From: Peter Palfrader Date: Sun, 11 Oct 2015 11:01:22 +0000 (+0200) Subject: Use SSO certs on jenkins X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=32cc0ca47da8021103744f26d3ced982ea0c22ad;p=mirror%2Fdsa-puppet.git Use SSO certs on jenkins --- diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 3d1702126..d1e83aa66 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -110,6 +110,7 @@ roles: # single sign on relying party (host) - also required apache2 module enabled on that host via other means sso_rp: - diabelli.debian.org + - jerea.debian.org - nono.debian.org - ticharich.debian.org static_master: diff --git a/modules/roles/files/jenkins/jenkins.debian.org b/modules/roles/files/jenkins/jenkins.debian.org index b5ccc6b04..e8d9ebed5 100644 --- a/modules/roles/files/jenkins/jenkins.debian.org +++ b/modules/roles/files/jenkins/jenkins.debian.org @@ -7,6 +7,13 @@ Use common-debian-service-https-redirect * jenkins.debian.org Use common-debian-service-ssl jenkins.debian.org Use common-ssl-HSTS + SSLCACertificateFile /var/lib/dsa/sso/ca.crt + SSLCARevocationCheck chain + SSLCARevocationFile /var/lib/dsa/sso/ca.crl + SSLVerifyClient optional + + SSLOptions +StdEnvVars + UserDir disabled @@ -14,6 +21,8 @@ Use common-debian-service-https-redirect * jenkins.debian.org CustomLog /var/log/apache2/jenkins.debian.org-access.log privacy ServerSignature On + RequestHeader unset X-Forwarded-User + RequestHeader set X-Forwarded-User "%{SSL_CLIENT_S_DN_CN}e" env=SSL_CLIENT_S_DN_CN Order deny,allow Allow from all