@thepatrick
Created September 1, 2010 11:18
# provides a ridiculously simple SSL VPN, using a client side certificate.
# Issuing client side certificates is easy, and there are plenty of
# demos already.
#
# The following files are assumed:
#   ca.crt      This is your root certificate (note: NOT the key!)
#   apache.crt  An SSL certificate for this webserver
#   apache.key  The SSL key (to go with the SSL certificate)
#   ca.crl      The revocation list from your CA (so you can disable access!)
#
# Auth is limited here to checking organisation (well, and that the cert
# is valid, which means it has to be issued by our CA).
<VirtualHost {external IP}:443>
    DocumentRoot /home/patrick/proxy/docs
    ServerName remote.your-domain.net
    ServerAdmin support@your-domain.net
    ErrorLog /home/patrick/proxy/logs/error_log
    TransferLog /home/patrick/proxy/logs/access_log

    # Server side of the TLS connection
    SSLEngine on
    SSLCertificateFile /home/patrick/proxy/ssl/apache.crt
    SSLCertificateKeyFile /home/patrick/proxy/ssl/apache.key

    # Client certificates: required, and must be issued directly by our CA
    SSLCACertificateFile /home/patrick/proxy/ssl/ca.crt
    SSLVerifyClient require
    SSLOptions +FakeBasicAuth +ExportCertData +StdEnvVars
    CustomLog /home/patrick/proxy/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    SSLVerifyDepth 1
    SSLCARevocationFile /home/patrick/proxy/ssl/ca.crl

    # Refuse export/null ciphers and any certificate from another organisation
    <Location />
        SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ and %{SSL_CLIENT_S_DN_O} eq "Your Organisation" )
    </Location>

    # Forward everything to the internal server over HTTPS
    # (SSLProxyEngine needs an explicit on/off argument)
    SSLProxyEngine on
    ProxyPass / https://some-internal-server/
    ProxyPassReverse / https://some-internal-server/
</VirtualHost>
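
The same client-certificate gate written for Apache httpd 2.4, as an added example that is not part of the original gist. It assumes httpd 2.4 with mod_ssl and mod_proxy loaded and reuses the gist's placeholder paths and names; the two changes that matter are that 2.4 only consults the CRL when `SSLCARevocationCheck` is set, and that `SSLRequire` is deprecated in favour of `Require expr`.

```apache
# Added example (not the gist author's config). Assumes Apache httpd 2.4
# with mod_ssl, mod_proxy and mod_proxy_http loaded; paths, host names and
# the organisation string are the gist's own placeholders.
<VirtualHost {external IP}:443>
    ServerName remote.your-domain.net

    SSLEngine on
    SSLCertificateFile    /home/patrick/proxy/ssl/apache.crt
    SSLCertificateKeyFile /home/patrick/proxy/ssl/apache.key

    # Client certificates are mandatory and must be issued directly by
    # this CA (depth 1 = no intermediate CAs accepted).
    SSLCACertificateFile /home/patrick/proxy/ssl/ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1

    # In 2.4 SSLCARevocationCheck defaults to "none", which means the CRL
    # file alone does not cause revoked certificates to be refused.
    # "chain" checks every certificate in the client's chain.
    SSLCARevocationFile  /home/patrick/proxy/ssl/ca.crl
    SSLCARevocationCheck chain

    <Location />
        # Same two conditions as the SSLRequire line, in ap_expr syntax:
        # no export/null cipher, and the subject O must match exactly.
        Require expr "%{SSL_CIPHER} !~ m/^(EXP|NULL)-/ && %{SSL_CLIENT_S_DN_O} == 'Your Organisation'"
    </Location>

    SSLProxyEngine on
    ProxyPass        / https://some-internal-server/
    ProxyPassReverse / https://some-internal-server/
</VirtualHost>
```

httpd reads `ca.crl` when it starts, so a newly revoked certificate is refused only after the CRL file is replaced and the server is reloaded.
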
chrisbnt commented Sep 2, 2010

Much potential usefulness here
