get mitCAclient.pem from debathena-ssl-certificates

[invirt/packages/invirt-web.git] / files / etc / apache2 / sites-available / ssl.mako

diff --git a/files/etc/apache2/sites-available/ssl.mako b/files/etc/apache2/sites-available/ssl.mako
index d43eda1..3ce7e5f 100644 (file)
--- a/files/etc/apache2/sites-available/ssl.mako
+++ b/files/etc/apache2/sites-available/ssl.mako
@@ -4,24 +4,19 @@ hostname = cfg.web.hostname
 errmail  = cfg.web.errormail
 tracuri  = cfg.trac.uri
 %>
+Listen 442
 Listen 446
 
-<VirtualHost *:443>
-       ServerAdmin ${errmail}
-       ServerName ${hostname}:443
-       
-       DocumentRoot /var/www/sipb-xen-www
-       <Directory /var/www/sipb-xen-www>
+<%def name="invirt_webinterface()">
+       DocumentRoot /var/www/invirt-web
+       <Directory /var/www/invirt-web>
                Options Indexes FollowSymLinks MultiViews ExecCGI
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        <Location />
-               Require valid-user
-               AuthType SSLCert
-               AuthSSLCertVar SSL_CLIENT_S_DN_Email
-               AuthSSLCertStripSuffix "@MIT.EDU"
+${caller.body()}
        </Location>
 
        RewriteEngine On
@@ -29,14 +24,10 @@ Listen 446
        RewriteRule ^/static(.*) - [L]
        RewriteRule ^/overlord/static(.*) /static/$1 [L]
        RewriteRule ^/admin/static(.*) /static/$1 [L]
-       RewriteRule ^/trac.fcgi(.*) - [L]
-       RewriteRule ^/trac/chrome/common(.*) /usr/share/trac/htdocs$1 [L]
-       RewriteRule ^/trac(.*) /var/www/trac/trac.fcgi$1 [L]
-       RewriteRule ^/var(.*) - [L]
-       RewriteRule ^/wiki(.*) - [L]
+       RewriteRule ^/trac(.*) ${tracuri}$1 [R,L]
        RewriteRule ^/kill.cgi - [L]
        RewriteRule ^/~ - [L]
-       RewriteRule ^/(.*) /var/www/sipb-xen-www/main.fcgi/$1 [L]
+       RewriteRule ^/(.*) /var/www/invirt-web/main.fcgi/$1 [L]
 
        RewriteLog /var/log/apache2/rewrite.log
        RewriteLogLevel 0 
@@ -55,8 +46,7 @@ Listen 446
        SSLCertificateFile ssl/server.crt
        SSLCertificateKeyFile ssl/server.key
        
-       SSLCACertificateFile ssl/mitCAclient.pem
-       SSLVerifyClient require
+       SSLCACertificateFile /etc/ssl/certs/mitCAclient.pem
        SSLVerifyDepth 10
 
        SSLOptions +StdEnvVars
@@ -64,13 +54,39 @@ Listen 446
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 
        Redirect /wiki ${tracuri}       
+</%def>
+<VirtualHost *:443>
+       ServerAdmin ${errmail}
+       ServerName ${hostname}:443
+       <%call expr="invirt_webinterface()">
+               Require valid-user
+               AuthType SSLCert
+               AuthSSLCertVar SSL_CLIENT_S_DN_Email
+               AuthSSLCertStripSuffix "@MIT.EDU"
+       </%call>
+       SSLVerifyClient require
+</VirtualHost>
+<VirtualHost *:442>
+       ServerAdmin ${errmail}
+       ServerName ${hostname}:442
+       <%call expr="invirt_webinterface()">
+               Require valid-user
+               AuthType Kerberos
+               KrbMethodNegotiate on
+               KrbMethodK5Passwd off
+               KrbAuthoritative off
+               KrbAuthRealms ${cfg.kerberos.realm}
+               Krb5Keytab /etc/invirt/keytab
+               KrbSaveCredentials off
+       </%call>
+       SSLVerifyClient optional
 </VirtualHost>
 
 <VirtualHost *:446>
        ServerAdmin ${errmail}
        ServerName ${hostname}:446
        
-       DocumentRoot /var/www/sipb-xen-www
+       DocumentRoot /var/www/invirt-web
        <Directory />
                Options Indexes FollowSymLinks MultiViews ExecCGI
                AllowOverride None