# # VERSION 22 - DO NOT REMOVE THIS LINE # # This file may be overwritten on upgrades. # ProxyRequests Off #We use xhtml, a file format that the browser validates DirectoryIndex index.html # Substantially increase the request field size to support MS-PAC # requests, ticket #2767. This should easily support a 64KiB PAC. LimitRequestFieldSize 100000 # ipa-rewrite.conf is loaded separately # This is required so the auto-configuration works with Firefox 2+ AddType application/java-archive jar AddType application/x-xpinstall xpi # Proper header for .tff fonts AddType application/x-font-ttf ttf # Enable compression AddOutputFilterByType DEFLATE text/html text/plain text/xml \ application/javascript application/json text/css \ application/x-font-ttf # Disable etag http header. Doesn't work well with mod_deflate # https://issues.apache.org/bugzilla/show_bug.cgi?id=45023 # Usage of last-modified header and modified-since validator is sufficient. Header unset ETag FileETag None # FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package # should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf: WSGISocketPrefix /run/httpd/wsgi # Configure mod_wsgi handler for /ipa WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \ display-name=%{GROUP} socket-timeout=2147483647 WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py WSGIScriptReloading Off # Turn off mod_msgi handler for errors, config, crl: SetHandler None SetHandler None SetHandler None # Protect /ipa and everything below it in webspace with Apache Kerberos auth AuthType GSSAPI AuthName "Kerberos Login" GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches GssapiDelegCcacheUnique On GssapiUseS4U2Proxy on GssapiAllowedMech krb5 Require valid-user ErrorDocument 401 /ipa/errors/unauthorized.html WSGIProcessGroup ipa WSGIApplicationGroup ipa Header always append X-Frame-Options DENY Header always append Content-Security-Policy "frame-ancestors 'none'" # Turn off Apache authentication for sessions Satisfy Any Order Deny,Allow Allow from all Satisfy Any Order Deny,Allow Allow from all Satisfy Any Order Deny,Allow Allow from all Satisfy Any Order Deny,Allow Allow from all Satisfy Any Order Deny,Allow Allow from all # Custodia stuff is redirected to the custodia daemon # after authentication ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/" RequestHeader set GSS_NAME %{GSS_NAME}s RequestHeader set REMOTE_USER %{REMOTE_USER}s # This is where we redirect on failed auth Alias /ipa/errors "/usr/share/ipa/html" # For the MIT Windows config files Alias /ipa/config "/usr/share/ipa/html" # Do no authentication on the directory that contains error messages SetHandler None AllowOverride None Satisfy Any Allow from all ExpiresActive On ExpiresDefault "access plus 0 seconds" # For CRL publishing Alias /ipa/crl "$CRL_PUBLISH_PATH" SetHandler None AllowOverride None Options Indexes FollowSymLinks Satisfy Any Allow from all # List explicitly only the fonts we want to serve Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/open-sans" Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/fontawesome" SetHandler None AllowOverride None Satisfy Any Allow from all ExpiresActive On ExpiresDefault "access plus 1 year" # webUI is now completely static, and served out of that directory Alias /ipa/ui "/usr/share/ipa/ui" SetHandler None AllowOverride None Satisfy Any Allow from all ExpiresActive On ExpiresDefault "access plus 1 year" ExpiresDefault "access plus 0 seconds" # Simple wsgi scripts required by ui Alias /ipa/wsgi "/usr/share/ipa/wsgi" AllowOverride None Satisfy Any Allow from all Options ExecCGI AddHandler wsgi-script .py # migration related pages Alias /ipa/migration "/usr/share/ipa/migration" AllowOverride None Satisfy Any Allow from all Options ExecCGI AddHandler wsgi-script .py