# Server-wide default host name; ${DJANGO_PRIMARY_FQDN} is expanded by Apache
# from a variable that is not defined in the visible part of this file.
ServerName ${DJANGO_PRIMARY_FQDN}

<VirtualHost *:80>
  # The canonical name carries an explicit https scheme and port 443 even
  # though this vhost listens on *:80.
  # NOTE(review): presumably TLS is terminated in front of this server -- confirm.
  ServerName https://${DJANGO_PRIMARY_FQDN}:443
  # Build self-referential URLs from ServerName, not from the client's Host header.
  UseCanonicalName On
  # NOTE(review): ServerSignature On appends a server footer to pages Apache
  # generates itself (error documents, listings); hardening baselines usually
  # prefer Off -- confirm whether the footer is wanted here.
  ServerSignature On
  # Error and access logs are written to stderr / stdout rather than to files.
  ErrorLog /dev/stderr
  Transferlog /dev/stdout

  # Contact address Apache may show on server-generated error pages.
  ServerAdmin cgca-admins@uwm.edu

  ## Log format
  # Default access-log format (no nickname): a literal "APACHE | " prefix, then
  # client address, identd name, user, time, request line, final status,
  # response size, Referer and User-Agent.
  LogFormat "APACHE | %a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""

  ## Vhost docroot
  DocumentRoot "/var/www/html"

  ## Directories, there should at least be a declaration for /var/www/html

  # NOTE(review): Indexes enables automatic directory listings and this section
  # grants access to every client. A <Directory "/var/www/"> section with
  # "Require all denied" appears later in this vhost; presumably this more
  # specific section takes precedence for /var/www/html -- confirm which of the
  # two is intended and whether Indexes and MultiViews are needed at all.
  <Directory "/var/www/html">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
  </Directory>

  ## Custom fragment
  # gUnicorn edits
  # Map the three discovery-service asset URLs under /shibboleth-ds/ to the
  # files of the same name in /etc/shibboleth-ds.
  Alias /shibboleth-ds/idpselect_config.js /etc/shibboleth-ds/idpselect_config.js
  Alias /shibboleth-ds/idpselect.js /etc/shibboleth-ds/idpselect.js
  Alias /shibboleth-ds/idpselect.css /etc/shibboleth-ds/idpselect.css
  # Serve /static/ straight from the project's static_root directory on disk.
  Alias /static/ "/app/gracedb_project/static_root/"
  # Aliases for docs and admin_docs
  # /documentation/ is readable by everyone; /admin_docs/ is limited to named
  # Shibboleth users by a <Location> section later in this vhost.
  Alias /documentation/ "/app/gracedb_project/docs/user_docs/build/"
  Alias /admin_docs/ "/app/gracedb_project/docs/admin_docs/build/"
  # Pass the client's original Host header through to the backend.
  ProxyPreserveHost on
  # Stop mod_proxy from adding X-Forwarded-For/-Host/-Server on its own; the
  # forwarding headers sent to the backend are set explicitly further down.
  ProxyAddHeaders off
  # Paths marked "!" are served by Apache itself and never proxied. They are
  # listed before the catch-all because ProxyPass rules are checked in
  # configuration order and the first match wins.
  ProxyPass "/robots.txt" "!"
  ProxyPass "/shibboleth-ds" "!"
  ProxyPass "/Shibboleth.sso" "!"
  ProxyPass "/static" "!"
  ProxyPass "/documentation" "!"
  ProxyPass "/admin_docs" "!"
  # Everything else goes to the application server listening on localhost:8080.
  ProxyPass "/" "http://localhost:8080/"

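  # Unset certain headers to help prevent spoofing: whatever the client sent
  # under these names is dropped, so the backend only sees values that this
  # server sets itself further down.
  RequestHeader unset REMOTE_USER
  RequestHeader unset ISMEMBEROF
  RequestHeader unset X_FORWARDED_FOR
  RequestHeader unset REMOTE_ADDR
  RequestHeader unset SSL_CLIENT_S_DN
  RequestHeader unset SSL_CLIENT_I_DN
  RequestHeader unset X_FORWARDED_PROTO

  # mod_headers matches the name exactly as written, but CGI/WSGI-style
  # backends fold "-" and "_" into the same variable (Remote-User and
  # REMOTE_USER both become HTTP_REMOTE_USER). Strip the hyphenated spelling
  # of the identity header as well, so a client-supplied copy cannot reach the
  # backend next to, or instead of, the value set after authentication.
  RequestHeader unset Remote-User
  # NOTE(review): the hyphenated spellings of the other names above
  # (X-Forwarded-For, X-Forwarded-Proto, SSL-Client-S-DN, SSL-Client-I-DN) are
  # not stripped here because a front-end proxy may set them legitimately --
  # confirm, and unset them too if nothing in front of this server sends them.

  # Get a few of them from the environment; each header is only set when the
  # environment variable of the same name exists (env=...).
  RequestHeader set X_FORWARDED_FOR "%{X_FORWARDED_FOR}e" env=X_FORWARDED_FOR
  RequestHeader set REMOTE_ADDR "%{REMOTE_ADDR}e" env=REMOTE_ADDR

  # Set X_FORWARDED_PROTO to https
  # NOTE(review): this is unconditional on a vhost bound to *:80, so the
  # backend treats every request as having arrived over TLS. That presumably
  # relies on a TLS-terminating front end being the only way to reach this
  # port -- confirm port 80 is not reachable directly.
  RequestHeader set X_FORWARDED_PROTO "https"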

  # Set up mod_xsendfile for serving static event files as directed by Django
  # (the backend names a file in an X-Sendfile response header and Apache
  # delivers it).
  XSendFile On
  # Only files below this directory may be delivered through X-Sendfile.
  XSendFilePath /app/db_data/

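  # The three /shibboleth-ds/ Alias mappings are declared once, earlier in
  # this vhost, and are not repeated here: an identical second Alias can never
  # match because the first one always wins.

  # Let Apache read the discovery-service assets those aliases point to.
  <Directory /etc/shibboleth-ds>
    Require all granted
  </Directory>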

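  # Deny access to the DocumentRoot. This makes it possible to upload
  # large files. See notes.
  # NOTE(review): the DocumentRoot is /var/www/html, which has its own
  # <Directory> section with "Require all granted" earlier in this vhost;
  # presumably that more specific section wins for the docroot itself, so this
  # deny only covers the rest of /var/www/ -- confirm the intent.
  <Directory "/var/www/">
    Require all denied
  </Directory>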

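  # Static assets behind the /static/ alias: readable by everyone, with
  # .htaccess overrides disabled and no optional features (Options None).
  <Directory "/app/gracedb_project/static_root/">
    AllowOverride None
    Options None
    Require all granted
  </Directory>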

  # NOTE(review): this path is under /home/gracedb/, while the /static/ alias
  # and its <Directory> section use /app/gracedb_project/static_root/, and no
  # <Directory> grant for /home/gracedb/ is visible in this vhost -- confirm
  # the file exists there and is readable, since /robots.txt is excluded from
  # the proxy and is answered (or refused) by Apache itself.
  Alias /robots.txt /home/gracedb/gracedb_project/static_root/robots.txt

  # Hand /Shibboleth.sso to the Shibboleth module's handler; the endpoint is
  # reachable without prior authentication.
  <Location /Shibboleth.sso>
    SetHandler shib
    Require all granted
  </Location>

  # Open /shibboleth-sp to every client.
  # NOTE(review): no Alias and no ProxyPass "!" exclusion for /shibboleth-sp is
  # visible in this vhost, so these requests presumably fall through to the
  # catch-all proxy rule -- confirm that is intended.
  <Location /shibboleth-sp>
    Require all granted
  </Location>

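  # Everything under /post-login/ requires an active Shibboleth session; the
  # authenticated identity is then handed to the backend in request headers.
  <Location "/post-login/">
    AuthType Shibboleth
    Require shibboleth
    ShibRequestSetting requireSession true
    # Export the session attributes as request headers as well as environment
    # variables.
    ShibUseHeaders On

    # use funky method to get REMOTE_USER variable
    # (the look-ahead %{LA-U:...} reads REMOTE_USER as it will be once
    # authentication has run, and the rule copies it into the RU variable)
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    # Only set the header when RU was actually captured: without env=RU an
    # unset variable is forwarded as the literal string "(null)", which the
    # backend could mistake for a user name. Same pattern as ISMEMBEROF below.
    RequestHeader set REMOTE_USER "%{RU}e" env=RU

    # this way only works with SSLEngine On because REMOTE_USER is secure variable
    #RequestHeader set REMOTE_USER %{REMOTE_USER}s

    # Forward group membership only when the ISMEMBEROF variable is set.
    RequestHeader set ISMEMBEROF "%{ISMEMBEROF}e" env=ISMEMBEROF
  </Location>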

  # Built user documentation (target of the /documentation/ alias) is readable
  # by every client, no authentication required.
  <Directory "/app/gracedb_project/docs/user_docs/build/">
    Require all granted
  </Directory>

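  # Restrict access to admin documentation
  # A Shibboleth session is required and only the users named in the Require
  # line are let in.
  # NOTE(review): the allow-list is hard-coded, so every change in who may
  # read the admin docs needs a config edit and reload -- consider a
  # group-based rule if the identity provider supplies one.
  <Location "/admin_docs/">
    AuthType Shibboleth
    ShibRequestSetting requireSession true
    ShibUseHeaders On
    Require shib-user tanner.prestegard@LIGO.ORG alexander.pace@LIGO.ORG patrick.brady@LIGO.ORG thomas.downes@LIGO.ORG
  </Location>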

</VirtualHost>