Created September 1, 2010 11:18
# Provides a ridiculously simple SSL VPN, using a client side certificate.
# Issuing client side certificates is easy, and there are plenty of
# demos already.
#
# The following files are assumed:
#   ca.crt      This is your root certificate (note: NOT the key!)
#   apache.crt  An SSL certificate for this webserver
#   apache.key  The SSL key (to go with the SSL certificate)
#   ca.crl      The revocation list from your CA (so you can disable access!)
#
# Auth is limited here to checking organisation (well, and that the cert
# is valid, which means it has to be issued by our CA).
<VirtualHost {external IP}:443>
    DocumentRoot /home/patrick/proxy/docs
    ServerName remote.your-domain.net
    ServerAdmin support@your-domain.net
    ErrorLog /home/patrick/proxy/logs/error_log
    TransferLog /home/patrick/proxy/logs/access_log

    SSLEngine on
    SSLCertificateFile /home/patrick/proxy/ssl/apache.crt
    SSLCertificateKeyFile /home/patrick/proxy/ssl/apache.key
    SSLCACertificateFile /home/patrick/proxy/ssl/ca.crt
    # Every request must present a client certificate that chains to ca.crt.
    SSLVerifyClient require
    SSLOptions +FakeBasicAuth +ExportCertData +StdEnvVars
    CustomLog /home/patrick/proxy/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    # Depth 1: only certificates issued directly by ca.crt, no intermediates.
    SSLVerifyDepth 1
    # Revoked certificates are rejected; the file is read at (re)start.
    SSLCARevocationFile /home/patrick/proxy/ssl/ca.crl

    <Location />
        # Reject export/NULL ciphers and any cert whose subject O is not ours.
        SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ and %{SSL_CLIENT_S_DN_O} eq "Your Organisation" )
    </Location>

    # "on" is required: the directive takes an argument, and without it the
    # config fails to load. Needed because the backend is https://.
    SSLProxyEngine on
    ProxyPass / https://some-internal-server/
    ProxyPassReverse / https://some-internal-server/
</VirtualHost>
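The gist assumes ca.crt, apache.crt, apache.key and ca.crl already exist but does not show how they are produced. The following POSIX shell script is an added example, not part of thepatrick's gist: it builds exactly those four files with openssl, issues two client certificates in O="Your Organisation" (the value the SSLRequire line compares against), revokes one of them so ca.crl actually contains an entry, and then checks each certificate the way mod_ssl will (chain to ca.crt, CRL lookup, then the O field). The output layout, the user names alice and bob, the PKCS#12 password and the inline openssl config are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the gist): build the PKI the VirtualHost expects.
# Assumed: output layout ($1/ca, $1/ssl, $1/clients), users alice/bob,
# PKCS#12 password "changeit", and the openssl config written below.
set -eu

ORG="Your Organisation"   # must equal %{SSL_CLIENT_S_DN_O} in the SSLRequire line

make_vpn_pki() (
    # $1: output directory. Runs in a subshell so the cd does not leak.
    mkdir -p "$1/ca" "$1/ssl" "$1/clients" && cd "$1"
    # Minimal "openssl ca" database: needed to issue, revoke and emit a CRL.
    touch ca/index.txt; echo 1000 >ca/serial; echo 1000 >ca/crlnumber
    cat >ca/ca.cnf <<'EOF'
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ./ssl/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = vpn_policy
[ vpn_policy ]
organizationName = supplied
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Root CA. ca/ca.key stays off the proxy host; only ssl/ca.crt is deployed.
    openssl req -x509 -config ca/ca.cnf -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=$ORG/CN=VPN Root CA" -keyout ca/ca.key -out ssl/ca.crt
    # Server certificate for the vhost (SSLCertificateFile / SSLCertificateKeyFile).
    openssl req -new -config ca/ca.cnf -newkey rsa:2048 -nodes \
        -subj "/O=$ORG/CN=remote.your-domain.net" -keyout ssl/apache.key -out ca/apache.csr
    openssl ca -batch -notext -config ca/ca.cnf -extensions server_ext \
        -in ca/apache.csr -out ssl/apache.crt
    # Two client certificates; the .p12 bundle is what a user imports into a browser.
    for user in alice bob; do
        openssl req -new -config ca/ca.cnf -newkey rsa:2048 -nodes \
            -subj "/O=$ORG/CN=$user" -keyout "clients/$user.key" -out "ca/$user.csr"
        openssl ca -batch -notext -config ca/ca.cnf -extensions client_ext \
            -in "ca/$user.csr" -out "clients/$user.crt"
        openssl pkcs12 -export -in "clients/$user.crt" -inkey "clients/$user.key" \
            -certfile ssl/ca.crt -passout pass:changeit -out "clients/$user.p12"
    done
    # Revoke bob and publish the CRL that SSLCARevocationFile points at.
    openssl ca -config ca/ca.cnf -revoke clients/bob.crt
    openssl ca -config ca/ca.cnf -gencrl -out ssl/ca.crl
)

# Print the subject's O= value, i.e. what SSLRequire compares against.
cert_org() {
    openssl x509 -noout -subject -nameopt sep_multiline -in "$1" | sed -n 's/^ *O=//p'
}

# Succeed only if $2 chains to $1/ssl/ca.crt, is absent from $1/ssl/ca.crl,
# and carries the expected organisation: the same three checks the vhost makes.
cert_accepted() {
    if ! openssl verify -CAfile "$1/ssl/ca.crt" -CRLfile "$1/ssl/ca.crl" \
            -crl_check "$2" >/dev/null 2>&1; then
        return 1
    fi
    [ "$(cert_org "$2")" = "$ORG" ]
}

# Usage (assumed path):
#   make_vpn_pki /tmp/vpn-pki
#   cert_accepted /tmp/vpn-pki /tmp/vpn-pki/clients/alice.crt   # accepted
#   cert_accepted /tmp/vpn-pki /tmp/vpn-pki/clients/bob.crt     # rejected: revoked
```

Copy ssl/ca.crt, ssl/apache.crt, ssl/apache.key and ssl/ca.crl into the directory the vhost's SSL* directives reference, and keep ca/ca.key elsewhere. Each time a client is revoked, run `-gencrl` again and reload Apache, because mod_ssl reads SSLCARevocationFile when it starts rather than on every request.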
Much potential usefulness here