From: Alex Dehnert <alex@dehnerts.com>
Date: Fri, 9 Jul 2021 00:22:40 +0000 (-0400)
Subject: SquaresDB: Apparently I can check peer name
X-Git-Url: https://dehnerts.com/gitweb/?a=commitdiff_plain;h=7cc6042d049258fbea44d290a0d922b43f610bf0;p=sysconfig%2Fapache2.git

SquaresDB: Apparently I can check peer name

I'm guessing that by passing ProxyPreserveHost, I make it accept
squaresdb.dehnerts.com in the cert? In any case, it seems to work now.
---

diff --git a/sites-available/mit-proxy.conf b/sites-available/mit-proxy.conf
index b3d06f6..7da8eb2 100644
--- a/sites-available/mit-proxy.conf
+++ b/sites-available/mit-proxy.conf
@@ -17,9 +17,7 @@
     SSLProxyVerify require
     SSLProxyVerifyDepth 2
     SSLProxyCACertificatePath /etc/ssl/certs
-    # Really I want to validate that the name matches squaresdb.dehnerts.com,
-    # but apparently that's not a thing, AFAICT.
-    SSLProxyCheckPeerName off
+    SSLProxyCheckPeerName on
     ProxyPass "/"  "https://squaresdb.lushan-vms.dehnerts.com/"
     ProxyPassReverse "/"  "https://squaresdb.lushan-vms.dehnerts.com/"
     ProxyPreserveHost on