
Commit b9f6425

rev proxy config parameters
1 parent 06db009 commit b9f6425

2 files changed: +40 / -13 lines changed

docs/src/operations/v2.0.0-RC1/bpe-reverse-proxy/configuration.md

Lines changed: 17 additions & 7 deletions
@@ -47,16 +47,26 @@ icon: config
4747

4848
### SSL_CA_CERTIFICATE_FILE
4949
- **Required:** No
50-
- **Description:** Certificate chain file including all issuing, intermediate and root certificates used to validate client certificates, PEM encoded, sets the apache httpd parameter `SSLCACertificateFile`
51-
- **Recommendation:** Use docker secret file to configure
52-
- **Default:** `ca/client_cert_ca_chains.pem`
50+
- **Description:** Certificate chain file including all issuing, intermediate and root certificates used to validate client certificates, PEM encoded, sets the apache httpd parameter `SSLCACertificateFile`; not used by default, overrides `SSL_CA_CERTIFICATE_PATH` if not empty
51+
52+
53+
### SSL_CA_CERTIFICATE_PATH
54+
- **Required:** No
55+
- **Description:** Folder with trusted full CA chains for validating client certificates
56+
- **Recommendation:** Override default folder content via bind mount or add *.crt files to default folder via bind mount
57+
- **Default:** `ca/client_ca_chains`
5358

5459

5560
### SSL_CA_DN_REQUEST_FILE
5661
- **Required:** No
57-
- **Description:** File containing all signing certificates excepted, will be used to specify the `Acceptable client certificate CA names` send to the client, during TLS handshake, sets the apache httpd parameter `SSLCADNRequestFile`; if omitted all entries from `SSL_CA_CERTIFICATE_FILE` are used
58-
- **Recommendation:** Use docker secret file to configure
59-
- **Default:** `ca/client_cert_issuing_cas.pem`
62+
- **Description:** File containing all signing certificates excepted, will be used to specify the `Acceptable client certificate CA names` send to the client, during TLS handshake, sets the apache httpd parameter `SSLCADNRequestFile`; if omitted all entries from `SSL_CA_CERTIFICATE_FILE` are used; not used by default, overrides `SSL_CA_DN_REQUEST_PATH` if not empty
63+
64+
65+
### SSL_CA_DN_REQUEST_PATH
66+
- **Required:** No
67+
- **Description:** Folder with trusted client certificate issuing CAs, modifies the "Acceptable client certificate CA names" send to the client, uses all from `SSL_CA_CERTIFICATE_FILE` or `SSL_CA_CERTIFICATE_PATH` if not set or empty
68+
- **Recommendation:** Override default folder content via bind mount or add *.crt files to default folder via bind mount
69+
- **Default:** `ca/client_issuing_cas`
6070

6171

6272
### SSL_CERTIFICATE_CHAIN_FILE
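Review bot: The rewritten SSL_CA_CERTIFICATE_FILE entry (lines 50+ to 52+) drops its **Recommendation:** and **Default:** bullets and leaves two empty added lines where they were; since the description now says "not used by default", make that explicit with a `- **Default:** none` line (or an `- **Example:** /run/secrets/...` line) and keep the docker secret recommendation so operators still know how to supply the file. The SSL_CA_DN_REQUEST_FILE description (62+) still says "if omitted all entries from `SSL_CA_CERTIFICATE_FILE` are used", but that file is no longer set by default, so the fallback should also name `SSL_CA_CERTIFICATE_PATH`, as the SSL_CA_DN_REQUEST_PATH entry (67+) already does. For the new folder parameters (56+ and 68+): if the folder is passed to httpd as `SSLCACertificatePath`, httpd looks certificates up by hash filename, so "add *.crt files to default folder via bind mount" only works if the image rehashes the directory at startup; the docs should state which of the two applies. Minor wording in 62+ and 67+: "certificates excepted" should read "certificates accepted" and "send to the client" should read "sent to the client".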
@@ -89,7 +99,7 @@ icon: config
8999
### SSL_EXPECTED_CLIENT_I_DN_CN_VALUES
90100
- **Required:** No
91101
- **Description:** Expected client certificate issuer DN common-name `CN` values, must be a comma-separated list of strings in single quotation marks. If a client certificate from a not configured issuing ca common-name is used, the server answers with a `403 Forbidden` status code
92-
- **Default:** `'GEANT TLS ECC 1', 'HARICA OV TLS ECC', 'GEANT TLS RSA 1', 'HARICA OV TLS RSA', 'GEANT S/MIME ECC 1', 'HARICA S/MIME ECC', 'GEANT S/MIME RSA 1', 'HARICA S/MIME RSA', 'DFN-Verein Global Issuing CA', 'Fraunhofer User CA - G02', 'D-TRUST SSL Class 3 CA 1 2009', 'Sectigo RSA Organization Validation Secure Server CA', 'GEANT OV RSA CA 4', 'GEANT Personal CA 4', 'GEANT eScience Personal CA 4', 'Sectigo ECC Organization Validation Secure Server CA', 'GEANT OV ECC CA 4', 'GEANT Personal ECC CA 4', 'GEANT eScience Personal ECC CA 4', 'D-TRUST Limited Basic CA 1-2 2019', 'D-TRUST Limited Basic CA 1-3 2019'`
102+
- **Default:** `'GEANT TLS ECC 1', 'HARICA OV TLS ECC', 'GEANT TLS RSA 1', 'HARICA OV TLS RSA', 'GEANT S/MIME ECC 1', 'HARICA Client Authentication ECC', 'HARICA S/MIME ECC', 'GEANT S/MIME RSA 1', 'HARICA Client Authentication RSA', 'HARICA S/MIME RSA', 'DFN-Verein Global Issuing CA', 'Fraunhofer User CA - G02', 'D-TRUST SSL Class 3 CA 1 2009', 'Sectigo RSA Organization Validation Secure Server CA', 'GEANT OV RSA CA 4', 'GEANT Personal CA 4', 'GEANT eScience Personal CA 4', 'Sectigo ECC Organization Validation Secure Server CA', 'GEANT OV ECC CA 4', 'GEANT Personal ECC CA 4', 'GEANT eScience Personal ECC CA 4', 'D-TRUST Limited Basic CA 1-2 2019', 'D-TRUST Limited Basic CA 1-3 2019'`
93103

94104

95105
### SSL_VERIFY_CLIENT
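Review bot: The two new entries 'HARICA Client Authentication ECC' and 'HARICA Client Authentication RSA' in the default list (line 102+) widen the set of issuers whose client certificates are accepted by default, which is an access-control change rather than a documentation fix; it should be called out in the release notes, and the description could state that a CN listed here only takes effect when the matching issuing CA chain is also present via `SSL_CA_CERTIFICATE_FILE` or `SSL_CA_CERTIFICATE_PATH`, so that operators who trim the CA folder understand why a listed issuer may still be rejected.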

docs/src/operations/v2.0.0-RC1/fhir-reverse-proxy/configuration.md

Lines changed: 23 additions & 6 deletions
@@ -47,16 +47,33 @@ icon: config
4747

4848
### SSL_CA_CERTIFICATE_FILE
4949
- **Required:** No
50-
- **Description:** Certificate chain file including all issuing, intermediate and root certificates used to validate client certificates, PEM encoded, sets the apache httpd parameter `SSLCACertificateFile`
51-
- **Recommendation:** Use docker secret file to configure
52-
- **Default:** `ca/client_cert_ca_chains.pem`
50+
- **Description:** Certificate chain file including all issuing, intermediate and root certificates used to validate client certificates, PEM encoded, sets the apache httpd parameter `SSLCACertificateFile`; not used by default, overrides `SSL_CA_CERTIFICATE_PATH` if not empty
51+
52+
53+
### SSL_CA_CERTIFICATE_PATH
54+
- **Required:** No
55+
- **Description:** Folder with trusted full CA chains for validating client certificates
56+
- **Recommendation:** Override default folder content via bind mount or add *.crt files to default folder via bind mount
57+
- **Default:** `ca/client_ca_chains`
5358

5459

5560
### SSL_CA_DN_REQUEST_FILE
5661
- **Required:** No
57-
- **Description:** File containing all signing certificates excepted, will be used to specify the `Acceptable client certificate CA names` send to the client, during TLS handshake, sets the apache httpd parameter `SSLCADNRequestFile`; if omitted all entries from `SSL_CA_CERTIFICATE_FILE` are used
62+
- **Description:** File containing all signing certificates excepted, will be used to specify the `Acceptable client certificate CA names` send to the client, during TLS handshake, sets the apache httpd parameter `SSLCADNRequestFile`; if omitted all entries from `SSL_CA_CERTIFICATE_FILE` are used; not used by default, overrides `SSL_CA_DN_REQUEST_PATH` if not empty
63+
64+
65+
### SSL_CA_DN_REQUEST_PATH
66+
- **Required:** No
67+
- **Description:** Folder with trusted client certificate issuing CAs, modifies the "Acceptable client certificate CA names" send to the client, uses all from `SSL_CA_CERTIFICATE_FILE` or `SSL_CA_CERTIFICATE_PATH` if not set or empty
68+
- **Recommendation:** Override default folder content via bind mount or add *.crt files to default folder via bind mount
69+
- **Default:** `ca/client_issuing_cas`
70+
71+
72+
### SSL_CERTIFICATE_CHAIN_FILE
73+
- **Required:** No
74+
- **Description:** Certificate chain file, PEM encoded, must contain all certificates between the server certificate and the root ca certificate (excluding the root ca certificate), sets the apache httpd parameter `SSLCertificateChainFile`; can be omitted if either no chain is needed (self signed server certificate) or the file specified via `SSL_CERTIFICATE_FILE` contains the certificate chain
5875
- **Recommendation:** Use docker secret file to configure
59-
- **Default:** `ca/client_cert_issuing_cas.pem`
76+
- **Example:** `/run/secrets/ssl_certificate_chain_file.pem`
6077

6178

6279
### SSL_CERTIFICATE_CHAIN_FILE
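Review bot: This hunk documents the same parameter twice: lines 72+ to 76+ add a `### SSL_CERTIFICATE_CHAIN_FILE` heading, description and example, while the unchanged context at 62/79 shows an existing `### SSL_CERTIFICATE_CHAIN_FILE` heading immediately after it. It looks like the new block was pasted over the tail of the SSL_CA_DN_REQUEST_FILE entry, so the kept `- **Recommendation:** Use docker secret file to configure` line (58/75) now belongs to the chain file instead of the DN request file, whose own default (59-) was deleted without replacement. Suggest removing the added heading and description (72+ to 74+), moving `- **Example:** /run/secrets/ssl_certificate_chain_file.pem` into the existing section if it is wanted there, and giving SSL_CA_CERTIFICATE_FILE (50+ to 52+) and SSL_CA_DN_REQUEST_FILE (62+ to 64+) their **Recommendation:** and **Default:** lines back instead of the empty added lines. As in the description at 62+, the fallback wording still points only at `SSL_CA_CERTIFICATE_FILE`, which is no longer set by default, so `SSL_CA_CERTIFICATE_PATH` should be named as well.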
@@ -89,7 +106,7 @@ icon: config
89106
### SSL_EXPECTED_CLIENT_I_DN_CN_VALUES
90107
- **Required:** No
91108
- **Description:** Expected client certificate issuer DN common-name `CN` values, must be a comma-separated list of strings in single quotation marks. If a client certificate from a not configured issuing ca common-name is used, the server answers with a `403 Forbidden` status code
92-
- **Default:** `'GEANT TLS ECC 1', 'HARICA OV TLS ECC', 'GEANT TLS RSA 1', 'HARICA OV TLS RSA', 'GEANT S/MIME ECC 1', 'HARICA S/MIME ECC', 'GEANT S/MIME RSA 1', 'HARICA S/MIME RSA', 'DFN-Verein Global Issuing CA', 'Fraunhofer User CA - G02', 'D-TRUST SSL Class 3 CA 1 2009', 'Sectigo RSA Organization Validation Secure Server CA', 'GEANT OV RSA CA 4', 'GEANT Personal CA 4', 'GEANT eScience Personal CA 4', 'Sectigo ECC Organization Validation Secure Server CA', 'GEANT OV ECC CA 4', 'GEANT Personal ECC CA 4', 'GEANT eScience Personal ECC CA 4', 'D-TRUST Limited Basic CA 1-2 2019', 'D-TRUST Limited Basic CA 1-3 2019'`
109+
- **Default:** `'GEANT TLS ECC 1', 'HARICA OV TLS ECC', 'GEANT TLS RSA 1', 'HARICA OV TLS RSA', 'GEANT S/MIME ECC 1', 'HARICA Client Authentication ECC', 'HARICA S/MIME ECC', 'GEANT S/MIME RSA 1', 'HARICA Client Authentication RSA', 'HARICA S/MIME RSA', 'DFN-Verein Global Issuing CA', 'Fraunhofer User CA - G02', 'D-TRUST SSL Class 3 CA 1 2009', 'Sectigo RSA Organization Validation Secure Server CA', 'GEANT OV RSA CA 4', 'GEANT Personal CA 4', 'GEANT eScience Personal CA 4', 'Sectigo ECC Organization Validation Secure Server CA', 'GEANT OV ECC CA 4', 'GEANT Personal ECC CA 4', 'GEANT eScience Personal ECC CA 4', 'D-TRUST Limited Basic CA 1-2 2019', 'D-TRUST Limited Basic CA 1-3 2019'`
93110

94111

95112
### SSL_VERIFY_CLIENT
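Review bot: The default issuer CN list (line 109+) is maintained verbatim in both the bpe and fhir reverse proxy docs, so every addition such as the two HARICA Client Authentication entries here has to be made twice and the two copies can drift; consider documenting the list once and linking to it from both pages, or at least adding a comment in each file pointing at the other so future edits stay in sync.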
