Do some config cleanup in invirt-web.
[invirt/packages/invirt-web.git] / files / etc / apache2 / sites-available / ssl.mako
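<%
# Site-wide settings read from the invirt configuration. They are interpolated
# into the Apache directives below; no filter is applied in this file, so the
# generated config is only as trustworthy as these values.
from invirt.config import structs as cfg
hostname = cfg.web.hostname
errmail  = cfg.web.errormail
tracuri  = cfg.trac.uri
%>
## Ports 442 and 446 are opened here. No Listen for 443 appears in this file,
## so it is presumably declared elsewhere (TODO confirm).
Listen 442
Listen 446

## Shared body for the two authenticated virtual hosts (443 and 442 below).
## The caller's body is emitted inside the Location block for "/", so the
## authentication directives it supplies cover every URL of that vhost.
<%def name="invirt_webinterface()">
        DocumentRoot /var/www/invirt-web
        # NOTE(review): Indexes allows directory listings and ExecCGI allows
        # script execution anywhere under the document root; confirm both are
        # needed beyond running auth.fcgi.
        <Directory /var/www/invirt-web>
                Options Indexes FollowSymLinks MultiViews ExecCGI
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        <Location />
${caller.body()}
        </Location>

        RewriteEngine On
        # Rule order matters: the pass-through, static and trac rules must stay
        # ahead of the final catch-all, which hands every other request to
        # auth.fcgi.
        RewriteRule ^/favicon.ico - [L]
        RewriteRule ^/static(.*) - [L]
        RewriteRule ^/overlord/static(.*) /static/$1 [L]
        RewriteRule ^/admin/static(.*) /static/$1 [L]
        # NOTE(review): the captured text is appended directly to tracuri and
        # the pattern does not require a "/" after "trac". Confirm tracuri
        # always ends in a path component, or anchor the pattern with a
        # leading "/" in the capture, so the redirect target cannot be
        # extended into a different host name.
        RewriteRule ^/trac(.*) ${tracuri}$1 [R,L]
        RewriteRule ^/(.*) /var/www/invirt-web/auth.fcgi/$1 [L]

        RewriteLog /var/log/apache2/rewrite.log
        RewriteLogLevel 0

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/ssl_access.log combined
        # Off keeps the server version footer out of server-generated pages.
        ServerSignature Off

        SSLEngine on
        # NOTE(review): no SSLProtocol or SSLCipherSuite is set here, so the
        # protocol versions and ciphers come from the server-wide mod_ssl
        # configuration; confirm those are restricted there.

        # Relative paths are resolved against ServerRoot. The private key
        # should be readable only by the account that starts Apache.
        SSLCertificateFile ssl/server.crt
        SSLCertificateKeyFile ssl/server.key

        # CA bundle used to verify client certificates; every identity accepted
        # by the certificate-authenticated vhost rests on this file.
        SSLCACertificateFile /etc/ssl/certs/mitCAclient.pem
        # NOTE(review): a depth of 10 accepts long intermediate chains; lower
        # it to the real chain length if that is known.
        SSLVerifyDepth 10

        # Exports the SSL_* variables, including the client certificate DN
        # fields, to the CGI environment.
        SSLOptions +StdEnvVars

        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

        Redirect /wiki ${tracuri}
</%def>
## Port 443: client-certificate login. The TLS handshake must present a
## certificate that verifies against the CA bundle set in invirt_webinterface.
<VirtualHost *:443>
        ServerAdmin ${errmail}
        ServerName ${hostname}:443
        <%call expr="invirt_webinterface()">
                Require valid-user
                AuthType SSLCert
                # NOTE(review): the user name appears to be derived from the
                # certificate's email field with the "@MIT.EDU" suffix removed;
                # confirm how the auth module treats addresses that do not end
                # in that suffix.
                AuthSSLCertVar SSL_CLIENT_S_DN_Email
                AuthSSLCertStripSuffix "@MIT.EDU"
        </%call>
        SSLVerifyClient require
</VirtualHost>
## Port 442: Kerberos login.
<VirtualHost *:442>
        ServerAdmin ${errmail}
        ServerName ${hostname}:442
        <%call expr="invirt_webinterface()">
                Require valid-user
                AuthType Kerberos
                # Negotiate is the only method offered; password-based Kerberos
                # login stays off so no passwords are sent to this server.
                KrbMethodNegotiate on
                KrbMethodK5Passwd off
                # NOTE(review): with KrbAuthoritative off, authentication can
                # be passed on to other modules; confirm no other provider is
                # configured that could satisfy "Require valid-user".
                KrbAuthoritative off
                KrbAuthRealms ${cfg.kerberos.realm}
                # The keytab holds the service key and should be readable only
                # by the Apache account.
                Krb5Keytab /etc/invirt/keytab
                KrbSaveCredentials off
        </%call>
        # A client certificate is requested but not required on this port.
        SSLVerifyClient optional
</VirtualHost>

## Port 446: TLS with no client certificate, no authentication directives and
## no rewrite rules; the document root is served directly.
<VirtualHost *:446>
        ServerAdmin ${errmail}
        ServerName ${hostname}:446

        DocumentRoot /var/www/invirt-web
        # Scoped to the document root, matching invirt_webinterface above.
        # A Directory section for "/" here would apply allow-from-all, Indexes
        # and ExecCGI to the whole filesystem for this unauthenticated vhost.
        # NOTE(review): with ExecCGI set and no Require directive, everything
        # under the document root is reachable without login on this port;
        # confirm that is intended for auth.fcgi and any non-static files.
        <Directory /var/www/invirt-web>
                Options Indexes FollowSymLinks MultiViews ExecCGI
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/ssl_nocert_access.log combined
        # Off keeps the server version footer out of server-generated pages.
        ServerSignature Off

        SSLEngine on

        # Relative paths are resolved against ServerRoot. The private key
        # should be readable only by the account that starts Apache.
        SSLCertificateFile ssl/server.crt
        SSLCertificateKeyFile ssl/server.key

        SSLVerifyClient none

        SSLOptions +StdEnvVars

        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>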