@alexpearce
Last active October 21, 2021 02:31
Apache configuration file for a virtual host running Flask behind a uWSGI server, authentication with Shibboleth SSO
# Apache server configuration for ssotutorial.
# This sets up a Flask application over SSL with CERN SSO authentication via
# Shibboleth.

# Load the SSL and Shibboleth modules
LoadModule ssl_module modules/mod_ssl.so
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_22.so

# Disable TRACE HTTP requests on CERN advice
TraceEnable Off

# Listen on 443 for SSL
Listen 443

# These settings are taken directly from the default ssl.conf file
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

# Rewrite HTTP requests to HTTPS
<VirtualHost ssotutorial.cern.ch:80>
    Redirect permanent / https://ssotutorial.cern.ch/
</VirtualHost>

# Define the behaviour for our SSL-encrypted host
<VirtualHost ssotutorial.cern.ch:443>
    # Enable SSL and define some host-specific settings
    SSLEngine on
    # Note: "all -SSLv2" only disables SSLv2 (SSLv3 stays enabled), and the
    # cipher list below still admits RC4, MEDIUM and LOW ciphers; both come
    # from the SLC6-era ssl.conf defaults and are weak by current standards
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/tls/certs/host.cert
    SSLCertificateKeyFile /etc/pki/tls/private/privkey.pem
    SSLCertificateChainFile /etc/pki/tls/certs/CERN-bundle.pem

    # Workarounds for old MSIE browsers with broken SSL support
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    # Logging to the default Apache log directory (/var/log/httpd on SLC6)
    ErrorLog logs/sso_error_log
    TransferLog logs/sso_access_log
    CustomLog logs/sso_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    LogLevel warn

    # Make sure that the Shibboleth handlers are always available
    <Location /Shibboleth.sso>
        Satisfy Any
        Allow from all
    </Location>

    # Aliases for resources used in Shibboleth error templates.
    <IfModule mod_alias.c>
        <Location /shibboleth-sp>
            Satisfy Any
            Allow from all
        </Location>
        Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
        # logo.jpg doesn't come with a Shibboleth install, unlike main.css.
        # If you would like a logo shown on Shibboleth error pages, you can place
        # one called logo.jpg in /usr/share/shibboleth
        Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg
    </IfModule>

    # This location requires authentication.
    # When the user hits /login, they will be redirected to the CERN SSO page by
    # Shibboleth, then redirected back to /login, via /Shibboleth.sso/ADFS,
    # on successful authentication
    <Location /login>
        AuthType shibboleth
        ShibCompatWith24 On
        ShibRequestSetting requireSession 1
        ShibUseHeaders On
        require shib-session
    </Location>

    # Proxy everything to the WSGI server except /Shibboleth.sso and
    # /shibboleth-sp
    ProxyPass /Shibboleth.sso !
    ProxyPass /shibboleth-sp !
    ProxyPass / uwsgi://127.0.0.1:8000/
</VirtualHost>
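As an added check that is not part of the gist, the following Python script parses a vhost config in this shape and flags the settings a reviewer would look at first: the SSLProtocol/SSLCipherSuite choices, whether the /Shibboleth.sso handler is excluded from the proxy, whether /login actually requires a Shibboleth session, and whether the proxied backend sits on loopback (relevant because ShibUseHeaders On makes the app trust identity headers). The embedded sample config is constructed from the directives above; the directive names are real Apache/mod_shib ones, the audit logic is this example's own.

```python
import re

# Constructed sample: the security-relevant directives of the vhost above.
SAMPLE_CONF = """\
<VirtualHost ssotutorial.cern.ch:443>
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
<Location /login>
require shib-session
</Location>
ProxyPass /Shibboleth.sso !
ProxyPass / uwsgi://127.0.0.1:8000/
</VirtualHost>
"""
WEAK_CIPHER_TERMS = {"LOW", "MEDIUM", "RC4", "EXPORT", "ADH", "aNULL", "eNULL"}

def parse_directives(text):
    """Yield (enclosing sections, directive, args); joins '\\' continuations, skips comments."""
    stack = []
    for line in map(str.strip, re.sub(r"\\\n\s*", " ", text).splitlines()):
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            stack.append(line.strip("<>"))
        elif line and not line.startswith("#"):
            name, *args = line.split()
            yield tuple(stack), name.lower(), args

def weak_ciphers(spec):
    """Terms an OpenSSL cipher list enables (not '!'-negated) that are weak today."""
    return [t for tok in spec.split(":") if not tok.startswith("!")
            for t in tok.lstrip("+-").split("+") if t in WEAK_CIPHER_TERMS]

def audit(text):
    """Return findings for the TLS, SSO-handler and proxy settings of a vhost config."""
    findings, excluded, protected = [], set(), set()
    for path, name, args in parse_directives(text):
        if name == "sslprotocol" and "all" in map(str.lower, args) and "-SSLv3" not in args:
            findings.append("SSLProtocol leaves SSLv3 enabled")
        elif name == "sslciphersuite":
            findings += [f"weak cipher term enabled: {t}" for t in weak_ciphers(args[0])]
        elif name == "proxypass" and args[1] == "!":
            excluded.add(args[0])  # path handled by Apache itself, not proxied
        elif name == "proxypass" and not re.match(r"\w+://(127\.0\.0\.1|localhost)[:/]", args[1]):
            findings.append(f"backend {args[1]} not on loopback; ensure it is reachable only via Apache")
        elif name == "require" and "shib-session" in args and path:
            protected.add(path[-1])
    if "/Shibboleth.sso" not in excluded:
        findings.append("ProxyPass does not exclude /Shibboleth.sso, so the SP handler would be proxied")
    if "Location /login" not in protected:
        findings.append("/login does not require a Shibboleth session")
    return findings
```

Run `audit(open("/etc/httpd/conf.d/ssotutorial.conf").read())` against the real file; on the sample it reports SSLv3 plus the RC4, MEDIUM and LOW cipher terms and nothing else.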