apache-config

ServerName ${DJANGO_PRIMARY_FQDN}

<VirtualHost *:80>
  ServerName https://${DJANGO_PRIMARY_FQDN}:443
  UseCanonicalName On
  ServerSignature On
  ErrorLog /dev/stderr
  Transferlog /dev/stdout

  ServerAdmin cgca-admins@uwm.edu

  ## Log format
  LogFormat "APACHE | %a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""

  ## Vhost docroot
  DocumentRoot "/var/www/html"

  ## Directories, there should at least be a declaration for /var/www/html

  <Directory "/var/www/html">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
  </Directory>

  # Improve proxy behavior with gunicorn:
  # https://serverfault.com/questions/206738/intermittent-error-when-using-mod-proxy-to-do-reverse-proxy-to-soap-service#comment1327184_209006
  # https://github.com/benoitc/gunicorn/issues/207

  SetEnv force-proxy-request-1.0 1
  SetEnv proxy-nokeepalive 1

  ## Custom fragment
  # gUnicorn edits
  Alias /shibboleth-ds/idpselect_config.js /etc/shibboleth-ds/idpselect_config.js
  Alias /shibboleth-ds/idpselect.js /etc/shibboleth-ds/idpselect.js
  Alias /shibboleth-ds/idpselect.css /etc/shibboleth-ds/idpselect.css
  Alias /static/ "/app/gracedb_project/static_root/"
  # Aliases for docs and admin_docs
  Alias /documentation/ "/app/gracedb_project/docs/user_docs/build/"
  Alias /admin_docs/ "/app/gracedb_project/docs/admin_docs/build/"
  ProxyPreserveHost on
  ProxyAddHeaders off
  ProxyPass "/robots.txt" "!"
  ProxyPass "/shibboleth-ds" "!"
  ProxyPass "/Shibboleth.sso" "!"
  ProxyPass "/static" "!"
  ProxyPass "/documentation" "!"
  ProxyPass "/admin_docs" "!"
  ProxyPass "/" "http://localhost:8080/" timeout=120
  ProxyPassReverse "/" "http://localhost:8080/"

  # This section is for apache2 timeout and keepalive tuning parameters. 
  # https://ioflood.com/blog/2020/02/21/what-is-apache-keepalive-timeout-how-to-optimize-this-critical-setting/
  
  # KeepAlive will... keep a connection alive for subsequent requests. 
  # Turn this on.
  KeepAlive On

  # The maximum number of requests served to a client before terminating the connection.
  # This can be large, possibly safely unlimited. (0 = unlimited)
  MaxKeepAliveRequests 0

  # The number of seconds Apache will wait for a subsequent request before closing the 
  # connection. Once a request has been received, the timeout value specified by the 
  # Timeout directive applies. Setting KeepAliveTimeout to a high value may cause 
  # performance problems in heavily loaded servers. The higher the timeout, the more 
  # server processes will be kept occupied waiting on connections with idle clients
  KeepAliveTimeout 5

  # Amount of time the server will wait for certain events before failing a 
  # request. The TimeOut directive defines the length of time Apache will wait for
  # I/O (e.g., when reading data from the client, when writing data to the client, etc.) 
  # Default: 300s. Try setting this lower, then do a test like a long query with the API
  # and in the browser and see what happens. 
  Timeout 60

  # Unset certain headers to help prevent spoofing
  RequestHeader unset REMOTE_USER
  RequestHeader unset ISMEMBEROF
  RequestHeader unset X_FORWARDED_FOR
  RequestHeader unset REMOTE_ADDR
  RequestHeader unset SSL_CLIENT_S_DN
  RequestHeader unset SSL_CLIENT_I_DN
  RequestHeader unset X_FORWARDED_PROTO

  # Get a few of them from the environment
  RequestHeader set X_FORWARDED_FOR "%{X_FORWARDED_FOR}e" env=X_FORWARDED_FOR
  RequestHeader set REMOTE_ADDR "%{REMOTE_ADDR}e" env=REMOTE_ADDR

  # Set X_FORWARDED_PROTO to https
  RequestHeader set X_FORWARDED_PROTO "https"

  # Increase the max allowable header size:
  LimitRequestFieldSize 16384

  # Set up mod_xsendfile for serving static event files as directed by Django
  XSendFile On
  XSendFilePath /app/db_data/

  Alias /shibboleth-ds/idpselect_config.js /etc/shibboleth-ds/idpselect_config.js
  Alias /shibboleth-ds/idpselect.js /etc/shibboleth-ds/idpselect.js
  Alias /shibboleth-ds/idpselect.css /etc/shibboleth-ds/idpselect.css

  <Directory /etc/shibboleth-ds>
    Require all granted
  </Directory>

  # Deny access to the DocumentRoot. This makes it possible to upload
  # large files. See notes.
  <Directory "/var/www/">
    Require all denied
  </Directory>

  <Directory "/app/gracedb_project/static_root/">
    AllowOverride None
    Options None
    Require all granted
  </Directory>

  Alias /robots.txt /app/gracedb_project/static_root/robots.txt

  <Location /Shibboleth.sso>
    SetHandler shib
    Require all granted
  </Location>

  <Location /shibboleth-sp>
    Require all granted
  </Location>

  <Location "/post-login/">
    AuthType Shibboleth
    Require shibboleth
    ShibRequestSetting requireSession true
    ShibUseHeaders On

    # use funky method to get REMOTE_USER variable
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set REMOTE_USER %{RU}e

    # this way only works with SSLEngine On because REMOTE_USER is secure variable
    #RequestHeader set REMOTE_USER %{REMOTE_USER}s
    RequestHeader set ISMEMBEROF "%{ISMEMBEROF}e" env=ISMEMBEROF
  </Location>

  <Directory "/app/gracedb_project/docs/user_docs/build/">
    Require all granted
  </Directory>

  # Restrict access to admin documentation
  <Location "/admin_docs/">
    AuthType Shibboleth
    ShibRequestSetting requireSession true
    ShibUseHeaders On
    Require shib-user duncan.meacher@ligo.org alexander.pace@ligo.org daniel.wysocki@ligo.org patrick.brady@ligo.org
  </Location>

</VirtualHost>