Requirements
- PowerFolder Server v10v21.30.254 100 or higher
- SSL setup with Apache and PowerFolder
- Cluster only: Building a high-availability cluster.
- Apache module mod_shib
- Enabled ECP (Enhanced Client or Proxy):
| Warning |
|---|
Apache mod_ajp or mod_jk should not be used anymore. |
Virtual host configuration file
The following section contains an example Apache configuration file for a virtual host and three PowerFolder Servers as cluster.
- Server name: powerfolder.organization.net
- Server admin email: support@organization.net
- SSL certificate file: /etc/ssl/certs/powerfolder.organization.net.pem
- SSL private key file: /etc/ssl/private/powerfolder.organization.net.key
- Shibboleth entitlements (optional):
- http://idm.org/entitlement/organization-PowerFolder
- http://powerfolder.organization.net/entitlement/DFN-Cloud
- PowerFolder Server web portal port: 8080
- PowerFolder Server hostnames:
- pf01.organization.net
- pf02.organization.net
- pf03.organization.net
- PowerFolder Server nodeIDs:
- nodeID01
- nodeID02
- nodeID03
| Info | ||
|---|---|---|
| ||
You are welcome to extend the documentation and/or leave comments |
| Code Block |
|---|
<VirtualHost _default_:443>
ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log vhost_combined
# ?
ErrorLog "|/usr/local/sbin/syslogRedirect.pl" # ? CustomLog "|/usr/local/sbin/syslogRedirect.pl" vhost_combined ServerName powerfolder.organization.net
ServerAdmin support@organization.net
# ? DocumentRoot "/var/www/sas"
# Disable ETag: http://www.websiteoptimization.com/secrets/advanced/configure-etags.html
FileETag None
Header unset ETag
# ? Header unset Cache-Control
# ? Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
# ? Header set Pragma "no-cache"
# ? Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
default"
# Set strict transport security: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
Header always set Strict-Transport-Security "max-age=31536000;"
SSLEngine on
SSLCertificateFile /etc/ssl/certs/powerfolder.organization.net.pem
SSLCertificateKeyFile /etc/ssl/private/powerfolder.organization.net.key
RewriteEngine On
# ? # Allow OPTIONS requests
# ? # RewriteLog /var/log/apache2/rewrite.log
# http://serverfault.com/questions/231766/returning-200-ok-in-apache-on-http-options-requests
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [L,R=200]
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST,GET,OPTIONS"
Header always set Access-Control-Allow-Headers "PAOS,Content-Type"
<Location /login/shibboleth>
AuthType shibboleth
ShibRequestSetting requireSession 1
<RequireAll>
Require valid-user
Require shib-attr entitlement ~ http://idm.org/entitlement/organization-PowerFolder http://powerfolder.organization.net/entitlement/DFN-Cloud
</RequireAll>
</Location>
<Location /Shibboleth.sso>
satisfy Any
</Location>
# ? <Location /download>
# ? Header add cache-control "private, max-age=0, no-cache"
# ? Header set Access-Control-Allow-Origin "*"
</Location>
<Proxy balancer://pfcluster>
BalancerMember http://pf01.organization.net:8080 route=nodeID01
BalancerMember http://pf02.organization.net:8080 route=nodeID02
BalancerMember http://pf03.organization.net:8080 route=nodeID03
ProxySet stickysession=rpcid|JSESSIONID|jsessionid scolonpathdelim=On lbmethod=bybusyness
</Proxy>
ProxyPass /rpc balancer://pfcluster/rpc nocanon
ProxyPass /rpc !
ProxyPass /eds !
# ? ProxyPass /oo !
# ? ProxyPass /test !
ProxyPass /Shibboleth.sso !
