# # VERSION 16 - DO NOT REMOVE THIS LINE # # This file may be overwritten on upgrades. # # LoadModule auth_kerb_module modules/mod_auth_kerb.so ProxyRequests Off #We use xhtml, a file format that the browser validates DirectoryIndex index.html # Substantially increase the request field size to support MS-PAC # requests, ticket #2767. This should easily support a 64KiB PAC. LimitRequestFieldSize 100000 # ipa-rewrite.conf is loaded separately # This is required so the auto-configuration works with Firefox 2+ AddType application/java-archive jar AddType application/x-xpinstall xpi # Proper header for .tff fonts AddType application/x-font-ttf ttf # Enable compression AddOutputFilterByType DEFLATE text/html text/plain text/xml \ application/javascript application/json text/css \ application/x-font-ttf # Disable etag http header. Doesn't work well with mod_deflate # https://issues.apache.org/bugzilla/show_bug.cgi?id=45023 # Usage of last-modified header and modified-since validator is sufficient. Header unset ETag FileETag None # FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package # should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf: WSGISocketPrefix /run/httpd/wsgi # Configure mod_wsgi handler for /ipa WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 WSGIProcessGroup ipa WSGIApplicationGroup ipa WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py WSGIScriptReloading Off # Turn off mod_msgi handler for errors, config, crl: SetHandler None SetHandler None SetHandler None KrbConstrainedDelegationLock ipa # Protect /ipa and everything below it in webspace with Apache Kerberos auth AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate on KrbMethodK5Passwd off KrbServiceName HTTP KrbAuthRealms $REALM Krb5KeyTab /etc/httpd/conf/ipa.keytab KrbSaveCredentials on KrbConstrainedDelegation on Require valid-user ErrorDocument 401 /ipa/errors/unauthorized.html # Turn off Apache authentication for sessions Satisfy Any Order Deny,Allow Allow from all Satisfy Any Order Deny,Allow Allow from all Satisfy Any Order Deny,Allow Allow from all Satisfy Any Order Deny,Allow Allow from all Satisfy Any Order Deny,Allow Allow from all # This is where we redirect on failed auth Alias /ipa/errors "/usr/share/ipa/html" # For the MIT Windows config files Alias /ipa/config "/usr/share/ipa/html" # Do no authentication on the directory that contains error messages SetHandler None AllowOverride None Satisfy Any Allow from all ExpiresActive On ExpiresDefault "access plus 0 seconds" # For CRL publishing Alias /ipa/crl "$CRL_PUBLISH_PATH" SetHandler None AllowOverride None Options Indexes FollowSymLinks Satisfy Any Allow from all # List explicitly only the fonts we want to serve Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/open-sans" Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/fontawesome" SetHandler None AllowOverride None Satisfy Any Allow from all ExpiresActive On ExpiresDefault "access plus 1 year" # webUI is now completely static, and served out of that directory Alias /ipa/ui "/usr/share/ipa/ui" SetHandler None AllowOverride None Satisfy Any Allow from all ExpiresActive On ExpiresDefault "access plus 1 year" ExpiresDefault "access plus 0 seconds" # Simple wsgi scripts required by ui Alias /ipa/wsgi "/usr/share/ipa/wsgi" AllowOverride None Satisfy Any Allow from all Options ExecCGI AddHandler wsgi-script .py # Protect our CGIs AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate on KrbMethodK5Passwd off KrbServiceName HTTP KrbAuthRealms $REALM Krb5KeyTab /etc/httpd/conf/ipa.keytab KrbSaveCredentials on Require valid-user ErrorDocument 401 /ipa/errors/unauthorized.html # migration related pages Alias /ipa/migration "/usr/share/ipa/migration" AllowOverride None Satisfy Any Allow from all Options ExecCGI AddHandler wsgi-script .py