-
-
Save vkuznet/cd8338f8a309ae788142 to your computer and use it in GitHub Desktop.
Apache configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ServerName regsvc-dev01.cern.ch | |
| ServerRoot "/data/srv/state/frontend" | |
| DocumentRoot "/data/srv/state/frontend/htdocs" | |
| PidFile /data/srv/state/frontend/var/httpd.pid | |
| User _frontend | |
| Group _frontend | |
| # Dynamic modules. Enable explicitly only the bits we need. | |
| LoadModule dumpio_module /path/apache2/2.2.25gsi-comp/modules/mod_dumpio.so | |
| LoadModule authz_host_module /path/apache2/2.2.25gsi-comp/modules/mod_authz_host.so | |
| LoadModule auth_basic_module /path/apache2/2.2.25gsi-comp/modules/mod_auth_basic.so | |
| LoadModule ext_filter_module /path/apache2/2.2.25gsi-comp/modules/mod_ext_filter.so | |
| LoadModule filter_module /path/apache2/2.2.25gsi-comp/modules/mod_filter.so | |
| LoadModule deflate_module /path/apache2/2.2.25gsi-comp/modules/mod_deflate.so | |
| LoadModule log_config_module /path/apache2/2.2.25gsi-comp/modules/mod_log_config.so | |
| LoadModule logio_module /path/apache2/2.2.25gsi-comp/modules/mod_logio.so | |
| LoadModule env_module /path/apache2/2.2.25gsi-comp/modules/mod_env.so | |
| LoadModule mime_magic_module /path/apache2/2.2.25gsi-comp/modules/mod_mime_magic.so | |
| LoadModule expires_module /path/apache2/2.2.25gsi-comp/modules/mod_expires.so | |
| LoadModule headers_module /path/apache2/2.2.25gsi-comp/modules/mod_headers.so | |
| LoadModule setenvif_module /path/apache2/2.2.25gsi-comp/modules/mod_setenvif.so | |
| LoadModule proxy_module /path/apache2/2.2.25gsi-comp/modules/mod_proxy.so | |
| LoadModule proxy_http_module /path/apache2/2.2.25gsi-comp/modules/mod_proxy_http.so | |
| LoadModule ssl_module /path/apache2/2.2.25gsi-comp/modules/mod_ssl.so | |
| LoadModule mime_module /path/apache2/2.2.25gsi-comp/modules/mod_mime.so | |
| LoadModule asis_module /path/apache2/2.2.25gsi-comp/modules/mod_asis.so | |
| LoadModule cgi_module /path/apache2/2.2.25gsi-comp/modules/mod_cgi.so | |
| LoadModule negotiation_module /path/apache2/2.2.25gsi-comp/modules/mod_negotiation.so | |
| LoadModule dir_module /path/apache2/2.2.25gsi-comp/modules/mod_dir.so | |
| LoadModule alias_module /path/apache2/2.2.25gsi-comp/modules/mod_alias.so | |
| LoadModule rewrite_module /path/apache2/2.2.25gsi-comp/modules/mod_rewrite.so | |
| LoadModule perl_module /path/mod_perl2/2.0.7-comp9/modules/mod_perl.so | |
| # Default to disallow everything. | |
| <Directory /> | |
| Options FollowSymLinks | |
| AllowOverride None | |
| Order deny,allow | |
| Deny from all | |
| </Directory> | |
| # Grant basic browsing access to the document root directory. | |
| <Directory "/data/srv/state/frontend/htdocs"> | |
| Options FollowSymLinks | |
| AllowOverride None | |
| Order allow,deny | |
| Allow from all | |
| </Directory> | |
| # Ban access to .ht* files. | |
| <FilesMatch "^\.ht"> | |
| Order allow,deny | |
| Deny from all | |
| Satisfy All | |
| </FilesMatch> | |
| # Logging defaults. | |
| DumpIOInput On | |
| LogLevel warn | |
| ErrorLog "||/path/apache2/2.2.25gsi-comp/bin/rotatelogs -f /data/srv/logs/frontend/error_log_%Y%m%d.txt 86400" | |
| CustomLog "||/path/apache2/2.2.25gsi-comp/bin/rotatelogs -f /data/srv/logs/frontend/access_log_%Y%m%d.txt 86400" \ | |
| "%t %v %a \"%r\" %>s [data: %I in %O out %b body %D us ] [auth: %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%{SSL_CLIENT_S_DN}x\" \"%{cms-auth}C\" ] [ref: \"%{Referer}i\" \"%{User-Agent}i\" ]" | |
