File: ipa.conf.template

#
# VERSION 30 - DO NOT REMOVE THIS LINE
#
# This file may be overwritten on upgrades.
#

# Load lookup_identity module in case it has not been loaded yet.
# The module is used to look up the user that matches a client certificate;
# it backs the LookupUserByCertificate directive on the
# "/ipa/session/login_x509" location further down.
<IfModule !lookup_identity_module>
    LoadModule lookup_identity_module modules/mod_lookup_identity.so
</IfModule>

# Never act as a forward (open) proxy. The only proxying in this file is the
# reverse ProxyPass to the custodia socket below, which does not need it.
ProxyRequests Off

# We use xhtml, a file format that the browser validates
DirectoryIndex index.html


# Substantially increase the request field size to support MS-PAC
# requests, ticket #2767. This should easily support a 64KiB PAC.
# (The GSSAPI token presumably arrives in a single request header, so the
# default per-field limit would reject tickets carrying a large PAC.)
LimitRequestFieldSize 100000

# Increase connection keep alive time. Default value is 5 seconds, which is too
# short for interactive ipa commands. 30 seconds is a good compromise.
KeepAlive On
KeepAliveTimeout 30

# ipa-rewrite.conf is loaded separately

# Proper header for .ttf fonts
AddType application/x-font-ttf          ttf

# Enable compression
AddOutputFilterByType DEFLATE text/html text/plain text/xml \
 application/javascript application/json text/css \
 application/x-font-ttf

# FIXME: WSGISocketPrefix is a server-scope directive.  The mod_wsgi package
# should really be fixed by adding this to its /etc/httpd/conf.d/wsgi.conf:
WSGISocketPrefix $WSGI_PREFIX_DIR


# Configure mod_wsgi handler for /ipa
# The application runs in a dedicated daemon process group as the
# unprivileged ipaapi user/group, not as the httpd user. The ipaapi gid is
# the same one the delegated credential caches are made readable to
# (GssapiDelegCcachePerms below), presumably so the application can use
# them. threads=1: concurrency comes from multiple single-threaded
# processes; maximum-requests=500 recycles each process periodically.
WSGIDaemonProcess ipa processes=$WSGI_PROCESSES threads=1 maximum-requests=500 \
  user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647 \
  lang=C.UTF-8 locale=C.UTF-8
# Import the application into the ipa process group at startup, and do not
# reload it when the script file changes.
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptReloading Off


# Turn off mod_wsgi handler for errors, config, crl:
# these three URL prefixes live under the /ipa WSGIScriptAlias but are
# served as static files via the Alias/Directory sections further down,
# so the handler must be cleared here or they would be routed to wsgi.py.
<Location "/ipa/errors">
  SetHandler None
</Location>
<Location "/ipa/config">
  SetHandler None
</Location>
<Location "/ipa/crl">
  SetHandler None
</Location>

# Protect /ipa and everything below it in webspace with Apache Kerberos auth
# Sub-locations that must be reachable without a ticket (login pages, i18n
# messages, static assets) opt out individually further down.
<Location "/ipa">
  AuthType GSSAPI
  AuthName "Kerberos Login"
  # Cache the result of a successful GSSAPI exchange in a mod_session cookie
  # so later requests in the same session do not repeat the handshake.
  GssapiUseSessions On
  Session On
  # Cookie is scoped to /ipa, hidden from script (httponly) and only sent
  # over TLS (secure).
  SessionCookieName ipa_session path=/ipa;httponly;secure;
  SessionHeader IPASESSION
  # Uncomment the following to have shorter sessions, but beware this may break
  # old IPA client tools that incorrectly parse cookies.
  # (With it commented out no mod_session expiry is enforced for these
  # sessions; compare the 1800 second limit on /ipa/session/login_x509.)
  # SessionMaxAge 1800
  # Key used by mod_auth_gssapi to protect the session data; the key file
  # should stay readable by the web server only.
  GssapiSessionKey file:$GSSAPI_SESSION_KEY

  # Obtain delegated credentials for the authenticated user via S4U2Proxy
  # and store them in per-user ccaches under $IPA_CCACHES. mode:0660 with
  # gid:ipaapi makes them readable to the ipaapi group the WSGI daemon runs
  # as. Only the krb5 mechanism is accepted inside the SPNEGO negotiation.
  GssapiImpersonate On
  GssapiDelegCcacheDir $IPA_CCACHES
  GssapiDelegCcachePerms mode:0660 gid:ipaapi
  GssapiUseS4U2Proxy on
  GssapiAllowedMech krb5
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
  WSGIProcessGroup ipa
  WSGIApplicationGroup ipa
  # Clickjacking protection: the UI must not be embedded in any frame.
  # Note these use "append", so if another configuration layer already
  # emits the same header the values are merged into one header value.
  Header always append X-Frame-Options DENY
  Header always append Content-Security-Policy "frame-ancestors 'none'"

  # mod_session always sets two copies of the cookie, and this confuses our
  # legacy clients, the unset here works because it ends up unsetting only one
  # of the 2 header tables set by mod_session, leaving the other intact
  Header unset Set-Cookie

  # Disable etag http header. Doesn't work well with mod_deflate
  # https://issues.apache.org/bugzilla/show_bug.cgi?id=45023
  # Usage of last-modified header and modified-since validator is sufficient.
  Header unset ETag
  FileETag None
</Location>

# Target for login with internal connections
# The path is below /ipa, so the GSSAPI auth of <Location "/ipa"> still
# applies to it; a successful request yields the session cookie.
Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"

# Turn off Apache authentication for i18n messages
# (Require all granted alone is enough here; the login_password location
# below additionally keeps the pre-2.4 "Satisfy Any" form.)
<Location "/ipa/i18n_messages">
  Require all granted
</Location>

# Turn off Apache authentication for password/token based login pages
# The credentials are checked by the application itself, so no ticket or
# session is required to reach this endpoint.
<Location "/ipa/session/login_password">
  Satisfy Any
  Require all granted
</Location>

# Login with user certificate/smartcard configuration
# This configuration needs to be loaded after <Location "/ipa">
# Here the Kerberos auth inherited from /ipa is replaced by TLS client
# certificate auth: the TLS layer requires a client certificate, the
# certificate itself becomes the user name and mod_lookup_identity resolves
# it to an IPA user. The username request parameter presumably narrows the
# lookup to that user — confirm against mod_lookup_identity docs.
<Location "/ipa/session/login_x509">
  AuthType none
  GssapiDelegCcacheDir $IPA_CCACHES
  GssapiDelegCcachePerms mode:0660 gid:ipaapi
  SSLVerifyClient require
  SSLUserName SSL_CLIENT_CERT
  LookupUserByCertificate On
  LookupUserByCertificateParamName "username"
  WSGIProcessGroup ipa
  WSGIApplicationGroup ipa
  # NOTE(review): with AuthType none this is expected to obtain a delegated
  # ccache for the certificate-identified user (no GSSAPI exchange happens
  # on this path) — confirm against mod_auth_gssapi docs.
  GssapiImpersonate On

  # Same session cookie as <Location "/ipa">, but sessions created through
  # certificate login do get a 1800 second maximum age.
  GssapiUseSessions On
  Session On
  SessionCookieName ipa_session path=/ipa;httponly;secure;
  SessionHeader IPASESSION
  SessionMaxAge 1800
  GssapiSessionKey file:$GSSAPI_SESSION_KEY

  # Same duplicate-cookie workaround as in <Location "/ipa">.
  Header unset Set-Cookie
</Location>

# Password change and token sync endpoints: Apache-level authentication is
# turned off because a user whose password has expired cannot obtain a
# ticket; the application verifies the submitted credentials itself.
<Location "/ipa/session/change_password">
  Satisfy Any
  Require all granted
</Location>

<Location "/ipa/session/sync_token">
  Satisfy Any
  Require all granted
</Location>

# Custodia stuff is redirected to the custodia daemon
# after authentication
# "/ipa/keys/" is under <Location "/ipa">, so the GSSAPI auth there runs
# before anything is proxied. The daemon is reached over a local unix
# socket only. The identity headers use "set", which replaces any header of
# that name supplied by the client with the value Apache established during
# authentication, so the client cannot inject its own GSS_NAME/REMOTE_USER.
<Location "/ipa/keys/">
    ProxyPass "unix:${IPA_CUSTODIA_SOCKET}|http://localhost/keys/"
    RequestHeader set GSS_NAME %{GSS_NAME}s
    RequestHeader set REMOTE_USER %{REMOTE_USER}s
</Location>

# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"

# For the MIT Windows config files
Alias /ipa/config "/usr/share/ipa/html"

# Do no authentication on the directory that contains error messages
# (also reached through /ipa/config above). Satisfy Any / Allow from all are
# the pre-2.4 (mod_access_compat) way of overriding the Require valid-user
# inherited from <Location "/ipa">. The Expires setting marks these
# responses as already expired so they are not cached.
<Directory "/usr/share/ipa/html">
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
  ExpiresActive On
  ExpiresDefault "access plus 0 seconds"
</Directory>


# For CRL publishing
# CRLs are public data, so no authentication is applied. Indexes is
# enabled, presumably so clients can list the published CRL files;
# FollowSymLinks means any symlink placed in $CRL_PUBLISH_PATH is served
# too, so only the CA publishing process should be able to write there.
Alias /ipa/crl "$CRL_PUBLISH_PATH"
<Directory "$CRL_PUBLISH_PATH">
  SetHandler None
  AllowOverride None
  Options Indexes FollowSymLinks
  Satisfy Any
  Allow from all
</Directory>


#  List explicitly only the fonts we want to serve
# Only the two aliased subdirectories are mapped into URL space; the
# Directory section below grants unauthenticated access to files reached
# through those aliases and lets them be cached for a year.
Alias /ipa/ui/fonts/open-sans "${FONTS_DIR}/open-sans"
Alias /ipa/ui/fonts/fontawesome "${FONTS_DIR}/${FONT_AWESOME_DIR}"
<Directory "${FONTS_DIR}">
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
  ExpiresActive On
  ExpiresDefault "access plus 1 year"
</Directory>


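#  webUI  is now completely static, and served out of that directory
# Static assets are public and cached for a year; the few entry points that
# must never be served stale get an immediate expiry instead.
Alias /ipa/ui "/usr/share/ipa/ui"
<Directory "/usr/share/ipa/ui">
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
  ExpiresActive On
  ExpiresDefault "access plus 1 year"
  # FilesMatch takes a regular expression: the dots are escaped so the
  # pattern matches these file names literally instead of any character.
  <FilesMatch "(index\.html|loader\.js|login\.html|reset_password\.html)">
        ExpiresDefault "access plus 0 seconds"
  </FilesMatch>
</Directory>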

#  Simple wsgi scripts required by ui
# Any .py file in this directory is executed as a WSGI script. No Apache
# authentication is applied (Satisfy Any / Allow from all). The URL is under
# /ipa, so the WSGIProcessGroup/WSGIApplicationGroup set on
# <Location "/ipa"> presumably apply here as well — confirm.
Alias /ipa/wsgi "/usr/share/ipa/wsgi"
<Directory "/usr/share/ipa/wsgi">
    AllowOverride None
    Satisfy Any
    Allow from all
    Options ExecCGI
    AddHandler wsgi-script .py
</Directory>

# migration related pages
# Same setup as /ipa/wsgi above: .py files are executed as WSGI scripts and
# no Apache-level authentication is required to reach them.
Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
    AllowOverride None
    Satisfy Any
    Allow from all
    Options ExecCGI
    AddHandler wsgi-script .py
</Directory>