Diffstat (limited to 'install/conf')
-rw-r--r-- | install/conf/ipa-rewrite.conf | 19 | ||||
-rw-r--r-- | install/conf/ipa.conf | 109 |
2 files changed, 128 insertions, 0 deletions
diff --git a/install/conf/ipa-rewrite.conf b/install/conf/ipa-rewrite.conf
new file mode 100644
index 000000000..ef494300c
--- /dev/null
+++ b/install/conf/ipa-rewrite.conf
@@ -0,0 +1,19 @@
+# VERSION 2 - DO NOT REMOVE THIS LINE
+
+RewriteEngine on
+
+# By default forward all requests to /ipa. If you don't want IPA
+# to be the default on your web server comment this line out. You will
+# need to modify ipa_webgui.cfg as well.
+RewriteRule ^/$$ https://$FQDN/ipa/ui [L,NC,R=301]
+
+# Redirect to the fully-qualified hostname. Not redirecting to secure
+# port so configuration files can be retrieved without requiring SSL.
+RewriteCond %{HTTP_HOST} !^$FQDN$$ [NC]
+RewriteRule ^/ipa/(.*) http://$FQDN/ipa/$$1 [L,R=301]
+
+# Redirect to the secure port if not displaying an error or retrieving
+# configuration.
+RewriteCond %{SERVER_PORT} !^443$$
+RewriteCond %{REQUEST_URI} !^/ipa/(errors|config)
+RewriteRule ^/ipa/(.*) https://$FQDN/ipa/$$1 [L,R=301,NC]
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
new file mode 100644
index 000000000..85b4543af
--- /dev/null
+++ b/install/conf/ipa.conf
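Review bot: The final RewriteCond exempts `/ipa/config` from the HTTPS redirect, so the MIT Kerberos client configuration files that ipa.conf aliases at that path are retrievable over plaintext HTTP, where their integrity cannot be verified by the client fetching them; for a Kerberos client that file is effectively a trust anchor. The comment above says this is deliberate so configuration can be fetched without SSL, but the trade-off deserves an explicit note next to the rule, e.g. `# NOTE: /ipa/config is intentionally reachable over plain HTTP; clients cannot verify its integrity.` If plaintext is only required for the error pages, narrowing the exemption to `RewriteCond %{REQUEST_URI} !^/ipa/errors` removes the exposure. The host-canonicalising rule two lines earlier also redirects to `http://` regardless of the port the request arrived on, so an HTTPS request with a non-canonical Host takes a plaintext hop before the third rule bounces it back to HTTPS.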
@@ -0,0 +1,109 @@
+#
+# VERSION 2 - DO NOT REMOVE THIS LINE
+#
+# LoadModule auth_kerb_module modules/mod_auth_kerb.so
+
+ProxyRequests Off
+
+# ipa-rewrite.conf is loaded separately
+
+# This is required so the auto-configuration works with Firefox 2+
+AddType application/java-archive jar
+
+<ProxyMatch ^.*/ipa/ui.*$$>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate on
+ KrbMethodK5Passwd off
+ KrbServiceName HTTP
+ KrbAuthRealms $REALM
+ Krb5KeyTab /etc/httpd/conf/ipa.keytab
+ KrbSaveCredentials on
+ Require valid-user
+ ErrorDocument 401 /ipa/errors/unauthorized.html
+ RewriteEngine on
+ Order deny,allow
+ Allow from all
+
+ RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e
+
+ # RequestHeader unset Authorization
+</ProxyMatch>
+
+# The URI's with a trailing ! are those that aren't handled by the proxy
+ProxyPass /ipa/ui http://localhost:8080/ipa/ui
+ProxyPassReverse /ipa/ui http://localhost:8080/ipa/ui
+
+# Configure the XML-RPC service
+Alias /ipa/xml "/usr/share/ipa/ipaserver/XMLRPC"
+
+# This is where we redirect on failed auth
+Alias /ipa/errors "/usr/share/ipa/html"
+
+# For the MIT Windows config files
+Alias /ipa/config "/usr/share/ipa/html"
+
+<Directory "/usr/share/ipa/ipaserver">
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate on
+ KrbMethodK5Passwd off
+ KrbServiceName HTTP
+ KrbAuthRealms $REALM
+ Krb5KeyTab /etc/httpd/conf/ipa.keytab
+ KrbSaveCredentials on
+ Require valid-user
+ ErrorDocument 401 /ipa/errors/unauthorized.html
+
+ SetHandler mod_python
+ PythonHandler ipaxmlrpc
+
+ PythonDebug Off
+
+ PythonOption IPADebug Off
+
+ # this is pointless to use since it would just reload ipaxmlrpc.py
+ PythonAutoReload Off
+</Directory>
+
+# Do no authentication on the directory that contains error messages
+<Directory "/usr/share/ipa/html">
+ AllowOverride None
+ Satisfy Any
+ Allow from all
+</Directory>
+
+# Protect our CGIs
+<Directory /var/www/cgi-bin>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate on
+ KrbMethodK5Passwd off
+ KrbServiceName HTTP
+ KrbAuthRealms $REALM
+ Krb5KeyTab /etc/httpd/conf/ipa.keytab
+ KrbSaveCredentials on
+ Require valid-user
+ ErrorDocument 401 /ipa/errors/unauthorized.html
+</Directory>
+
+#Alias /ipatest "/usr/share/ipa/ipatest"
+
+#<Directory "/usr/share/ipa/ipatest">
+# AuthType Kerberos
+# AuthName "Kerberos Login"
+# KrbMethodNegotiate on
+# KrbMethodK5Passwd off
+# KrbServiceName HTTP
+# KrbAuthRealms $REALM
+# Krb5KeyTab /etc/httpd/conf/ipa.keytab
+# KrbSaveCredentials on
+# Require valid-user
+# ErrorDocument 401 /ipa/errors/unauthorized.html
+#
+# SetHandler mod_python
+# PythonHandler test_mod_python
+#
+# PythonDebug Off
+#
+#</Directory>
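Review bot: `RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e` in the ProxyMatch block makes the backend behind `ProxyPass /ipa/ui http://localhost:8080/ipa/ui` trust a credential-cache path carried in a request header, which is only sound while that backend is reachable exclusively through this proxy; nothing in the hunk shows how port 8080 is bound, so that assumption should be stated, e.g. `# The backend must only be reachable via this proxy: it trusts X-Forwarded-Keytab as set here.` The `# RequestHeader unset Authorization` line being left commented means the client's Negotiate token is also forwarded to the backend after mod_auth_kerb has already authenticated the request, and a one-line comment on why it is still needed (or enabling the unset) would make the intent clear. As a point of style, the same Kerberos stanza (`AuthType Kerberos` through `ErrorDocument 401 ...`) is duplicated verbatim in the ProxyMatch block and both protected Directory blocks, plus once more commented out, so a later change to `Krb5KeyTab` or `KrbAuthRealms` has to be made in four places; a note at the top such as `# NOTE: the Kerberos auth stanza is repeated per location; keep every copy identical.` would reduce drift.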