From: Alex Dehnert <alex@dehnerts.com>
Date: Fri, 9 Jul 2021 00:10:20 +0000 (-0400)
Subject: SquaresDB: At least verify the CA is valid
X-Git-Url: https://dehnerts.com/gitweb/?a=commitdiff_plain;h=9aa0f02267fd65d712ba8b7bbfafd600a1ba68af;hp=4991f62736b41100f51ec24844e539aeb52eb1b7;p=sysconfig%2Fapache2.git

SquaresDB: At least verify the CA is valid

Without checking the name, this is fairly worthless, but at least if we enable
name checking the rest will work already.
---

diff --git a/sites-available/mit-proxy.conf b/sites-available/mit-proxy.conf
index b6cd081..b3d06f6 100644
--- a/sites-available/mit-proxy.conf
+++ b/sites-available/mit-proxy.conf
@@ -14,6 +14,9 @@
 <VirtualHost *:443>
     ServerName squaresdb.dehnerts.com
     SSLProxyEngine on
+    SSLProxyVerify require
+    SSLProxyVerifyDepth 2
+    SSLProxyCACertificatePath /etc/ssl/certs
     # Really I want to validate that the name matches squaresdb.dehnerts.com,
     # but apparently that's not a thing, AFAICT.
     SSLProxyCheckPeerName off