files/etc/apache2/sites-available/ssl.mako

   1 <%
   2 from invirt.config import structs as cfg
   3 hostname = cfg.web.hostname
   4 errmail  = cfg.web.errormail
   5 tracuri  = cfg.trac.uri
   6 %>
   7 Listen 442
   8 Listen 446
   9
  10 <%def name="invirt_webinterface()">
  11         DocumentRoot /var/www/invirt-web
  12         <Directory /var/www/invirt-web>
  13                 Options Indexes FollowSymLinks MultiViews ExecCGI
  14                 AllowOverride None
  15                 Order allow,deny
  16                 allow from all
  17         </Directory>
  18         <Location />
  19 ${caller.body()}
  20         </Location>
  21
  22         RewriteEngine On
  23         RewriteRule ^/favicon.ico - [L]
  24         RewriteRule ^/static(.*) - [L]
  25         RewriteRule ^/overlord/static(.*) /static/$1 [L]
  26         RewriteRule ^/admin/static(.*) /static/$1 [L]
  27         RewriteRule ^/trac(.*) ${tracuri}$1 [R,L]
  28         RewriteRule ^/(.*) /var/www/invirt-web/auth.fcgi/$1 [L]
  29
  30         RewriteLog /var/log/apache2/rewrite.log
  31         RewriteLogLevel 0
  32
  33         ErrorLog /var/log/apache2/error.log
  34
  35         # Possible values include: debug, info, notice, warn, error, crit,
  36         # alert, emerg.
  37         LogLevel warn
  38
  39         CustomLog /var/log/apache2/ssl_access.log combined
  40         ServerSignature On
  41
  42         SSLEngine on
  43
  44         SSLCertificateFile ssl/server.crt
  45         SSLCertificateChainFile ssl/server.crt
  46         SSLCertificateKeyFile ssl/server.key
  47
  48         SSLCACertificateFile /etc/ssl/certs/mitCAclient.pem
  49         SSLVerifyDepth 10
  50
  51         SSLOptions +StdEnvVars
  52
  53         SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
  54
  55         Redirect /wiki ${tracuri}
  56 </%def>
  57 <VirtualHost *:443>
  58         ServerAdmin ${errmail}
  59         ServerName ${hostname}:443
  60         <%call expr="invirt_webinterface()">
  61                 Require valid-user
  62                 AuthType SSLCert
  63                 AuthSSLCertVar SSL_CLIENT_S_DN_Email
  64                 AuthSSLCertStripSuffix "@MIT.EDU"
  65         </%call>
  66         SSLVerifyClient require
  67 </VirtualHost>
  68 <VirtualHost *:442>
  69         ServerAdmin ${errmail}
  70         ServerName ${hostname}:442
  71         <%call expr="invirt_webinterface()">
  72                 Require valid-user
  73                 AuthType Kerberos
  74                 KrbMethodNegotiate on
  75                 KrbMethodK5Passwd off
  76                 KrbAuthoritative off
  77                 KrbAuthRealms ${cfg.kerberos.realm}
  78                 Krb5Keytab /etc/invirt/keytab
  79                 KrbSaveCredentials off
  80         </%call>
  81         SSLVerifyClient optional
  82 </VirtualHost>
  83
  84 <VirtualHost *:446>
  85         ServerAdmin ${errmail}
  86         ServerName ${hostname}:446
  87
  88         DocumentRoot /var/www/invirt-web
  89         <Directory />
  90                 Options Indexes FollowSymLinks MultiViews ExecCGI
  91                 AllowOverride None
  92                 Order allow,deny
  93                 allow from all
  94         </Directory>
  95
  96         ErrorLog /var/log/apache2/error.log
  97
  98         # Possible values include: debug, info, notice, warn, error, crit,
  99         # alert, emerg.
 100         LogLevel warn
 101
 102         CustomLog /var/log/apache2/ssl_nocert_access.log combined
 103         ServerSignature On
 104
 105         SSLEngine on
 106
 107         SSLCertificateFile ssl/server.crt
 108         SSLCertificateChainFile ssl/server.crt
 109         SSLCertificateKeyFile ssl/server.key
 110
 111         SSLVerifyClient none
 112
 113         SSLOptions +StdEnvVars
 114
 115         SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 116 </VirtualHost>