Apache configuration file for a virtual host running Flask behind a uWSGI server, authentication with Shibboleth SSO
# Apache server configuration for ssotutorial.
# This sets up a Flask application over SSL with CERN SSO authentication via
# Shibboleth.
# Load the SSL and Shibboleth modules
LoadModule ssl_module modules/
LoadModule mod_shib /usr/lib64/shibboleth/
# Disable TRACE HTTP requests on CERN advice
TraceEnable Off
# Listen on 443 for SSL
Listen 443
# These settings are taken directly from the default ssl.conf file
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
# Rewrite HTTP requests to HTTPS
Redirect permanent /
# Define the behaviour for our SSL-encrypted host
# Enable SSL and define some host-specific settings
SSLEngine on
# SSLv3 is also insecure, so disable it together with SSLv2
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/pki/tls/certs/host.cert
SSLCertificateKeyFile /etc/pki/tls/private/privkey.pem
SSLCertificateChainFile /etc/pki/tls/certs/CERN-bundle.pem
# Bad browser support
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Logging to the default Apache log directory (/var/log/httpd on SLC6)
ErrorLog logs/sso_error_log
TransferLog logs/sso_access_log
CustomLog logs/sso_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LogLevel warn
# Make sure that the handlers are always available
<Location /Shibboleth.sso>
  Satisfy Any
  Allow from all
</Location>
# Aliases for resources used in Shibboleth error templates.
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    Satisfy Any
    Allow from all
  </Location>
  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
  # logo.jpg doesn't come with a Shibboleth install, unlike main.css
  # If you would like a logo shown on Shibboleth error pages, you can place
  # one called logo.jpg in /usr/share/shibboleth
  Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg
</IfModule>
# This location requires authentication
# When the user hits /login, they will be redirected to the CERN SSO page by
# Shibboleth, then redirected back to /login, via /Shibboleth.sso/ADFS,
# on successful authentication
<Location /login>
  AuthType shibboleth
  ShibCompatWith24 On
  ShibRequestSetting requireSession 1
  ShibUseHeaders On
  require shib-session
</Location>
# Proxy everything to the WSGI server except /Shibboleth.sso and
# /shibboleth-sp
ProxyPass /Shibboleth.sso !
ProxyPass /shibboleth-sp !
ProxyPass / uwsgi://
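
Only /login requires a Shibboleth session in this configuration, yet every other path is proxied to uWSGI as well, so identity headers arriving on those paths were not vouched for by it. The WSGI middleware below is an added example, not part of the original gist: it drops such headers outside /login. The header names are assumptions (the real ones come from the Shibboleth attribute-map.xml), and `whoami_app` is a hypothetical stand-in for the Flask application.

```python
# Added example: WSGI middleware for the application behind the proxy.
# Assumption: these are the identity headers Shibboleth exports; the real
# names are defined in attribute-map.xml on the Shibboleth host.
IDENTITY_HEADERS = ("HTTP_ADFS_LOGIN", "HTTP_ADFS_EMAIL")
# The only path the Apache configuration guards with "require shib-session".
PROTECTED_PREFIX = "/login"


def is_protected(path):
    """True for /login and anything beneath it, but not e.g. /loginx."""
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


class ShibHeaderGuard:
    """Remove identity headers on paths Apache did not authenticate."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not is_protected(environ.get("PATH_INFO", "")):
            for key in IDENTITY_HEADERS:
                environ.pop(key, None)
        return self.app(environ, start_response)


def whoami_app(environ, start_response):
    """Hypothetical stand-in for the Flask app: echoes the login it sees."""
    login = environ.get("HTTP_ADFS_LOGIN", "anonymous")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [login.encode()]


def call(path, headers):
    """Run one constructed request through the guarded application."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    environ.update(headers)
    body = ShibHeaderGuard(whoami_app)(environ, lambda status, hdrs: None)
    return b"".join(body).decode()


if __name__ == "__main__":
    sent = {"HTTP_ADFS_LOGIN": "alice"}  # constructed sample header
    print(call("/login", sent))    # header kept on the guarded path
    print(call("/profile", sent))  # header dropped everywhere else
```

With Flask the guard is installed as `app.wsgi_app = ShibHeaderGuard(app.wsgi_app)`; the /login view then copies the identity into Flask's signed session for use on other paths.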