Redirect users when they don't use the FQDN on both SSL and non-SSL ports

We update the mod_nss configuration (nss.conf) during installation to include ipa-rewrite.conf to handle the SSL side. 433054
2025-02-25 18:55:28 -06:00 · 2008-02-21 16:25:09 -05:00
parent 84d1e08d76
commit 49148dc34a
6 changed files with 37 additions and 16 deletions
--- a/ipa-server/ipa-server.spec
+++ b/ipa-server/ipa-server.spec
@@ -1,6 +1,6 @@
 Name:           ipa-server
 Version:        0.99.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        IPA authentication server

 Group:          System Environment/Base
@@ -129,6 +129,7 @@ fi
 %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
 %{_usr}/share/ipa/ipa_webgui.cfg
 %{_usr}/share/ipa/ipa.conf
+%{_usr}/share/ipa/ipa-rewrite.conf
 %dir %{_usr}/share/ipa/ipagui
 %{_usr}/share/ipa/ipagui/*
 %dir %{_usr}/share/ipa/ipa_gui.egg-info
@@ -150,6 +151,9 @@ fi
 %attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions

 %changelog
+* Thu Feb 21 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-2
+- package new file ipa-rewrite.conf
+
 * Thu Feb 21 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-1
 - Version bump for release

--- a/ipa-server/ipa-server.spec.in
+++ b/ipa-server/ipa-server.spec.in
@@ -1,6 +1,6 @@
 Name:           ipa-server
 Version:        VERSION
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        IPA authentication server

 Group:          System Environment/Base
@@ -129,6 +129,7 @@ fi
 %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
 %{_usr}/share/ipa/ipa_webgui.cfg
 %{_usr}/share/ipa/ipa.conf
+%{_usr}/share/ipa/ipa-rewrite.conf
 %dir %{_usr}/share/ipa/ipagui
 %{_usr}/share/ipa/ipagui/*
 %dir %{_usr}/share/ipa/ipa_gui.egg-info
@@ -150,6 +151,9 @@ fi
 %attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions

 %changelog
+* Thu Feb 21 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-2
+- package new file ipa-rewrite.conf
+
 * Thu Feb 21 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-1
 - Version bump for release

--- a/ipa-server/ipaserver/httpinstance.py
+++ b/ipa-server/ipaserver/httpinstance.py
@@ -64,6 +64,7 @@ class HTTPInstance(service.Service):
        
        self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
        self.step("Setting mod_nss port to 443", self.__set_mod_nss_port)
+        self.step("Adding URL rewriting rules", self.__add_include)
        self.step("configuring httpd", self.__configure_http)
        self.step("creating a keytab for httpd", self.__create_http_keytab)
        self.step("Setting up ssl", self.__setup_ssl)
@@ -122,8 +123,13 @@ class HTTPInstance(service.Service):
        sysrestore.backup_file("/etc/httpd/conf.d/ipa.conf")
        http_fd = open("/etc/httpd/conf.d/ipa.conf", "w")
        http_fd.write(http_txt)
-        http_fd.close()                
+        http_fd.close()

+        http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa-rewrite.conf", self.sub_dict)
+        sysrestore.backup_file("/etc/httpd/conf.d/ipa-rewrite.conf")
+        http_fd = open("/etc/httpd/conf.d/ipa-rewrite.conf", "w")
+        http_fd.write(http_txt)
+        http_fd.close()

    def __disable_mod_ssl(self):
        if os.path.exists(SSL_CONF):
@@ -133,7 +139,12 @@ class HTTPInstance(service.Service):
    def __set_mod_nss_port(self):
        sysrestore.backup_file(NSS_CONF)
        if installutils.update_file(NSS_CONF, '8443', '443') != 0:
-            print "Updating %s failed." % NSS_CONF
+            print "Updating port in %s failed." % NSS_CONF
+
+    def __add_include(self):
+        """This should run after __set_mod_nss_port so is already backed up"""
+        if installutils.update_file(NSS_CONF, '</VirtualHost>', 'Include conf.d/ipa-rewrite.conf\n</VirtualHost>') != 0:
+            print "Adding Include conf.d/ipa-rewrite to %s failed." % NSS_CONF

    def __setup_ssl(self):
        ds_ca = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(self.realm)))
--- a/ipa-server/xmlrpc-server/Makefile.am
+++ b/ipa-server/xmlrpc-server/Makefile.am
@@ -24,6 +24,7 @@ server_PYTHON =			\
 appdir = $(IPA_DATA_DIR)
 app_DATA =			\
 	ipa.conf		\
+	ipa-rewrite.conf	\
 	$(NULL)

 EXTRA_DIST =			\
--- a/ipa-server/xmlrpc-server/ipa-rewrite.conf
+++ b/ipa-server/xmlrpc-server/ipa-rewrite.conf
@@ -0,0 +1,12 @@
+RewriteEngine on
+
+# Redirect to the fully-qualified hostname. Not redirecting to secure
+# port so configuration files can be retrieved without requiring SSL.
+RewriteCond %{HTTP_HOST}    !^$FQDN$$ [NC]
+RewriteRule ^/(.*)          http://$FQDN/$$1 [L,R=301]
+
+# Redirect to the secure port if not displaying an error or retrieving
+# configuration.
+RewriteCond %{SERVER_PORT}  !^443$$
+RewriteCond %{REQUEST_URI}  !^/(errors|config|favicon.ico)
+RewriteRule ^/(.*)          https://$FQDN/$$1 [L,R=301,NC]
--- a/ipa-server/xmlrpc-server/ipa.conf
+++ b/ipa-server/xmlrpc-server/ipa.conf
@@ -2,18 +2,7 @@

 ProxyRequests Off

-RewriteEngine on
-
-# Redirect to the fully-qualified hostname. Not redirecting to secure
-# port so configuration files can be retrieved without requiring SSL.
-RewriteCond %{HTTP_HOST}    !^$FQDN$$ [NC]
-RewriteRule ^/(.*)          http://$FQDN/$$1 [L,R=301]
-
-# Redirect to the secure port if not displaying an error or retrieving
-# configuration.
-RewriteCond %{SERVER_PORT}  !^443$$
-RewriteCond %{REQUEST_URI}  !^/(errors|config|favicon.ico)
-RewriteRule ^/(.*)          https://$FQDN/$$1 [L,R=301,NC]
+# ipa-rewrite.conf is loaded separately

 # This is required so the auto-configuration works with Firefox 2+
 AddType application/java-archive        jar