files/etc/apache2/sites-available/ssl.mako

   1 <%
   2 from invirt.config import structs as cfg
   3 hostname = cfg.web.hostname
   4 errmail  = cfg.web.errormail
   5 tracuri  = cfg.trac.uri
   6 %>
   7 Listen 442
   8 Listen 446
   9
  10 <%def name="invirt_webinterface()">
  11         DocumentRoot /var/www/invirt-web
  12         <Directory /var/www/invirt-web>
  13                 Options Indexes FollowSymLinks MultiViews ExecCGI
  14                 AllowOverride None
  15                 Order allow,deny
  16                 allow from all
  17         </Directory>
  18         <Location />
  19 ${caller.body()}
  20         </Location>
  21
  22         RewriteEngine On
  23         RewriteRule ^/favicon.ico - [L]
  24         RewriteRule ^/static(.*) - [L]
  25         RewriteRule ^/overlord/static(.*) /static/$1 [L]
  26         RewriteRule ^/admin/static(.*) /static/$1 [L]
  27         RewriteRule ^/trac(.*) ${tracuri}$1 [R,L]
  28         RewriteRule ^/kill.cgi - [L]
  29         RewriteRule ^/~ - [L]
  30         RewriteRule ^/(.*) /var/www/invirt-web/main.fcgi/$1 [L]
  31
  32         RewriteLog /var/log/apache2/rewrite.log
  33         RewriteLogLevel 0
  34
  35         ErrorLog /var/log/apache2/error.log
  36
  37         # Possible values include: debug, info, notice, warn, error, crit,
  38         # alert, emerg.
  39         LogLevel warn
  40
  41         CustomLog /var/log/apache2/ssl_access.log combined
  42         ServerSignature On
  43
  44         SSLEngine on
  45
  46         SSLCertificateFile ssl/server.crt
  47         SSLCertificateKeyFile ssl/server.key
  48
  49         SSLCACertificateFile ssl/mitCAclient.pem
  50         SSLVerifyDepth 10
  51
  52         SSLOptions +StdEnvVars
  53
  54         SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
  55
  56         Redirect /wiki ${tracuri}
  57 </%def>
  58 <VirtualHost *:443>
  59         ServerAdmin ${errmail}
  60         ServerName ${hostname}:443
  61         <%call expr="invirt_webinterface()">
  62                 Require valid-user
  63                 AuthType SSLCert
  64                 AuthSSLCertVar SSL_CLIENT_S_DN_Email
  65                 AuthSSLCertStripSuffix "@MIT.EDU"
  66         </%call>
  67         SSLVerifyClient require
  68 </VirtualHost>
  69 <VirtualHost *:442>
  70         ServerAdmin ${errmail}
  71         ServerName ${hostname}:442
  72         <%call expr="invirt_webinterface()">
  73                 Require valid-user
  74                 AuthType Kerberos
  75                 KrbMethodNegotiate on
  76                 KrbMethodK5Passwd off
  77                 KrbAuthoritative off
  78                 KrbAuthRealms ${cfg.kerberos.realm}
  79                 Krb5Keytab /etc/invirt/keytab
  80                 KrbSaveCredentials off
  81         </%call>
  82         SSLVerifyClient optional
  83 </VirtualHost>
  84
  85 <VirtualHost *:446>
  86         ServerAdmin ${errmail}
  87         ServerName ${hostname}:446
  88
  89         DocumentRoot /var/www/invirt-web
  90         <Directory />
  91                 Options Indexes FollowSymLinks MultiViews ExecCGI
  92                 AllowOverride None
  93                 Order allow,deny
  94                 allow from all
  95         </Directory>
  96
  97         ErrorLog /var/log/apache2/error.log
  98
  99         # Possible values include: debug, info, notice, warn, error, crit,
 100         # alert, emerg.
 101         LogLevel warn
 102
 103         CustomLog /var/log/apache2/ssl_nocert_access.log combined
 104         ServerSignature On
 105
 106         SSLEngine on
 107
 108         SSLCertificateFile ssl/server.crt
 109         SSLCertificateKeyFile ssl/server.key
 110
 111         SSLVerifyClient none
 112
 113         SSLOptions +StdEnvVars
 114
 115         SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 116 </VirtualHost>