Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Adjust the apache configuration for pdc

Browse source 
- Make it https by default
- Make it use saml for login
This commit is contained in:
Pierre-Yves Chibon 2015-09-30 15:30:27 +02:00
parent 9204b67642
commit d8cf9c9166
1 changed files with 37 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

39
roles/pdc/templates/pdc.conf
View file

@ -2,13 +2,28 @@ WSGISocketPrefix /var/run/wsgi
WSGIPythonOptimize 1 WSGIPythonOptimize 1
WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-name=pdc processes=2 threads=1 shutdown-timeout=10 WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-name=pdc processes=2 threads=1 shutdown-timeout=10
<VirtualHost {{ hostname }}:80> <VirtualHost *:80>
ServerName {{ hostname }}
Redirect permanent / https://{{ hostname }}/
</VirtualHost>
<VirtualHost *:443>
ServerName {{ hostname }} ServerName {{ hostname }}
CustomLog /var/log/httpd/pdc-access.log combined CustomLog /var/log/httpd/pdc-access.log combined
ErrorLog /var/log/httpd/pdc-error.log ErrorLog /var/log/httpd/pdc-error.log
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
# Use secure TLSv1.1 and TLSv1.2 ciphers
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Alias /docs/ /usr/share/doc/pdc/docs/build/html/ Alias /docs/ /usr/share/doc/pdc/docs/build/html/
Alias /saml2protected /usr/share/ipsilon/ui/saml2sp
# Using SetEnv here will not work as expected as it does not change # Using SetEnv here will not work as expected as it does not change
# os.environ in the application itself. For more details see: # os.environ in the application itself. For more details see:
@ -26,16 +41,35 @@ WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-nam
# Try to find them in the patternfly files # Try to find them in the patternfly files
RewriteRule "^/static/(.*)" "/usr/share/patternfly1/resources/$1" [L] RewriteRule "^/static/(.*)" "/usr/share/patternfly1/resources/$1" [L]
<Location "/"> <Location "/">
SetHandler wsgi-script SetHandler wsgi-script
LimitRequestBody 31457280 LimitRequestBody 31457280
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
Require all granted Require all granted
MellonEnable "info"
MellonSPPrivateKeyFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/pdc.fedorainfracloud.org.key"
MellonSPCertFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/pdc.fedorainfracloud.org.pem"
MellonSPMetadataFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/metadata.xml"
MellonIdPMetadataFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/idp-metadata.xml"
MellonEndpointPath /saml2
MellonVariable "saml-sesion-cookie"
# Comment out the next two lines if you want to allow logins on bare HTTP
MellonsecureCookie On
SSLRequireSSL
MellonUser "NAME_ID"
MellonIdP "IDP"
MellonSessionLength 3600
# MellonNoCookieErrorPage "https://idp.example.com/no-cookie-error.html"
# MellonPostDirectory "/var/lib/ipsilon/post_cache"
# MellonPostReplay On
</Location> </Location>
<Location /auth/krb5login> <Location /auth/saml2login>
WSGIProcessGroup pdc WSGIProcessGroup pdc
MellonEnable "auth"
Header append Cache-Control "no-cache"
## Kerberos authentication: ## Kerberos authentication:
#AuthType Kerberos #AuthType Kerberos
@ -51,6 +85,7 @@ WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-nam
#Require valid-user #Require valid-user
</Location> </Location>
WSGIPassAuthorization On WSGIPassAuthorization On
<Location /rest_api/v1/auth/token> <Location /rest_api/v1/auth/token>
WSGIProcessGroup pdc WSGIProcessGroup pdc