X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/blobdiff_plain/5c16d2fe0fb1cd0c28a104ddb384c672dda73c44..df4006d32d7e0af2cc6d03123bb083eb1fab704f:/files/etc/apache2/sites-available/ssl.mako?ds=inline diff --git a/files/etc/apache2/sites-available/ssl.mako b/files/etc/apache2/sites-available/ssl.mako index d43eda1..6b7e414 100644 --- a/files/etc/apache2/sites-available/ssl.mako +++ b/files/etc/apache2/sites-available/ssl.mako @@ -4,24 +4,19 @@ hostname = cfg.web.hostname errmail = cfg.web.errormail tracuri = cfg.trac.uri %> +Listen 442 Listen 446 - - ServerAdmin ${errmail} - ServerName ${hostname}:443 - - DocumentRoot /var/www/sipb-xen-www - +<%def name="invirt_webinterface()"> + DocumentRoot /var/www/invirt-web + Options Indexes FollowSymLinks MultiViews ExecCGI AllowOverride None Order allow,deny allow from all - Require valid-user - AuthType SSLCert - AuthSSLCertVar SSL_CLIENT_S_DN_Email - AuthSSLCertStripSuffix "@MIT.EDU" +${caller.body()} RewriteEngine On @@ -29,14 +24,8 @@ Listen 446 RewriteRule ^/static(.*) - [L] RewriteRule ^/overlord/static(.*) /static/$1 [L] RewriteRule ^/admin/static(.*) /static/$1 [L] - RewriteRule ^/trac.fcgi(.*) - [L] - RewriteRule ^/trac/chrome/common(.*) /usr/share/trac/htdocs$1 [L] - RewriteRule ^/trac(.*) /var/www/trac/trac.fcgi$1 [L] - RewriteRule ^/var(.*) - [L] - RewriteRule ^/wiki(.*) - [L] - RewriteRule ^/kill.cgi - [L] - RewriteRule ^/~ - [L] - RewriteRule ^/(.*) /var/www/sipb-xen-www/main.fcgi/$1 [L] + RewriteRule ^/trac(.*) ${tracuri}$1 [R,L] + RewriteRule ^/(.*) /var/www/invirt-web/auth.fcgi/$1 [L] RewriteLog /var/log/apache2/rewrite.log RewriteLogLevel 0 @@ -53,24 +42,52 @@ Listen 446 SSLEngine on SSLCertificateFile ssl/server.crt + SSLCertificateChainFile ssl/server.crt SSLCertificateKeyFile ssl/server.key - SSLCACertificateFile ssl/mitCAclient.pem - SSLVerifyClient require + SSLCACertificateFile /etc/ssl/certs/mitCAclient.pem SSLVerifyDepth 10 SSLOptions +StdEnvVars + SSLProtocol all -SSLv2 + SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 Redirect /wiki ${tracuri} + + + ServerAdmin ${errmail} + ServerName ${hostname}:443 + <%call expr="invirt_webinterface()"> + Require valid-user + AuthType SSLCert + AuthSSLCertVar SSL_CLIENT_S_DN_Email + AuthSSLCertStripSuffix "@MIT.EDU" + + SSLVerifyClient require + + + ServerAdmin ${errmail} + ServerName ${hostname}:442 + <%call expr="invirt_webinterface()"> + Require valid-user + AuthType Kerberos + KrbMethodNegotiate on + KrbMethodK5Passwd off + KrbAuthoritative off + KrbAuthRealms ${cfg.kerberos.realm} + Krb5Keytab /etc/invirt/keytab + KrbSaveCredentials off + + SSLVerifyClient optional ServerAdmin ${errmail} ServerName ${hostname}:446 - DocumentRoot /var/www/sipb-xen-www + DocumentRoot /var/www/invirt-web Options Indexes FollowSymLinks MultiViews ExecCGI AllowOverride None @@ -90,11 +107,14 @@ Listen 446 SSLEngine on SSLCertificateFile ssl/server.crt + SSLCertificateChainFile ssl/server.crt SSLCertificateKeyFile ssl/server.key SSLVerifyClient none SSLOptions +StdEnvVars + SSLProtocol all -SSLv2 + SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0