| #RewriteLogLevel 3 | |
| #RewriteLog /data/srv/logs/frontend/rewrite_log | |
| # Content and default index definitions. | |
| DirectoryIndex index.html | |
| DefaultType text/plain | |
| TypesConfig /path/apache2/2.2.25gsi-comp/conf/mime.types | |
| AddType application/x-compress .Z | |
| AddType application/x-gzip .gz .tgz | |
| # Basic SSL settings. The rest are in virtual host definitions. | |
| SSLRandomSeed startup builtin | |
| SSLRandomSeed connect builtin | |
| SSLMutex file:/data/srv/state/frontend/var/ssl_mutex | |
| SSLSessionCache shmcb:/data/srv/state/frontend/var/ssl_scache(512000) | |
| SSLSessionCacheTimeout 300 | |
| # Server capacity settings. | |
| StartServers 5 | |
| MinSpareServers 5 | |
| MaxSpareServers 30 | |
| MaxClients 150 | |
| MaxRequestsPerChild 5000000 | |
| # Various basic configurables. | |
| Timeout 300 | |
| KeepAlive On | |
| MaxKeepAliveRequests 100 | |
| KeepAliveTimeout 5 | |
| UseCanonicalName Off | |
| ServerTokens Prod | |
| ServerSignature Off | |
| HostnameLookups Off | |
| TraceEnable Off | |
| # Now include actual server application containers. | |
| # Disable keep-alive with Safari. See various bugs on Google. | |
| BrowserMatch Safari nokeepalive | |
| # Standard stanza for MSIE SSL bugs. | |
| BrowserMatch "MSIE [456]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 | |
| # Always return server processing time. | |
| Header set CMS-Server-Time "%D %t" | |
| # -- /data/srv/current/config/frontend/perl.conf | |
| PerlSwitches -w -CSD | |
| PerlRequire /data/srv/current/config/frontend/cmsinit.pl | |
| # -- /data/srv/current/config/frontend/error.conf | |
| # Define custom error message handling. See error.conf for details. | |
| ErrorDocument 401 /error/401 | |
| ErrorDocument 403 /error/403 | |
| ErrorDocument 404 /error/404 | |
| ErrorDocument 503 /error/503 | |
| <Location /error> | |
| Order allow,deny | |
| Allow from all | |
| Options +ExecCGI | |
| SetHandler perl-script | |
| PerlResponseHandler cmserror | |
| </Location> | |
| # -- /data/srv/current/config/frontend/nukehdr.conf | |
| # Clean up (incoming) request headers. | |
| PerlPostReadRequestHandler cmsnuke | |
| # -- /data/srv/current/config/frontend/backends.conf | |
| # Set backend cluster names. | |
| PerlAddVar HOST_MAP /data/srv/current/config/frontend/backends-dev.txt | |
| PerlAddVar AUTH_HMAC_KEYS etc/keys | |
| PerlPostReadRequestHandler cmshosts | |
| # Define server virtual host. | |
| Listen 80 | |
| <VirtualHost *:80> | |
| SSLEngine off | |
| # Disable all request methods except GET. Anything else must come | |
| # over HTTPS. GET needs to be supported so people can type URLs in | |
| # web browser location bar, and get a redirect to HTTPS. | |
| RewriteEngine on | |
| RewriteCond %{REQUEST_METHOD} !^GET$ | |
| RewriteRule ^ - [F] | |
| # Capture the URI for the backend; need mod_rewrite to grab it. | |
| RewriteCond %{ENV:REDIRECT_REQUEST_URI} !^$ | |
| RewriteRule ^ - [E=CMS_REQUEST_URI:%{ENV:REDIRECT_REQUEST_URI}] | |
| RewriteCond %{ENV:REDIRECT_REQUEST_URI} ^$ | |
| RewriteRule ^ - [E=CMS_REQUEST_URI:%{REQUEST_URI}] | |
| RequestHeader set CMS-Request-URI %{CMS_REQUEST_URI}e | |
| # Add 'escape' rewrite map to name space. Extract query for redirects. | |
| RewriteMap escape int:escape | |
| RewriteCond %{QUERY_STRING} ^$ | |
| RewriteRule ^ - [E=CMS_QUERY:] | |
| RewriteCond %{QUERY_STRING} !^$ | |
