Instantly share code, notes, and snippets.

Embed
What would you like to do?
Apache configuration file for a virtual host running Flask behind a uWSGI server, authentication with Shibboleth SSO
# Apache server configuration for ssotutorial.
# This sets up a Flask application over SSL with CERN SSO authentication via
# Shibboleth.
# Load the SSL and Shibboleth modules
LoadModule ssl_module modules/mod_ssl.so
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_22.so
# Disable TRACE HTTP requests on CERN advice
TraceEnable Off
# Listen on 433 for SSL
Listen 443
# These settings are taken directly from the default ssl.conf file
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
# Rewrite HTTP requests to HTTPS
<VirtualHost ssotutorial.cern.ch:80>
Redirect permanent / https://ssotutorial.cern.ch/
</VirtualHost>
# Define the behaviour for our SSL-encypted host
<VirtualHost ssotutorial.cern.ch:443>
# Enable SSL and define some host-specific settings
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/host.cert
SSLCertificateKeyFile /etc/pki/tls/private/privkey.pem
SSLCertificateChainFile /etc/pki/tls/certs/CERN-bundle.pem
# Bad browser support
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Logging to the default Apache log directory (/var/log/httpd on SLC6)
ErrorLog logs/sso_error_log
TransferLog logs/sso_access_log
CustomLog logs/sso_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LogLevel warn
# Make sure that the handlers are always available
<Location /Shibboleth.sso>
Satisfy Any
Allow from all
</Location>
# Aliases for resources used in Shibboleth error templates.
<IfModule mod_alias.c>
<Location /shibboleth-sp>
Satisfy Any
Allow from all
</Location>
Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
# logo.jpg doesn't come with a Shibboleth install, unlike main.css
# If you would like a logo shown on Shibboleth error pages, you can place
# one called logo.jpg in /usr/share/shibboleth
Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg
</IfModule>
# This location requires authentication
# When the user hits /login, they will be redirect to the CERN SSO page by
# Shibboleth, then redirected back to /login, via /Shibboleth.sso/ADFS,
# on successful authentication
<Location /login>
AuthType shibboleth
ShibCompatWith24 On
ShibRequestSetting requireSession 1
ShibUseHeaders On
require shib-session
</Location>
# Proxy everything to the WSGI server except /Shibboleth.sso and
# /shibboleth-sp
ProxyPass /Shibboleth.sso !
ProxyPass /shibboleth-sp !
ProxyPass / uwsgi://127.0.0.1:8000/
</VirtualHost>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment