authorJason Gerard DeRose <jderose@redhat.com>2010-02-24 11:29:23 -0700
committerJason Gerard DeRose <jderose@redhat.com>2010-03-01 20:22:22 -0700
commit1d529a8d09a2577da9a3883572c2f8ae6dd04d58 (patch)
tree79f3ae824c739232b8c3ac835f04e3799ec4ce60 /install/conf
parent942919bef77030b10a96cab66ab878a8a3d7ef10 (diff)
Run ipaserver under mod_wsgi
Diffstat (limited to 'install/conf')
-rw-r--r--install/conf/ipa.conf103
1 files changed, 40 insertions, 63 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index f5987fbea..dba47c5a4 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -4,7 +4,6 @@
# LoadModule auth_kerb_module modules/mod_auth_kerb.so
ProxyRequests Off
-PythonImport ipaserver main_interpreter
# ipa-rewrite.conf is loaded separately
@@ -12,79 +11,47 @@ PythonImport ipaserver main_interpreter
AddType application/java-archive jar
+# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
+# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
+WSGISocketPrefix /var/run/httpd/wsgi
-<Location "/ipa">
- AuthType Kerberos
- AuthName "Kerberos Login"
- KrbMethodNegotiate on
- KrbMethodK5Passwd off
- KrbServiceName HTTP
- KrbAuthRealms $REALM
- Krb5KeyTab /etc/httpd/conf/ipa.keytab
- KrbSaveCredentials on
- Require valid-user
- ErrorDocument 401 /ipa/errors/unauthorized.html
-
- SetHandler python-program
- PythonInterpreter main_interpreter
- PythonHandler ipaserver::handler
- PythonDebug Off
- PythonOption SCRIPT_NAME /ipa
- PythonAutoReload Off
-
-</Location>
-
-#<Location "/ipa/xml">
-# SetHandler python-program
-# PythonInterpreter main_interpreter
-# PythonHandler ipaserver::xmlrpc
-# PythonDebug Off
-# PythonOption SCRIPT_NAME /ipa/xml
-# PythonAutoReload Off
-#</Location>
-
-#<Location "/ipa/json">
-# SetHandler python-program
-# PythonInterpreter main_interpreter
-# PythonHandler ipaserver::jsonrpc
-# PythonDebug Off
-# PythonOption SCRIPT_NAME /ipa/json
-# PythonAutoReload Off
-#</Location>
-
-#<Location "/ipa/ui">
-# SetHandler python-program
-# PythonInterpreter main_interpreter
-# PythonHandler ipaserver::webui
-# PythonDebug Off
-# PythonOption SCRIPT_NAME /ipa/ui
-# PythonAutoReload Off
-#</Location>
-Alias /ipa-assets/ "/var/cache/ipa/assets/"
-<Directory "/var/cache/ipa/assets">
- Allow from all
- AllowOverride None
- # add Indexes to Options to allow browsing
- Options FollowSymLinks
- ExpiresActive On
- ExpiresDefault A31536000
-</Directory>
+# Configure mod_wsgi handler for /ipa
+WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500
+WSGIProcessGroup ipa
+WSGIApplicationGroup ipa
+WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
+WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
+WSGIScriptReloading Off
+# Turn off mod_msgi handler for errors, config, crl:
<Location "/ipa/errors">
SetHandler None
</Location>
-
<Location "/ipa/config">
SetHandler None
</Location>
-
<Location "/ipa/crl">
SetHandler None
</Location>
+# Protect /ipa with Kerberos
+<Location "/ipa">
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate on
+ KrbMethodK5Passwd off
+ KrbServiceName HTTP
+ KrbAuthRealms $REALM
+ Krb5KeyTab /etc/httpd/conf/ipa.keytab
+ KrbSaveCredentials on
+ Require valid-user
+ ErrorDocument 401 /ipa/errors/unauthorized.html
+</Location>
+
+
# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"
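Review bot: `WSGIProcessGroup ipa` and `WSGIApplicationGroup ipa` are set at server scope here, so they are not limited to `/ipa`: any other WSGI application configured on the same httpd instance would inherit them and run in the same daemon processes and interpreter as the IPA server code, which works with the credentials saved by `KrbSaveCredentials on`. Moving both lines inside the new `<Location "/ipa">` block keeps the delegation scoped to this application. `WSGIScriptReloading Off` has the same server-wide reach and could move with them. Separately, the added comments carry two typos worth fixing while here: `mod_msgi` should read `mod_wsgi`, and `by adding this its` should read `by adding this to its`.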
@@ -102,7 +69,6 @@ Alias /ipa/config "/usr/share/ipa/html"
# For CRL publishing
Alias /ipa/crl "/var/lib/pki-ca/publish"
-
<Directory "/var/lib/pki-ca/publish">
SetHandler None
AllowOverride None
@@ -111,6 +77,18 @@ Alias /ipa/crl "/var/lib/pki-ca/publish"
Allow from all
</Directory>
+
+# WebUI assets
+Alias /ipa-assets/ "/var/cache/ipa/assets/"
+<Directory "/var/cache/ipa/assets">
+ Allow from all
+ AllowOverride None
+ Options FollowSymLinks
+ ExpiresActive On
+ ExpiresDefault A31536000
+</Directory>
+
+
# Protect our CGIs
<Directory /var/www/cgi-bin>
AuthType Kerberos
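Review bot: The re-added `/var/cache/ipa/assets` block serves content to unauthenticated clients (`Allow from all`, and `/ipa-assets/` does not fall under the Kerberos-protected `/ipa` location) with `Options FollowSymLinks`, so httpd will follow any symlink that ends up in that cache directory. If the directory is writable by the process that generates the assets, which is not visible from this hunk, `Options SymLinksIfOwnerMatch` or `Options None` would be the safer setting. The move also drops the old `# add Indexes to Options to allow browsing` comment; a short replacement such as `# Static WebUI assets: served without authentication, keep Indexes off` would make the intent explicit. The `<Directory /var/www/cgi-bin>` block at the end of the hunk continues outside it.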
@@ -125,20 +103,19 @@ Alias /ipa/crl "/var/lib/pki-ca/publish"
ErrorDocument 401 /ipa/errors/unauthorized.html
</Directory>
+
# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"
-
<Directory "/usr/share/ipa/migration">
AllowOverride None
Satisfy Any
Allow from all
-
AddHandler mod_python .py
PythonHandler mod_python.publisher
</Directory>
-#Alias /ipatest "/usr/share/ipa/ipatest"
+#Alias /ipatest "/usr/share/ipa/ipatest"
#<Directory "/usr/share/ipa/ipatest">
# AuthType Kerberos
# AuthName "Kerberos Login"