File: httpd-webserver.conf

gridsite 3.0.0~20240125git1200598-1.1
##############################################################################
## GridSite httpd-webserver.conf - Andrew McNab <Andrew.McNab@man.ac.uk>
##
## For GridSite documentation, see http://www.gridsite.org/
##
## Example configuration file for GridSite as a Web Server 
## (that is, primarily for interactive use with a browser.)
## Listening is on ports 80/777 (HTTP) and 443/488 (HTTPS).
##
## (777/488 is to allow firewalls to distinguish between Grid and
## Web HTTP(S) traffic. See http://www.gridsite.org/wiki/IP_Ports )
##
## This file should be renamed /etc/httpd/conf/httpd.conf and Apache
## restarted to use Apache2/GridSite as a webserver. 
##
## We assume you have installed GridSite from the RPMs into locations
## under /usr. This includes mod_gridsite.so in /usr/lib/httpd/modules 
## and the CGI binaries in /usr/sbin. We also assume that you have
## (a) the host's hostcert.pem and hostkey.pem in /etc/grid-security/
## and (b) the root certificates of the Certification Authorities you
## trust in /etc/grid-security/certificates
##
## (You can get RPMs for many European and North American Grid CAs
## from http://www.igtf.net/ ) 
##
## IF THESE ASSUMPTIONS ARE INCORRECT, YOU NEED TO EDIT THE CORRESPONDING
## DIRECTORY NAMES IN THIS FILE.
##
## If you want to use DN Lists in ACLs, they should be placed/downloaded
## in /etc/grid-security/dn-lists/ or /var/www/html/dn-lists/ 
## (Lists in /etc/grid-security/dn-lists/ override lists elsewhere.)
##
## To start serving files, make a directory /var/www/html owned by
## apache.apache, including the file .gacl containing:
##
## <?xml version="1.0"?>
## <gacl>
## <entry>
##   <any-user/>
##   <allow><read/><list/></allow>
## </entry>
## </gacl>
##
## To enable writing, add DN List, Person or VOMS entries to the GACL
## (see the GridSite GACL document for the syntax.) For example:
##
## <?xml version="1.0"?>
## <gacl>
## <entry>
##   <any-user/>
##   <allow><read/><list/></allow>
## </entry>
## <entry>
##   <person>
##   <dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab</dn>
##   </person>
##   <allow><write/></allow>
## </entry>
## </gacl>
##
## and add the following directive to the HTTPS <Directory> section:
##
## GridSiteMethods GET PUT DELETE MOVE
##
## If you wish to accept Globus GSI Proxies as well as full X.509 user
## certificates, set GridSiteGSIProxyLimit to the depth of proxy you
## wish to accept. 
##
## (As a _rough_ guide: 0=No Proxies; 1=Proxy on user's machine; 2=Proxy 
##  owned by running Globus job; 3=Proxy delegated by a Globus job.)
##
## With this done and Apache restarted, you can upload a file with:
##
## curl -v --cert ~/.globus/usercert.pem --key ~/.globus/userkey.pem    \
##  --capath /etc/grid-security/certificates --upload-file /tmp/tmp.txt \
##  https://INSERT.HOSTNAME.HERE/tmp.txt
##
## (or with  --cert /tmp/x509up_u`id -u` --key /tmp/x509up_u`id -u`  to use
##  a Globus GSI Proxy created with grid-proxy-init.)
##############################################################################

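ServerRoot "/etc/httpd"

## You MUST put your server's fully qualified domain name here.
## This is the DOMAIN part of the https://DOMAIN/... URLs you want.
ServerName FULL.SERVER.NAME

PidFile logs/httpd.pid

Timeout                 300
KeepAlive               On
MaxKeepAliveRequests    100
KeepAliveTimeout        15

# (Replace /lib/ with /lib64/ if on x86_64!)
LoadModule log_config_module    /usr/lib/httpd/modules/mod_log_config.so
LoadModule ssl_module           /usr/lib/httpd/modules/mod_ssl.so
LoadModule gridsite_module      /usr/lib/httpd/modules/mod_gridsite.so
LoadModule mime_module          /usr/lib/httpd/modules/mod_mime.so
LoadModule dir_module           /usr/lib/httpd/modules/mod_dir.so
LoadModule alias_module         /usr/lib/httpd/modules/mod_alias.so
LoadModule cgi_module           /usr/lib/httpd/modules/mod_cgi.so

TypesConfig /etc/mime.types

# User and group who will own files created by Apache
User  apache
Group apache

DocumentRoot "/var/www/html"

## Ignore .htaccess files everywhere. Note that this block only switches
## overrides off; it does not restrict access to / by itself. Access to
## /var/www/html is decided by GridSiteAuth (GACL) in the virtual hosts
## below.
<Directory />
    AllowOverride None
</Directory>

## Day-to-day log level. "debug" is very verbose; raise the level to
## debug only while troubleshooting and set it back afterwards.
LogLevel warn

## The access log records the client certificate subject DN
## (%{SSL_CLIENT_S_DN}x) next to each request, so the log files hold
## personal identities: keep the logs directory writable by root only and
## restrict who can read it. The request line, Referer and User-Agent are
## supplied by the client and must be treated as untrusted by anything
## that parses these logs.
LogFormat "%h \"%{SSL_CLIENT_S_DN}x\" %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

CustomLog       logs/httpd-gridsite-access combined
ErrorLog        logs/httpd-gridsite-errors

## Log the client IP address in %h rather than a reverse-DNS name. With
## lookups On, every request triggers a DNS query and the logged name is
## whatever the owner of the client's reverse zone chooses to publish.
## Resolve addresses offline if host names are needed in reports.
HostnameLookups Off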

######################################################################
# Plain unauthenticated HTTP on ports 80 and 777
######################################################################

Listen 80
Listen 777
<VirtualHost *:80 *:777>

    ## Everything served on these two ports travels in cleartext. Keep
    ## anything that needs confidentiality or a client certificate on the
    ## HTTPS virtual host; GridSiteMethods is only set there.

    ## Maps the admin URI onto the real CGI executable, which provides
    ## the Manage Directory links in footers and the browser-based
    ## editing of files and ACLs.
    ScriptAlias /real-gridsite-admin.cgi /usr/sbin/real-gridsite-admin.cgi

    <Directory "/var/www/html">
        ## Turn on GACL authorization for this server.
        GridSiteAuth on

        ## Export various bits of information into the CGI environment
        ## variables (gridsite-admin.cgi needs this to work).
        GridSiteEnvs on

        ## GridSite directory listings, which do not truncate file names.
        GridSiteIndexes on

        ## When on, GridSite looks for gridsitehead.txt and
        ## gridsitefoot.txt in the current directory or its parents and
        ## uses them to replace the <body> and </body> tags in .html
        ## files.
        GridSiteHtmlFormat on

        ## Together with the ScriptAlias above, these let authorized
        ## people manage files, ACLs and DN Lists through a web browser.
        ## Over plain HTTP that only means extended directory listings
        ## and History pages.
        GridSiteAdminURI /real-gridsite-admin.cgi
        GridSiteAdminFile gridsite-admin.cgi
    </Directory>

</VirtualHost>

######################################################################
# Secured and possibly authenticated HTTPS on ports 443 and 488
######################################################################
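Listen 443
Listen 488
SSLSessionCacheTimeout  300
SSLSessionCache         shm:/var/cache/mod_ssl/shm_cache

<VirtualHost *:443 *:488>

SSLEngine               on

## Refuse SSLv3, TLS 1.0 and TLS 1.1 instead of relying on whatever the
## local build enables by default. Relax this only if a client that you
## must support cannot negotiate a newer protocol version.
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

## Host credentials. hostkey.pem is the server's private key: it should
## be owned by root and readable by root only (httpd reads it at startup,
## before switching to the User/Group set above).
SSLCertificateFile      /etc/grid-security/hostcert.pem
SSLCertificateKeyFile   /etc/grid-security/hostkey.pem

## Every CA placed in this directory is trusted to issue client
## certificates for this server, so install only the CAs you intend to
## accept.
SSLCACertificatePath    /etc/grid-security/certificates

## Revocation checking is NOT enabled as shipped: a client certificate
## that its CA has revoked is still accepted until it expires. To enable
## it, point SSLCARevocationPath at your CRL directory. On Apache 2.4 the
## path alone is not enough; SSLCARevocationCheck must also be set. Once
## checking is on, a missing or expired CRL makes verification fail, so
## keep the CRLs refreshed.
#SSLCARevocationPath    YOUR CRL DIRECTORY WOULD GO HERE
#SSLCARevocationCheck   chain

## "optional" means a client certificate is requested but not required.
## Clients that present none are still served, and what they may do is
## decided by the GACL files (for example an <any-user/> entry).
SSLVerifyClient         optional
SSLVerifyDepth          10

## Export the TLS variables and the PEM-encoded certificates into the
## environment of CGI programs.
SSLOptions              +ExportCertData +StdEnvVars

## This is used to serve the Manage Directory links in footers,
## and to allow you to edit files and ACLs via your browser.
ScriptAlias /real-gridsite-admin.cgi /usr/sbin/real-gridsite-admin.cgi

<Directory "/var/www/html">
 ## This sets up GACL authorization for this server.
 GridSiteAuth           on

 ## This exports various bits of info into the CGI environment
 ## variables (and is needed for gridsite-admin.cgi to work.)
 GridSiteEnvs           on

 ## Nice GridSite directory listings (without truncating file names!)
 GridSiteIndexes        on

 ## If this is on, GridSite will look for gridsitehead.txt and
 ## gridsitefoot.txt in the current directory or its parents, and
 ## use them to replace the <body> and </body> tags in .html files.
 GridSiteHtmlFormat     on

 ## This is the path of directories (and all their subdirectories) for
 ## GACL to search when it encounters a dn-list credential. The DN List
 ## files are plain text, one DN per line, and must have the full url
 ## as the file name, but URL Encoded - eg with urlencode(1)
 GridSiteDNlists /etc/grid-security/dn-lists/:/var/www/html/dn-lists/

 ## This is used to form the URL at which DN Lists "owned" by this
 ## server are exported. https://FULL.SERVER.NAME/dn-lists/file
 ## ALL FILES WITH URLs ON THIS SERVER WILL BE EXPORTED IRRESPECTIVE
 ## OF WHERE THEY ARE FOUND ON THE DN-LISTS PATH!!
 ## That includes lists kept under /etc/grid-security/dn-lists/, so do
 ## not store a list there under this server's URL unless its members
 ## may be published.
 GridSiteDNlistsURI     /dn-lists/

 ## If this is greater than zero, we will accept GSI Proxies for clients
 ## (full client certificates - eg inside web browsers - are always ok)
 GridSiteGSIProxyLimit  0

 ## This directive allows authorized people to write/delete files
 ## from non-browser clients - eg with htcp(1). It applies to the whole
 ## /var/www/html tree; who may actually write is decided by the <write/>
 ## permission in each directory's .gacl, so review those files before
 ## exposing the server.
 GridSiteMethods        GET PUT DELETE MOVE

 ## These directives (and the ScriptAlias above) allow authorized
 ## people to manage files, ACLs and DN Lists through their web
 ## browsers via HTTPS. The value of GridSiteAdminFile appears to
 ## exist in every directory, but is internally redirected by
 ## mod_gridsite to the value of GridSiteAdminURI (the ScriptAlias
 ## then maps that onto the real-gridsite-admin.cgi executable.)
 GridSiteAdminURI       /real-gridsite-admin.cgi
 GridSiteAdminFile      gridsite-admin.cgi
</Directory>

</VirtualHost>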