Adjust the apache configuration for pdc

- Make it https by default - Make it use saml for login
2015-09-30 15:30:27 +02:00 · 2015-09-30 15:30:27 +02:00 · d8cf9c9166
commit d8cf9c9166
parent 9204b67642
1 changed files with 37 additions and 2 deletions
--- a/roles/pdc/templates/pdc.conf
+++ b/roles/pdc/templates/pdc.conf
@ -2,13 +2,28 @@ WSGISocketPrefix /var/run/wsgi
 WSGIPythonOptimize 1
 WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-name=pdc processes=2 threads=1 shutdown-timeout=10

-<VirtualHost {{ hostname }}:80>
+<VirtualHost *:80>
+  ServerName {{ hostname }}
+  Redirect permanent / https://{{ hostname }}/
+</VirtualHost>
+
+
+<VirtualHost *:443>
    ServerName {{ hostname }}

    CustomLog /var/log/httpd/pdc-access.log combined
    ErrorLog /var/log/httpd/pdc-error.log

+    SSLEngine on
+    SSLProtocol all -SSLv2 -SSLv3
+    # Use secure TLSv1.1 and TLSv1.2 ciphers
+    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+
+    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
    Alias /docs/ /usr/share/doc/pdc/docs/build/html/
+    Alias /saml2protected /usr/share/ipsilon/ui/saml2sp

    # Using SetEnv here will not work as expected as it does not change
    # os.environ in the application itself. For more details see:
@ -26,16 +41,35 @@ WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-nam
    # Try to find them in the patternfly files
    RewriteRule "^/static/(.*)" "/usr/share/patternfly1/resources/$1" [L]

+
    <Location "/">
        SetHandler wsgi-script

        LimitRequestBody 31457280
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
        Require all granted
+        MellonEnable "info"
+        MellonSPPrivateKeyFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/pdc.fedorainfracloud.org.key"
+        MellonSPCertFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/pdc.fedorainfracloud.org.pem"
+        MellonSPMetadataFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/metadata.xml"
+        MellonIdPMetadataFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/idp-metadata.xml"
+        MellonEndpointPath /saml2
+        MellonVariable "saml-sesion-cookie"
+        # Comment out the next two lines if you want to allow logins on bare HTTP
+        MellonsecureCookie On
+        SSLRequireSSL
+        MellonUser "NAME_ID"
+        MellonIdP "IDP"
+        MellonSessionLength 3600
+        # MellonNoCookieErrorPage "https://idp.example.com/no-cookie-error.html"
+        # MellonPostDirectory "/var/lib/ipsilon/post_cache"
+        # MellonPostReplay On
    </Location>

-    <Location /auth/krb5login>
+    <Location /auth/saml2login>
        WSGIProcessGroup pdc
+        MellonEnable "auth"
+        Header append Cache-Control "no-cache"

        ## Kerberos authentication:
        #AuthType Kerberos
@ -51,6 +85,7 @@ WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-nam
        #Require valid-user
    </Location>

+
    WSGIPassAuthorization On
    <Location /rest_api/v1/auth/token>
        WSGIProcessGroup pdc