summaryrefslogtreecommitdiffstats
path: root/install
diff options
context:
space:
mode:
authorJason Gerard DeRose <jderose@redhat.com>2010-02-24 11:29:23 -0700
committerJason Gerard DeRose <jderose@redhat.com>2010-03-01 20:22:22 -0700
commit1d529a8d09a2577da9a3883572c2f8ae6dd04d58 (patch)
tree79f3ae824c739232b8c3ac835f04e3799ec4ce60 /install
parent942919bef77030b10a96cab66ab878a8a3d7ef10 (diff)
downloadfreeipa-1d529a8d09a2577da9a3883572c2f8ae6dd04d58.tar.gz
freeipa-1d529a8d09a2577da9a3883572c2f8ae6dd04d58.tar.xz
freeipa-1d529a8d09a2577da9a3883572c2f8ae6dd04d58.zip
Run ipaserver under mod_wsgi
Diffstat (limited to 'install')
-rw-r--r--install/conf/ipa.conf103
-rw-r--r--install/share/Makefile.am1
-rw-r--r--install/share/wsgi.py13
3 files changed, 54 insertions, 63 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index f5987fbea..dba47c5a4 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -4,7 +4,6 @@
# LoadModule auth_kerb_module modules/mod_auth_kerb.so
ProxyRequests Off
-PythonImport ipaserver main_interpreter
# ipa-rewrite.conf is loaded separately
@@ -12,79 +11,47 @@ PythonImport ipaserver main_interpreter
AddType application/java-archive jar
+# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
+# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
+WSGISocketPrefix /var/run/httpd/wsgi
-<Location "/ipa">
- AuthType Kerberos
- AuthName "Kerberos Login"
- KrbMethodNegotiate on
- KrbMethodK5Passwd off
- KrbServiceName HTTP
- KrbAuthRealms $REALM
- Krb5KeyTab /etc/httpd/conf/ipa.keytab
- KrbSaveCredentials on
- Require valid-user
- ErrorDocument 401 /ipa/errors/unauthorized.html
-
- SetHandler python-program
- PythonInterpreter main_interpreter
- PythonHandler ipaserver::handler
- PythonDebug Off
- PythonOption SCRIPT_NAME /ipa
- PythonAutoReload Off
-
-</Location>
-
-#<Location "/ipa/xml">
-# SetHandler python-program
-# PythonInterpreter main_interpreter
-# PythonHandler ipaserver::xmlrpc
-# PythonDebug Off
-# PythonOption SCRIPT_NAME /ipa/xml
-# PythonAutoReload Off
-#</Location>
-
-#<Location "/ipa/json">
-# SetHandler python-program
-# PythonInterpreter main_interpreter
-# PythonHandler ipaserver::jsonrpc
-# PythonDebug Off
-# PythonOption SCRIPT_NAME /ipa/json
-# PythonAutoReload Off
-#</Location>
-
-#<Location "/ipa/ui">
-# SetHandler python-program
-# PythonInterpreter main_interpreter
-# PythonHandler ipaserver::webui
-# PythonDebug Off
-# PythonOption SCRIPT_NAME /ipa/ui
-# PythonAutoReload Off
-#</Location>
-Alias /ipa-assets/ "/var/cache/ipa/assets/"
-<Directory "/var/cache/ipa/assets">
- Allow from all
- AllowOverride None
- # add Indexes to Options to allow browsing
- Options FollowSymLinks
- ExpiresActive On
- ExpiresDefault A31536000
-</Directory>
+# Configure mod_wsgi handler for /ipa
+WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500
+WSGIProcessGroup ipa
+WSGIApplicationGroup ipa
+WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
+WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
+WSGIScriptReloading Off
+# Turn off mod_msgi handler for errors, config, crl:
<Location "/ipa/errors">
SetHandler None
</Location>
-
<Location "/ipa/config">
SetHandler None
</Location>
-
<Location "/ipa/crl">
SetHandler None
</Location>
+# Protect /ipa with Kerberos
+<Location "/ipa">
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate on
+ KrbMethodK5Passwd off
+ KrbServiceName HTTP
+ KrbAuthRealms $REALM
+ Krb5KeyTab /etc/httpd/conf/ipa.keytab
+ KrbSaveCredentials on
+ Require valid-user
+ ErrorDocument 401 /ipa/errors/unauthorized.html
+</Location>
+
+
# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"
@@ -102,7 +69,6 @@ Alias /ipa/config "/usr/share/ipa/html"
# For CRL publishing
Alias /ipa/crl "/var/lib/pki-ca/publish"
-
<Directory "/var/lib/pki-ca/publish">
SetHandler None
AllowOverride None
@@ -111,6 +77,18 @@ Alias /ipa/crl "/var/lib/pki-ca/publish"
Allow from all
</Directory>
+
+# WebUI assets
+Alias /ipa-assets/ "/var/cache/ipa/assets/"
+<Directory "/var/cache/ipa/assets">
+ Allow from all
+ AllowOverride None
+ Options FollowSymLinks
+ ExpiresActive On
+ ExpiresDefault A31536000
+</Directory>
+
+
# Protect our CGIs
<Directory /var/www/cgi-bin>
AuthType Kerberos
@@ -125,20 +103,19 @@ Alias /ipa/crl "/var/lib/pki-ca/publish"
ErrorDocument 401 /ipa/errors/unauthorized.html
</Directory>
+
# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"
-
<Directory "/usr/share/ipa/migration">
AllowOverride None
Satisfy Any
Allow from all
-
AddHandler mod_python .py
PythonHandler mod_python.publisher
</Directory>
-#Alias /ipatest "/usr/share/ipa/ipatest"
+#Alias /ipatest "/usr/share/ipa/ipatest"
#<Directory "/usr/share/ipa/ipatest">
# AuthType Kerberos
# AuthName "Kerberos Login"
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index e3e7cf606..92d50775f 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -38,6 +38,7 @@ app_DATA = \
unique-attributes.ldif \
schema_compat.uldif \
ldapi.ldif \
+ wsgi.py \
$(NULL)
EXTRA_DIST = \
diff --git a/install/share/wsgi.py b/install/share/wsgi.py
new file mode 100644
index 000000000..457d8e024
--- /dev/null
+++ b/install/share/wsgi.py
@@ -0,0 +1,13 @@
+"""
+WSGI appliction for IPA server.
+"""
+
+from ipalib import api
+api.bootstrap(context='server', debug=True, log=None)
+api.finalize()
+api.log.info('*** PROCESS START ***')
+import ipawebui
+ui = ipawebui.create_wsgi_app(api)
+
+# This is the WSGI callable:
+application = api.Backend.session