Requirements
- PowerFolder Server v21.0.100 or higher
- SSL setup with Apache and PowerFolder
- For a cluster please also following this guideCluster only: Building a high-availability cluster.
- Apache module mod_rewriteApache module mod_shib
- Enabled ECP (Enhanced Client or Proxy):
...
Virtual host configuration file
The following section contains an example Apache configuration file for a virtual host and three PowerFolder Servers as cluster.
- Server name: powerfolder.organization.net
- Server admin email: support@organization support@organization.net
- SSL certificate file: /etc/ssl/certs/powerfolder.organization.net.pem
- SSL private key file: /etc/ssl/private/powerfolder.organization.net.key
- Shibboleth entitlements (optional):
- http://idm.org/entitlement/organization-PowerFolder
- http://powerfolder.organization.net/entitlement/DFN-Cloud
- PowerFolder Server web portal port: 8080
- PowerFolder Server hostnames:
- pf01.organization.net
- pf02.organization.net
- pf03.organization.net
- PowerFolder Server nodeIDs:
- nodeID01
- nodeID02
- nodeID03
...
Code Block |
---|
<VirtualHost _default_:443> ErrorLog ${APACHE_LOG_DIR}/ssl_error.log LogLevel warn CustomLog ${APACHE_LOG_DIR}/ssl_access.log vhost_combined # ? ErrorLog "|/usr/local/sbin/syslogRedirect.pl" # ? CustomLog "|/usr/local/sbin/syslogRedirect.pl" vhost_combined ServerName powerfolder.organization.net ServerAdmin support@organization.net # ? DocumentRoot "/var/www/sas" # Disable ETag: http://www.websiteoptimization.com/secrets/advanced/configure-etags.html FileETag None Header unset ETag # ? Header unset Cache-Control # ? Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate" # ? Header set Pragma "no-cache" # ? Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT" default" # Set strict transport security: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security Header always set Strict-Transport-Security "max-age=31536000;" SSLEngine on SSLCertificateFile /etc/ssl/certs/powerfolder.organization.net.pem SSLCertificateKeyFile /etc/ssl/private/powerfolder.organization.net.key # ? ErrorDocument 500 /error/500.html # ? ErrorDocument 503 /error/503.html RewriteEngine On # ? # Allow OPTIONS requests # ? # RewriteLog /var/log/apache2/rewrite.log # http://serverfault.com/questions/231766/returning-200-ok-in-apache-on-http-options-requests RewriteCond %{REQUEST_METHOD} OPTIONS RewriteRule ^(.*)$ $1 [L,R=200] Header always set Access-Control-Allow-Origin "*" Header always set Access-Control-Allow-Methods "POST,GET,OPTIONS" Header always set Access-Control-Allow-Headers "PAOS,Content-Type" <Location /login/shibboleth> AuthType shibboleth # http://shibboleth.net/pipermail/users/2012-February/002685.html ShibRequestSetting requireSession 1 <RequireAll> Require valid-user Require shib-attr entitlement ~ http://idm.org/entitlement/organization-PowerFolder http://powerfolder.organization.net/entitlement/DFN-Cloud </RequireAll> </Location> <Location /Shibboleth.sso> satisfy Any </Location> # ? <Location /download> # ? Header add cache-control "private, max-age=0, no-cache" # ? Header set Access-Control-Allow-Origin "*" </Location> <Proxy balancer://pfcluster> BalancerMember http://pf01.organization.net:8080 route=nodeID01 BalancerMember http://pf02.organization.net:8080 route=nodeID02 BalancerMember http://pf03.organization.net:8080 route=nodeID03 ProxySet stickysession=rpcid|JSESSIONID|jsessionid scolonpathdelim=On lbmethod=bybusyness </Proxy> ProxyPass /rpc balancer://pfcluster/rpc nocanon ProxyPass /rpc ! ProxyPass /eds ! # ? ProxyPass /oo ! # ? ProxyPass /test ! # ? ProxyPass /imprint ! # ? ProxyPass /error ! ProxyPass /Shibboleth.sso ! # ? ProxyPass /server-status ! ProxyPass / balancer://pfcluster/ nocanon # Shibboleth-Attribute mapping to HTTP Headers for delivery to PF Server # Source: https://wiki.powerfolder.com/display/EDUDE/Shibboleth RequestHeader set HTTP_ShibSAMLShib-Session-ID %{HTTP_ShibSAMLShib-Session-ID}e env=SAMLShib-Session-ID RequestHeader set SAMLShib-Session-ID "" env=!SAMLShib-Session-ID RequestHeader set HTTP_persistentSAMLpersistent-id %{HTTP_persistentSAMLpersistent-id}e env=SAMLpersistent-id RequestHeader set SAMLpersistent-id "" env=!SAMLpersistent-id RequestHeader set HTTP_uniqueIDSAMLuniqueID %{HTTP_uniqueIDSAMLuniqueID}e env=SAMLuniqueID RequestHeader set SAMLuniqueID "" env=!SAMLuniqueID RequestHeader set HTTP_eduPersonPrincipalNameSAMLpairwise-id %{HTTP_eduPersonPrincipalNameSAMLpairwise-id}e env=SAMLpairwise-id RequestHeader set SAMLpairwise-id "" env=!SAMLupairwise-id RequestHeader set HTTP_eppnSAMLeduPersonPrincipalName %{HTTP_eppnSAMLeduPersonPrincipalName}e env=SAMLeduPersonPrincipalName RequestHeader set SAMLeduPersonPrincipalName "" env=!SAMLeduPersonPrincipalName RequestHeader set HTTP_EPPNSAMLeppn %{HTTP_EPPNSAMLeppn}e env=SAMLeppn RequestHeader set SAMLeppn "" env=!SAMLeppn RequestHeader set HTTP_mailSAMLEPPN %{HTTP_mailSAMLEPPN}e env=SAMLEPPN RequestHeader set SAMLEPPN "" env=!SAMLEPPN RequestHeader set HTTP_emailSAMLmail %{HTTP_emailSAMLmail}e env=SAMLmail RequestHeader set SAMLmail "" env=!SAMLmail RequestHeader set HTTP_givenNameSAMLemail %{HTTP_givenNameSAMLemail}e env=SAMLemail RequestHeader set SAMLemail "" env=!SAMLemail RequestHeader set HTTP_snSAMLgivenName %{HTTP_snSAMLgivenName}e env=SAMLgivenName RequestHeader set SAMLgivenName "" env=!SAMLgivenName RequestHeader set HTTP_surnameSAMLsn %{HTTP_surnameSAMLsn}e env=SAMLsn RequestHeader set SAMLsn "" env=!SAMLsn RequestHeader set HTTP_oSAMLsurname %{HTTP_oSAMLsurname}e env=SAMLsurname RequestHeader set SAMLsurname "" env=!SAMLsurname RequestHeader set HTTP_affiliationSAMLaffiliation %{HTTP_affiliationSAMLaffiliation}e env=SAMLaffiliation RequestHeader set SAMLaffiliation "" env=!SAMLaffiliation RequestHeader set HTTP_eduPersonScopedAffiliationSAMLeduPersonScopedAffiliation %{HTTP_eduPersonScopedAffiliationSAMLeduPersonScopedAffiliation}e env=SAMLeduPersonScopedAffiliation RequestHeader set SAMLeduPersonScopedAffiliation "" env=!SAMLeduPersonScopedAffiliation RequestHeader set HTTP_entitlementSAMLentitlement %{HTTP_entitlementSAMLentitlement}e env=SAMLentitlement RequestHeader set SAMLentitlement "" env=!SAMLentitlement RequestHeader set HTTP_eduPersonEntitlementSAMLeduPersonEntitlement %{HTTP_eduPersonEntitlementSAMLeduPersonEntitlement}e env=SAMLeduPersonEntitlement RequestHeader set HTTP_location %{HTTP_location}e # ? <FilesMatch "\.(cgi|shtml|phtml|php)$"> # ? SSLOptions +StdEnvVars # ? </FilesMatch> # ? <Directory /usr/lib/cgi-bin> # ? SSLOptions +StdEnvVars # ? </Directory> # ? BrowserMatch "MSIE [2-6]" \ # ? nokeepalive ssl-unclean-shutdown \ # ? downgrade-1.0 force-response-1.0 # ? # MSIE 7 and newer should be able to use keepalive # ? BrowserMatch "MSIE [17-9]" ssl-unclean-shutdownSAMLeduPersonEntitlement "" env=!SAMLeduPersonEntitlement # Organization attribute. Must match entry 'shibboleth.organizations.attribute' in PowerFolder.config. Default: o RequestHeader set SAMLo %{SAMLo}e env=SAMLo RequestHeader set SAMLo "" env=!SAMLo </VirtualHost> |