From 0fe71f6517ec5edc99c4fbdb4d9128acba5a900a Mon Sep 17 00:00:00 2001
From: Emilien Devos <121870973+edevosc2c@users.noreply.github.com>
Date: Thu, 13 Jun 2024 14:45:04 +0200
Subject: [PATCH] force ServerName
---
.../templates/apache-config-httpd.yaml | 459 +++++++++---------
1 file changed, 230 insertions(+), 229 deletions(-)
diff --git a/apache-mod-mellon/templates/apache-config-httpd.yaml b/apache-mod-mellon/templates/apache-config-httpd.yaml
index 8525ab4..68603e0 100644
--- a/apache-mod-mellon/templates/apache-config-httpd.yaml
+++ b/apache-mod-mellon/templates/apache-config-httpd.yaml
@@ -7,257 +7,258 @@ metadata:
name: {{ include "apache-mod-mellon.fullname" . }}-httpd
data:
httpd.conf: |
- ServerRoot "/usr/local/apache2"
- Listen 80
+ ServerRoot "/usr/local/apache2"
+ Listen 80
- #
- # Dynamic Shared Object (DSO) Support
- #
- # To be able to use the functionality of a module which was built as a DSO you
- # have to place corresponding `LoadModule' lines at this location so the
- # directives contained in it are actually available _before_ they are used.
- # Statically compiled modules (those listed by `httpd -l') do not need
- # to be loaded here.
- #
- # Example:
- # LoadModule foo_module modules/mod_foo.so
- LoadModule mpm_event_module modules/mod_mpm_event.so
- LoadModule authn_file_module modules/mod_authn_file.so
- LoadModule authn_core_module modules/mod_authn_core.so
- LoadModule authz_host_module modules/mod_authz_host.so
- LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
- LoadModule authz_user_module modules/mod_authz_user.so
- LoadModule authz_core_module modules/mod_authz_core.so
- LoadModule access_compat_module modules/mod_access_compat.so
- LoadModule auth_mellon_module modules/mod_auth_mellon.so
- LoadModule reqtimeout_module modules/mod_reqtimeout.so
- LoadModule filter_module modules/mod_filter.so
- LoadModule log_config_module modules/mod_log_config.so
- LoadModule env_module modules/mod_env.so
- LoadModule headers_module modules/mod_headers.so
- LoadModule setenvif_module modules/mod_setenvif.so
- LoadModule version_module modules/mod_version.so
- LoadModule unixd_module modules/mod_unixd.so
- LoadModule status_module modules/mod_status.so
- LoadModule autoindex_module modules/mod_autoindex.so
- LoadModule dir_module modules/mod_dir.so
- LoadModule rewrite_module modules/mod_rewrite.so
-
- #
- # If you wish httpd to run as a different user or group, you must run
- # httpd as root initially and it will switch.
- #
- # User/Group: The name (or #number) of the user/group to run httpd as.
- # It is usually good practice to create a dedicated user and group for
- # running httpd, as with most system services.
- #
- User www-data
- Group www-data
+ #
+ # Dynamic Shared Object (DSO) Support
+ #
+ # To be able to use the functionality of a module which was built as a DSO you
+ # have to place corresponding `LoadModule' lines at this location so the
+ # directives contained in it are actually available _before_ they are used.
+ # Statically compiled modules (those listed by `httpd -l') do not need
+ # to be loaded here.
+ #
+ # Example:
+ # LoadModule foo_module modules/mod_foo.so
+ LoadModule mpm_event_module modules/mod_mpm_event.so
+ LoadModule authn_file_module modules/mod_authn_file.so
+ LoadModule authn_core_module modules/mod_authn_core.so
+ LoadModule authz_host_module modules/mod_authz_host.so
+ LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+ LoadModule authz_user_module modules/mod_authz_user.so
+ LoadModule authz_core_module modules/mod_authz_core.so
+ LoadModule access_compat_module modules/mod_access_compat.so
+ LoadModule auth_mellon_module modules/mod_auth_mellon.so
+ LoadModule reqtimeout_module modules/mod_reqtimeout.so
+ LoadModule filter_module modules/mod_filter.so
+ LoadModule log_config_module modules/mod_log_config.so
+ LoadModule env_module modules/mod_env.so
+ LoadModule headers_module modules/mod_headers.so
+ LoadModule setenvif_module modules/mod_setenvif.so
+ LoadModule version_module modules/mod_version.so
+ LoadModule unixd_module modules/mod_unixd.so
+ LoadModule status_module modules/mod_status.so
+ LoadModule autoindex_module modules/mod_autoindex.so
+ LoadModule dir_module modules/mod_dir.so
+ LoadModule rewrite_module modules/mod_rewrite.so
+
+ #
+ # If you wish httpd to run as a different user or group, you must run
+ # httpd as root initially and it will switch.
+ #
+ # User/Group: The name (or #number) of the user/group to run httpd as.
+ # It is usually good practice to create a dedicated user and group for
+ # running httpd, as with most system services.
+ #
+ User www-data
+ Group www-data
-
+
- # 'Main' server configuration
- #
- # The directives in this section set up the values used by the 'main'
- # server, which responds to any requests that aren't handled by a
- # definition. These values also provide defaults for
- # any containers you may define later in the file.
- #
- # All of these directives may appear inside containers,
- # in which case these default settings will be overridden for the
- # virtual host being defined.
- #
+ # 'Main' server configuration
+ #
+ # The directives in this section set up the values used by the 'main'
+ # server, which responds to any requests that aren't handled by a
+ # definition. These values also provide defaults for
+ # any containers you may define later in the file.
+ #
+ # All of these directives may appear inside containers,
+ # in which case these default settings will be overridden for the
+ # virtual host being defined.
+ #
- #
- # ServerAdmin: Your address, where problems with the server should be
- # e-mailed. This address appears on some server-generated pages, such
- # as error documents. e.g. admin@your-domain.com
- #
- ServerAdmin you@example.com
+ #
+ # ServerAdmin: Your address, where problems with the server should be
+ # e-mailed. This address appears on some server-generated pages, such
+ # as error documents. e.g. admin@your-domain.com
+ #
+ ServerAdmin you@example.com
- #
- # ServerName gives the name and port that the server uses to identify itself.
- # This can often be determined automatically, but we recommend you specify
- # it explicitly to prevent problems during startup.
- #
- # If your host doesn't have a registered DNS name, enter its IP address here.
- #
- #ServerName www.example.com:80
+ #
+ # ServerName gives the name and port that the server uses to identify itself.
+ # This can often be determined automatically, but we recommend you specify
+ # it explicitly to prevent problems during startup.
+ #
+ # If your host doesn't have a registered DNS name, enter its IP address here.
+ #
+ ServerName {{ .Values.hostname }}
+ UseCanonicalName On
- #
- # Deny access to the entirety of your server's filesystem. You must
- # explicitly permit access to web content directories in other
- # blocks below.
- #
-
- AllowOverride none
- Require all denied
-
+ #
+ # Deny access to the entirety of your server's filesystem. You must
+ # explicitly permit access to web content directories in other
+ # blocks below.
+ #
+
+ AllowOverride none
+ Require all denied
+
- #
- # Note that from this point forward you must specifically allow
- # particular features to be enabled - so if something's not working as
- # you might expect, make sure that you have specifically enabled it
- # below.
- #
+ #
+ # Note that from this point forward you must specifically allow
+ # particular features to be enabled - so if something's not working as
+ # you might expect, make sure that you have specifically enabled it
+ # below.
+ #
- #
- # DocumentRoot: The directory out of which you will serve your
- # documents. By default, all requests are taken from this directory, but
- # symbolic links and aliases may be used to point to other locations.
- #
- DocumentRoot "/usr/local/apache2/htdocs"
-
- #
- # Possible values for the Options directive are "None", "All",
- # or any combination of:
- # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
- #
- # Note that "MultiViews" must be named *explicitly* --- "Options All"
- # doesn't give it to you.
- #
- # The Options directive is both complicated and important. Please see
- # http://httpd.apache.org/docs/2.4/mod/core.html#options
- # for more information.
- #
- Options Indexes FollowSymLinks
+ #
+ # DocumentRoot: The directory out of which you will serve your
+ # documents. By default, all requests are taken from this directory, but
+ # symbolic links and aliases may be used to point to other locations.
+ #
+ DocumentRoot "/usr/local/apache2/htdocs"
+
+ #
+ # Possible values for the Options directive are "None", "All",
+ # or any combination of:
+ # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+ #
+ # Note that "MultiViews" must be named *explicitly* --- "Options All"
+ # doesn't give it to you.
+ #
+ # The Options directive is both complicated and important. Please see
+ # http://httpd.apache.org/docs/2.4/mod/core.html#options
+ # for more information.
+ #
+ Options Indexes FollowSymLinks
- #
- # AllowOverride controls what directives may be placed in .htaccess files.
- # It can be "All", "None", or any combination of the keywords:
- # AllowOverride FileInfo AuthConfig Limit
- #
- AllowOverride None
+ #
+ # AllowOverride controls what directives may be placed in .htaccess files.
+ # It can be "All", "None", or any combination of the keywords:
+ # AllowOverride FileInfo AuthConfig Limit
+ #
+ AllowOverride None
- #
- # Controls who can get stuff from this server.
- #
- Require all granted
-
+ #
+ # Controls who can get stuff from this server.
+ #
+ Require all granted
+
- #
- # DirectoryIndex: sets the file that Apache will serve if a directory
- # is requested.
- #
-
- DirectoryIndex index.html
-
+ #
+ # DirectoryIndex: sets the file that Apache will serve if a directory
+ # is requested.
+ #
+
+ DirectoryIndex index.html
+
- #
- # The following lines prevent .htaccess and .htpasswd files from being
- # viewed by Web clients.
- #
-
- Require all denied
-
+ #
+ # The following lines prevent .htaccess and .htpasswd files from being
+ # viewed by Web clients.
+ #
+
+ Require all denied
+
- #
- # ErrorLog: The location of the error log file.
- # If you do not specify an ErrorLog directive within a
- # container, error messages relating to that virtual host will be
- # logged here. If you *do* define an error logfile for a
- # container, that host's errors will be logged there and not here.
- #
- ErrorLog /proc/self/fd/2
+ #
+ # ErrorLog: The location of the error log file.
+ # If you do not specify an ErrorLog directive within a
+ # container, error messages relating to that virtual host will be
+ # logged here. If you *do* define an error logfile for a
+ # container, that host's errors will be logged there and not here.
+ #
+ ErrorLog /proc/self/fd/2
- #
- # LogLevel: Control the number of messages logged to the error_log.
- # Possible values include: debug, info, notice, warn, error, crit,
- # alert, emerg.
- #
- LogLevel warn
+ #
+ # LogLevel: Control the number of messages logged to the error_log.
+ # Possible values include: debug, info, notice, warn, error, crit,
+ # alert, emerg.
+ #
+ LogLevel warn
-
- LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
- LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%h %l %u %t \"%r\" %>s %b" common
-
- # You need to enable mod_logio.c to use %I and %O
- LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
-
- CustomLog /proc/self/fd/1 common
-
+
+ # You need to enable mod_logio.c to use %I and %O
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+
+ CustomLog /proc/self/fd/1 common
+
-
- Options -Indexes
+
+ Options -Indexes
- MellonEnable "info"
- MellonSecureCookie On
- MellonUser eppn
- MellonMergeEnvVars On
- MellonSubjectConfirmationDataAddressCheck Off
- MellonSPPrivateKeyFile /etc/mod-mellon-config/mellon.key
- MellonSPCertFile /etc/mod-mellon-config/mellon.cert
- MellonSPentityId {{ .Values.mellon_config.entity_id }}
- MellonOrganizationName "{{ .Values.mellon_config.organization_url }}"
- MellonOrganizationURL "{{ .Values.mellon_config.organization_url }}"
- MellonIdPMetadataFile /etc/mod-mellon-config/metadata-idps.xml
- MellonDiscoveryURL "{{ .Values.mellon_config.discovery_url }}"
- MellonIdPCAFile /etc/mod-mellon-config/metadata-signing-cert.pem
- MellonIdPPublicKeyFile /etc/mod-mellon-config/metadata-signing-cert.pem
- MellonProbeDiscoveryTimeout 1
- MellonSetEnv "MAIL" "{{ .Values.mellon_config.set_env.mail }}"
- MellonSetEnv "EPPN" "{{ .Values.mellon_config.set_env.eppn }}"
- MellonSetEnv "CN" "{{ .Values.mellon_config.set_env.cn }}"
- MellonSetEnv "O" "{{ .Values.mellon_config.set_env.o }}"
- MellonSetEnv "SN" "{{ .Values.mellon_config.set_env.sn }}"
- MellonSetEnv "GIVEN_NAME" "{{ .Values.mellon_config.set_env.given_name }}"
+ MellonEnable "info"
+ MellonSecureCookie On
+ MellonUser eppn
+ MellonMergeEnvVars On
+ MellonSubjectConfirmationDataAddressCheck Off
+ MellonSPPrivateKeyFile /etc/mod-mellon-config/mellon.key
+ MellonSPCertFile /etc/mod-mellon-config/mellon.cert
+ MellonSPentityId {{ .Values.mellon_config.entity_id }}
+ MellonOrganizationName "{{ .Values.mellon_config.organization_url }}"
+ MellonOrganizationURL "{{ .Values.mellon_config.organization_url }}"
+ MellonIdPMetadataFile /etc/mod-mellon-config/metadata-idps.xml
+ MellonDiscoveryURL "{{ .Values.mellon_config.discovery_url }}"
+ MellonIdPCAFile /etc/mod-mellon-config/metadata-signing-cert.pem
+ MellonIdPPublicKeyFile /etc/mod-mellon-config/metadata-signing-cert.pem
+ MellonProbeDiscoveryTimeout 1
+ MellonSetEnv "MAIL" "{{ .Values.mellon_config.set_env.mail }}"
+ MellonSetEnv "EPPN" "{{ .Values.mellon_config.set_env.eppn }}"
+ MellonSetEnv "CN" "{{ .Values.mellon_config.set_env.cn }}"
+ MellonSetEnv "O" "{{ .Values.mellon_config.set_env.o }}"
+ MellonSetEnv "SN" "{{ .Values.mellon_config.set_env.sn }}"
+ MellonSetEnv "GIVEN_NAME" "{{ .Values.mellon_config.set_env.given_name }}"
- MellonEndpointPath /mellon
+ MellonEndpointPath /mellon
- # it is this proxy's responsability to make sure the value of these headers are legit
- # See a list of headers used by geOrchestra here:
- # https://github.com/georchestra/georchestra/blob/master/commons/src/main/java/org/georchestra/commons/security/SecurityHeaders.java#L41-L67
- RequestHeader unset sec-georchestra-preauthenticated
- RequestHeader unset sec-mellon-name-id
- RequestHeader unset sec-username
- RequestHeader unset sec-name
- RequestHeader unset sec-givenname
- RequestHeader unset sec-email
- RequestHeader unset sec-org
- RequestHeader unset sec-proxy
- RequestHeader unset sec-user
- RequestHeader unset sec-organization
- RequestHeader unset sec-userid
- RequestHeader unset sec-lastupdated
- RequestHeader unset sec-roles
- RequestHeader unset sec-firstname
- RequestHeader unset sec-lastname
- RequestHeader unset sec-tel
- RequestHeader unset sec-orgid
- RequestHeader unset sec-orgname
- RequestHeader unset sec-org-lastupdated
- RequestHeader unset imp-roles
- RequestHeader unset imp-username
+ # it is this proxy's responsability to make sure the value of these headers are legit
+ # See a list of headers used by geOrchestra here:
+ # https://github.com/georchestra/georchestra/blob/master/commons/src/main/java/org/georchestra/commons/security/SecurityHeaders.java#L41-L67
+ RequestHeader unset sec-georchestra-preauthenticated
+ RequestHeader unset sec-mellon-name-id
+ RequestHeader unset sec-username
+ RequestHeader unset sec-name
+ RequestHeader unset sec-givenname
+ RequestHeader unset sec-email
+ RequestHeader unset sec-org
+ RequestHeader unset sec-proxy
+ RequestHeader unset sec-user
+ RequestHeader unset sec-organization
+ RequestHeader unset sec-userid
+ RequestHeader unset sec-lastupdated
+ RequestHeader unset sec-roles
+ RequestHeader unset sec-firstname
+ RequestHeader unset sec-lastname
+ RequestHeader unset sec-tel
+ RequestHeader unset sec-orgid
+ RequestHeader unset sec-orgname
+ RequestHeader unset sec-org-lastupdated
+ RequestHeader unset imp-roles
+ RequestHeader unset imp-username
- {{ .Values.apache_auth_headers_type }} set sec-georchestra-preauthenticated true "expr=-n env('MELLON_NAME_ID')"
- {{ .Values.apache_auth_headers_type }} set sec-mellon-name-id "expr={base64}%{base64:%{env:MELLON_NAME_ID}}" "expr=-n env('MELLON_NAME_ID')"
- {{ .Values.apache_auth_headers_type }} set preauth-username "expr={base64}%{base64:%{env:MELLON_EPPN}}" "expr=-n env('MELLON_EPPN')"
- {{ .Values.apache_auth_headers_type }} set preauth-email "expr={base64}%{base64:%{env:MELLON_MAIL}}" "expr=-n env('MELLON_MAIL')"
- {{ .Values.apache_auth_headers_type }} set preauth-org "expr={base64}%{base64:%{env:MELLON_O}}" "expr=-n env('MELLON_O')"
- {{ .Values.apache_auth_headers_type }} set preauth-firstname "expr={base64}%{base64:%{env:MELLON_GIVEN_NAME}}" "expr=-n env('MELLON_GIVEN_NAME')"
- {{ .Values.apache_auth_headers_type }} set preauth-lastname "expr={base64}%{base64:%{env:MELLON_SN}}" "expr=-n env('MELLON_SN')"
+ {{ .Values.apache_auth_headers_type }} set sec-georchestra-preauthenticated true "expr=-n env('MELLON_NAME_ID')"
+ {{ .Values.apache_auth_headers_type }} set sec-mellon-name-id "expr={base64}%{base64:%{env:MELLON_NAME_ID}}" "expr=-n env('MELLON_NAME_ID')"
+ {{ .Values.apache_auth_headers_type }} set preauth-username "expr={base64}%{base64:%{env:MELLON_EPPN}}" "expr=-n env('MELLON_EPPN')"
+ {{ .Values.apache_auth_headers_type }} set preauth-email "expr={base64}%{base64:%{env:MELLON_MAIL}}" "expr=-n env('MELLON_MAIL')"
+ {{ .Values.apache_auth_headers_type }} set preauth-org "expr={base64}%{base64:%{env:MELLON_O}}" "expr=-n env('MELLON_O')"
+ {{ .Values.apache_auth_headers_type }} set preauth-firstname "expr={base64}%{base64:%{env:MELLON_GIVEN_NAME}}" "expr=-n env('MELLON_GIVEN_NAME')"
+ {{ .Values.apache_auth_headers_type }} set preauth-lastname "expr={base64}%{base64:%{env:MELLON_SN}}" "expr=-n env('MELLON_SN')"
- {{- if .Values.georchestra_proxypass_endpoint -}}
- ProxyPass "{{ .Values.georchestra_proxypass_endpoint }}"
- ProxyPassReverse "{{ .Values.georchestra_proxypass_endpoint }}"
- ProxyPreserveHost On
- {{- end }}
+ {{- if .Values.georchestra_proxypass_endpoint -}}
+ ProxyPass "{{ .Values.georchestra_proxypass_endpoint }}"
+ ProxyPassReverse "{{ .Values.georchestra_proxypass_endpoint }}"
+ ProxyPreserveHost On
+ {{- end }}
- RewriteEngine on
- RewriteCond %{QUERY_STRING} ^$
- RewriteCond %{REQUEST_METHOD} =GET
- RewriteCond %{REQUEST_URI} ^/login$
- RewriteRule /login /login/mellon [R,L]
- RewriteCond %{ENV:MELLON_NAME_ID} !^$
- RewriteRule /logout /mellon/logout?ReturnTo={{ .Values.hostname }}
+ RewriteEngine on
+ RewriteCond %{QUERY_STRING} ^$
+ RewriteCond %{REQUEST_METHOD} =GET
+ RewriteCond %{REQUEST_URI} ^/login$
+ RewriteRule /login /login/mellon [R,L]
+ RewriteCond %{ENV:MELLON_NAME_ID} !^$
+ RewriteRule /logout /mellon/logout?ReturnTo={{ .Values.hostname }}
-
+
-
- AuthType Mellon
- MellonEnable auth
- Require valid-user
- RewriteEngine on
- RewriteRule (.*) / [R]
-
\ No newline at end of file
+
+ AuthType Mellon
+ MellonEnable auth
+ Require valid-user
+ RewriteEngine on
+ RewriteRule (.*) / [R]
+
\ No newline at end of file
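Review bot: `ServerName {{ .Values.hostname }}` at the new line 157 has no guard against an unset value: an empty `hostname` renders as a bare `ServerName` directive and httpd will refuse to start, so consider `ServerName {{ required "hostname is required" .Values.hostname }}` so the failure surfaces at `helm install` with a clear message instead of in the pod log. With `UseCanonicalName On` now in force, every self-referential redirect (the `/login` → `/login/mellon` rewrite, directory slash redirects) is built from ServerName and the listening port, which is `Listen 80`; if this chart sits behind a TLS-terminating ingress, Apache's documented guidance is to give ServerName the external scheme and port, e.g. `https://host:443`, or clients are redirected to plain http. The same value also feeds `ReturnTo={{ .Values.hostname }}` on the logout rule, which expects a URL, so it is unclear from this hunk whether `hostname` already carries a scheme — worth stating in values.yaml which form is expected, since the two directives want it consistent. A one-line comment above the directive noting why it is forced (Host-header-independent self-referential URLs) would make the intent of the commit visible in the rendered ConfigMap.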