#
# VERSION 23 - DO NOT REMOVE THIS LINE
#
# This file may be overwritten on upgrades.
#

ProxyRequests Off


#We use xhtml, a file format that the browser validates
DirectoryIndex index.html


# Substantially increase the request field size to support MS-PAC
# requests, ticket #2767. This should easily support a 64KiB PAC.
LimitRequestFieldSize 100000

# ipa-rewrite.conf is loaded separately

# This is required so the auto-configuration works with Firefox 2+
AddType application/java-archive        jar
AddType application/x-xpinstall         xpi

# Proper header for .tff fonts
AddType application/x-font-ttf          ttf

# Enable compression
AddOutputFilterByType DEFLATE text/html text/plain text/xml \
 application/javascript application/json text/css \
 application/x-font-ttf

# Disable etag http header. Doesn't work well with mod_deflate
# https://issues.apache.org/bugzilla/show_bug.cgi?id=45023
# Usage of last-modified header and modified-since validator is sufficient.
Header unset ETag
FileETag None

# FIXME: WSGISocketPrefix is a server-scope directive.  The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
WSGISocketPrefix /run/httpd/wsgi


# Configure mod_wsgi handler for /ipa
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
 user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptReloading Off


# Turn off mod_msgi handler for errors, config, crl:
<Location "/ipa/errors">
  SetHandler None
</Location>
<Location "/ipa/config">
  SetHandler None
</Location>
<Location "/ipa/crl">
  SetHandler None
</Location>

# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
  AuthType GSSAPI
  AuthName "Kerberos Login"
  GssapiUseSessions On
  Session On
  SessionCookieName ipa_session path=/ipa;httponly;secure;
  SessionHeader IPASESSION
  SessionMaxAge 1800
  GssapiSessionKey file:/etc/httpd/alias/ipasession.key

  GssapiDelegCcacheDir /var/run/ipa/ccaches
  GssapiDelegCcachePerms mode:0660 gid:ipaapi
  GssapiUseS4U2Proxy on
  GssapiAllowedMech krb5
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
  WSGIProcessGroup ipa
  WSGIApplicationGroup ipa
  Header always append X-Frame-Options DENY
  Header always append Content-Security-Policy "frame-ancestors 'none'"

  # mod_session always sets two copies of the cookie, and this confuses our
  # legacy clients, the unset here works because it ends up unsetting only one
  # of the 2 header tables set by mod_session, leaving the other intact
  Header unset Set-Cookie
</Location>

# Target for login with internal connections
Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"

# Turn off Apache authentication for password/token based login pages
<Location "/ipa/session/login_password">
  Satisfy Any
  Order Deny,Allow
  Allow from all
</Location>

<Location "/ipa/session/change_password">
  Satisfy Any
  Order Deny,Allow
  Allow from all
</Location>

<Location "/ipa/session/sync_token">
  Satisfy Any
  Order Deny,Allow
  Allow from all
</Location>

# Custodia stuff is redirected to the custodia daemon
# after authentication
<Location "/ipa/keys/">
    ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/"
    RequestHeader set GSS_NAME %{GSS_NAME}s
    RequestHeader set REMOTE_USER %{REMOTE_USER}s
</Location>

# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"

# For the MIT Windows config files
Alias /ipa/config "/usr/share/ipa/html"

# Do no authentication on the directory that contains error messages
<Directory "/usr/share/ipa/html">
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
  ExpiresActive On
  ExpiresDefault "access plus 0 seconds"
</Directory>


# For CRL publishing
Alias /ipa/crl "$CRL_PUBLISH_PATH"
<Directory "$CRL_PUBLISH_PATH">
  SetHandler None
  AllowOverride None
  Options Indexes FollowSymLinks
  Satisfy Any
  Allow from all
</Directory>


#  List explicitly only the fonts we want to serve
Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/open-sans"
Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/fontawesome"
<Directory "/usr/share/fonts">
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
  ExpiresActive On
  ExpiresDefault "access plus 1 year"
</Directory>


#  webUI  is now completely static, and served out of that directory
Alias /ipa/ui "/usr/share/ipa/ui"
<Directory "/usr/share/ipa/ui">
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
  ExpiresActive On
  ExpiresDefault "access plus 1 year"
  <FilesMatch "(index.html|loader.js|login.html|reset_password.html)">
        ExpiresDefault "access plus 0 seconds"
  </FilesMatch>
</Directory>

#  Simple wsgi scripts required by ui
Alias /ipa/wsgi "/usr/share/ipa/wsgi"
<Directory "/usr/share/ipa/wsgi">
    AllowOverride None
    Satisfy Any
    Allow from all
    Options ExecCGI
    AddHandler wsgi-script .py
</Directory>

# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
    AllowOverride None
    Satisfy Any
    Allow from all
    Options ExecCGI
    AddHandler wsgi-script .py
</Directory>