From 9aa0f02267fd65d712ba8b7bbfafd600a1ba68af Mon Sep 17 00:00:00 2001
From: Alex Dehnert
Date: Thu, 8 Jul 2021 20:10:20 -0400
Subject: [PATCH] SquaresDB: At least verify the CA is valid

Without checking the name, this is fairly worthless, but at least if we enable name checking the rest will work already.
---
 sites-available/mit-proxy.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sites-available/mit-proxy.conf b/sites-available/mit-proxy.conf
index b6cd081..b3d06f6 100644
--- a/sites-available/mit-proxy.conf
+++ b/sites-available/mit-proxy.conf
@@ -14,6 +14,9 @@
  ServerName squaresdb.dehnerts.com
  SSLProxyEngine on
+ SSLProxyVerify require
+ SSLProxyVerifyDepth 2
+ SSLProxyCACertificatePath /etc/ssl/certs
  # Really I want to validate that the name matches squaresdb.dehnerts.com,
  # but apparently that's not a thing, AFAICT.
  SSLProxyCheckPeerName off
-- 
2.34.1
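Review bot: `SSLProxyCACertificatePath /etc/ssl/certs` trusts every CA in the system store, and with `SSLProxyCheckPeerName off` still in the trailing context, a certificate issued by any of them for any hostname satisfies `SSLProxyVerify require`. Until name checking is on, trust can be narrowed to the one CA that issues the backend's certificate, e.g. `SSLProxyCACertificateFile /path/to/backend-issuing-ca.pem` (placeholder path) in place of the directory. The mod_ssl documentation describes `SSLProxyCheckPeerName on` as matching the certificate's subjectAltName/CN against the host name of the proxied request URI, so it is worth retesting with the proxy target written as `https://squaresdb.dehnerts.com/`. The ProxyPass line is outside this hunk, so whether it already uses that name cannot be confirmed from here. A short comment on why `SSLProxyVerifyDepth 2` was chosen would also help, since a backend chain with more intermediates than that would fail verification.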