X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/blobdiff_plain/5c16d2fe0fb1cd0c28a104ddb384c672dda73c44..b622ba2e1ede5ef997215b634d931d494201f537:/files/etc/apache2/sites-available/ssl.mako

diff --git a/files/etc/apache2/sites-available/ssl.mako b/files/etc/apache2/sites-available/ssl.mako
index d43eda1..6b7e414 100644
--- a/files/etc/apache2/sites-available/ssl.mako
+++ b/files/etc/apache2/sites-available/ssl.mako
@@ -4,24 +4,19 @@ hostname = cfg.web.hostname
 errmail  = cfg.web.errormail
 tracuri  = cfg.trac.uri
 %>
+Listen 442
 Listen 446
 
-<VirtualHost *:443>
-	ServerAdmin ${errmail}
-	ServerName ${hostname}:443
-	
-	DocumentRoot /var/www/sipb-xen-www
-	<Directory /var/www/sipb-xen-www>
+<%def name="invirt_webinterface()">
+	DocumentRoot /var/www/invirt-web
+	<Directory /var/www/invirt-web>
 		Options Indexes FollowSymLinks MultiViews ExecCGI
 		AllowOverride None
 		Order allow,deny
 		allow from all
 	</Directory>
 	<Location />
-		Require valid-user
-		AuthType SSLCert
-		AuthSSLCertVar SSL_CLIENT_S_DN_Email
-		AuthSSLCertStripSuffix "@MIT.EDU"
+${caller.body()}
 	</Location>
 
 	RewriteEngine On
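Review bot: The new `<%def name="invirt_webinterface()">` makes the caller's body the only thing guarding `<Location />`, yet nothing in the template records that contract; a Mako comment before the def, `## Caller body must supply the Require/Auth* directives for <Location />; an empty body leaves the whole tree unauthenticated`, would make the expectation explicit for the next person adding a VirtualHost. The added `Listen 442` likewise has no comment saying what the second listener is for, which is only discoverable from the port-442 VirtualHost added in a later hunk. The def opened here is closed outside this hunk.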
@@ -29,14 +24,8 @@ Listen 446
 	RewriteRule ^/static(.*) - [L]
 	RewriteRule ^/overlord/static(.*) /static/$1 [L]
 	RewriteRule ^/admin/static(.*) /static/$1 [L]
-	RewriteRule ^/trac.fcgi(.*) - [L]
-	RewriteRule ^/trac/chrome/common(.*) /usr/share/trac/htdocs$1 [L]
-	RewriteRule ^/trac(.*) /var/www/trac/trac.fcgi$1 [L]
-	RewriteRule ^/var(.*) - [L]
-	RewriteRule ^/wiki(.*) - [L]
-	RewriteRule ^/kill.cgi - [L]
-	RewriteRule ^/~ - [L]
-	RewriteRule ^/(.*) /var/www/sipb-xen-www/main.fcgi/$1 [L]
+	RewriteRule ^/trac(.*) ${tracuri}$1 [R,L]
+	RewriteRule ^/(.*) /var/www/invirt-web/auth.fcgi/$1 [L]
 
 	RewriteLog /var/log/apache2/rewrite.log
 	RewriteLogLevel 0 
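Review bot: The catch-all `RewriteRule ^/(.*) /var/www/invirt-web/auth.fcgi/$1 [L]` now also matches /wiki, because the `^/wiki(.*) - [L]` passthrough is removed here while `Redirect /wiki ${tracuri}` is kept further down in the same def; whether that redirect still fires depends on mod_alias seeing the request before mod_rewrite, which is worth verifying rather than assuming. If the intent is to send /wiki to Trac the same way /trac now is, an explicit rule in the same form, `RewriteRule ^/wiki(.*) ${tracuri}$1 [R,L]`, placed before the catch-all would remove the ambiguity. The rewrite block continues outside this hunk.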
@@ -53,24 +42,52 @@ Listen 446
 	SSLEngine on
 
 	SSLCertificateFile ssl/server.crt
+	SSLCertificateChainFile ssl/server.crt
 	SSLCertificateKeyFile ssl/server.key
 	
-	SSLCACertificateFile ssl/mitCAclient.pem
-	SSLVerifyClient require
+	SSLCACertificateFile /etc/ssl/certs/mitCAclient.pem
 	SSLVerifyDepth 10
 
 	SSLOptions +StdEnvVars
+        SSLProtocol all -SSLv2
+        SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
 	
 	SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 
 	Redirect /wiki ${tracuri}	
+</%def>
+<VirtualHost *:443>
+	ServerAdmin ${errmail}
+	ServerName ${hostname}:443
+	<%call expr="invirt_webinterface()">
+		Require valid-user
+		AuthType SSLCert
+		AuthSSLCertVar SSL_CLIENT_S_DN_Email
+		AuthSSLCertStripSuffix "@MIT.EDU"
+	</%call>
+	SSLVerifyClient require
+</VirtualHost>
+<VirtualHost *:442>
+	ServerAdmin ${errmail}
+	ServerName ${hostname}:442
+	<%call expr="invirt_webinterface()">
+		Require valid-user
+		AuthType Kerberos
+		KrbMethodNegotiate on
+		KrbMethodK5Passwd off
+		KrbAuthoritative off
+		KrbAuthRealms ${cfg.kerberos.realm}
+		Krb5Keytab /etc/invirt/keytab
+		KrbSaveCredentials off
+	</%call>
+	SSLVerifyClient optional
 </VirtualHost>
 
 <VirtualHost *:446>
 	ServerAdmin ${errmail}
 	ServerName ${hostname}:446
 	
-	DocumentRoot /var/www/sipb-xen-www
+	DocumentRoot /var/www/invirt-web
 	<Directory />
 		Options Indexes FollowSymLinks MultiViews ExecCGI
 		AllowOverride None
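Review bot: The added `SSLProtocol all -SSLv2` and `SSLCipherSuite RC4-SHA:AES128-SHA:ALL:...` lines leave SSLv3 enabled and put RC4 at the head of the preference list, so a client negotiating the first acceptable suite will get RC4; `SSLProtocol all -SSLv2 -SSLv3` and `SSLCipherSuite AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL:!RC4` would keep the same exclusions without preferring the weakest option. `SSLCertificateChainFile ssl/server.crt` points at the leaf certificate rather than an intermediate chain, so either the directive is redundant or the intermediates are not being served — confirm against the issuer of server.crt. In the port-442 host, `KrbAuthoritative off` lets another authentication provider answer when Kerberos fails; none is configured in that body, so a short comment stating that this is intentional (or switching it on) would help. The same two TLS lines are also added to the port-446 host in the last hunk, and in both places they are indented with spaces where the rest of the file uses tabs.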
@@ -90,11 +107,14 @@ Listen 446
 	SSLEngine on
 
 	SSLCertificateFile ssl/server.crt
+	SSLCertificateChainFile ssl/server.crt
 	SSLCertificateKeyFile ssl/server.key
 	
 	SSLVerifyClient none
 
 	SSLOptions +StdEnvVars
+        SSLProtocol all -SSLv2
+        SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
 	
 	SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0	
 </VirtualHost>