mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-04-26 19:42:55 +08:00
97 lines
3.2 KiB
Plaintext
97 lines
3.2 KiB
Plaintext
# Unencrypted access is bad
|
|
# Un-comment the following to force https connections
|
|
RewriteEngine on
|
|
#RewriteCond %{REQUEST_URI} !^/rpms/.* [NC]
|
|
#RewriteCond %{REQUEST_URI} !^/repos/.* [NC]
|
|
#RewriteCond %{REQUEST_URI} !^/harness/.* [NC]
|
|
#RewriteCond %{REQUEST_URI} !^/kickstart/.* [NC]
|
|
#RewriteCond %{REQUEST_URI} !/ipxe-script$ [NC]
|
|
#RewriteCond %{HTTPS} off
|
|
#RewriteRule ^/(.*) https://%{HTTP_HOST}%{REQUEST_URI}
|
|
#RewriteRule ^/bkr$ /bkr/ [R]
|
|
|
|
Alias /static /usr/share/bkr/server/static
|
|
Alias /assets/generated /var/cache/beaker/assets
|
|
Alias /assets /usr/share/bkr/server/assets
|
|
Redirect permanent /apidoc http://beaker-project.org/docs/server-api
|
|
Alias /logs /var/www/beaker/logs
|
|
Alias /rpms /var/www/beaker/rpms
|
|
Alias /repos /var/www/beaker/repos
|
|
Alias /harness /var/www/beaker/harness
|
|
|
|
<Directory "/var/www/beaker/logs">
|
|
<Files "*.log">
|
|
ForceType text/plain
|
|
</Files>
|
|
</Directory>
|
|
|
|
# To work around a thread safety issue in TurboGears where HTTP requests will
|
|
# sometimes fail with NoApplicableMethods during application startup, it is
|
|
# recommended to set threads=1 here.
|
|
# See https://bugzilla.redhat.com/show_bug.cgi?id=796037 for details.
|
|
WSGIDaemonProcess beaker-server user=apache group=apache display-name=beaker-server maximum-requests=1000 processes=8 threads=1
|
|
WSGISocketPrefix /var/run/wsgi
|
|
WSGIRestrictStdout On
|
|
WSGIRestrictSignal Off
|
|
WSGIPythonOptimize 2
|
|
WSGIPassAuthorization On
|
|
|
|
WSGIScriptAlias / /usr/share/bkr/beaker-server.wsgi
|
|
|
|
<Directory /usr/share/bkr>
|
|
WSGIApplicationGroup beaker-server
|
|
WSGIProcessGroup beaker-server
|
|
<IfModule mod_authz_core.c>
|
|
# Apache 2.4
|
|
Require all granted
|
|
</IfModule>
|
|
<IfModule !mod_authz_core.c>
|
|
# Apache 2.2
|
|
Order deny,allow
|
|
Allow from all
|
|
</IfModule>
|
|
</Directory>
|
|
|
|
<Directory /var/cache/beaker/assets>
|
|
<IfModule mod_authz_core.c>
|
|
# Apache 2.4
|
|
Require all granted
|
|
</IfModule>
|
|
<IfModule !mod_authz_core.c>
|
|
# Apache 2.2
|
|
Order deny,allow
|
|
Allow from all
|
|
</IfModule>
|
|
# Generated assets have a content hash in their filename so they can
|
|
# safely be cached forever.
|
|
ExpiresActive on
|
|
ExpiresDefault "access plus 1 year"
|
|
</Directory>
|
|
|
|
# Humans will be accessing the application using a CNAME through a reverse
|
|
# proxy doing SSL termination. We need to make mellon aware of that since it
|
|
# does some sanity checks on the destination URL.
|
|
ServerName https://{{ beaker_server_cname }}
|
|
UseCanonicalName on
|
|
|
|
<Location />
|
|
MellonEnable "info"
|
|
MellonSPPrivateKeyFile "/etc/httpd/saml2/{{ beaker_server_cname }}/certificate.key"
|
|
MellonSPCertFile "/etc/httpd/saml2/{{ beaker_server_cname }}/certificate.pem"
|
|
MellonSPMetadataFile "/etc/httpd/saml2/{{ beaker_server_cname }}/metadata.xml"
|
|
MellonIdPMetadataFile "/etc/httpd/saml2/{{ beaker_server_cname }}/idp-metadata.xml"
|
|
MellonEndpointPath /saml2
|
|
MellonVariable "saml-sesion-cookie"
|
|
MellonsecureCookie On
|
|
MellonUser "NAME_ID"
|
|
MellonIdP "IDP"
|
|
MellonSetEnvNoPrefix "REMOTE_USER_FULLNAME" "fullname"
|
|
MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" "email"
|
|
MellonSessionLength 3600
|
|
</Location>
|
|
|
|
<Location /login>
|
|
MellonEnable "auth"
|
|
Header append Cache-Control "no-cache"
|
|
</Location>
|