diff --git a/apache-mod-mellon/templates/apache-config-httpd.yaml b/apache-mod-mellon/templates/apache-config-httpd.yaml index 8525ab4..68603e0 100644 --- a/apache-mod-mellon/templates/apache-config-httpd.yaml +++ b/apache-mod-mellon/templates/apache-config-httpd.yaml @@ -7,257 +7,258 @@ metadata: name: {{ include "apache-mod-mellon.fullname" . }}-httpd data: httpd.conf: | - ServerRoot "/usr/local/apache2" - Listen 80 + ServerRoot "/usr/local/apache2" + Listen 80 - # - # Dynamic Shared Object (DSO) Support - # - # To be able to use the functionality of a module which was built as a DSO you - # have to place corresponding `LoadModule' lines at this location so the - # directives contained in it are actually available _before_ they are used. - # Statically compiled modules (those listed by `httpd -l') do not need - # to be loaded here. - # - # Example: - # LoadModule foo_module modules/mod_foo.so - LoadModule mpm_event_module modules/mod_mpm_event.so - LoadModule authn_file_module modules/mod_authn_file.so - LoadModule authn_core_module modules/mod_authn_core.so - LoadModule authz_host_module modules/mod_authz_host.so - LoadModule authz_groupfile_module modules/mod_authz_groupfile.so - LoadModule authz_user_module modules/mod_authz_user.so - LoadModule authz_core_module modules/mod_authz_core.so - LoadModule access_compat_module modules/mod_access_compat.so - LoadModule auth_mellon_module modules/mod_auth_mellon.so - LoadModule reqtimeout_module modules/mod_reqtimeout.so - LoadModule filter_module modules/mod_filter.so - LoadModule log_config_module modules/mod_log_config.so - LoadModule env_module modules/mod_env.so - LoadModule headers_module modules/mod_headers.so - LoadModule setenvif_module modules/mod_setenvif.so - LoadModule version_module modules/mod_version.so - LoadModule unixd_module modules/mod_unixd.so - LoadModule status_module modules/mod_status.so - LoadModule autoindex_module modules/mod_autoindex.so - LoadModule dir_module modules/mod_dir.so - LoadModule rewrite_module modules/mod_rewrite.so - - # - # If you wish httpd to run as a different user or group, you must run - # httpd as root initially and it will switch. - # - # User/Group: The name (or #number) of the user/group to run httpd as. - # It is usually good practice to create a dedicated user and group for - # running httpd, as with most system services. - # - User www-data - Group www-data + # + # Dynamic Shared Object (DSO) Support + # + # To be able to use the functionality of a module which was built as a DSO you + # have to place corresponding `LoadModule' lines at this location so the + # directives contained in it are actually available _before_ they are used. + # Statically compiled modules (those listed by `httpd -l') do not need + # to be loaded here. + # + # Example: + # LoadModule foo_module modules/mod_foo.so + LoadModule mpm_event_module modules/mod_mpm_event.so + LoadModule authn_file_module modules/mod_authn_file.so + LoadModule authn_core_module modules/mod_authn_core.so + LoadModule authz_host_module modules/mod_authz_host.so + LoadModule authz_groupfile_module modules/mod_authz_groupfile.so + LoadModule authz_user_module modules/mod_authz_user.so + LoadModule authz_core_module modules/mod_authz_core.so + LoadModule access_compat_module modules/mod_access_compat.so + LoadModule auth_mellon_module modules/mod_auth_mellon.so + LoadModule reqtimeout_module modules/mod_reqtimeout.so + LoadModule filter_module modules/mod_filter.so + LoadModule log_config_module modules/mod_log_config.so + LoadModule env_module modules/mod_env.so + LoadModule headers_module modules/mod_headers.so + LoadModule setenvif_module modules/mod_setenvif.so + LoadModule version_module modules/mod_version.so + LoadModule unixd_module