mod_auth_mellon needs to be in a VirtualHost so that UseCanonicalName works correctly to generate the redirect_to urls behind our reverseproxy.

roles/pdc/frontend/templates/pdc.conf

@@ -9,83 +9,89 @@ WSGIPythonOptimize 1
 
 WSGIScriptAlias /  /usr/lib/python2.7/site-packages/pdc/wsgi.py
 
-RewriteEngine on
-# First try to find the files in pdc
-RewriteCond "/usr/lib/python2.7/site-packages/pdc/static/$1" -f
-RewriteRule "^/static/(.*)" "/usr/lib/python2.7/site-packages/pdc/static/$1" [L]
-# Try to find them in the patternfly files
-RewriteRule "^/static/(.*)" "/usr/share/patternfly1/resources/$1" [L]
 
-<Location "/">
+<VirtualHost *:80>
-    SetHandler wsgi-script
+    ServerName https://pdc.stg.fedoraproject.org
+    UseCanonicalName on
 
-    LimitRequestBody 256000000
+    RewriteEngine on
-    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
+    # First try to find the files in pdc
-    Require all granted
+    RewriteCond "/usr/lib/python2.7/site-packages/pdc/static/$1" -f
-    MellonEnable "info"
+    RewriteRule "^/static/(.*)" "/usr/lib/python2.7/site-packages/pdc/static/$1" [L]
-    MellonSPPrivateKeyFile "/etc/httpd/saml2/certificate.key"
+    # Try to find them in the patternfly files
-    MellonSPCertFile "/etc/httpd/saml2/certificate.pem"
+    RewriteRule "^/static/(.*)" "/usr/share/patternfly1/resources/$1" [L]
-    MellonSPMetadataFile "/etc/httpd/saml2/metadata.xml"
-    MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
-    MellonEndpointPath /saml2
-    MellonVariable "saml-sesion-cookie"
 
-    MellonUser "NAME_ID"
+    <Location "/">
-    MellonIdP "IDP"
+        SetHandler wsgi-script
-    MellonSessionLength 3600
-    # MellonNoCookieErrorPage "https://idp.example.com/no-cookie-error.html"
-    # MellonPostDirectory "/var/lib/ipsilon/post_cache"
-    # MellonPostReplay On
-</Location>
 
-<Location /auth/saml2login>
+        LimitRequestBody 256000000
-    WSGIProcessGroup pdc
+        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
-    MellonEnable "auth"
+        Require all granted
-    Header append Cache-Control "no-cache"
+        MellonEnable "info"
-</Location>
+        MellonSPPrivateKeyFile "/etc/httpd/saml2/certificate.key"
+        MellonSPCertFile "/etc/httpd/saml2/certificate.pem"
+        MellonSPMetadataFile "/etc/httpd/saml2/metadata.xml"
+        MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
+        MellonEndpointPath /saml2
+        MellonVariable "saml-sesion-cookie"
+
+        MellonUser "NAME_ID"
+        MellonIdP "IDP"
+        MellonSessionLength 3600
+        # MellonNoCookieErrorPage "https://idp.example.com/no-cookie-error.html"
+        # MellonPostDirectory "/var/lib/ipsilon/post_cache"
+        # MellonPostReplay On
+    </Location>
+
+    <Location /auth/saml2login>
+        WSGIProcessGroup pdc
+        MellonEnable "auth"
+        Header append Cache-Control "no-cache"
+    </Location>
 
 
-WSGIPassAuthorization On
+    WSGIPassAuthorization On
-<Location /rest_api/v1/auth/token>
+    <Location /rest_api/v1/auth/token>
-    WSGIProcessGroup pdc
+        WSGIProcessGroup pdc
-</Location>
+    </Location>
 
-<Location "/static">
+    <Location "/static">
-    SetHandler None
+        SetHandler None
 
-    # Disable auth on the static content, so that we're aren't forced to
+        # Disable auth on the static content, so that we're aren't forced to
-    # use Kerberos.  Doing so would remove "Expires" headers from the static
+        # use Kerberos.  Doing so would remove "Expires" headers from the static
-    # content, which would lead to poor page-load times.
+        # content, which would lead to poor page-load times.
-    AuthType none
+        AuthType none
-    Satisfy Any
+        Satisfy Any
-    Require all granted
+        Require all granted
 
-    # Many file types are likely to benefit from compression
+        # Many file types are likely to benefit from compression
-    # Enable gzip compression on them:
+        # Enable gzip compression on them:
-    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
+        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
 
-    # Set far-future Expires headers on static content
+        # Set far-future Expires headers on static content
-    # (trac 184):
+        # (trac 184):
-    ExpiresActive On
+        ExpiresActive On
-    ExpiresDefault "access plus 10 years"
+        ExpiresDefault "access plus 10 years"
-</Location>
+    </Location>
 
