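# VERSION 27 - DO NOT REMOVE THIS LINE
#
# This file may be overwritten on upgrades.
#
# NOTE(review): this copy of the file lost every angle-bracket container line
# (<IfModule>, <Location>, <Directory>, <FilesMatch>) when it was extracted,
# and all directives were run together. Containers whose path is named by the
# surrounding comment or by the Alias they follow have been restored below;
# the remaining ones are marked FIXME(review) because their path is not
# recoverable from this copy. Do not deploy this file until every FIXME
# container has been restored from the upstream template: an unscoped
# "Satisfy Any / Allow from all" or "AuthType none" would apply server-wide
# and defeat the GSSAPI protection on /ipa. (These are directory-context
# directives, so httpd should refuse to start with them at server scope, but
# do not rely on that as the safety net.)
#
# Values of the form $NAME / ${NAME} are presumably substituted by the
# installer when this file is generated from its template, not resolved by
# httpd -- confirm before editing them by hand.

# Load lookup_identity module in case it has not been loaded yet.
# The module is used to look up users according to the client certificate.
<IfModule !lookup_identity_module>
    LoadModule lookup_identity_module modules/mod_lookup_identity.so
</IfModule>

# Never act as a forward proxy; the only proxying is the custodia ProxyPass
# below, which is explicit.
ProxyRequests Off

# We use xhtml, a file format that the browser validates
DirectoryIndex index.html

# Substantially increase the request field size to support MS-PAC
# requests, ticket #2767. This should easily support a 64KiB PAC.
LimitRequestFieldSize 100000

# Increase connection keep alive time. Default value is 5 seconds, which is too
# short for interactive ipa commands. 30 seconds is a good compromise.
KeepAlive On
KeepAliveTimeout 30

# ipa-rewrite.conf is loaded separately

# Proper header for .ttf fonts
AddType application/x-font-ttf ttf

# Enable compression
AddOutputFilterByType DEFLATE text/html text/plain text/xml \
    application/javascript application/json text/css \
    application/x-font-ttf

# Disable etag http header. Doesn't work well with mod_deflate
# https://issues.apache.org/bugzilla/show_bug.cgi?id=45023
# Usage of last-modified header and modified-since validator is sufficient.
Header unset ETag
FileETag None

# FIXME: WSGISocketPrefix is a server-scope directive.  The mod_wsgi package
# should really be fixed by adding this to its /etc/httpd/conf.d/wsgi.conf:
WSGISocketPrefix $WSGI_PREFIX_DIR

# Configure mod_wsgi handler for /ipa.
# The daemon runs as the unprivileged ipaapi user/group; the delegated
# credential caches further down are made group-readable for that same group.
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
    user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647 \
    lang=C.UTF-8 locale=C.UTF-8
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptReloading Off

# Turn off mod_wsgi handler for errors, config, crl
# (these paths are aliased to static directories further down):
<Location "/ipa/errors">
    SetHandler None
</Location>
<Location "/ipa/config">
    SetHandler None
</Location>
<Location "/ipa/crl">
    SetHandler None
</Location>

# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
    AuthType GSSAPI
    AuthName "Kerberos Login"
    GssapiUseSessions On
    Session On
    # Cookie is scoped to /ipa and flagged httponly+secure. No SameSite
    # attribute is set here; confirm legacy clients tolerate one before adding it.
    SessionCookieName ipa_session path=/ipa;httponly;secure;
    SessionHeader IPASESSION
    # Uncomment the following to have shorter sessions, but beware this may break
    # old IPA client tools that incorrectly parse cookies.
    # SessionMaxAge 1800

    GssapiSessionKey file:$GSSAPI_SESSION_KEY
    # Delegated (S4U2Proxy) credentials are written to $IPA_CCACHES with
    # mode 0660 and group ipaapi, i.e. readable only by root and the group
    # the WSGI daemon above runs as.
    GssapiImpersonate On
    GssapiDelegCcacheDir $IPA_CCACHES
    GssapiDelegCcachePerms mode:0660 gid:ipaapi
    GssapiUseS4U2Proxy on
    GssapiAllowedMech krb5
    Require valid-user
    ErrorDocument 401 /ipa/errors/unauthorized.html
    WSGIProcessGroup ipa
    WSGIApplicationGroup ipa
    # Anti-framing: both the legacy header and its CSP equivalent.
    # NOTE(review): "append" merges with any value another module or vhost has
    # already set, yielding a comma-joined header that browsers reject for
    # X-Frame-Options; "set" would be the safer verb if such a conflict is
    # possible in this deployment -- confirm.
    Header always append X-Frame-Options DENY
    Header always append Content-Security-Policy "frame-ancestors 'none'"
    # mod_session always sets two copies of the cookie, and this confuses our
    # legacy clients, the unset here works because it ends up unsetting only one
    # of the 2 header tables set by mod_session, leaving the other intact.
    # Re-verify this after any httpd/mod_session upgrade: if both copies were
    # ever removed, no session cookie would reach the client at all.
    Header unset Set-Cookie
</Location>

# Target for login with internal connections
Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"

# Turn off Apache authentication for password/token based login pages
# FIXME(review): the <Location> container scoping these three directives was
# lost in this copy and its path is not recoverable here; restore it before use.
# "Satisfy Any / Order / Allow from all" is httpd 2.2-style access control and
# presumably relies on mod_access_compat on httpd 2.4 -- confirm.
Satisfy Any
Order Deny,Allow
Allow from all

# Login with user certificate/smartcard configuration
# This configuration needs to be loaded after the container that protects
# /ipa above (the reference was stripped together with the container line).
# FIXME(review): the <Location> container for the certificate login page was
# lost in this copy and its path is not recoverable here; restore it before
# use. Until it is, "AuthType none" and the client-certificate requirement
# below would apply outside the intended path.
AuthType none
GssapiDelegCcacheDir $IPA_CCACHES
GssapiDelegCcachePerms mode:0660 gid:ipaapi
# Here the user is identified from the verified client certificate
# (mod_nss + mod_lookup_identity) instead of Kerberos; the certificate is
# mandatory, and the resolved user name is passed as the "username" parameter.
NSSVerifyClient require
NSSUserName SSL_CLIENT_CERT
LookupUserByCertificate On
LookupUserByCertificateParamName "username"
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
GssapiImpersonate On
GssapiUseSessions On
Session On
SessionCookieName ipa_session path=/ipa;httponly;secure;
SessionHeader IPASESSION
# Unlike the /ipa block, the certificate-issued session is capped at 30 min.
SessionMaxAge 1800
GssapiSessionKey file:$GSSAPI_SESSION_KEY
Header unset Set-Cookie

# FIXME(review): two more unauthenticated <Location> containers followed here
# (paths not recoverable from this copy); each held the three directives
# below. Restore the containers before use.
Satisfy Any
Order Deny,Allow
Allow from all

Satisfy Any
Order Deny,Allow
Allow from all

# Custodia stuff is redirected to the custodia daemon
# after authentication
# FIXME(review): the <Location> container was lost in this copy (presumably a
# path under /ipa/ given the proxied target /keys/ -- confirm). It must sit
# inside the GSSAPI-protected /ipa tree: the two RequestHeader lines forward
# the identity mod_auth_gssapi established, and outside that tree they would
# forward empty values (RequestHeader set overwrites anything the client sent,
# so the client cannot inject its own GSS_NAME/REMOTE_USER).
ProxyPass "unix:${IPA_CUSTODIA_SOCKET}|http://localhost/keys/"
RequestHeader set GSS_NAME %{GSS_NAME}s
RequestHeader set REMOTE_USER %{REMOTE_USER}s

# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"

# For the MIT Windows config files
Alias /ipa/config "/usr/share/ipa/html"

# Do no authentication on the directory that contains error messages
<Directory "/usr/share/ipa/html">
    SetHandler None
    AllowOverride None
    Satisfy Any
    Allow from all
    ExpiresActive On
    ExpiresDefault "access plus 0 seconds"
</Directory>

# For CRL publishing
# Directory listing is intentionally enabled so clients can discover the
# current CRL; nothing other than published CRLs should be written there.
Alias /ipa/crl "$CRL_PUBLISH_PATH"
<Directory "$CRL_PUBLISH_PATH">
    SetHandler None
    AllowOverride None
    Options Indexes FollowSymLinks
    Satisfy Any
    Allow from all
</Directory>

# List explicitly only the fonts we want to serve
Alias /ipa/ui/fonts/open-sans "${FONTS_DIR}/open-sans"
Alias /ipa/ui/fonts/fontawesome "${FONTS_DIR}/fontawesome"
<Directory "${FONTS_DIR}">
    SetHandler None
    AllowOverride None
    Satisfy Any
    Allow from all
    ExpiresActive On
    ExpiresDefault "access plus 1 year"
</Directory>

# webUI is now completely static, and served out of that directory
Alias /ipa/ui "/usr/share/ipa/ui"
<Directory "/usr/share/ipa/ui">
    SetHandler None
    AllowOverride None
    Satisfy Any
    Allow from all
    ExpiresActive On
    ExpiresDefault "access plus 1 year"
    # FIXME(review): this second ExpiresDefault was presumably scoped by a
    # <FilesMatch> container (lost in this copy, pattern not recoverable) to
    # the few entry files that must not be cached. As written it would simply
    # override the 1-year value above for the whole directory.
    ExpiresDefault "access plus 0 seconds"
</Directory>

# Simple wsgi scripts required by ui
# These run unauthenticated (Satisfy Any / Allow from all), so the scripts
# must not assume REMOTE_USER or a session is present.
Alias /ipa/wsgi "/usr/share/ipa/wsgi"
<Directory "/usr/share/ipa/wsgi">
    AllowOverride None
    Satisfy Any
    Allow from all
    Options ExecCGI
    AddHandler wsgi-script .py
</Directory>

# migration related pages (unauthenticated, same caveat as /ipa/wsgi)
Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
    AllowOverride None
    Satisfy Any
    Allow from all
    Options ExecCGI
    AddHandler wsgi-script .py
</Directory>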