diff options
author | Jason Gerard DeRose <jderose@redhat.com> | 2010-02-24 11:29:23 -0700 |
---|---|---|
committer | Jason Gerard DeRose <jderose@redhat.com> | 2010-03-01 20:22:22 -0700 |
commit | 1d529a8d09a2577da9a3883572c2f8ae6dd04d58 (patch) | |
tree | 79f3ae824c739232b8c3ac835f04e3799ec4ce60 /install/conf | |
parent | 942919bef77030b10a96cab66ab878a8a3d7ef10 (diff) | |
download | freeipa-1d529a8d09a2577da9a3883572c2f8ae6dd04d58.tar.gz freeipa-1d529a8d09a2577da9a3883572c2f8ae6dd04d58.tar.xz freeipa-1d529a8d09a2577da9a3883572c2f8ae6dd04d58.zip |
Run ipaserver under mod_wsgi
Diffstat (limited to 'install/conf')
-rw-r--r-- | install/conf/ipa.conf | 103 |
1 files changed, 40 insertions, 63 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index f5987fbe..dba47c5a 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -4,7 +4,6 @@ # LoadModule auth_kerb_module modules/mod_auth_kerb.so ProxyRequests Off -PythonImport ipaserver main_interpreter # ipa-rewrite.conf is loaded separately @@ -12,79 +11,47 @@ PythonImport ipaserver main_interpreter AddType application/java-archive jar +# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package +# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf: +WSGISocketPrefix /var/run/httpd/wsgi -<Location "/ipa"> - AuthType Kerberos - AuthName "Kerberos Login" - KrbMethodNegotiate on - KrbMethodK5Passwd off - KrbServiceName HTTP - KrbAuthRealms $REALM - Krb5KeyTab /etc/httpd/conf/ipa.keytab - KrbSaveCredentials on - Require valid-user - ErrorDocument 401 /ipa/errors/unauthorized.html - - SetHandler python-program - PythonInterpreter main_interpreter - PythonHandler ipaserver::handler - PythonDebug Off - PythonOption SCRIPT_NAME /ipa - PythonAutoReload Off - -</Location> - -#<Location "/ipa/xml"> -# SetHandler python-program -# PythonInterpreter main_interpreter -# PythonHandler ipaserver::xmlrpc -# PythonDebug Off -# PythonOption SCRIPT_NAME /ipa/xml -# PythonAutoReload Off -#</Location> - -#<Location "/ipa/json"> -# SetHandler python-program -# PythonInterpreter main_interpreter -# PythonHandler ipaserver::jsonrpc -# PythonDebug Off -# PythonOption SCRIPT_NAME /ipa/json -# PythonAutoReload Off -#</Location> - -#<Location "/ipa/ui"> -# SetHandler python-program -# PythonInterpreter main_interpreter -# PythonHandler ipaserver::webui -# PythonDebug Off -# PythonOption SCRIPT_NAME /ipa/ui -# PythonAutoReload Off -#</Location> -Alias /ipa-assets/ "/var/cache/ipa/assets/" -<Directory "/var/cache/ipa/assets"> - Allow from all - AllowOverride None - # add Indexes to Options to allow browsing - Options FollowSymLinks - ExpiresActive On - ExpiresDefault A31536000 -</Directory> +# Configure mod_wsgi handler for /ipa +WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 +WSGIProcessGroup ipa +WSGIApplicationGroup ipa +WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa +WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py +WSGIScriptReloading Off +# Turn off mod_msgi handler for errors, config, crl: <Location "/ipa/errors"> SetHandler None </Location> - <Location "/ipa/config"> SetHandler None </Location> - <Location "/ipa/crl"> SetHandler None </Location> +# Protect /ipa with Kerberos +<Location "/ipa"> + AuthType Kerberos + AuthName "Kerberos Login" + KrbMethodNegotiate on + KrbMethodK5Passwd off + KrbServiceName HTTP + KrbAuthRealms $REALM + Krb5KeyTab /etc/httpd/conf/ipa.keytab + KrbSaveCredentials on + Require valid-user + ErrorDocument 401 /ipa/errors/unauthorized.html +</Location> + + # This is where we redirect on failed auth Alias /ipa/errors "/usr/share/ipa/html" @@ -102,7 +69,6 @@ Alias /ipa/config "/usr/share/ipa/html" # For CRL publishing Alias /ipa/crl "/var/lib/pki-ca/publish" - <Directory "/var/lib/pki-ca/publish"> SetHandler None AllowOverride None @@ -111,6 +77,18 @@ Alias /ipa/crl "/var/lib/pki-ca/publish" Allow from all </Directory> + +# WebUI assets +Alias /ipa-assets/ "/var/cache/ipa/assets/" +<Directory "/var/cache/ipa/assets"> + Allow from all + AllowOverride None + Options FollowSymLinks + ExpiresActive On + ExpiresDefault A31536000 +</Directory> + + # Protect our CGIs <Directory /var/www/cgi-bin> AuthType Kerberos @@ -125,20 +103,19 @@ Alias /ipa/crl "/var/lib/pki-ca/publish" ErrorDocument 401 /ipa/errors/unauthorized.html </Directory> + # migration related pages Alias /ipa/migration "/usr/share/ipa/migration" - <Directory "/usr/share/ipa/migration"> AllowOverride None Satisfy Any Allow from all - AddHandler mod_python .py PythonHandler mod_python.publisher </Directory> -#Alias /ipatest "/usr/share/ipa/ipatest" +#Alias /ipatest "/usr/share/ipa/ipatest" #<Directory "/usr/share/ipa/ipatest"> # AuthType Kerberos # AuthName "Kerberos Login" |