.org`
			`ServerAdmin webmaster@fedoraproject.org`

			`SSLEngine on`

			`SSLCertificateFile conf/pkgs.fedoraproject.org_key_and_cert.pem`
			`SSLCertificateKeyFile conf/pkgs.fedoraproject.org_key_and_cert.pem`
			`SSLCACertificateFile conf/cacert.pem`
			`SSLCARevocationFile /etc/pki/tls/crl.pem`

			`SSLCipherSuite RSA:!EXPORT:!DH:!LOW:!NULL:+MEDIUM:+HIGH`

			`# Must be 'optional' everywhere in order to have POST operations work to upload.cgi`
			`SSLVerifyClient optional`
			`# Must be here for POST operations to upload.cgi`
			`SSLOptions +OptRenegotiate`
			`ErrorLog logs/ssl_error_log`
			`CustomLog logs/ssl_access_log \`
			`"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%{SSL_CLIENT_S_DN_OU}x\" %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_S_DN_emailAddress}x \"%r\" %b"`

			`<Directory /repo/pkgs/>`
			`SSLVerifyClient optional`
			`SSLVerifyDepth 1`
			`SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate`
			`# require that the client auth cert was created by us and signed by us`
			`SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP\|NULL)/ \`
			`and %{SSL_CLIENT_S_DN_O} eq "Fedora Project" \`
			`and %{SSL_CLIENT_S_DN_OU} eq "Fedora User Cert" \`
			`and %{SSL_CLIENT_I_DN_O} eq "Fedora Project" \`
			`and %{SSL_CLIENT_I_DN_OU} eq "Fedora Project CA" )`
			`</Directory>`

			`<Location /repo/pkgs/upload.cgi>`
			`SSLRequireSSL`

			`Options +ExecCGI`
			`Require all granted`

			`SSLVerifyClient optional`
			`SSLVerifyDepth 1`
			`SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate`
			`# require that the access comes from internal or that`
			`# the client auth cert was created by us and signed by us`
			`SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP\|NULL)/ \`
			`and %{SSL_CLIENT_S_DN_O} eq "Fedora Project" \`
			`and %{SSL_CLIENT_S_DN_OU} eq "Fedora User Cert" \`
			`and %{SSL_CLIENT_I_DN_O} eq "Fedora Project" \`
			`and %{SSL_CLIENT_I_DN_OU} eq "Fedora Project CA" )`
			`</Location>`

			`</VirtualHost>`