modules/mod_unixd.so + LoadModule status_module modules/mod_status.so + LoadModule autoindex_module modules/mod_autoindex.so + LoadModule dir_module modules/mod_dir.so + LoadModule rewrite_module modules/mod_rewrite.so + + # + # If you wish httpd to run as a different user or group, you must run + # httpd as root initially and it will switch. + # + # User/Group: The name (or #number) of the user/group to run httpd as. + # It is usually good practice to create a dedicated user and group for + # running httpd, as with most system services. + # + User www-data + Group www-data - + - # 'Main' server configuration - # - # The directives in this section set up the values used by the 'main' - # server, which responds to any requests that aren't handled by a - # definition. These values also provide defaults for - # any containers you may define later in the file. - # - # All of these directives may appear inside containers, - # in which case these default settings will be overridden for the - # virtual host being defined. - # + # 'Main' server configuration + # + # The directives in this section set up the values used by the 'main' + # server, which responds to any requests that aren't handled by a + # definition. These values also provide defaults for + # any containers you may define later in the file. + # + # All of these directives may appear inside containers, + # in which case these default settings will be overridden for the + # virtual host being defined. + # - # - # ServerAdmin: Your address, where problems with the server should be - # e-mailed. This address appears on some server-generated pages, such - # as error documents. e.g. admin@your-domain.com - # - ServerAdmin you@example.com + # + # ServerAdmin: Your address, where problems with the server should be + # e-mailed. This address appears on some server-generated pages, such + # as error documents. e.g. admin@your-domain.com + # + ServerAdmin you@example.com - # - # ServerName gives the name and port that the server uses to identify itself. - # This can often be determined automatically, but we recommend you specify - # it explicitly to prevent problems during startup. - # - # If your host doesn't have a registered DNS name, enter its IP address here. - # - #ServerName www.example.com:80 + # + # ServerName gives the name and port that the server uses to identify itself. + # This can often be determined automatically, but we recommend you specify + # it explicitly to prevent problems during startup. + # + # If your host doesn't have a registered DNS name, enter its IP address here. + # + ServerName {{ .Values.hostname }} + UseCanonicalName On - # - # Deny access to the entirety of your server's filesystem. You must - # explicitly permit access to web content directories in other - # blocks below. - # - - AllowOverride none - Require all denied - + # + # Deny access to the entirety of your server's filesystem. You must + # explicitly permit access to web content directories in other + # blocks below. + # + + AllowOverride none + Require all denied + - # - # Note that from this point forward you must specifically allow - # particular features to be enabled - so if something's not working as - # you might expect, make sure that you have specifically enabled it - # below. - # + # + # Note that from this point forward you must specifically allow + # particular features to be enabled - so if something's not working as + # you might expect, make sure that you have specifically enabled it + # below. + # - # - # DocumentRoot: The directory out of which you will serve your - # documents. By default, all requests are taken from this directory, but - # symbolic links and aliases may be used to point to other locations. - # - DocumentRoot "/usr/local/apache2/htdocs" - - # - # Possible values for the Options directive are "None", "All", - # or any combination of: - # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews - # - # Note that "MultiViews" must be named *explicitly* --- "Options All" - # doesn't give it to you. - # - # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs/2.4/mod/core.html#options - # for more information. - # - Options Indexes FollowSymLinks + # + # DocumentRoot: The directory out of which you will serve your + # documents. By default, all requests are taken from this directory, but + # symbolic links and aliases may be used to point to other locations. + # + DocumentRoot "/usr/local/apache2/htdocs" + + # + # Possible values for the Options directive are "None", "All", + # or any combination of: + # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews + # + # Note that "MultiViews" must be named *explicitly* --- "Options All" + # doesn't give it to you. + # + # The Options directive is both complicated and important. Please see + # http://httpd.apache.org/docs/2.4/mod/core.html#options + # for more information. + # + Options Indexes FollowSymLinks - # - # AllowOverride controls what directives may be placed in .htaccess files. - # It can be "All", "None", or any combination of the keywords: - # AllowOverride FileInfo AuthConfig Limit - # - AllowOverride None + # + # AllowOverride controls what directives may be placed in .htaccess files. + # It can be "All", "None", or any combination of the keywords: + # AllowOverride FileInfo AuthConfig Limit + # + AllowOverride None - # - # Controls who can get stuff from this server. - # - Require all granted - + # + # Controls who can get stuff from this server. + # + Require all granted + - # - # DirectoryIndex: sets the file that Apache will serve if a directory - # is requested. - # - - DirectoryIndex index.html - + # + # DirectoryIndex: sets the file that Apache will serve if a directory + # is requested. + # + + DirectoryIndex index.html + - # - # The following lines prevent .htaccess and .htpasswd files from being - # viewed by Web clients. - # - - Require all denied - + # + # The following lines prevent .htaccess and .htpasswd files from being + # viewed by Web clients. + # + + Require all denied + - # - # ErrorLog: The location of the error log file. - # If you do not specify an ErrorLog directive within a - # container, error messages relating to that virtual host will be - # logged here. If you *do* define an error logfile for a - # container, that host's errors will be logged there and not here. - # - ErrorLog /proc/self/fd/2 + # + # ErrorLog: The location of the error log file. + # If you do not specify an ErrorLog directive within a + # container, error messages relating to that virtual host will be + # logged here. If you *do* define an error logfile for a + # container, that host's errors will be logged there and not here. + # + ErrorLog /proc/self/fd/2 - # - # LogLevel: Control the number of messages logged to the error_log. - # Possible values include: debug, info, notice, warn, error, crit, - # alert, emerg. - # - LogLevel warn + # + # LogLevel: Control the number of messages logged to the error_log. + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + # + LogLevel warn - - LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined - LogFormat "%h %l %u %t \"%r\" %>s %b" common + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %b" common - - # You need to enable mod_logio.c to use %I and %O - LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio - - CustomLog /proc/self/fd/1 common - + + # You need to enable mod_logio.c to use %I and %O + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + CustomLog /proc/self/fd/1 common + - - Options -Indexes + + Options -Indexes - MellonEnable "info" - MellonSecureCookie On - MellonUser eppn - MellonMergeEnvVars On - MellonSubjectConfirmationDataAddressCheck Off - MellonSPPrivateKeyFile /etc/mod-mellon-config/mellon.key - MellonSPCertFile /etc/mod-mellon-config/mellon.cert - MellonSPentityId {{ .Values.mellon_config.entity_id }} - MellonOrganizationName "{{ .Values.mellon_config.organization_url }}" - MellonOrganizationURL "{{ .Values.mellon_config.organization_url }}" - MellonIdPMetadataFile /etc/mod-mellon-config/metadata-idps.xml - MellonDiscoveryURL "{{ .Values.mellon_config.discovery_url }}" - MellonIdPCAFile /etc/mod-mellon-config/metadata-signing-cert.pem - MellonIdPPublicKeyFile /etc/mod-mellon-config/metadata-signing-cert.pem - MellonProbeDiscoveryTimeout 1 - MellonSetEnv "MAIL" "{{ .Values.mellon_config.set_env.mail }}" - MellonSetEnv "EPPN" "{{ .Values.mellon_config.set_env.eppn }}" - MellonSetEnv "CN" "{{ .Values.mellon_config.set_env.cn }}" - MellonSetEnv "O" "{{ .Values.mellon_config.set_env.o }}" - MellonSetEnv "SN" "{{ .Values.mellon_config.set_env.sn }}" - MellonSetEnv "GIVEN_NAME" "{{ .Values.mellon_config.set_env.given_name }}" + MellonEnable "info" + MellonSecureCookie On + MellonUser eppn + MellonMergeEnvVars On + MellonSubjectConfirmationDataAddressCheck Off + MellonSPPrivateKeyFile /etc/mod-mellon-config/mellon.key + MellonSPCertFile /etc/mod-mellon-config/mellon.cert + MellonSPentityId {{ .Values.mellon_config.entity_id }} + MellonOrganizationName "{{ .Values.mellon_config.organization_url }}" + MellonOrganizationURL "{{ .Values.mellon_config.organization_url }}" + MellonIdPMetadataFile /etc/mod-mellon-config/metadata-idps.xml + MellonDiscoveryURL "{{ .Values.mellon_config.discovery_url }}" + MellonIdPCAFile /etc/mod-mellon-config/metadata-signing-cert.pem + MellonIdPPublicKeyFile /etc/mod-mellon-config/metadata-signing-cert.pem + MellonProbeDiscoveryTimeout 1 + MellonSetEnv "MAIL" "{{ .Values.mellon_config.set_env.mail }}" + MellonSetEnv "EPPN" "{{ .Values.mellon_config.set_env.eppn }}" + MellonSetEnv "CN" "{{ .Values.mellon_config.set_env.cn }}" + MellonSetEnv "O" "{{ .Values.mellon_config.set_env.o }}" + MellonSetEnv "SN" "{{ .Values.mellon_config.set_env.sn }}" + MellonSetEnv "GIVEN_NAME" "{{ .Values.mellon_config.set_env.given_name }}" - MellonEndpointPath /mellon + MellonEndpointPath /mellon - # it is this proxy's responsability to make sure the value of these headers are legit - # See a list of headers used by geOrchestra here: - # https://github.com/georchestra/georchestra/blob/master/commons/src/main/java/org/georchestra/commons/security/SecurityHeaders.java#L41-L67 - RequestHeader unset sec-georchestra-preauthenticated - RequestHeader unset sec-mellon-name-id - RequestHeader unset sec-username - RequestHeader unset sec-name - RequestHeader unset sec-givenname - RequestHeader unset sec-email - RequestHeader unset sec-org - RequestHeader unset sec-proxy - RequestHeader unset sec-user - RequestHeader unset sec-organization - RequestHeader unset sec-userid - RequestHeader unset sec-lastupdated - RequestHeader unset sec-roles - RequestHeader unset sec-firstname - RequestHeader unset sec-lastname - RequestHeader unset sec-tel - RequestHeader unset sec-orgid - RequestHeader unset sec-orgname - RequestHeader unset sec-org-lastupdated - RequestHeader unset imp-roles - RequestHeader unset imp-username + # it is this proxy's responsability to make sure the value of these headers are legit + # See a list of headers used by geOrchestra here: + # https://github.com/georchestra/georchestra/blob/master/commons/src/main/java/org/georchestra/commons/security/SecurityHeaders.java#L41-L67 + RequestHeader unset sec-georchestra-preauthenticated + RequestHeader unset sec-mellon-name-id + RequestHeader unset sec-username + RequestHeader unset sec-name + RequestHeader unset sec-givenname + RequestHeader unset sec-email + RequestHeader unset sec-org + RequestHeader unset sec-proxy + RequestHeader unset sec-user + RequestHeader unset sec-organization + RequestHeader unset sec-userid + RequestHeader unset sec-lastupdated + RequestHeader unset sec-roles + RequestHeader unset sec-firstname + RequestHeader unset sec-lastname + RequestHeader unset sec-tel + RequestHeader unset sec-orgid + RequestHeader unset sec-orgname + RequestHeader unset sec-org-lastupdated + RequestHeader unset imp-roles + RequestHeader unset imp-username - {{ .Values.apache_auth_headers_type }} set sec-georchestra-preauthenticated true "expr=-n env('MELLON_NAME_ID')" - {{ .Values.apache_auth_headers_type }} set sec-mellon-name-id "expr={base64}%{base64:%{env:MELLON_NAME_ID}}" "expr=-n env('MELLON_NAME_ID')" - {{ .Values.apache_auth_headers_type }} set preauth-username "expr={base64}%{base64:%{env:MELLON_EPPN}}" "expr=-n env('MELLON_EPPN')" - {{ .Values.apache_auth_headers_type }} set preauth-email "expr={base64}%{base64:%{env:MELLON_MAIL}}" "expr=-n env('MELLON_MAIL')" - {{ .Values.apache_auth_headers_type }} set preauth-org "expr={base64}%{base64:%{env:MELLON_O}}" "expr=-n env('MELLON_O')" - {{ .Values.apache_auth_headers_type }} set preauth-firstname "expr={base64}%{base64:%{env:MELLON_GIVEN_NAME}}" "expr=-n env('MELLON_GIVEN_NAME')" - {{ .Values.apache_auth_headers_type }} set preauth-lastname "expr={base64}%{base64:%{env:MELLON_SN}}" "expr=-n env('MELLON_SN')" + {{ .Values.apache_auth_headers_type }} set sec-georchestra-preauthenticated true "expr=-n env('MELLON_NAME_ID')" + {{ .Values.apache_auth_headers_type }} set sec-mellon-name-id "expr={base64}%{base64:%{env:MELLON_NAME_ID}}" "expr=-n env('MELLON_NAME_ID')" + {{ .Values.apache_auth_headers_type }} set preauth-username "expr={base64}%{base64:%{env:MELLON_EPPN}}" "expr=-n env('MELLON_EPPN')" + {{ .Values.apache_auth_headers_type }} set preauth-email "expr={base64}%{base64:%{env:MELLON_MAIL}}" "expr=-n env('MELLON_MAIL')" + {{ .Values.apache_auth_headers_type }} set preauth-org "expr={base64}%{base64:%{env:MELLON_O}}" "expr=-n env('MELLON_O')" + {{ .Values.apache_auth_headers_type }} set preauth-firstname "expr={base64}%{base64:%{env:MELLON_GIVEN_NAME}}" "expr=-n env('MELLON_GIVEN_NAME')" + {{ .Values.apache_auth_headers_type }} set preauth-lastname "expr={base64}%{base64:%{env:MELLON_SN}}" "expr=-n env('MELLON_SN')" - {{- if .Values.georchestra_proxypass_endpoint -}} - ProxyPass "{{ .Values.georchestra_proxypass_endpoint }}" - ProxyPassReverse "{{ .Values.georchestra_proxypass_endpoint }}" - ProxyPreserveHost On - {{- end }} + {{- if .Values.georchestra_proxypass_endpoint -}} + ProxyPass "{{ .Values.georchestra_proxypass_endpoint }}" + ProxyPassReverse "{{ .Values.georchestra_proxypass_endpoint }}" + ProxyPreserveHost On + {{- end }} - RewriteEngine on - RewriteCond %{QUERY_STRING} ^$ - RewriteCond %{REQUEST_METHOD} =GET - RewriteCond %{REQUEST_URI} ^/login$ - RewriteRule /login /login/mellon [R,L] - RewriteCond %{ENV:MELLON_NAME_ID} !^$ - RewriteRule /logout /mellon/logout?ReturnTo={{ .Values.hostname }} + RewriteEngine on + RewriteCond %{QUERY_STRING} ^$ + RewriteCond %{REQUEST_METHOD} =GET + RewriteCond %{REQUEST_URI} ^/login$ + RewriteRule /login /login/mellon [R,L] + RewriteCond %{ENV:MELLON_NAME_ID} !^$ + RewriteRule /logout /mellon/logout?ReturnTo={{ .Values.hostname }} - + - - AuthType Mellon - MellonEnable auth - Require valid-user - RewriteEngine on - RewriteRule (.*) / [R] - \ No newline at end of file + + AuthType Mellon + MellonEnable auth + Require valid-user + RewriteEngine on + RewriteRule (.*) / [R] + \ No newline at end of file