X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/blobdiff_plain/5c16d2fe0fb1cd0c28a104ddb384c672dda73c44..b622ba2e1ede5ef997215b634d931d494201f537:/files/etc/apache2/sites-available/ssl.mako
diff --git a/files/etc/apache2/sites-available/ssl.mako b/files/etc/apache2/sites-available/ssl.mako
index d43eda1..6b7e414 100644
--- a/files/etc/apache2/sites-available/ssl.mako
+++ b/files/etc/apache2/sites-available/ssl.mako
@@ -4,24 +4,19 @@ hostname = cfg.web.hostname
errmail = cfg.web.errormail
tracuri = cfg.trac.uri
%>
+Listen 442
Listen 446
-<VirtualHost *:443>
- ServerAdmin ${errmail}
- ServerName ${hostname}:443
-
- DocumentRoot /var/www/sipb-xen-www
- <Directory /var/www/sipb-xen-www>
+<%def name="invirt_webinterface()">
+ DocumentRoot /var/www/invirt-web
+ <Directory /var/www/invirt-web>
Options Indexes FollowSymLinks MultiViews ExecCGI
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Location />
- Require valid-user
- AuthType SSLCert
- AuthSSLCertVar SSL_CLIENT_S_DN_Email
- AuthSSLCertStripSuffix "@MIT.EDU"
+${caller.body()}
</Location>
RewriteEngine On
@@ -29,14 +24,8 @@ Listen 446
RewriteRule ^/static(.*) - [L]
RewriteRule ^/overlord/static(.*) /static/$1 [L]
RewriteRule ^/admin/static(.*) /static/$1 [L]
- RewriteRule ^/trac.fcgi(.*) - [L]
- RewriteRule ^/trac/chrome/common(.*) /usr/share/trac/htdocs$1 [L]
- RewriteRule ^/trac(.*) /var/www/trac/trac.fcgi$1 [L]
- RewriteRule ^/var(.*) - [L]
- RewriteRule ^/wiki(.*) - [L]
- RewriteRule ^/kill.cgi - [L]
- RewriteRule ^/~ - [L]
- RewriteRule ^/(.*) /var/www/sipb-xen-www/main.fcgi/$1 [L]
+ RewriteRule ^/trac(.*) ${tracuri}$1 [R,L]
+ RewriteRule ^/(.*) /var/www/invirt-web/auth.fcgi/$1 [L]
RewriteLog /var/log/apache2/rewrite.log
RewriteLogLevel 0
@@ -53,24 +42,52 @@ Listen 446
SSLEngine on
SSLCertificateFile ssl/server.crt
+ SSLCertificateChainFile ssl/server.crt
SSLCertificateKeyFile ssl/server.key
- SSLCACertificateFile ssl/mitCAclient.pem
- SSLVerifyClient require
+ SSLCACertificateFile /etc/ssl/certs/mitCAclient.pem
SSLVerifyDepth 10
SSLOptions +StdEnvVars
+ SSLProtocol all -SSLv2
+ SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
Redirect /wiki ${tracuri}
+</%def>
+<VirtualHost *:443>
+ ServerAdmin ${errmail}
+ ServerName ${hostname}:443
+ <%call expr="invirt_webinterface()">
+ Require valid-user
+ AuthType SSLCert
+ AuthSSLCertVar SSL_CLIENT_S_DN_Email
+ AuthSSLCertStripSuffix "@MIT.EDU"
+ </%call>
+ SSLVerifyClient require
+</VirtualHost>
+<VirtualHost *:442>
+ ServerAdmin ${errmail}
+ ServerName ${hostname}:442
+ <%call expr="invirt_webinterface()">
+ Require valid-user
+ AuthType Kerberos
+ KrbMethodNegotiate on
+ KrbMethodK5Passwd off
+ KrbAuthoritative off
+ KrbAuthRealms ${cfg.kerberos.realm}
+ Krb5Keytab /etc/invirt/keytab
+ KrbSaveCredentials off
+ </%call>
+ SSLVerifyClient optional
</VirtualHost>
<VirtualHost *:446>
ServerAdmin ${errmail}
ServerName ${hostname}:446
- DocumentRoot /var/www/sipb-xen-www
+ DocumentRoot /var/www/invirt-web
<Directory />
Options Indexes FollowSymLinks MultiViews ExecCGI
AllowOverride None
@@ -90,11 +107,14 @@ Listen 446
SSLEngine on
SSLCertificateFile ssl/server.crt
+ SSLCertificateChainFile ssl/server.crt
SSLCertificateKeyFile ssl/server.key
SSLVerifyClient none
SSLOptions +StdEnvVars
+ SSLProtocol all -SSLv2
+ SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>