mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
f1d5ab3a03
Increase the WSGI daemon worker process count from 2 processes to 5 processes. This allows IPA RPC to handle more parallel requests. The additional processes increase memory consumption by approximante 250 MB in total. Since memory is scarce on 32bit platforms, only 64bit platforms are bumped to 5 workers. Fixes: https://pagure.io/freeipa/issue/7587 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
228 lines
6.3 KiB
Plaintext
228 lines
6.3 KiB
Plaintext
#
|
|
# VERSION 28 - DO NOT REMOVE THIS LINE
|
|
#
|
|
# This file may be overwritten on upgrades.
|
|
#
|
|
|
|
# Load lookup_identity module in case it has not been loaded yet
|
|
# The module is used to search users according the certificate.
|
|
<IfModule !lookup_identity_module>
|
|
LoadModule lookup_identity_module modules/mod_lookup_identity.so
|
|
</IfModule>
|
|
|
|
ProxyRequests Off
|
|
|
|
#We use xhtml, a file format that the browser validates
|
|
DirectoryIndex index.html
|
|
|
|
|
|
# Substantially increase the request field size to support MS-PAC
|
|
# requests, ticket #2767. This should easily support a 64KiB PAC.
|
|
LimitRequestFieldSize 100000
|
|
|
|
# Increase connection keep alive time. Default value is 5 seconds, which is too
|
|
# short for interactive ipa commands. 30 seconds is a good compromise.
|
|
KeepAlive On
|
|
KeepAliveTimeout 30
|
|
|
|
# ipa-rewrite.conf is loaded separately
|
|
|
|
# Proper header for .tff fonts
|
|
AddType application/x-font-ttf ttf
|
|
|
|
# Enable compression
|
|
AddOutputFilterByType DEFLATE text/html text/plain text/xml \
|
|
application/javascript application/json text/css \
|
|
application/x-font-ttf
|
|
|
|
# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
|
|
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
|
|
WSGISocketPrefix $WSGI_PREFIX_DIR
|
|
|
|
|
|
# Configure mod_wsgi handler for /ipa
|
|
WSGIDaemonProcess ipa processes=$WSGI_PROCESSES threads=1 maximum-requests=500 \
|
|
user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647 \
|
|
lang=C.UTF-8 locale=C.UTF-8
|
|
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
|
|
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
|
|
WSGIScriptReloading Off
|
|
|
|
|
|
# Turn off mod_msgi handler for errors, config, crl:
|
|
<Location "/ipa/errors">
|
|
SetHandler None
|
|
</Location>
|
|
<Location "/ipa/config">
|
|
SetHandler None
|
|
</Location>
|
|
<Location "/ipa/crl">
|
|
SetHandler None
|
|
</Location>
|
|
|
|
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
|
|
<Location "/ipa">
|
|
AuthType GSSAPI
|
|
AuthName "Kerberos Login"
|
|
GssapiUseSessions On
|
|
Session On
|
|
SessionCookieName ipa_session path=/ipa;httponly;secure;
|
|
SessionHeader IPASESSION
|
|
# Uncomment the following to have shorter sessions, but beware this may break
|
|
# old IPA client tols that incorrectly parse cookies.
|
|
# SessionMaxAge 1800
|
|
GssapiSessionKey file:$GSSAPI_SESSION_KEY
|
|
|
|
GssapiImpersonate On
|
|
GssapiDelegCcacheDir $IPA_CCACHES
|
|
GssapiDelegCcachePerms mode:0660 gid:ipaapi
|
|
GssapiUseS4U2Proxy on
|
|
GssapiAllowedMech krb5
|
|
Require valid-user
|
|
ErrorDocument 401 /ipa/errors/unauthorized.html
|
|
WSGIProcessGroup ipa
|
|
WSGIApplicationGroup ipa
|
|
Header always append X-Frame-Options DENY
|
|
Header always append Content-Security-Policy "frame-ancestors 'none'"
