[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Making CA certificate available over http, __default__ rewrites



+++ Jan Pazdziora [10/07/13 13:47 +0200]:

Hello,

in an effort to stop using curl -k and rhc -k when talking to broker,
I thought it'd be nice if broker had a well-known location of its CA
certificate.

This isn't to solve a security concern, right?  You just want to avoid
using -k?

Personally, I prefer for clients to understand clearly that they are
using untrusted connections.

Your points about ensuring that Brokers and Nodes don't own the whole
apache context is certainly valid though.  I'm sure we can improve
something there.  Please open a bug when you have a specific example
you need to get working and we'll take care of it.


So I put the certificate to /var/www/html/CA.crt (well, it's the
server self-signed certificate but that should not matter) but then
I hit the issue or derdirects -- to /console, and to https.

I tried to put

	RewriteRule     ^/CA\.*crt$    -   [L]

to

	/etc/httpd/conf.d/000002_openshift_origin_broker_proxy.conf

but that did not help. Then I've realized that this being
all-on-one-machine installation, the

	/etc/httpd/conf.d/openshift_route.include

takes precedence. When I put the RewriteRule there, before the other
rules, it works (I can fetch the certificate from
http://broker.example.net/CA.crt) but I can also get it from any node
running on the same machine.

It looks like I want to put equivalent ot

	__default__/CA.crt NOPROXY

to something like

	/var/lib/openshift/.httpd.d/nodes.db

except I did not find where that database gets populated. Is there
a way to put that one record there in rpm build time?

I also wonder if the records

	__default__ REDIRECT:/console
	__default__/console TOHTTPS:127.0.0.1:8118/console
	__default__/broker TOHTTPS:127.0.0.1:8080/broker

in there are actually correct -- I'd expect these to be handled by

	/etc/httpd/conf.d/000002_openshift_origin_broker_proxy.conf

and that

	/etc/httpd/conf.d/000001_openshift_origin_node.conf
	/etc/httpd/conf.d/openshift_route.include

would only specifically do anything for gear hostnames, never for
__default__. Am I missing something in the setup?

The task to fetch CA.crt is really just a beginning in trying to
co-install other projects on the same machine, like FreeIPA. I'll
be attempting to add other .conf drop-ins to /etc/httpd/conf.d and
stopping OpenShift from being over-owning the URI namespace would
make the work and debugging easier.

--
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat

_______________________________________________
dev mailing list
dev lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]