Use SSO certs on jenkins
authorPeter Palfrader <peter@palfrader.org>
Sun, 11 Oct 2015 11:01:22 +0000 (13:01 +0200)
committerPeter Palfrader <peter@palfrader.org>
Sun, 11 Oct 2015 11:01:22 +0000 (13:01 +0200)
hieradata/common.yaml
modules/roles/files/jenkins/jenkins.debian.org

index 3d17021..d1e83aa 100644 (file)
@@ -110,6 +110,7 @@ roles:
   # single sign on relying party (host) - also required apache2 module enabled on that host via other means
   sso_rp:
     - diabelli.debian.org
+    - jerea.debian.org
     - nono.debian.org
     - ticharich.debian.org
   static_master:
index b5ccc6b..e8d9ebe 100644 (file)
@@ -7,6 +7,13 @@ Use common-debian-service-https-redirect * jenkins.debian.org
        Use common-debian-service-ssl jenkins.debian.org
        Use common-ssl-HSTS
 
+       SSLCACertificateFile /var/lib/dsa/sso/ca.crt
+       SSLCARevocationCheck chain
+       SSLCARevocationFile /var/lib/dsa/sso/ca.crl
+       SSLVerifyClient optional
+
+       SSLOptions +StdEnvVars
+
        <IfModule mod_userdir.c>
                UserDir disabled
        </IfModule>
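Review bot: `SSLCARevocationCheck chain` makes every client-certificate handshake depend on a usable CRL in `/var/lib/dsa/sso/ca.crl`, and nothing visible here shows how that file is refreshed or that Apache is reloaded afterwards. mod_ssl reads the CRL file when the configuration is loaded, so a regenerated CRL takes effect only after a reload. A stale CRL that has passed its nextUpdate is likely to make all SSO certificates fail verification. I would add a comment above the block such as `# ca.crl is read at (re)load only; reload apache2 whenever the SSO CRL is regenerated` and confirm that whatever distributes the file triggers that reload. Separately, `SSLOptions +StdEnvVars` at vhost scope exports the SSL variables for every request; a short comment saying that it is there for the X-Forwarded-User header further down would explain why it is not scoped more narrowly.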
@@ -14,6 +21,8 @@ Use common-debian-service-https-redirect * jenkins.debian.org
        CustomLog /var/log/apache2/jenkins.debian.org-access.log privacy
        ServerSignature On
        <IfModule mod_proxy.c>
+               RequestHeader unset X-Forwarded-User
+               RequestHeader set X-Forwarded-User "%{SSL_CLIENT_S_DN_CN}e" env=SSL_CLIENT_S_DN_CN
                <Proxy *>
                        Order deny,allow
                        Allow from all
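Review bot: The two `RequestHeader` lines turn X-Forwarded-User into the identity the proxied service will believe, but the hunk does not document the assumptions that make this safe. Unsetting the header before the conditional set is the right order, since it drops any value supplied by the client. Because the vhost uses `SSLVerifyClient optional`, requests without a certificate still reach the backend, only without the header, so the backend has to treat a missing header as anonymous. The backend must also accept connections only from this proxy, which cannot be checked from here. I would add a comment like `# backend trusts X-Forwarded-User: strip client-supplied value, set only from a verified SSO client cert CN`. The `<IfModule mod_proxy.c>` block continues past the end of the hunk.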