author | Rob Crittenden <rcritten@redhat.com> | 2008-02-21 16:25:09 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2008-02-21 16:25:09 -0500 |
commit | 49148dc34a5fbd40f8e500e59691cea1600c9a86 (patch) | |
tree | 5c9f12194f7a5e1594e643609de89e0cb4a38561 | |
parent | 84d1e08d7651d04fffc68d8e25f2568879840ae1 (diff) | |
Redirect users when they don't use the FQDN on both SSL and non-SSL ports
We update the mod_nss configuration (nss.conf) during installation to include
ipa-rewrite.conf to handle the SSL side.
433054
-rwxr-xr-x | ipa-server/ipa-server.spec | 6 | ||||
-rw-r--r-- | ipa-server/ipa-server.spec.in | 6 | ||||
-rw-r--r-- | ipa-server/ipaserver/httpinstance.py | 15 | ||||
-rw-r--r-- | ipa-server/xmlrpc-server/Makefile.am | 1 | ||||
-rw-r--r-- | ipa-server/xmlrpc-server/ipa-rewrite.conf | 12 | ||||
-rw-r--r-- | ipa-server/xmlrpc-server/ipa.conf | 13 |
6 files changed, 37 insertions, 16 deletions
diff --git a/ipa-server/ipa-server.spec b/ipa-server/ipa-server.spec index c0a79de3f..bdbe56ae9 100755 --- a/ipa-server/ipa-server.spec +++ b/ipa-server/ipa-server.spec @@ -1,6 +1,6 @@ Name: ipa-server Version: 0.99.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: IPA authentication server Group: System Environment/Base @@ -129,6 +129,7 @@ fi %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html %{_usr}/share/ipa/ipa_webgui.cfg %{_usr}/share/ipa/ipa.conf +%{_usr}/share/ipa/ipa-rewrite.conf %dir %{_usr}/share/ipa/ipagui %{_usr}/share/ipa/ipagui/* %dir %{_usr}/share/ipa/ipa_gui.egg-info @@ -150,6 +151,9 @@ fi %attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions %changelog +* Thu Feb 21 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-2 +- package new file ipa-rewrite.conf + * Thu Feb 21 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-1 - Version bump for release diff --git a/ipa-server/ipa-server.spec.in b/ipa-server/ipa-server.spec.in index c94845928..e41fa5502 100644 --- a/ipa-server/ipa-server.spec.in +++ b/ipa-server/ipa-server.spec.in @@ -1,6 +1,6 @@ Name: ipa-server Version: VERSION -Release: 1%{?dist} +Release: 2%{?dist} Summary: IPA authentication server Group: System Environment/Base @@ -129,6 +129,7 @@ fi %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html %{_usr}/share/ipa/ipa_webgui.cfg %{_usr}/share/ipa/ipa.conf +%{_usr}/share/ipa/ipa-rewrite.conf %dir %{_usr}/share/ipa/ipagui %{_usr}/share/ipa/ipagui/* %dir %{_usr}/share/ipa/ipa_gui.egg-info @@ -150,6 +151,9 @@ fi %attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions %changelog +* Thu Feb 21 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-2 +- package new file ipa-rewrite.conf + * Thu Feb 21 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-1 - Version bump for release diff --git a/ipa-server/ipaserver/httpinstance.py b/ipa-server/ipaserver/httpinstance.py index 17532ddb0..da89f6bd1 100644 --- a/ipa-server/ipaserver/httpinstance.py 
+++ b/ipa-server/ipaserver/httpinstance.py @@ -64,6 +64,7 @@ class HTTPInstance(service.Service): self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl) self.step("Setting mod_nss port to 443", self.__set_mod_nss_port) + self.step("Adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("creating a keytab for httpd", self.__create_http_keytab) self.step("Setting up ssl", self.__setup_ssl) @@ -122,8 +123,13 @@ class HTTPInstance(service.Service): sysrestore.backup_file("/etc/httpd/conf.d/ipa.conf") http_fd = open("/etc/httpd/conf.d/ipa.conf", "w") http_fd.write(http_txt) - http_fd.close() + http_fd.close() + http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa-rewrite.conf", self.sub_dict) + sysrestore.backup_file("/etc/httpd/conf.d/ipa-rewrite.conf") + http_fd = open("/etc/httpd/conf.d/ipa-rewrite.conf", "w") + http_fd.write(http_txt) + http_fd.close() def __disable_mod_ssl(self): if os.path.exists(SSL_CONF): @@ -133,7 +139,12 @@ class HTTPInstance(service.Service): def __set_mod_nss_port(self): sysrestore.backup_file(NSS_CONF) if installutils.update_file(NSS_CONF, '8443', '443') != 0: - print "Updating %s failed." % NSS_CONF + print "Updating port in %s failed." % NSS_CONF + + def __add_include(self): + """This should run after __set_mod_nss_port so is already backed up""" + if installutils.update_file(NSS_CONF, '</VirtualHost>', 'Include conf.d/ipa-rewrite.conf\n</VirtualHost>') != 0: + print "Adding Include conf.d/ipa-rewrite to %s failed." % NSS_CONF def __setup_ssl(self): ds_ca = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(self.realm))) diff --git a/ipa-server/xmlrpc-server/Makefile.am b/ipa-server/xmlrpc-server/Makefile.am index cf1420197..49457ba4c 100644 --- a/ipa-server/xmlrpc-server/Makefile.am +++ b/ipa-server/xmlrpc-server/Makefile.am 
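Review bot: The new ipa-rewrite.conf write in `__configure_http` (hunk at -122,8) repeats the bare `open`/`write`/`close` sequence already used for ipa.conf, so an exception from `write` leaves the handle open and can leave a truncated file in conf.d. That file is then Included inside the mod_nss virtual host, where a partial rule set would presumably either break httpd start-up or leave the redirects half-applied. A small private helper with `try`/`finally` would remove the duplication and close the handle on every path. The start of `__configure_http` is outside the hunk, so the ipa.conf template call is not shown in the sketch.

```python
    def __write_conf(self, name):
        """Render SHARE_DIR/<name> with sub_dict and install it in conf.d."""
        target = "/etc/httpd/conf.d/" + name
        txt = ipautil.template_file(ipautil.SHARE_DIR + name, self.sub_dict)
        sysrestore.backup_file(target)
        fd = open(target, "w")
        try:
            fd.write(txt)
        finally:
            fd.close()

    # … unchanged: start of __configure_http and the ipa.conf write …
        self.__write_conf("ipa-rewrite.conf")
```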
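Review bot: In `__add_include` (hunk at -133,7) a failed `update_file` is only printed, so the install carries on with the SSL virtual host missing the FQDN redirect and nothing in the step outcome records it; the reworded message in `__set_mod_nss_port` has the same shape. Raising, or at least logging at error level, would make the gap visible, e.g. `raise RuntimeError("Adding Include conf.d/ipa-rewrite.conf to %s failed" % NSS_CONF)`. The replacement is also keyed on the bare string `</VirtualHost>`: `update_file` is not shown here, but if it rewrites every match, then a second installer run or an nss.conf with more than one virtual host would end up with duplicate Include lines, so checking first that `Include conf.d/ipa-rewrite.conf` is not already present would make the step idempotent. The docstring could state the dependency more plainly: `"""Add the rewrite Include to nss.conf; relies on __set_mod_nss_port having backed the file up."""`.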
@@ -24,6 +24,7 @@ server_PYTHON = \ appdir = $(IPA_DATA_DIR) app_DATA = \ ipa.conf \ + ipa-rewrite.conf \ $(NULL) EXTRA_DIST = \ diff --git a/ipa-server/xmlrpc-server/ipa-rewrite.conf b/ipa-server/xmlrpc-server/ipa-rewrite.conf new file mode 100644 index 000000000..977be7398 --- /dev/null +++ b/ipa-server/xmlrpc-server/ipa-rewrite.conf @@ -0,0 +1,12 @@ +RewriteEngine on + +# Redirect to the fully-qualified hostname. Not redirecting to secure +# port so configuration files can be retrieved without requiring SSL. +RewriteCond %{HTTP_HOST} !^$FQDN$$ [NC] +RewriteRule ^/(.*) http://$FQDN/$$1 [L,R=301] + +# Redirect to the secure port if not displaying an error or retrieving +# configuration. +RewriteCond %{SERVER_PORT} !^443$$ +RewriteCond %{REQUEST_URI} !^/(errors|config|favicon.ico) +RewriteRule ^/(.*) https://$FQDN/$$1 [L,R=301,NC] diff --git a/ipa-server/xmlrpc-server/ipa.conf b/ipa-server/xmlrpc-server/ipa.conf index 4e8bf528f..10c9b5ec2 100644 --- a/ipa-server/xmlrpc-server/ipa.conf +++ b/ipa-server/xmlrpc-server/ipa.conf @@ -2,18 +2,7 @@ ProxyRequests Off -RewriteEngine on - -# Redirect to the fully-qualified hostname. Not redirecting to secure -# port so configuration files can be retrieved without requiring SSL. -RewriteCond %{HTTP_HOST} !^$FQDN$$ [NC] -RewriteRule ^/(.*) http://$FQDN/$$1 [L,R=301] - -# Redirect to the secure port if not displaying an error or retrieving -# configuration. -RewriteCond %{SERVER_PORT} !^443$$ -RewriteCond %{REQUEST_URI} !^/(errors|config|favicon.ico) -RewriteRule ^/(.*) https://$FQDN/$$1 [L,R=301,NC] +# ipa-rewrite.conf is loaded separately # This is required so the auto-configuration works with Firefox 2+ AddType application/java-archive jar |
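Review bot: In the new ipa-rewrite.conf, the first rule always redirects to `http://$FQDN/`, and the file is now Included inside the mod_nss virtual host as well, so a client that reaches the SSL port with a short or alternate hostname is sent to plain HTTP before the second rule brings it back to HTTPS. That intermediate hop exposes the request path and any cookies not marked Secure. A variant placed ahead of the existing rule would keep SSL requests on SSL: `RewriteCond %{HTTP_HOST} !^$FQDN$$ [NC]`, `RewriteCond %{SERVER_PORT} ^443$$`, `RewriteRule ^/(.*) https://$FQDN/$$1 [L,R=301]`. The header comment should also say that the file is loaded in both the plain and the SSL context. Separately, `$FQDN` is substituted into the `HTTP_HOST` pattern unescaped, so its dots match any character; the redirect target is fixed, which limits the impact, but escaping the dots would make the match exact.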