
Requirements

...


Virtual host configuration file

The following section contains an example Apache configuration file for a virtual host and three PowerFolder Servers as cluster.

  • Server name: powerfolder.organization.net
  • Server admin email: support@organization support@organization.net
  • SSL certificate file: /etc/ssl/certs/powerfolder.organization.net.pem
  • SSL private key file: /etc/ssl/private/powerfolder.organization.net.key
  • Shibboleth entitlements (optional):
    • http://idm.org/entitlement/organization-PowerFolder
    • http://powerfolder.organization.net/entitlement/DFN-Cloud
  • PowerFolder Server web portal port: 8080
  • PowerFolder Server hostnames:
    • pf01.organization.net
    • pf02.organization.net
    • pf03.organization.net
  • PowerFolder Server nodeIDs:
    • nodeID01
    • nodeID02
    • nodeID03

...

<VirtualHost _default_:443>
        ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log vhost_combined
# ? 	ErrorLog "|/usr/local/sbin/syslogRedirect.pl"
# ? 	CustomLog "|/usr/local/sbin/syslogRedirect.pl" vhost_combined
        ServerName powerfolder.organization.net
        ServerAdmin support@organization.net

 #  ?     DocumentRoot "/var/www/sas"
        # Disable ETag: http://www.websiteoptimization.com/secrets/advanced/configure-etags.html
	    FileETag None
        Header unset ETag
# ?     Header unset Cache-Control
# ?     Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
# ?     Header set Pragma "no-cache"
# ?     Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
default"
 
        # Set strict transport security:  https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
        Header always set Strict-Transport-Security "max-age=31536000;"

        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/powerfolder.organization.net.pem
        SSLCertificateKeyFile /etc/ssl/private/powerfolder.organization.net.key

# ?     ErrorDocument   500 /error/500.html
# ?     ErrorDocument 
 503 /error/503.html 
 
		RewriteEngine On
 
# ? # Allow OPTIONS requests
# ? # RewriteLog /var/log/apache2/rewrite.log
		# http://serverfault.com/questions/231766/returning-200-ok-in-apache-on-http-options-requests
        RewriteCond %{REQUEST_METHOD} OPTIONS
        RewriteRule ^(.*)$ $1 [L,R=200]
        Header always set Access-Control-Allow-Origin "*"
        Header always set Access-Control-Allow-Methods "POST,GET,OPTIONS"
        Header always set
Access-Control-Allow-Headers "PAOS,Content-Type"
 
        <Location /login/shibboleth>
                AuthType shibboleth
				# http://shibboleth.net/pipermail/users/2012-February/002685.html
                ShibRequestSetting requireSession 1
                <RequireAll>
                       Require valid-user
                       Require shib-attr entitlement ~ http://idm.org/entitlement/organization-PowerFolder http://powerfolder.organization.net/entitlement/DFN-Cloud
                </RequireAll>
        </Location>

        <Location /Shibboleth.sso>
            satisfy Any
        </Location>

# ?     <Location /download>
# ?         Header add cache-control "private, max-age=0, no-cache"
# ?			Header set Access-Control-Allow-Origin "*"
        </Location>

        <Proxy balancer://pfcluster>
			BalancerMember http://pf01.organization.net:8080 route=nodeID01
			BalancerMember http://pf02.organization.net:8080 route=nodeID02
			BalancerMember http://pf03.organization.net:8080 route=nodeID03
			ProxySet stickysession=rpcid|JSESSIONID|jsessionid scolonpathdelim=On lbmethod=bybusyness
        </Proxy>

        ProxyPass               /rpc                    balancer://pfcluster/rpc nocanon
        ProxyPass               /rpc                    !
        ProxyPass               /eds                    !
# ?     ProxyPass               /oo                     !
# ?     ProxyPass               /test                   !
# ?     ProxyPass               /imprint                !
# ?     ProxyPass               /error                  !
        ProxyPass               /Shibboleth.sso         !
# ?     ProxyPass               /server-status          !
        ProxyPass               /                       balancer://pfcluster/    nocanon
 
        		# Shibboleth-Attribute mapping to HTTP Headers for delivery to PF Server
        		# Source: https://wiki.powerfolder.com/display/EDUDE/Shibboleth
        		RequestHeader set HTTP_ShibSAMLShib-Session-ID %{HTTP_ShibSAMLShib-Session-ID}e env=SAMLShib-Session-ID
		RequestHeader set SAMLShib-Session-ID ""    env=!SAMLShib-Session-ID
		RequestHeader set HTTP_persistentSAMLpersistent-id %{HTTP_persistentSAMLpersistent-id}e env=SAMLpersistent-id
		RequestHeader set SAMLpersistent-id ""    env=!SAMLpersistent-id
		RequestHeader set HTTP_uniqueIDSAMLuniqueID %{HTTP_uniqueIDSAMLuniqueID}e env=SAMLuniqueID
		RequestHeader set SAMLuniqueID ""    env=!SAMLuniqueID
		RequestHeader set HTTP_eduPersonPrincipalNameSAMLpairwise-id %{HTTP_eduPersonPrincipalNameSAMLpairwise-id}e env=SAMLpairwise-id
		RequestHeader set SAMLpairwise-id ""    env=!SAMLupairwise-id
		RequestHeader set HTTP_eppnSAMLeduPersonPrincipalName %{HTTP_eppnSAMLeduPersonPrincipalName}e env=SAMLeduPersonPrincipalName
		RequestHeader set SAMLeduPersonPrincipalName ""    env=!SAMLeduPersonPrincipalName
		RequestHeader set HTTP_EPPNSAMLeppn %{HTTP_EPPNSAMLeppn}e env=SAMLeppn
		RequestHeader set SAMLeppn ""    env=!SAMLeppn
		RequestHeader set HTTP_mailSAMLEPPN %{HTTP_mailSAMLEPPN}e env=SAMLEPPN
		RequestHeader set SAMLEPPN ""    env=!SAMLEPPN
		RequestHeader set HTTP_emailSAMLmail %{HTTP_emailSAMLmail}e env=SAMLmail
		RequestHeader set SAMLmail ""    env=!SAMLmail
		RequestHeader set HTTP_givenNameSAMLemail %{HTTP_givenNameSAMLemail}e env=SAMLemail
		RequestHeader set SAMLemail ""    env=!SAMLemail
		RequestHeader set HTTP_snSAMLgivenName %{HTTP_snSAMLgivenName}e env=SAMLgivenName
		RequestHeader set SAMLgivenName ""    env=!SAMLgivenName
		RequestHeader set HTTP_surnameSAMLsn %{HTTP_surnameSAMLsn}e env=SAMLsn
		RequestHeader set SAMLsn ""    env=!SAMLsn
		RequestHeader set HTTP_oSAMLsurname %{HTTP_oSAMLsurname}e env=SAMLsurname
		RequestHeader set SAMLsurname ""    env=!SAMLsurname
		RequestHeader set HTTP_affiliationSAMLaffiliation %{HTTP_affiliationSAMLaffiliation}e env=SAMLaffiliation
		RequestHeader set SAMLaffiliation ""    env=!SAMLaffiliation
		RequestHeader set HTTP_eduPersonScopedAffiliationSAMLeduPersonScopedAffiliation %{HTTP_eduPersonScopedAffiliationSAMLeduPersonScopedAffiliation}e env=SAMLeduPersonScopedAffiliation
		RequestHeader set SAMLeduPersonScopedAffiliation ""    env=!SAMLeduPersonScopedAffiliation
		RequestHeader set HTTP_entitlementSAMLentitlement %{HTTP_entitlementSAMLentitlement}e env=SAMLentitlement
		RequestHeader set SAMLentitlement ""    env=!SAMLentitlement
		RequestHeader set HTTP_eduPersonEntitlementSAMLeduPersonEntitlement %{HTTP_eduPersonEntitlementSAMLeduPersonEntitlement}e         env=SAMLeduPersonEntitlement
		RequestHeader set HTTP_location %{HTTP_location}e

# ?     <FilesMatch "\.(cgi|shtml|phtml|php)$">
# ?             SSLOptions +StdEnvVars
# ?     </FilesMatch>
# ?     <Directory /usr/lib/cgi-bin>
# ?             SSLOptions +StdEnvVars
# ?     </Directory>
# ?     BrowserMatch "MSIE [2-6]" \
# ?             nokeepalive ssl-unclean-shutdown \
# ?             downgrade-1.0 force-response-1.0
# ?     # MSIE 7 and newer should be able to use keepalive
# ?     BrowserMatch "MSIE [17-9]" ssl-unclean-shutdownSAMLeduPersonEntitlement "" env=!SAMLeduPersonEntitlement
		# Organization attribute. Must match entry 'shibboleth.organizations.attribute' in PowerFolder.config. Default: o
		RequestHeader set SAMLo %{SAMLo}e env=SAMLo
		RequestHeader set SAMLo "" env=!SAMLo
</VirtualHost>
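Review bot: The blanking rule for the pairwise-id attribute tests a different variable from the one it protects: `RequestHeader set SAMLpairwise-id ""    env=!SAMLupairwise-id` has a stray `u`, and nothing on this page sets `SAMLupairwise-id`, so as rendered the condition would hold on every request and the header would be emptied even after a successful Shibboleth login. If that is a typo on the new side, it should read `RequestHeader set SAMLpairwise-id "" env=!SAMLpairwise-id`, matching the other attribute pairs. Separately, the paired `""` rules are what stop a client from supplying its own `SAML*` headers, so the example deserves a comment saying that the PowerFolder nodes on port 8080 must accept connections only from this proxy; the `BalancerMember` lines use plain `http://`, and any host that can reach them directly is not subject to the blanking at all. The old/new markers are lost in this rendering, so I have read the `SAML*` names as the new side.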