-<Location "/docs">
+    <Location "/docs">
-    SetHandler None
+        SetHandler None
 
-    # Disable auth on the static content, so that we're aren't forced to
+        # Disable auth on the static content, so that we're aren't forced to
-    # use Kerberos.  Doing so would remove "Expires" headers from the static
+        # use Kerberos.  Doing so would remove "Expires" headers from the static
-    # content, which would lead to poor page-load times.
+        # content, which would lead to poor page-load times.
-    AuthType none
+        AuthType none
-    Satisfy Any
+        Satisfy Any
-    Require all granted
+        Require all granted
 
-    # Many file types are likely to benefit from compression
+        # Many file types are likely to benefit from compression
-    # Enable gzip compression on them:
+        # Enable gzip compression on them:
-    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
+        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
 
-    # Set far-future Expires headers on static content
+        # Set far-future Expires headers on static content
-    # (trac 184):
+        # (trac 184):
-    ExpiresActive On
+        ExpiresActive On
-    ExpiresDefault "access plus 2 weeks"
+        ExpiresDefault "access plus 2 weeks"
-</Location>
+    </Location>
+</VirtualHost>

roles/pdc/frontend/templates/raw

@@ -0,0 +1,97 @@
+Alias /docs/ /usr/share/doc/pdc/docs/build/html/
+Alias /saml2protected /usr/share/ipsilon/ui/saml2sp
+
+WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-name=pdc processes=2 threads=2
+WSGISocketPrefix run/wsgi
+WSGIRestrictStdout On
+WSGIRestrictSignal Off
+WSGIPythonOptimize 1
+
+WSGIScriptAlias /  /usr/lib/python2.7/site-packages/pdc/wsgi.py
+
+
+<VirtualHost *:80>
+    ServerName https://pdc.stg.fedoraproject.org
+    UseCanonicalName on
+
+    RewriteEngine on
+    # First try to find the files in pdc
+    RewriteCond "/usr/lib/python2.7/site-packages/pdc/static/$1" -f
+    RewriteRule "^/static/(.*)" "/usr/lib/python2.7/site-packages/pdc/static/$1" [L]
+    # Try to find them in the patternfly files
+    RewriteRule "^/static/(.*)" "/usr/share/patternfly1/resources/$1" [L]
+    
+    <Location "/">
+        SetHandler wsgi-script
+    
+        LimitRequestBody 256000000
+        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
+        Require all granted
+        MellonEnable "info"
+        MellonSPPrivateKeyFile "/etc/httpd/saml2/certificate.key"
+        MellonSPCertFile "/etc/httpd/saml2/certificate.pem"
+        MellonSPMetadataFile "/etc/httpd/saml2/metadata.xml"
+        MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
+        MellonEndpointPath /saml2
+        MellonVariable "saml-sesion-cookie"
+    
+        MellonUser "NAME_ID"
+        MellonIdP "IDP"
+        MellonSessionLength 3600
+        # MellonNoCookieErrorPage "https://idp.example.com/no-cookie-error.html"
+        # MellonPostDirectory "/var/lib/ipsilon/post_cache"
+        # MellonPostReplay On
+    </Location>
+    
+    <Location /auth/saml2login>
+        WSGIProcessGroup pdc
+        MellonEnable "auth"
+        Header append Cache-Control "no-cache"
+    </Location>
+    
+    
+    WSGIPassAuthorization On
+    <Location /rest_api/v1/auth/token>
+        WSGIProcessGroup pdc
+    </Location>
+    
+    <Location "/static">
+        SetHandler None
+    
+        # Disable auth on the static content, so that we're aren't forced to
+        # use Kerberos.  Doing so would remove "Expires" headers from the static
+        # content, which would lead to poor page-load times.
+        AuthType none
+        Satisfy Any
+        Require all granted
+    
+        # Many file types are likely to benefit from compression
+        # Enable gzip compression on them:
+        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
+    
+        # Set far-future Expires headers on static content
+        # (trac 184):
+        ExpiresActive On
+        ExpiresDefault "access plus 10 years"
+    </Location>
+    
+    <Location "/docs">
+        SetHandler None
+    
+        # Disable auth on the static content, so that we're aren't forced to
+        # use Kerberos.  Doing so would remove "Expires" headers from the static
+        # content, which would lead to poor page-load times.
+        AuthType none
+        Satisfy Any
+        Require all granted
+    
+        # Many file types are likely to benefit from compression
+        # Enable gzip compression on them:
+        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
+    
+        # Set far-future Expires headers on static content
+        # (trac 184):
+        ExpiresActive On
+        ExpiresDefault "access plus 2 weeks"
+    </Location>
+</VirtualHost>