# Server-wide mod_wsgi settings for the PDC application.

# Equivalent to running the interpreter with -O: assert statements are
# stripped, so nothing in the application may rely on assert for an
# access or validation check.
WSGIPythonOptimize 1

# Path prefix under which mod_wsgi creates the daemon-process sockets.
WSGISocketPrefix /var/run/wsgi

# Daemon process group "pdc": two single-threaded processes running as
# apache:apache, each recycled after 1000 requests and given 10 seconds
# to finish in-flight work on shutdown.
WSGIDaemonProcess pdc \
    display-name=pdc \
    user=apache group=apache \
    processes=2 threads=1 \
    maximum-requests=1000 \
    shutdown-timeout=10
<VirtualHost *:80>
    # Plain-HTTP listener: serves no content of its own and only sends
    # clients to the HTTPS virtual host with a 301.
    ServerName {{ hostname }}
    Redirect 301 / https://{{ hostname }}/
</VirtualHost>
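<VirtualHost *:443>
    # HTTPS virtual host for PDC: TLS, SAML session handling through
    # mod_auth_mellon, the WSGI application, and its static and
    # documentation assets.
    ServerName {{ hostname }}

    CustomLog /var/log/httpd/pdc-access.log combined
    ErrorLog /var/log/httpd/pdc-error.log

    SSLEngine on
    # NOTE(review): "all -SSLv2 -SSLv3" still leaves TLSv1.0 and TLSv1.1
    # enabled when the OpenSSL build offers them, and this file sets no
    # SSLCipherSuite. Any further protocol or cipher policy has to come
    # from the server-wide ssl configuration -- confirm.
    SSLProtocol all -SSLv2 -SSLv3
    # "set" rather than "add", so the response carries exactly one HSTS
    # header even if another layer has already supplied one.
    # NOTE(review): max-age=15768000 is about six months. The browser
    # preload list expects at least 31536000, so the "preload" token has
    # no effect on list eligibility as written. includeSubDomains applies
    # the policy to every subdomain of {{ hostname }}.
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

    # NOTE(review): these are the distribution's default localhost
    # certificate paths; presumably the deployment places the real
    # certificate and key there -- confirm.
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    Alias /docs/ /usr/share/doc/pdc/docs/build/html/
    Alias /saml2protected /usr/share/ipsilon/ui/saml2sp

    # Using SetEnv here will not work as expected as it does not change
    # os.environ in the application itself. For more details see:
    # http://stackoverflow.com/a/9017610/1576064
    #
    # To override settings provide wsgi.py file with your preferred settings
    # and point the following directive to it.
    WSGIScriptAlias / /usr/lib/python2.7/site-packages/pdc/wsgi.py

    RewriteEngine on
    # First try to find the files in pdc
    RewriteCond "/usr/lib/python2.7/site-packages/pdc/static/$1" -f
    RewriteRule "^/static/(.*)" "/usr/lib/python2.7/site-packages/pdc/static/$1" [L]
    # Try to find them in the patternfly files. This fallback has no
    # existence check; a path missing from both trees ends as a 404.
    RewriteRule "^/static/(.*)" "/usr/share/patternfly1/resources/$1" [L]

    <Location "/">
        SetHandler wsgi-script

        # 30 MiB upper bound on request bodies.
        LimitRequestBody 31457280
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
        Require all granted
        # "info": requests are never denied here. When a valid Mellon
        # session exists its attributes are exported to the application,
        # so the authorization decisions rest with the application.
        MellonEnable "info"
        MellonSPPrivateKeyFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/certificate.key"
        MellonSPCertFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/certificate.pem"
        MellonSPMetadataFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/metadata.xml"
        MellonIdPMetadataFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/idp-metadata.xml"
        MellonEndpointPath /saml2
        # Session cookie name suffix. The spelling "sesion" is part of
        # the deployed cookie name; changing it drops existing sessions.
        MellonVariable "saml-sesion-cookie"
        # Comment out the next two lines if you want to allow logins on bare HTTP.
        # MellonSecureCookie sets the Secure flag on the session cookie and
        # SSLRequireSSL refuses any request that did not arrive over TLS.
        MellonsecureCookie On
        SSLRequireSSL
        MellonUser "NAME_ID"
        MellonIdP "IDP"
        # Sessions last at most one hour.
        MellonSessionLength 3600
        # MellonNoCookieErrorPage "https://idp.example.com/no-cookie-error.html"
        # MellonPostDirectory "/var/lib/ipsilon/post_cache"
        # MellonPostReplay On
    </Location>

    # NOTE(review): WSGIProcessGroup is set only in the two Locations
    # below. Unless it is also set outside this file, every other URL is
    # not assigned to the "pdc" daemon group and would run in embedded
    # mode -- confirm that is intended.
    <Location /auth/saml2login>
        WSGIProcessGroup pdc
        # "auth": a SAML login is required before this URL is served.
        MellonEnable "auth"
        Header append Cache-Control "no-cache"

        ## Kerberos authentication:
        #AuthType Kerberos
        #AuthName "PDC - Kerberos login"
        #KrbMethodNegotiate on
        #KrbMethodK5Passwd on
        #KrbAuthoritative on
        #KrbServiceName HTTP
        #KrbAuthRealm EXAMPLE.COM
        #KrbVerifyKDC on
        #Krb5Keytab /etc/httpd/conf/httpd.keytab
        #KrbSaveCredentials off
        #Require valid-user
    </Location>

    # Hands the Authorization request header through to the WSGI
    # application, which mod_wsgi withholds by default.
    WSGIPassAuthorization On
    <Location /rest_api/v1/auth/token>
        WSGIProcessGroup pdc

        # NOTE(review): with the Kerberos block below commented out, this
        # Location adds no server-side authentication and inherits
        # MellonEnable "info" from "/". Who may obtain a token is then
        # presumably decided inside the application -- verify.
        ## Kerberos authentication:
        #AuthType Kerberos
        #AuthName "PDC - Kerberos login"
        #KrbMethodNegotiate on
        #KrbMethodK5Passwd off
        #KrbAuthoritative on
        #KrbServiceName HTTP
        #KrbAuthRealm EXAMPLE.COM
        #KrbVerifyKDC on
        #Krb5Keytab /etc/httpd/conf/httpd.keytab
        #KrbSaveCredentials off
        #Require valid-user
    </Location>

    <Location "/static">
        # Undo the wsgi-script handler inherited from "/" so these files
        # are served straight from disk.
        SetHandler None

        # Disable auth on the static content, so that we aren't forced to
        # use Kerberos. Doing so would remove "Expires" headers from the static
        # content, which would lead to poor page-load times.
        # NOTE(review): Satisfy is a 2.2-era directive that httpd 2.4 only
        # accepts through mod_access_compat. Next to "Require all granted"
        # it looks redundant -- confirm before removing.
        AuthType none
        Satisfy Any
        Require all granted

        # Many file types are likely to benefit from compression
        # Enable gzip compression on them:
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css

        # Set far-future Expires headers on static content
        # (trac 184):
        ExpiresActive On
        ExpiresDefault "access plus 10 years"
    </Location>

    <Location "/docs">
        # Undo the wsgi-script handler inherited from "/" so these files
        # are served straight from disk.
        SetHandler None

        # Disable auth on the static content, so that we aren't forced to
        # use Kerberos. Doing so would remove "Expires" headers from the static
        # content, which would lead to poor page-load times.
        # NOTE(review): Satisfy is a 2.2-era directive that httpd 2.4 only
        # accepts through mod_access_compat. Next to "Require all granted"
        # it looks redundant -- confirm before removing.
        AuthType none
        Satisfy Any
        Require all granted

        # Many file types are likely to benefit from compression
        # Enable gzip compression on them:
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css

        # Documentation may change between releases, so it gets a two-week
        # Expires lifetime instead of the far-future one used for /static
        # (trac 184):
        ExpiresActive On
        ExpiresDefault "access plus 2 weeks"
    </Location>

</VirtualHost>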