|
|
|
|
# mod_session always sets two copies of the cookie, and this confuses our
|
|
# legacy clients, the unset here works because it ends up unsetting only one
|
|
# of the 2 header tables set by mod_session, leaving the other intact
|
|
Header unset Set-Cookie
|
|
|
|
# Disable etag http header. Doesn't work well with mod_deflate
|
|
# https://issues.apache.org/bugzilla/show_bug.cgi?id=45023
|
|
# Usage of last-modified header and modified-since validator is sufficient.
|
|
Header unset ETag
|
|
FileETag None
|
|
</Location>
|
|
|
|
# Target for login with internal connections
|
|
Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
|
|
|
|
# Turn off Apache authentication for password/token based login pages
|
|
<Location "/ipa/session/login_password">
|
|
Satisfy Any
|
|
Order Deny,Allow
|
|
Allow from all
|
|
</Location>
|
|
|
|
# Login with user certificate/smartcard configuration
|
|
# This configuration needs to be loaded after <Location "/ipa">
|
|
<Location "/ipa/session/login_x509">
|
|
AuthType none
|
|
GssapiDelegCcacheDir $IPA_CCACHES
|
|
GssapiDelegCcachePerms mode:0660 gid:ipaapi
|
|
SSLVerifyClient require
|
|
SSLUserName SSL_CLIENT_CERT
|
|
LookupUserByCertificate On
|
|
LookupUserByCertificateParamName "username"
|
|
WSGIProcessGroup ipa
|
|
WSGIApplicationGroup ipa
|
|
GssapiImpersonate On
|
|
|
|
GssapiUseSessions On
|
|
Session On
|
|
SessionCookieName ipa_session path=/ipa;httponly;secure;
|
|
SessionHeader IPASESSION
|
|
SessionMaxAge 1800
|
|
GssapiSessionKey file:$GSSAPI_SESSION_KEY
|
|
|
|
Header unset Set-Cookie
|
|
</Location>
|
|
|
|
<Location "/ipa/session/change_password">
|
|
Satisfy Any
|
|
Order Deny,Allow
|
|
Allow from all
|
|
</Location>
|
|
|
|
<Location "/ipa/session/sync_token">
|
|
Satisfy Any
|
|
Order Deny,Allow
|
|
Allow from all
|
|
</Location>
|
|
|
|
# Custodia stuff is redirected to the custodia daemon
|
|
# after authentication
|
|
<Location "/ipa/keys/">
|
|
ProxyPass "unix:${IPA_CUSTODIA_SOCKET}|http://localhost/keys/"
|
|
RequestHeader set GSS_NAME %{GSS_NAME}s
|
|
RequestHeader set REMOTE_USER %{REMOTE_USER}s
|
|
</Location>
|
|
|
|
# This is where we redirect on failed auth
|
|
Alias /ipa/errors "/usr/share/ipa/html"
|
|
|
|
# For the MIT Windows config files
|
|
Alias /ipa/config "/usr/share/ipa/html"
|
|
|
|
# Do no authentication on the directory that contains error messages
|
|
<Directory "/usr/share/ipa/html">
|
|
SetHandler None
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
ExpiresActive On
|
|
ExpiresDefault "access plus 0 seconds"
|
|
</Directory>
|
|
|
|
|
|
# For CRL publishing
|
|
Alias /ipa/crl "$CRL_PUBLISH_PATH"
|
|
<Directory "$CRL_PUBLISH_PATH">
|
|
SetHandler None
|
|
AllowOverride None
|
|
Options Indexes FollowSymLinks
|
|
Satisfy Any
|
|
Allow from all
|
|
</Directory>
|
|
|
|
|
|
# List explicitly only the fonts we want to serve
|
|
Alias /ipa/ui/fonts/open-sans "${FONTS_DIR}/open-sans"
|
|
Alias /ipa/ui/fonts/fontawesome "${FONTS_DIR}/fontawesome"
|
|
<Directory "${FONTS_DIR}">
|
|
SetHandler None
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
ExpiresActive On
|
|
ExpiresDefault "access plus 1 year"
|
|
</Directory>
|
|
|
|
|
|
# webUI is now completely static, and served out of that directory
|
|
Alias /ipa/ui "/usr/share/ipa/ui"
|
|
<Directory "/usr/share/ipa/ui">
|
|
SetHandler None
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
ExpiresActive On
|
|
ExpiresDefault "access plus 1 year"
|
|
<FilesMatch "(index.html|loader.js|login.html|reset_password.html)">
|
|
ExpiresDefault "access plus 0 seconds"
|
|
</FilesMatch>
|
|
</Directory>
|
|
|
|
# Simple wsgi scripts required by ui
|
|
Alias /ipa/wsgi "/usr/share/ipa/wsgi"
|
|
<Directory "/usr/share/ipa/wsgi">
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
Options ExecCGI
|
|
AddHandler wsgi-script .py
|
|
</Directory>
|
|
|
|
# migration related pages
|
|
Alias /ipa/migration "/usr/share/ipa/migration"
|
|
<Directory "/usr/share/ipa/migration">
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
Options ExecCGI
|
|
AddHandler wsgi-script .py
|
|
</Directory>
|