IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
b2b9d8f1569b9aeefae835c0316cd4695ef86f2e
freeipa/install/conf/ipa.conf
Petr Vobornik fd840a9cd7 mod_auth_gssapi: enable unique credential caches names 
mod_auth_gssapi > 1.4.0 implements support for unique ccaches names.
Without it ccache name is derived from pricipal name.

It solves a race condition in two concurrent request of the same
principal. Where first request deletes the ccache and the second
tries to use it which then fails. It may lead e.g. to a failure of
two concurrent ipa-client-install.

With this feature there are two ccaches so there is no clash.

https://fedorahosted.org/freeipa/ticket/5653

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2016-06-24 16:06:49 +02:00

193 lines
4.9 KiB
Plaintext
Raw Blame History

#
# VERSION 22 - DO NOT REMOVE THIS LINE
#
# This file may be overwritten on upgrades.
#
ProxyRequests Off
#We use xhtml, a file format that the browser validates
DirectoryIndex index.html
# Substantially increase the request field size to support MS-PAC
# requests, ticket #2767. This should easily support a 64KiB PAC.
LimitRequestFieldSize 100000
# ipa-rewrite.conf is loaded separately
# This is required so the auto-configuration works with Firefox 2+
AddType application/java-archive jar
AddType application/x-xpinstall xpi
# Proper header for .tff fonts
AddType application/x-font-ttf ttf
# Enable compression
AddOutputFilterByType DEFLATE text/html text/plain text/xml \
application/javascript application/json text/css \
application/x-font-ttf
# Disable etag http header. Doesn't work well with mod_deflate
# https://issues.apache.org/bugzilla/show_bug.cgi?id=45023
# Usage of last-modified header and modified-since validator is sufficient.
Header unset ETag
FileETag None
# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
WSGISocketPrefix /run/httpd/wsgi
# Configure mod_wsgi handler for /ipa
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
display-name=%{GROUP} socket-timeout=2147483647
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptReloading Off
# Turn off mod_msgi handler for errors, config, crl:
<Location "/ipa/errors">
SetHandler None
</Location>
<Location "/ipa/config">
SetHandler None
</Location>
<Location "/ipa/crl">
SetHandler None
</Location>
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
AuthType GSSAPI
AuthName "Kerberos Login"
GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
GssapiDelegCcacheUnique On
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
Header always append X-Frame-Options DENY
Header always append Content-Security-Policy "frame-ancestors 'none'"
</Location>
# Turn off Apache authentication for sessions
<Location "/ipa/session/json">
Satisfy Any
Order Deny,Allow
Allow from all
</Location>
<Location "/ipa/session/xml">
Satisfy Any
Order Deny,Allow
Allow from all
</Location>
<Location "/ipa/session/login_password">
Satisfy Any
Order Deny,Allow
Allow from all
</Location>
<Location "/ipa/session/change_password">
Satisfy Any
Order Deny,Allow
Allow from all
</Location>
<Location "/ipa/session/sync_token">
Satisfy Any
Order Deny,Allow
Allow from all
</Location>
# Custodia stuff is redirected to the custodia daemon
# after authentication
<Location "/ipa/keys/">
ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/"
RequestHeader set GSS_NAME %{GSS_NAME}s
RequestHeader set REMOTE_USER %{REMOTE_USER}s
</Location>
# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"
# For the MIT Windows config files
Alias /ipa/config "/usr/share/ipa/html"
# Do no authentication on the directory that contains error messages
<Directory "/usr/share/ipa/html">
SetHandler None
AllowOverride None
Satisfy Any
Allow from all
ExpiresActive On
ExpiresDefault "access plus 0 seconds"
</Directory>
# For CRL publishing
Alias /ipa/crl "$CRL_PUBLISH_PATH"
<Directory "$CRL_PUBLISH_PATH">
SetHandler None
AllowOverride None
Options Indexes FollowSymLinks
Satisfy Any
Allow from all
</Directory>
# List explicitly only the fonts we want to serve
Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/open-sans"
Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/fontawesome"
<Directory "/usr/share/fonts">
SetHandler None
AllowOverride None
Satisfy Any
Allow from all
ExpiresActive On
ExpiresDefault "access plus 1 year"
</Directory>
# webUI is now completely static, and served out of that directory
Alias /ipa/ui "/usr/share/ipa/ui"
<Directory "/usr/share/ipa/ui">
SetHandler None
AllowOverride None
Satisfy Any
Allow from all
ExpiresActive On
ExpiresDefault "access plus 1 year"
<FilesMatch "(index.html|loader.js|login.html|reset_password.html)">
ExpiresDefault "access plus 0 seconds"
</FilesMatch>
</Directory>
# Simple wsgi scripts required by ui
Alias /ipa/wsgi "/usr/share/ipa/wsgi"
<Directory "/usr/share/ipa/wsgi">
AllowOverride None
Satisfy Any
Allow from all
Options ExecCGI
AddHandler wsgi-script .py
</Directory>
# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
AllowOverride None
Satisfy Any
Allow from all
Options ExecCGI
AddHandler wsgi-script .py
</Directory>
Reference in New Issue View Git Blame Copy Permalink