freeipa/install/conf/ipa.conf
Martin Babinsky 7ff7b1f533 move IPA-related http runtime directories to common subdirectory
When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same
time, they use common directory for storing Apache ccache file. Uninstallation
of 'mod_auth_kerb' removes this directory leading to invalid CCache path for
httpd and authentication failure.

Using an IPA-specific directory for credential storage during apache runtime
avoids this issue.

https://fedorahosted.org/freeipa/ticket/4973

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-05-19 12:59:18 +00:00

180 lines
4.4 KiB
Plaintext

#
# VERSION 18 - DO NOT REMOVE THIS LINE
#
# This file may be overwritten on upgrades.
#
ProxyRequests Off
#We use xhtml, a file format that the browser validates
DirectoryIndex index.html
# Substantially increase the request field size to support MS-PAC
# requests, ticket #2767. This should easily support a 64KiB PAC.
LimitRequestFieldSize 100000
# ipa-rewrite.conf is loaded separately
# This is required so the auto-configuration works with Firefox 2+
AddType application/java-archive jar
AddType application/x-xpinstall xpi
# Proper header for .tff fonts
AddType application/x-font-ttf ttf
# Enable compression
AddOutputFilterByType DEFLATE text/html text/plain text/xml \
application/javascript application/json text/css \
application/x-font-ttf
# Disable etag http header. Doesn't work well with mod_deflate
# https://issues.apache.org/bugzilla/show_bug.cgi?id=45023
# Usage of last-modified header and modified-since validator is sufficient.
Header unset ETag
FileETag None
# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
WSGISocketPrefix /run/httpd/wsgi
# Configure mod_wsgi handler for /ipa
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptReloading Off
# Turn off mod_msgi handler for errors, config, crl:
<Location "/ipa/errors">
SetHandler None
</Location>
<Location "/ipa/config">
SetHandler None
</Location>
<Location "/ipa/crl">
SetHandler None
</Location>
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
AuthType GSSAPI
AuthName "Kerberos Login"
GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
GssapiUseS4U2Proxy on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
</Location>
# Turn off Apache authentication for sessions
<Location "/ipa/session/json">
Satisfy Any
Order Deny,Allow
Allow from all
</Location>
<Location "/ipa/session/xml">
Satisfy Any
Order Deny,Allow
Allow from all
</Location>
<Location "/ipa/session/login_password">
Satisfy Any
Order Deny,Allow
Allow from all
</Location>
<Location "/ipa/session/change_password">
Satisfy Any
Order Deny,Allow
Allow from all
</Location>
<Location "/ipa/session/sync_token">
Satisfy Any
Order Deny,Allow
Allow from all
</Location>
# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"
# For the MIT Windows config files
Alias /ipa/config "/usr/share/ipa/html"
# Do no authentication on the directory that contains error messages
<Directory "/usr/share/ipa/html">
SetHandler None
AllowOverride None
Satisfy Any
Allow from all
ExpiresActive On
ExpiresDefault "access plus 0 seconds"
</Directory>
# For CRL publishing
Alias /ipa/crl "$CRL_PUBLISH_PATH"
<Directory "$CRL_PUBLISH_PATH">
SetHandler None
AllowOverride None
Options Indexes FollowSymLinks
Satisfy Any
Allow from all
</Directory>
# List explicitly only the fonts we want to serve
Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/open-sans"
Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/fontawesome"
<Directory "/usr/share/fonts">
SetHandler None
AllowOverride None
Satisfy Any
Allow from all
ExpiresActive On
ExpiresDefault "access plus 1 year"
</Directory>
# webUI is now completely static, and served out of that directory
Alias /ipa/ui "/usr/share/ipa/ui"
<Directory "/usr/share/ipa/ui">
SetHandler None
AllowOverride None
Satisfy Any
Allow from all
ExpiresActive On
ExpiresDefault "access plus 1 year"
<FilesMatch "(index.html|loader.js|login.html|reset_password.html)">
ExpiresDefault "access plus 0 seconds"
</FilesMatch>
</Directory>
# Simple wsgi scripts required by ui
Alias /ipa/wsgi "/usr/share/ipa/wsgi"
<Directory "/usr/share/ipa/wsgi">
AllowOverride None
Satisfy Any
Allow from all
Options ExecCGI
AddHandler wsgi-script .py
</Directory>
# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
AllowOverride None
Satisfy Any
Allow from all
Options ExecCGI
AddHandler wsgi-script .py
</Directory>