mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-28 09:06:44 -06:00
174 lines
4.1 KiB
Plaintext
174 lines
4.1 KiB
Plaintext
#
|
|
# VERSION 13 - DO NOT REMOVE THIS LINE
|
|
#
|
|
# This file may be overwritten on upgrades.
|
|
#
|
|
# LoadModule auth_kerb_module modules/mod_auth_kerb.so
|
|
|
|
ProxyRequests Off
|
|
|
|
|
|
#We use xhtml, a file format that the browser validates
|
|
DirectoryIndex index.html
|
|
|
|
|
|
# Substantially increase the request field size to support MS-PAC
|
|
# requests, ticket #2767. This should easily support a 64KiB PAC.
|
|
LimitRequestFieldSize 100000
|
|
|
|
# ipa-rewrite.conf is loaded separately
|
|
|
|
# This is required so the auto-configuration works with Firefox 2+
|
|
AddType application/java-archive jar
|
|
AddType application/x-xpinstall xpi
|
|
|
|
# Proper header for .woff fonts
|
|
AddType application/x-font-woff woff
|
|
|
|
# Enable compression
|
|
AddOutputFilterByType DEFLATE text/html text/plain text/xml \
|
|
application/javascript application/json text/css
|
|
|
|
# Disable etag http header. Doesn't work well with mod_deflate
|
|
# https://issues.apache.org/bugzilla/show_bug.cgi?id=45023
|
|
# Usage of last-modified header and modified-since validator is sufficient.
|
|
Header unset ETag
|
|
FileETag None
|
|
|
|
# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
|
|
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
|
|
WSGISocketPrefix /run/httpd/wsgi
|
|
|
|
|
|
# Configure mod_wsgi handler for /ipa
|
|
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500
|
|
WSGIProcessGroup ipa
|
|
WSGIApplicationGroup ipa
|
|
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
|
|
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
|
|
WSGIScriptReloading Off
|
|
|
|
|
|
# Turn off mod_msgi handler for errors, config, crl:
|
|
<Location "/ipa/errors">
|
|
SetHandler None
|
|
</Location>
|
|
<Location "/ipa/config">
|
|
SetHandler None
|
|
</Location>
|
|
<Location "/ipa/crl">
|
|
SetHandler None
|
|
</Location>
|
|
|
|
KrbConstrainedDelegationLock ipa
|
|
|
|
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
|
|
<Location "/ipa">
|
|
AuthType Kerberos
|
|
AuthName "Kerberos Login"
|
|
KrbMethodNegotiate on
|
|
KrbMethodK5Passwd off
|
|
KrbServiceName HTTP
|
|
KrbAuthRealms $REALM
|
|
Krb5KeyTab /etc/httpd/conf/ipa.keytab
|
|
KrbSaveCredentials on
|
|
KrbConstrainedDelegation on
|
|
Require valid-user
|
|
ErrorDocument 401 /ipa/errors/unauthorized.html
|
|
</Location>
|
|
|
|
# Turn off Apache authentication for sessions
|
|
<Location "/ipa/session/json">
|
|
Satisfy Any
|
|
Order Deny,Allow
|
|
Allow from all
|
|
</Location>
|
|
|
|
<Location "/ipa/session/xml">
|
|
Satisfy Any
|
|
Order Deny,Allow
|
|
Allow from all
|
|
</Location>
|
|
|
|
<Location "/ipa/session/login_password">
|
|
Satisfy Any
|
|
Order Deny,Allow
|
|
Allow from all
|
|
</Location>
|
|
|
|
<Location "/ipa/session/change_password">
|
|
Satisfy Any
|
|
Order Deny,Allow
|
|
Allow from all
|
|
</Location>
|
|
|
|
# This is where we redirect on failed auth
|
|
Alias /ipa/errors "/usr/share/ipa/html"
|
|
|
|
# For the MIT Windows config files
|
|
Alias /ipa/config "/usr/share/ipa/html"
|
|
|
|
# Do no authentication on the directory that contains error messages
|
|
<Directory "/usr/share/ipa/html">
|
|
SetHandler None
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
</Directory>
|
|
|
|
|
|
# For CRL publishing
|
|
Alias /ipa/crl "$CRL_PUBLISH_PATH"
|
|
<Directory "$CRL_PUBLISH_PATH">
|
|
SetHandler None
|
|
AllowOverride None
|
|
Options Indexes FollowSymLinks
|
|
Satisfy Any
|
|
Allow from all
|
|
</Directory>
|
|
|
|
|
|
# webUI is now completely static, and served out of that directory
|
|
Alias /ipa/ui "/usr/share/ipa/ui"
|
|
<Directory "/usr/share/ipa/ui">
|
|
SetHandler None
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
</Directory>
|
|
|
|
# Simple wsgi scripts required by ui
|
|
Alias /ipa/wsgi "/usr/share/ipa/wsgi"
|
|
<Directory "/usr/share/ipa/wsgi">
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
Options ExecCGI
|
|
AddHandler wsgi-script .py
|
|
</Directory>
|
|
|
|
# Protect our CGIs
|
|
<Directory /var/www/cgi-bin>
|
|
AuthType Kerberos
|
|
AuthName "Kerberos Login"
|
|
KrbMethodNegotiate on
|
|
KrbMethodK5Passwd off
|
|
KrbServiceName HTTP
|
|
KrbAuthRealms $REALM
|
|
Krb5KeyTab /etc/httpd/conf/ipa.keytab
|
|
KrbSaveCredentials on
|
|
Require valid-user
|
|
ErrorDocument 401 /ipa/errors/unauthorized.html
|
|
</Directory>
|
|
|
|
|
|
# migration related pages
|
|
Alias /ipa/migration "/usr/share/ipa/migration"
|
|
<Directory "/usr/share/ipa/migration">
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
Options ExecCGI
|
|
AddHandler wsgi-script .py
|
|
</Directory>
|