X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/blobdiff_plain/63d843c012135d0b3f415b9ba614aff30097aadc..847f56a9d4a79f7dd574bbbf38023a6a5f96999e:/files/etc/apache2/sites-available/ssl.mako diff --git a/files/etc/apache2/sites-available/ssl.mako b/files/etc/apache2/sites-available/ssl.mako index d47a0bf..6b7e414 100644 --- a/files/etc/apache2/sites-available/ssl.mako +++ b/files/etc/apache2/sites-available/ssl.mako @@ -4,25 +4,19 @@ hostname = cfg.web.hostname errmail = cfg.web.errormail tracuri = cfg.trac.uri %> -Listen 443 +Listen 442 Listen 446 - - ServerAdmin ${errmail} - ServerName ${hostname}:443 - - DocumentRoot /var/www/sipb-xen-www - +<%def name="invirt_webinterface()"> + DocumentRoot /var/www/invirt-web + Options Indexes FollowSymLinks MultiViews ExecCGI AllowOverride None Order allow,deny allow from all - Require valid-user - AuthType SSLCert - AuthSSLCertVar SSL_CLIENT_S_DN_Email - AuthSSLCertStripSuffix "@MIT.EDU" +${caller.body()} RewriteEngine On @@ -30,14 +24,8 @@ Listen 446 RewriteRule ^/static(.*) - [L] RewriteRule ^/overlord/static(.*) /static/$1 [L] RewriteRule ^/admin/static(.*) /static/$1 [L] - RewriteRule ^/trac.fcgi(.*) - [L] - RewriteRule ^/trac/chrome/common(.*) /usr/share/trac/htdocs$1 [L] - RewriteRule ^/trac(.*) /var/www/trac/trac.fcgi$1 [L] - RewriteRule ^/var(.*) - [L] - RewriteRule ^/wiki(.*) - [L] - RewriteRule ^/kill.cgi - [L] - RewriteRule ^/~ - [L] - RewriteRule ^/(.*) /var/www/sipb-xen-www/main.fcgi/$1 [L] + RewriteRule ^/trac(.*) ${tracuri}$1 [R,L] + RewriteRule ^/(.*) /var/www/invirt-web/auth.fcgi/$1 [L] RewriteLog /var/log/apache2/rewrite.log RewriteLogLevel 0 
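Review bot: The new `invirt_webinterface()` def in the first hunk no longer enforces any authentication itself: the `Require valid-user` / `AuthType SSLCert` lines are replaced by `${caller.body()}`, while `Order allow,deny` / `allow from all` stay in place. A caller that passes an empty or incomplete body would therefore serve the directory, which also has `Indexes` and `ExecCGI`, without authentication. I would state that contract at the top of the def, e.g. `## caller.body() MUST supply Require and AuthType; without it this directory is allow-from-all`. The container tags are not visible in this rendering, so the exact position of the body inside the directory block is inferred.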
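Review bot: The new redirect `RewriteRule ^/trac(.*) ${tracuri}$1 [R,L]` in the second hunk matches any path that merely begins with `/trac` and appends the captured remainder directly to `${tracuri}`. If `cfg.trac.uri` has no trailing path component (its value is not visible here), the remainder is concatenated onto the host part, so the request path can influence which host the redirect points to. Anchoring the pattern on a path boundary avoids this: `RewriteRule ^/trac(/.*)?$ ${tracuri}$1 [R,L]`.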
@@ -54,24 +42,52 @@ Listen 446 SSLEngine on SSLCertificateFile ssl/server.crt + SSLCertificateChainFile ssl/server.crt SSLCertificateKeyFile ssl/server.key - SSLCACertificateFile ssl/mitCAclient.pem - SSLVerifyClient require + SSLCACertificateFile /etc/ssl/certs/mitCAclient.pem SSLVerifyDepth 10 SSLOptions +StdEnvVars + SSLProtocol all -SSLv2 + SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 Redirect /wiki ${tracuri} + + + ServerAdmin ${errmail} + ServerName ${hostname}:443 + <%call expr="invirt_webinterface()"> + Require valid-user + AuthType SSLCert + AuthSSLCertVar SSL_CLIENT_S_DN_Email + AuthSSLCertStripSuffix "@MIT.EDU" + + SSLVerifyClient require + + + ServerAdmin ${errmail} + ServerName ${hostname}:442 + <%call expr="invirt_webinterface()"> + Require valid-user + AuthType Kerberos + KrbMethodNegotiate on + KrbMethodK5Passwd off + KrbAuthoritative off + KrbAuthRealms ${cfg.kerberos.realm} + Krb5Keytab /etc/invirt/keytab + KrbSaveCredentials off + + SSLVerifyClient optional ServerAdmin ${errmail} ServerName ${hostname}:446 - DocumentRoot /var/www/sipb-xen-www + DocumentRoot /var/www/invirt-web Options Indexes FollowSymLinks MultiViews ExecCGI AllowOverride None @@ -91,11 +107,14 @@ Listen 446 SSLEngine on SSLCertificateFile ssl/server.crt + SSLCertificateChainFile ssl/server.crt SSLCertificateKeyFile ssl/server.key SSLVerifyClient none SSLOptions +StdEnvVars + SSLProtocol all -SSLv2 + SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
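Review bot: The added `SSLProtocol all -SSLv2` leaves SSLv3 enabled, and the new `SSLCipherSuite` prefers `RC4-SHA` and then admits `ALL`; current guidance rejects both (RFC 7568 for SSLv3, RFC 7465 for RC4). The preference order is also not enforced, because `SSLHonorCipherOrder on` is not set and mod_ssl then follows the client's order. I would use `SSLProtocol all -SSLv2 -SSLv3`, add `SSLHonorCipherOrder on`, and replace the cipher string with one that excludes RC4 (`!RC4`) instead of leading with it. The same two lines are added for the port 446 host in the last hunk (`@@ -91,11 +107,14 @@`). Separately, in the 442 host `KrbAuthoritative off` allows a failed Kerberos check to be passed on to other authentication modules, so confirm that no other provider is active there.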