| RewriteRule ^ - [E=CMS_QUERY:?%{QUERY_STRING}] | |
| # Application configurations. | |
| </VirtualHost> | |
| # This is the configuration file for the HTTPS web server, listening | |
| # on the port 443. It defines the basic SSL server, then includes | |
| # "content" rules from ssl_rewrites.d directory. | |
| # | |
| # The server configuration features are as follows: | |
| # - Listening on port 443 | |
| # - Requires SSL, i.e. no HTTP on HTTPS port. A common exploit is | |
| # to fool browsers talking in "clear" on a supposedly secure port. | |
| # Note that this doesn't prevent browsers from revealing secret | |
| # information at the network level, but does prevent the server | |
| # from disclosing any information on an unsecure channel, and does | |
| # prevent the client from completing transactions with the server. | |
| # - Requires strong authentication; weak encryption is not accepted. | |
| # - Uses CERN CA signed host keys. In a load balanced cluster all | |
| # the hosts share a single key for the DNS alias, not keys for the | |
| # actual host name (e.g. "cmsweb.cern.ch", rather than "vocmsnn"). | |
| # - CA certificates and CRL lists for all grid sites. These will be | |
| # used when SSL client verification is needed, to identify grid | |
| # certificates. Certificates from general bodies (Thawte, Verisign | |
| # and so on) are deliberately not accepted; we only take grid certs. | |
| # - SSL certificate verification details, where used, are exported | |
| # to web services hosted on the server, and the back-end proxies. | |
| # - Try authenticating clients with X509 certificates. Here the | |
| # check is merely optional, more complete checks are elsewhere. | |
| # This has been moved to global server level to avoid issues with | |
| # re-negotiation triggered by location-specific checks. This has | |
| # the unfortunate side effect that accessing the https server, i.e. | |
| # for almost every access to the server, the client is prompted for | |
| # a certificate, even if the certificate isn't used for anything. | |
| Listen 443 | |
| <VirtualHost *:443> | |
| SSLEngine on | |
| SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:@STRENGTH | |
| SSLCertificateFile /etc/grid-security/hostcert.pem | |
| SSLCertificateKeyFile /etc/grid-security/hostkey.pem | |
| SSLCACertificatePath /etc/grid-security/certificates | |
| SSLCARevocationPath /etc/grid-security/certificates | |
| SSLOptions +StrictRequire +StdEnvVars +ExportCertData | |
| SSLVerifyClient optional | |
| SSLVerifyDepth 10 | |
| <Location /> | |
| # Require strong encryption. This is defence in depth, this is | |
| # technically unnecessary due to SSLCipherSuite definition. | |
| SSLRequire (%{SSL_CIPHER_USEKEYSIZE} >= 128 and %{SSL_CIPHER} !~ m/^(EXP|NULL)/) | |
| # Always require SSL when talking to this port. This will not | |
| # prevent a client from compromising itself (the request will | |
| # already have been sent in clear on the wire by the time it is | |
| # rejected), but does protect the server, does prevent reasonable | |
| # web browser clients from sending "secure" cookies over an | |
| # insecure connection, and does limit malicious attempts to | |
| # fool humans the access is secure when in fact it is not. | |
| SSLRequireSSL | |
| # Increase SSL renegotiation buffer size. | |
| SSLRenegBufferSize 1048576 | |
| </Location> | |
| # If we've verified certificate, pass the info to the back-end. | |
| RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}e | |
| RequestHeader set SSL_CLIENT_S_DN %{SSL_CLIENT_S_DN}e | |
| RequestHeader set SSL_CLIENT_VERIFY %{SSL_CLIENT_VERIFY}e | |
| RequestHeader set HTTPS %{HTTPS}e | |
| # Tell backends the request was https | |
| RequestHeader set X-Forwarded-Proto "https" | |
| # Enable rewrite engine and disable (again) all request methods except | |
| # HEAD, POST, GET, PUT and DELETE. In particular make sure TRACE and | |
| # TRACK cannot be used. This is defence in depth, the "TraceEnable Off" | |
| # in the main server configuration should already disable these methods; | |
| # the rules below are just a precaution to avoid accidents. | |
| RewriteEngine on | |
| RewriteCond %{REQUEST_METHOD} !^(HEAD|POST|GET|PUT|DELETE)$ | |
| RewriteRule ^ - [F] | |
| # Capture the URI for the backend; need mod_rewrite to grab it. | |
| RewriteCond %{ENV:REDIRECT_REQUEST_URI} !^$ | |
| RewriteRule ^ - [E=CMS_REQUEST_URI:%{ENV:REDIRECT_REQUEST_URI}] | |
| RewriteCond %{ENV:REDIRECT_REQUEST_URI} ^$ | |
| RewriteRule ^ - [E=CMS_REQUEST_URI:%{REQUEST_URI}] | |
| RequestHeader set CMS-Request-URI %{CMS_REQUEST_URI}e | |
| # Add 'escape' rewrite map to name space. Extract query for redirects. | |
| RewriteMap escape int:escape | |
| RewriteCond %{QUERY_STRING} ^$ | |
| RewriteRule ^ - [E=CMS_QUERY:] | |
| RewriteCond %{QUERY_STRING} !^$ | |
| RewriteRule ^ - [E=CMS_QUERY:?%{QUERY_STRING}] | |
| # Application configurations. | |
| # -- /data/srv/current/config/frontend/auth.conf | |
| # /auth/verify is only allowed from internal redirect with AUTH_SPEC set. | |
| RewriteCond %{ENV:REDIRECT_AUTH_SPEC} ^$ | |
| RewriteRule ^/auth/verify(/.*)?$ - [F] | |
| # /auth/complete is only allowed from internal redirect with AUTH_DONE set. | |
| RewriteCond %{ENV:REDIRECT_AUTH_DONE} !=OK | |
| RewriteRule ^/auth/complete(/.*)?$ - [F] | |
| # Common environment parametres for authentication handlers. | |
| PerlAddVar AUTH_HMAC_KEYS etc/keys | |
| PerlAddVar AUTH_HOST_EXEMPT /data/srv/current/config/frontend/cms-centres.txt | |
| PerlAddVar AUTH_GRID_MAPS /data/srv/current/config/frontend/extra-certificates.txt | |
| PerlAddVar AUTH_GRID_MAPS etc/voms-gridmap.txt | |
| PerlAddVar AUTH_REVOKED /data/srv/current/config/frontend/revoked-users.txt | |
| PerlAddVar AUTH_JSON_MAP /data/srv/state/frontend/etc/authmap.json | |
| # Internal redirection location for handling authentication steps. | |
| <Location /auth/verify> | |
| Order allow,deny | |
| Allow from all | |
| Options +ExecCGI | |
| SetHandler perl-script | |
| PerlResponseHandler cmsauth->auth_verify_handler | |
| </Location> | |
| # Public location for logging out. | |
| <Location /auth/logout> | |
| Order allow,deny | |
| Allow from all | |
| Options +ExecCGI | |
| SetHandler perl-script | |
| PerlResponseHandler cmsauth->auth_logout_handler | |
| </Location> | |
| # Public location for diagnosing authentication problems. | |
| <Location /auth/trouble> | |
| Order allow,deny | |
| Allow from all | |
| Options +ExecCGI | |
| SetHandler perl-script | |
| PerlResponseHandler cmsauth->auth_trouble_handler | |
| </Location> | |
| # -- /data/srv/current/config/frontend/app_couch_ssl.conf | |
| RewriteRule ^(/couchdb?(/.*)?)$ /auth/verify${escape:$1} [QSA,PT,E=AUTH_SPEC:cert;host] | |
| RewriteRule ^/auth/complete/couchdb?(/.*)?$ http://%{ENV:BACKEND}:5984${escape:$1} [QSA,P,L,NE] | |
| </VirtualHost> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment