source: package_branches/invirt-web/cherrypy-rebased/files/etc/apache2/sites-available/ssl.mako @ 2901

Last change on this file since 2901 was 2729, checked in by broder, 15 years ago

Use separate fcgi files for the authed and unauthed site.

This allows both of them to be mounted on / in their respective
CherryPy? apps, which in turn eliminates any discrepancy between
"internal URLs" and "external URLs".

File size: 2.6 KB
Line 
1<%
2from invirt.config import structs as cfg
3hostname = cfg.web.hostname
4errmail  = cfg.web.errormail
5tracuri  = cfg.trac.uri
6%>
7Listen 442
8Listen 446
9
10<%def name="invirt_webinterface()">
11        DocumentRoot /var/www/invirt-web
12        <Directory /var/www/invirt-web>
13                Options Indexes FollowSymLinks MultiViews ExecCGI
14                AllowOverride None
15                Order allow,deny
16                allow from all
17        </Directory>
18        <Location />
19${caller.body()}
20        </Location>
21
22        RewriteEngine On
23        RewriteRule ^/favicon.ico - [L]
24        RewriteRule ^/static(.*) - [L]
25        RewriteRule ^/overlord/static(.*) /static/$1 [L]
26        RewriteRule ^/admin/static(.*) /static/$1 [L]
27        RewriteRule ^/trac(.*) ${tracuri}$1 [R,L]
28        RewriteRule ^/kill.cgi - [L]
29        RewriteRule ^/(.*) /var/www/invirt-web/auth.fcgi/$1 [L]
30
31        RewriteLog /var/log/apache2/rewrite.log
32        RewriteLogLevel 0
33
34        ErrorLog /var/log/apache2/error.log
35
36        # Possible values include: debug, info, notice, warn, error, crit,
37        # alert, emerg.
38        LogLevel warn
39
40        CustomLog /var/log/apache2/ssl_access.log combined
41        ServerSignature On
42
43        SSLEngine on
44
45        SSLCertificateFile ssl/server.crt
46        SSLCertificateKeyFile ssl/server.key
47       
48        SSLCACertificateFile /etc/ssl/certs/mitCAclient.pem
49        SSLVerifyDepth 10
50
51        SSLOptions +StdEnvVars
52       
53        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
54
55        Redirect /wiki ${tracuri}       
56</%def>
57<VirtualHost *:443>
58        ServerAdmin ${errmail}
59        ServerName ${hostname}:443
60        <%call expr="invirt_webinterface()">
61                Require valid-user
62                AuthType SSLCert
63                AuthSSLCertVar SSL_CLIENT_S_DN_Email
64                AuthSSLCertStripSuffix "@MIT.EDU"
65        </%call>
66        SSLVerifyClient require
67</VirtualHost>
68<VirtualHost *:442>
69        ServerAdmin ${errmail}
70        ServerName ${hostname}:442
71        <%call expr="invirt_webinterface()">
72                Require valid-user
73                AuthType Kerberos
74                KrbMethodNegotiate on
75                KrbMethodK5Passwd off
76                KrbAuthoritative off
77                KrbAuthRealms ${cfg.kerberos.realm}
78                Krb5Keytab /etc/invirt/keytab
79                KrbSaveCredentials off
80        </%call>
81        SSLVerifyClient optional
82</VirtualHost>
83
84<VirtualHost *:446>
85        ServerAdmin ${errmail}
86        ServerName ${hostname}:446
87       
88        DocumentRoot /var/www/invirt-web
89        <Directory />
90                Options Indexes FollowSymLinks MultiViews ExecCGI
91                AllowOverride None
92                Order allow,deny
93                allow from all
94        </Directory>
95
96        ErrorLog /var/log/apache2/error.log
97
98        # Possible values include: debug, info, notice, warn, error, crit,
99        # alert, emerg.
100        LogLevel warn
101
102        CustomLog /var/log/apache2/ssl_nocert_access.log combined
103        ServerSignature On
104
105        SSLEngine on
106
107        SSLCertificateFile ssl/server.crt
108        SSLCertificateKeyFile ssl/server.key
109       
110        SSLVerifyClient none
111
112        SSLOptions +StdEnvVars
113       
114        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0       
115</VirtualHost>
Note: See TracBrowser for help on using the repository browser.