From b5f1737ccb506e8180434cd13cd7a33ac9314099 Mon Sep 17 00:00:00 2001
From: Mike McLean
Date: Apr 14 2020 07:12:59 +0000
Subject: Make the docs more in line with our example configs
---
diff --git a/docs/source/server_howto.rst b/docs/source/server_howto.rst
index 1b13d4d..4b02695 100644
--- a/docs/source/server_howto.rst
+++ b/docs/source/server_howto.rst
@@ -679,23 +679,38 @@ The koji-hub package provides this configuration file. You will need to modify it based on your authentication type. Instructions are contained within the file and should be simple to follow. +For example, if you are using SSL authentication, you will want to uncomment +the section that looks like this: + +:: + + # uncomment this to enable authentication via SSL client certificates + # + # SSLVerifyClient require + # SSLVerifyDepth 10 + # SSLOptions +StdEnvVars + # + + /etc/httpd/conf.d/ssl.conf ^^^^^^^^^^^^^^^^^^^^^^^^^^ -If using SSL you will also need to add the needed SSL options for apache. These -options should point to where the certificates are located on the hub. +If you are configuring your server for httpd (and you really should), then your +``SSLCertificate*`` directives will generally live in the main ``ssl.conf`` file. +This part is mostly independent of Koji. +It's something you would do for any httpd instance. + +The part that matters to Koji is this -- +if you are using SSL authentication, then the CA certificate you configure +here should be the same one that you use to issue user certificates. :: - - SSLCertificateFile /etc/pki/koji/certs/kojihub.crt - SSLCertificateKeyFile /etc/pki/koji/private/kojihub.key - SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crt - SSLCACertificateFile /etc/pki/koji/koji_ca_cert.crt - SSLVerifyClient require - SSLVerifyDepth 10 - SSLOptions +StdEnvVars - + SSLCertificateFile /etc/pki/koji/certs/kojihub.crt + SSLCertificateKeyFile /etc/pki/koji/private/kojihub.key + SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crt + SSLCACertificateFile /etc/pki/koji/koji_ca_cert.crt + /etc/koji-hub/hub.conf ^^^^^^^^^^^^^^^^^^^^^^ 
@@ -894,18 +909,37 @@ The koji-web package provides this configuration file. You will need to modify it based on your authentication type. Instructions are contained within the file and should be simple to follow. +For example, if you are using SSL authentication, you would want to uncomment +the section that looks like this: + +:: + + # uncomment this to enable authentication via SSL client certificates + # + # SSLVerifyClient require + # SSLVerifyDepth 10 + # SSLOptions +StdEnvVars + # + + /etc/httpd/conf.d/ssl.conf ^^^^^^^^^^^^^^^^^^^^^^^^^^ -If you are using SSL you will need to add the needed SSL options for apache. +Similarly to the hub configuration, if you are using https (as you should), +then you will need to configure your certificates. +This is something you might do for any httpd instance and is mostly independent +of Koji + +If you are using SSL authentication, then the CA certificate you configure +here should be the same one that you use to issue user certificates. :: - - SSLVerifyClient require - SSLVerifyDepth 10 - SSLOptions +StdEnvVars - + SSLCertificateFile /etc/pki/koji/certs/kojihub.crt + SSLCertificateKeyFile /etc/pki/koji/private/kojihub.key + SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crt + SSLCACertificateFile /etc/pki/koji/koji_ca_cert.crt + /etc/kojiweb/web.conf ^^^^^^^^^^^^^^^^^^^^^