From 32cc0ca47da8021103744f26d3ced982ea0c22ad Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Sun, 11 Oct 2015 13:01:22 +0200 Subject: [PATCH] Use SSO certs on jenkins --- hieradata/common.yaml | 1 + modules/roles/files/jenkins/jenkins.debian.org | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 3d1702126..d1e83aa66 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -110,6 +110,7 @@ roles: # single sign on relying party (host) - also required apache2 module enabled on that host via other means sso_rp: - diabelli.debian.org + - jerea.debian.org - nono.debian.org - ticharich.debian.org static_master: diff --git a/modules/roles/files/jenkins/jenkins.debian.org b/modules/roles/files/jenkins/jenkins.debian.org index b5ccc6b04..e8d9ebed5 100644 --- a/modules/roles/files/jenkins/jenkins.debian.org +++ b/modules/roles/files/jenkins/jenkins.debian.org @@ -7,6 +7,13 @@ Use common-debian-service-https-redirect * jenkins.debian.org Use common-debian-service-ssl jenkins.debian.org Use common-ssl-HSTS + SSLCACertificateFile /var/lib/dsa/sso/ca.crt + SSLCARevocationCheck chain + SSLCARevocationFile /var/lib/dsa/sso/ca.crl + SSLVerifyClient optional + + SSLOptions +StdEnvVars + UserDir disabled @@ -14,6 +21,8 @@ Use common-debian-service-https-redirect * jenkins.debian.org CustomLog /var/log/apache2/jenkins.debian.org-access.log privacy ServerSignature On + RequestHeader unset X-Forwarded-User + RequestHeader set X-Forwarded-User "%{SSL_CLIENT_S_DN_CN}e" env=SSL_CLIENT_S_DN_CN Order deny,allow Allow from all -- 2.20.1