Add SSLCertificateChainFile, pointing to the certificate file, to support intermediat...
[invirt/packages/invirt-web.git] / files / etc / apache2 / sites-available / ssl.mako
<%
# Site-specific values are read from the Invirt configuration and
# interpolated into the Apache directives when this template is rendered.
from invirt.config import structs as cfg
hostname = cfg.web.hostname
errmail  = cfg.web.errormail
tracuri  = cfg.trac.uri
%>
# Additional TLS listeners for the virtual hosts on ports 442 and 446 defined
# in this file. This template contains no Listen line for port 443.
Listen 442
Listen 446
9
<%def name="invirt_webinterface()">
        # Directives shared by the virtual hosts that call this def. Each
        # caller passes its own authentication directives as the body of the
        # call; they are rendered inside the Location block below and so
        # apply to every URL on that host.
        DocumentRoot /var/www/invirt-web
        <Directory /var/www/invirt-web>
                AllowOverride None
                # NOTE(review): Indexes and ExecCGI are enabled for the whole
                # document root; presumably ExecCGI is needed for auth.fcgi,
                # confirm that directory listings are wanted as well.
                Options Indexes FollowSymLinks MultiViews ExecCGI
                Order allow,deny
                allow from all
        </Directory>
        <Location />
${caller.body()}
        </Location>

        # --- TLS: server identity ---
        SSLEngine on
        SSLCertificateFile ssl/server.crt
        # The chain file is the same file as the server certificate, so the
        # intermediate certificates have to be appended to ssl/server.crt
        # (after the server certificate) for clients to receive them.
        SSLCertificateChainFile ssl/server.crt
        # The private key should be readable only by the account that starts
        # Apache.
        SSLCertificateKeyFile ssl/server.key

        # --- TLS: client certificates ---
        # Client certificates are validated against this CA bundle. Whether a
        # certificate is demanded is decided by the SSLVerifyClient line of
        # the calling virtual host.
        SSLCACertificateFile /etc/ssl/certs/mitCAclient.pem
        SSLVerifyDepth 10
        SSLOptions +StdEnvVars
        # NOTE(review): no SSLProtocol or SSLCipherSuite is set here, so the
        # accepted protocol versions and ciphers come from the server-wide
        # configuration; confirm that legacy protocols are disabled there.

        # Legacy workaround applied to any User-Agent containing "MSIE".
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

        # --- URL routing (rule order matters; [L] ends processing) ---
        RewriteEngine On
        # favicon and /static are left unrewritten and served as files.
        RewriteRule ^/favicon.ico - [L]
        RewriteRule ^/static(.*) - [L]
        # The static trees of /overlord and /admin are mapped onto /static.
        RewriteRule ^/overlord/static(.*) /static/$1 [L]
        RewriteRule ^/admin/static(.*) /static/$1 [L]
        # /trac is redirected externally to the configured Trac URI.
        RewriteRule ^/trac(.*) ${tracuri}$1 [R,L]
        # Every other request is handed to the FastCGI application.
        RewriteRule ^/(.*) /var/www/invirt-web/auth.fcgi/$1 [L]
        Redirect /wiki ${tracuri}

        # --- Logging ---
        # Level 0 turns rewrite logging off; raise it only while debugging.
        RewriteLog /var/log/apache2/rewrite.log
        RewriteLogLevel 0
        ErrorLog /var/log/apache2/error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog /var/log/apache2/ssl_access.log combined
        # NOTE(review): "On" appends a server signature line to
        # server-generated pages such as error documents; consider "Off" to
        # avoid advertising server details.
        ServerSignature On
</%def>
<VirtualHost *:443>
        # Client-certificate front end. The TLS handshake must present a
        # certificate (SSLVerifyClient require); the authenticated user name
        # is presumably taken from the e-mail address in the certificate
        # subject with the "@MIT.EDU" suffix removed (confirm against the
        # SSLCert auth module in use). The identity is only as trustworthy as
        # the CA bundle configured in the shared def.
        ServerName ${hostname}:443
        ServerAdmin ${errmail}
        SSLVerifyClient require
        <%call expr="invirt_webinterface()">
                AuthType SSLCert
                AuthSSLCertVar SSL_CLIENT_S_DN_Email
                AuthSSLCertStripSuffix "@MIT.EDU"
                Require valid-user
        </%call>
</VirtualHost>
<VirtualHost *:442>
        # Kerberos front end. A client certificate is requested but not
        # required (SSLVerifyClient optional); access is decided by the
        # Kerberos directives passed to the shared def.
        ServerName ${hostname}:442
        ServerAdmin ${errmail}
        SSLVerifyClient optional
        <%call expr="invirt_webinterface()">
                AuthType Kerberos
                KrbAuthRealms ${cfg.kerberos.realm}
                # The keytab holds the service key; it should be readable
                # only by the account Apache runs as.
                Krb5Keytab /etc/invirt/keytab
                # Negotiate only: the password fallback is switched off, so
                # users are never prompted to send a Kerberos password.
                KrbMethodNegotiate on
                KrbMethodK5Passwd off
                # NOTE(review): "off" lets other authentication modules
                # handle the request when Kerberos does not; confirm no other
                # provider can satisfy "Require valid-user" on this host.
                KrbAuthoritative off
                KrbSaveCredentials off
                Require valid-user
        </%call>
</VirtualHost>
83
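<VirtualHost *:446>
        # Front end without client certificates: TLS with SSLVerifyClient
        # none and no authentication or rewrite directives in this block, so
        # everything under the document root is served as-is on port 446.
        ServerAdmin ${errmail}
        ServerName ${hostname}:446

        DocumentRoot /var/www/invirt-web
        # The grant is scoped to the document root, matching the other
        # virtual hosts. A <Directory /> section here would extend Indexes
        # and ExecCGI to any filesystem path this host can be made to serve.
        # NOTE(review): confirm that Indexes and ExecCGI are needed on an
        # unauthenticated host at all.
        <Directory /var/www/invirt-web>
                Options Indexes FollowSymLinks MultiViews ExecCGI
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/ssl_nocert_access.log combined
        # NOTE(review): "On" appends a server signature line to
        # server-generated pages; consider "Off".
        ServerSignature On

        SSLEngine on

        SSLCertificateFile ssl/server.crt
        # Same chain setting as the other virtual hosts, so clients on this
        # port also receive the intermediate certificates appended to
        # ssl/server.crt; without it this host sends the server certificate
        # alone.
        SSLCertificateChainFile ssl/server.crt
        SSLCertificateKeyFile ssl/server.key

        SSLVerifyClient none

        SSLOptions +StdEnvVars

        # Legacy workaround applied to any User-Agent containing "MSIE".
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>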