
Re: Making CA certificate available over http, __default__ rewrites




----- Original Message -----
> From: "Brenton Leanhardt" <bleanhar redhat com>
> To: "Jan Pazdziora" <jpazdziora redhat com>
> Cc: "Openshift Dev" <dev lists openshift redhat com>
> Sent: Wednesday, July 10, 2013 4:41:21 PM
> Subject: Re: Making CA certificate available over http, __default__ rewrites
> 
> +++ Jan Pazdziora [10/07/13 13:47 +0200]:
> >
> >Hello,
> >
> >in an effort to stop using curl -k and rhc -k when talking to
> >broker,
> >I thought it'd be nice if broker had a well-known location of its CA
> >certificate.
> 
> This isn't to solve a security concern, right?  You just want to
> avoid using -k?
> 
> Personally, I prefer for clients to understand clearly that they are
> using untrusted connections.
> 
> Your points about ensuring that Brokers and Nodes don't own the whole
> apache context is certainly valid though.  I'm sure we can improve
> something there.  Please open a bug when you have a specific example
> you need to get working and we'll take care of it.

I think it's really the node owning the whole apache namespace, and kindly making an exception for the broker in the all-in-one configuration. Shouldn't be a problem if the broker was separated out.

Should the node apache conf recuse itself if no known gear is matched? I'm not sure that's such an easy thing to implement...

> >
> >So I put the certificate to /var/www/html/CA.crt (well, it's the
> >server self-signed certificate but that should not matter) but then
> >I hit the issue of redirects -- to /console, and to https.
> >
> >I tried to put
> >
> >	RewriteRule     ^/CA\.crt$    -   [L]
> >
> >to
> >
> >	/etc/httpd/conf.d/000002_openshift_origin_broker_proxy.conf
> >
> >but that did not help. Then I've realized that this being
> >all-on-one-machine installation, the
> >
> >	/etc/httpd/conf.d/openshift_route.include
> >
> >takes precedence. When I put the RewriteRule there, before the other
> >rules, it works (I can fetch the certificate from
> >http://broker.example.net/CA.crt) but I can also get it from any node
> >running on the same machine.
> >
> >It looks like I want to put the equivalent of
> >
> >	__default__/CA.crt NOPROXY
> >
> >to something like
> >
> >	/var/lib/openshift/.httpd.d/nodes.db
> >
> >except I did not find where that database gets populated. Is there
> >a way to put that one record there in rpm build time?
> >
> >I also wonder if the records
> >
> >	__default__ REDIRECT:/console
> >	__default__/console TOHTTPS:127.0.0.1:8118/console
> >	__default__/broker TOHTTPS:127.0.0.1:8080/broker
> >
> >in there are actually correct -- I'd expect these to be handled by
> >
> >	/etc/httpd/conf.d/000002_openshift_origin_broker_proxy.conf
> >
> >and that
> >
> >	/etc/httpd/conf.d/000001_openshift_origin_node.conf
> >	/etc/httpd/conf.d/openshift_route.include
> >
> >would only specifically do anything for gear hostnames, never for
> >__default__. Am I missing something in the setup?
> >
> >The task to fetch CA.crt is really just a beginning in trying to
> >co-install other projects on the same machine, like FreeIPA. I'll
> >be attempting to add other .conf drop-ins to /etc/httpd/conf.d and
> >stopping OpenShift from being over-owning the URI namespace would
> >make the work and debugging easier.
> >
> >--
> >Jan Pazdziora | adelton at #ipa*, #brno
> >Principal Software Engineer, Identity Management Engineering, Red Hat
> >
> >_______________________________________________
> >dev mailing list
> >dev lists openshift redhat com
> >http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
> 

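Added example, not from the thread and not OpenShift's shipped configuration: the exemption Jan placed in front of the other rules in openshift_route.include works, but because the node's include applies to every hostname on the all-in-one box it also exposes /CA.crt on gear hostnames. Scoping the exemption to the broker's own hostname with a RewriteCond (the hostname broker.example.net is taken from the thread; the placement ahead of the existing rules is assumed from Jan's report that the include wins) keeps the rest of the namespace with the node:

```apache
# Added illustration, not the project's own file. Assumed to sit at the
# top of /etc/httpd/conf.d/openshift_route.include, ahead of the existing
# gear-routing rules, since that include is the one that takes precedence
# in the all-in-one installation described in the thread.
RewriteEngine On

# Only requests whose Host header is the broker's hostname qualify.
# Requests for gear hostnames do not match and fall through to the
# normal gear routing below.
RewriteCond %{HTTP_HOST} ^broker\.example\.net$ [NC]

# Match exactly /CA.crt (the dot escaped, nothing else accepted),
# substitute nothing ("-") and stop processing this ruleset ([L]),
# so the file is served straight from DocumentRoot (/var/www/html/CA.crt).
RewriteRule ^/CA\.crt$ - [L]
```

To check the scoping from a client, `curl -sS http://broker.example.net/CA.crt | openssl x509 -noout -subject -fingerprint -sha256` should print the certificate, while the same path requested with a gear hostname in the Host header should still be handled by the gear routing rather than returning the certificate.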
