freeipa/install/share/ipa.conf.template
Christian Heimes da2cf1c513 Debian: Add paths for open-sans and font-awesome
Debian has different paths and path suffix for font-awesome. Let's have
explicit paths for all our fonts.

Co-authored-by: Timo Aaltonen <tjaalton@debian.org>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00

230 lines
6.4 KiB
Plaintext

#
# VERSION 30 - DO NOT REMOVE THIS LINE
#
# This file may be overwritten on upgrades.
#
# Load lookup_identity module in case it has not been loaded yet
# The module is used to search users according the certificate.
<IfModule !lookup_identity_module>
LoadModule lookup_identity_module modules/mod_lookup_identity.so
</IfModule>
ProxyRequests Off
#We use xhtml, a file format that the browser validates
DirectoryIndex index.html
# Substantially increase the request field size to support MS-PAC
# requests, ticket #2767. This should easily support a 64KiB PAC.
LimitRequestFieldSize 100000
# Increase connection keep alive time. Default value is 5 seconds, which is too
# short for interactive ipa commands. 30 seconds is a good compromise.
KeepAlive On
KeepAliveTimeout 30
# ipa-rewrite.conf is loaded separately
# Proper header for .tff fonts
AddType application/x-font-ttf ttf
# Enable compression
AddOutputFilterByType DEFLATE text/html text/plain text/xml \
application/javascript application/json text/css \
application/x-font-ttf
# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
WSGISocketPrefix $WSGI_PREFIX_DIR
# Configure mod_wsgi handler for /ipa
WSGIDaemonProcess ipa processes=$WSGI_PROCESSES threads=1 maximum-requests=500 \
user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647 \
lang=C.UTF-8 locale=C.UTF-8
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptReloading Off
# Turn off mod_msgi handler for errors, config, crl:
<Location "/ipa/errors">
SetHandler None
</Location>
<Location "/ipa/config">
SetHandler None
</Location>
<Location "/ipa/crl">
SetHandler None
</Location>
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
AuthType GSSAPI
AuthName "Kerberos Login"
GssapiUseSessions On
Session On
SessionCookieName ipa_session path=/ipa;httponly;secure;
SessionHeader IPASESSION
# Uncomment the following to have shorter sessions, but beware this may break
# old IPA client tols that incorrectly parse cookies.
# SessionMaxAge 1800
GssapiSessionKey file:$GSSAPI_SESSION_KEY
GssapiImpersonate On
GssapiDelegCcacheDir $IPA_CCACHES
GssapiDelegCcachePerms mode:0660 gid:ipaapi
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
Header always append X-Frame-Options DENY
Header always append Content-Security-Policy "frame-ancestors 'none'"
# mod_session always sets two copies of the cookie, and this confuses our
# legacy clients, the unset here works because it ends up unsetting only one
# of the 2 header tables set by mod_session, leaving the other intact
Header unset Set-Cookie
# Disable etag http header. Doesn't work well with mod_deflate
# https://issues.apache.org/bugzilla/show_bug.cgi?id=45023
# Usage of last-modified header and modified-since validator is sufficient.
Header unset ETag
FileETag None
</Location>
# Target for login with internal connections
Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
# Turn off Apache authentication for i18n messages
<Location "/ipa/i18n_messages">
Require all granted
</Location>
# Turn off Apache authentication for password/token based login pages
<Location "/ipa/session/login_password">
Satisfy Any
Require all granted
</Location>
# Login with user certificate/smartcard configuration
# This configuration needs to be loaded after <Location "/ipa">
<Location "/ipa/session/login_x509">
AuthType none
GssapiDelegCcacheDir $IPA_CCACHES
GssapiDelegCcachePerms mode:0660 gid:ipaapi
SSLVerifyClient require
SSLUserName SSL_CLIENT_CERT
LookupUserByCertificate On
LookupUserByCertificateParamName "username"
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
GssapiImpersonate On
GssapiUseSessions On
Session On
SessionCookieName ipa_session path=/ipa;httponly;secure;
SessionHeader IPASESSION
SessionMaxAge 1800
GssapiSessionKey file:$GSSAPI_SESSION_KEY
Header unset Set-Cookie
</Location>
<Location "/ipa/session/change_password">
Satisfy Any
Require all granted
</Location>
<Location "/ipa/session/sync_token">
Satisfy Any
Require all granted
</Location>
# Custodia stuff is redirected to the custodia daemon
# after authentication
<Location "/ipa/keys/">
ProxyPass "unix:${IPA_CUSTODIA_SOCKET}|http://localhost/keys/"
RequestHeader set GSS_NAME %{GSS_NAME}s
RequestHeader set REMOTE_USER %{REMOTE_USER}s
</Location>
# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"
# For the MIT Windows config files
Alias /ipa/config "/usr/share/ipa/html"
# Do no authentication on the directory that contains error messages
<Directory "/usr/share/ipa/html">
SetHandler None
AllowOverride None
Satisfy Any
Allow from all
ExpiresActive On
ExpiresDefault "access plus 0 seconds"
</Directory>
# For CRL publishing
Alias /ipa/crl "$CRL_PUBLISH_PATH"
<Directory "$CRL_PUBLISH_PATH">
SetHandler None
AllowOverride None
Options Indexes FollowSymLinks
Satisfy Any
Allow from all
</Directory>
# List explicitly only the fonts we want to serve
Alias /ipa/ui/fonts/open-sans "${FONTS_OPENSANS_DIR}"
Alias /ipa/ui/fonts/fontawesome "${FONTS_FONTAWESOME_DIR}"
<Directory "${FONTS_DIR}">
SetHandler None
AllowOverride None
Satisfy Any
Allow from all
ExpiresActive On
ExpiresDefault "access plus 1 year"
</Directory>
# webUI is now completely static, and served out of that directory
Alias /ipa/ui "/usr/share/ipa/ui"
<Directory "/usr/share/ipa/ui">
SetHandler None
AllowOverride None
Satisfy Any
Allow from all
ExpiresActive On
ExpiresDefault "access plus 1 year"
<FilesMatch "(index.html|loader.js|login.html|reset_password.html)">
ExpiresDefault "access plus 0 seconds"
</FilesMatch>
</Directory>
# Simple wsgi scripts required by ui
Alias /ipa/wsgi "/usr/share/ipa/wsgi"
<Directory "/usr/share/ipa/wsgi">
AllowOverride None
Satisfy Any
Allow from all
Options ExecCGI
AddHandler wsgi-script .py
</Directory>
# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
AllowOverride None
Satisfy Any
Allow from all
Options ExecCGI
AddHandler wsgi-script .py
</Directory>