Commit Graph

12 Commits

Author SHA1 Message Date
Christian Heimes
931d92d353 Better mod_wsgi configuration
* Remove WSGIImportScript
* Configure process-group in WSGIScriptAlias
* Run WSGI app in main interpreter of daemon script

See: https://github.com/GrahamDumpleton/mod_wsgi/issues/642#issuecomment-749498828
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-04-07 11:43:23 +03:00
Alexander Bokovoy
ee7dfc3d29 Allow mod_auth_gssapi to create and access ccaches in /run/ipa/ccaches
With commit c6644b8566 we default to
create unique credential caches in /run/ipa/ccaches for every client
that connects to IPA with a new session. On F34, mod_auth_gssapi process
running as 'apache' cannot create the ccache in /run/ipa/ccaches because
it has no access rights.

The core of the problem is that we have two different paths to obtaining
a ccache: one where 'apache' running httpd process creates it directly
and one where an internal redirect from 'ipaapi' running httpd process
is happening.

Use SUID and SGID to 'ipaapi'/'ipaapi' and allow 'apache' group to write
to '/run/ipa/ccaches'. This fixes the problem.

Note that we cannot completely remove 'GssapiDelegCcachePerms'. If we'd
do so, mod_auth_gssapi will do redirects and fail.

Fixes: https://pagure.io/freeipa/issue/8613

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-12-10 13:47:16 +02:00
Rob Crittenden
c6644b8566 Generate a unique cache for each connection
Rather than having a shared ccache per user, configure
mod_auth_gssapi to create a unique one. This requires cleanup
to remove expired caches. A new script is added,
ipa-ccache-sweeper to do this. It will be invoked by a
new service, ipa-ccache-sweep, which will be executed every
12 hours by an equally-named timer.

https://pagure.io/freeipa/issue/8589

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-03 16:57:01 -05:00
Christian Heimes
2bfe5ff689 Use httpd 2.4 syntax for access control
The httpd options Allow, Deny, Order, and Satisfy are deprecated in
Apache httpd 2.4. These options are provided by the mod_access_compat
module and should no longer be used.

Replace "Allow from all" with "Require all granted".

Removal of "Satisfy Any" needs more investigation.

See: httpd.apache.org/docs/2.4/upgrading.html
See: httpd.apache.org/docs/2.4/mod/mod_access_compat.html
Fixes: pagure.io/freeipa/issue/8305
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-05-07 11:00:55 -04:00
Christian Heimes
da2cf1c513 Debian: Add paths for open-sans and font-awesome
Debian has different paths and path suffix for font-awesome. Let's have
explicit paths for all our fonts.

Co-authored-by: Timo Aaltonen <tjaalton@debian.org>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
sudharsanomprakash
0c0a392dd0 Don't use deprecated Apache Access options.
httpd-2.4+ has deprecated the Order, Allow and Deny directives. Use the Require directive instead.

Signed-off-by: Sudharsan Omprakash <sudharsan.omprakash@yahoo.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-15 17:52:10 -05:00
Stanislav Levin
86b57236c0 Disable authentication to endpoint for serving i18n requests
For now JSON service is not available without authentication
to IPA. But some of Web UI pages expect translations before
or without Login process.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-07-17 15:32:28 -04:00
Christian Heimes
f1d5ab3a03 Increase WSGI process count to 5 on 64bit
Increase the WSGI daemon worker process count from 2 processes to 5
processes. This allows IPA RPC to handle more parallel requests. The
additional processes increase memory consumption by approximante 250 MB
in total.

Since memory is scarce on 32bit platforms, only 64bit platforms are
bumped to 5 workers.

Fixes: https://pagure.io/freeipa/issue/7587
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-15 13:02:53 +02:00
Brian J. Murrell
d7c23a3ba6 Move ETag disabling to /ipa virtual server
This moves the ETag disabling so that it's specific to the /ipa
virtual server rather than being applied to all virtual servers on the machine.

This enables better co-existence with other virtual servers that want ETags.

Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-16 08:01:53 +01:00
Rob Crittenden
5c64e28512
Convert ipa-pki-proxy.conf to use mod_ssl directives
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Timo Aaltonen
e6c707b168 ipaplatform, ipa.conf: Use paths variables in ipa.conf.template
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-09 09:14:22 +01:00
Timo Aaltonen
1adb3edea9 Move config templates from install/conf to install/share
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-09 09:14:22 +01:00