94 lines
2.9 KiB
Django/Jinja
94 lines
2.9 KiB
Django/Jinja
RewriteEngine on
|
|
RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
|
|
#Alias /ui /usr/share/ipsilon/ui
|
|
Alias /ui /usr/share/ipsilon/themes/Fedora
|
|
Alias /.well-known /var/lib/ipsilon/root/public/well-known
|
|
Alias /cache /var/cache/ipsilon
|
|
Redirect /.well-known/webfinger /webfinger
|
|
|
|
# This is for mapping $username.id.fp.o -> id.fp.o/id/$username
|
|
RewriteEngine on
|
|
RewriteMap lowercase int:tolower
|
|
{% if env == "staging" %}
|
|
RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9_\.-]+\.id\.stg\.fedoraproject\.org$
|
|
RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
|
|
RewriteRule ^([a-z0-9_\.-]+)\.id\.stg\.fedoraproject\.org/.* /openid/id/$1/ [PT]
|
|
{% else %}
|
|
RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9_\.-]+\.id\.fedoraproject\.org$
|
|
RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
|
|
RewriteRule ^([a-z0-9_\.-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT]
|
|
{% endif %}
|
|
|
|
|
|
WSGIScriptAlias / /usr/libexec/ipsilon/ipsilon
|
|
WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon/root display-name=ipsilon processes=6 threads=2 maximum-requests=1000
|
|
WSGISocketPrefix run/wsgi
|
|
#WSGIRestrictStdout Off
|
|
#WSGIRestrictSignal Off
|
|
# This header is required to be passed for OIDC client_secret_basic
|
|
WSGIPassAuthorization On
|
|
# Without this, getting the private key in jwcrypto/jwk.py, line 430, fails
|
|
# Fix from https://github.com/pyca/cryptography/issues/2299#issuecomment-197075190
|
|
WSGIApplicationGroup %{GLOBAL}
|
|
|
|
|
|
<Location />
|
|
WSGIProcessGroup ipsilon
|
|
</Location>
|
|
|
|
<Directory /usr/libexec/ipsilon>
|
|
Require all granted
|
|
</Directory>
|
|
|
|
<Directory /usr/share/ipsilon>
|
|
Options +SymLinksIfOwnerMatch
|
|
Require all granted
|
|
</Directory>
|
|
|
|
<Directory /var/lib/ipsilon/root/public/well-known>
|
|
Require all granted
|
|
</Directory>
|
|
|
|
<Location /openidc/>
|
|
Header set Access-Control-Allow-Origin "*"
|
|
</Location>
|
|
|
|
<Location /.well-known/browserid>
|
|
ForceType application/json
|
|
</Location>
|
|
|
|
<Location /login/gssapi/negotiate>
|
|
AuthName "GSSAPI Single Sign On Login"
|
|
GssapiCredStore keytab:/etc/krb5.HTTP_id{{ env_suffix }}.fedoraproject.org.keytab
|
|
AuthType GSSAPI
|
|
# This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
|
|
GssapiSSLonly Off
|
|
GssapiLocalName on
|
|
Require valid-user
|
|
ErrorDocument 401 /login/gssapi/unauthorized
|
|
ErrorDocument 500 /login/gssapi/failed
|
|
</Location>
|
|
|
|
LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
|
|
LoadModule authnz_pam_module modules/mod_authnz_pam.so
|
|
|
|
<Location /login/form>
|
|
InterceptFormPAMService ipsilon
|
|
InterceptFormLogin login_name
|
|
InterceptFormPassword login_password
|
|
# InterceptFormLoginSkip admin
|
|
# InterceptFormClearRemoteUserForSkipped on
|
|
InterceptFormPasswordRedact on
|
|
</Location>
|
|
|
|
<Directory "/var/cache/ipsilon">
|
|
SetHandler None
|
|
AllowOverride None
|
|
<IfModule mod_authz_core.c>
|
|
Require all granted
|
|
</IfModule>
|
|
<IfModule !mod_authz_core.c>
|
|
Order Allow,Deny
|
|
Allow from All
|
|
</IfModule>
|
|
</Directory>
|