ProxyPass / balancer://pfcluster/ nocanon
# Shibboleth-Attribute mapping to HTTP Headers for delivery to PF Server
# Source: https://wiki.powerfolder.com/display/EDUDE/Shibboleth
RequestHeader set HTTP_ShibSAMLShib-Session-ID %{HTTP_ShibSAMLShib-Session-ID}e env=HTTP_ShibSAMLShib-Session-ID
RequestHeader RequestHeader set HTTP_ShibSAMLShib-Session-ID "" env=!HTTP_ShibSAMLShib-Session-ID
RequestHeader set HTTP_persistentSAMLpersistent-id %{HTTP_persistentSAMLpersistent-id}e env=HTTP_persistentSAMLpersistent-id
RequestHeader set HTTP_persistentSAMLpersistent-id "" env=!HTTP_persistentSAMLpersistent-id
RequestHeader set SAMLuniqueID %{SAMLuniqueID}e env=SAMLuniqueID
RequestHeader set SAMLuniqueID "" env=!SAMLuniqueID
RequestHeader set HTTP_uniqueIDSAMLpairwise-id %{HTTP_uniqueIDSAMLpairwise-id}e env=HTTP_uniqueID
SAMLpairwise-id
RequestHeader set HTTP_uniqueIDSAMLpairwise-id "" env=!HTTP_uniqueID
SAMLupairwise-id
RequestHeader set HTTP_eduPersonPrincipalNameSAMLeduPersonPrincipalName %{HTTP_eduPersonPrincipalNameSAMLeduPersonPrincipalName}e env=HTTP_eduPersonPrincipalName
SAMLeduPersonPrincipalName
RequestHeader set HTTP_eduPersonPrincipalNameSAMLeduPersonPrincipalName "" env=!HTTP_eduPersonPrincipalName
SAMLeduPersonPrincipalName
RequestHeader set HTTP_eppnSAMLeppn %{HTTP_eppnSAMLeppn}e env=HTTP_eppn
SAMLeppn
RequestHeader set HTTP_eppnSAMLeppn "" env=!HTTP_eppn
SAMLeppn
RequestHeader set HTTP_EPPNSAMLEPPN %{HTTP_EPPNSAMLEPPN}e env=HTTP_EPPN
SAMLEPPN
RequestHeader set HTTP_EPPNSAMLEPPN "" env=!HTTP_EPPN
SAMLEPPN
RequestHeader set HTTP_mailSAMLmail %{HTTP_mailSAMLmail}e env=HTTP_mail
SAMLmail
RequestHeader set HTTP_mailSAMLmail "" env=!HTTP_mail
SAMLmail
RequestHeader set HTTP_emailSAMLemail %{HTTP_emailSAMLemail}e env=HTTP_email
SAMLemail
RequestHeader set HTTP_emailSAMLemail "" env=!HTTP_email
SAMLemail
RequestHeader set HTTP_givenNameSAMLgivenName %{HTTP_givenNameSAMLgivenName}e env=HTTP_givenName
SAMLgivenName
RequestHeader set HTTP_givenNameSAMLgivenName "" env=!HTTP_givenName
SAMLgivenName
RequestHeader set HTTP_snSAMLsn %{HTTP_snSAMLsn}e env=HTTP_sn
SAMLsn
RequestHeader set HTTP_snSAMLsn "" env=!HTTP_sn
SAMLsn
RequestHeader set HTTP_surnameSAMLsurname %{HTTP_surnameSAMLsurname}e env=HTTP_surname
SAMLsurname
RequestHeader set HTTP_surnameSAMLsurname "" env=!HTTP_surname
SAMLsurname
RequestHeader set HTTP_affiliationSAMLaffiliation %{HTTP_affiliationSAMLaffiliation}e env=HTTP_affiliation
SAMLaffiliation
RequestHeader set HTTP_affiliationSAMLaffiliation "" env=!HTTP_affiliation
SAMLaffiliation
RequestHeader set HTTP_eduPersonScopedAffiliationSAMLeduPersonScopedAffiliation %{HTTP_eduPersonScopedAffiliationSAMLeduPersonScopedAffiliation}e env=HTTP_eduPersonScopedAffiliation
SAMLeduPersonScopedAffiliation
RequestHeader set HTTP_eduPersonScopedAffiliationSAMLeduPersonScopedAffiliation "" env=!HTTP_eduPersonScopedAffiliation
SAMLeduPersonScopedAffiliation
RequestHeader set HTTP_entitlementSAMLentitlement %{HTTP_entitlementSAMLentitlement}e env=HTTP_entitlement
SAMLentitlement
RequestHeader set HTTP_entitlementSAMLentitlement "" env=!HTTP_entitlement
SAMLentitlement
RequestHeader set HTTP_eduPersonEntitlementSAMLeduPersonEntitlement %{HTTP_eduPersonEntitlementSAMLeduPersonEntitlement}e env=HTTP_eduPersonEntitlementSAMLeduPersonEntitlement
RequestHeader set HTTP_eduPersonEntitlementSAMLeduPersonEntitlement "" env=!HTTP_eduPersonEntitlementSAMLeduPersonEntitlement
# Organization attribute. Must match entry 'shibboleth.organizations.attribute' in PowerFolder.config. Default: o
RequestHeader set HTTP_oSAMLo %{HTTP_oSAMLo}e env=HTTP_oSAMLo
RequestHeader set HTTP_oSAMLo "" env=!HTTP_o
# ? <FilesMatch "\.(cgi|shtml|phtml|php)$">
# ? SSLOptions +StdEnvVars
# ? </FilesMatch>
# ? <Directory /usr/lib/cgi-bin>
# ? SSLOptions +StdEnvVars
# ? </Directory>
# ? BrowserMatch "MSIE [2-6]" \
# ? nokeepalive ssl-unclean-shutdown \
# ? downgrade-1.0 force-response-1.0
# ? # MSIE 7 and newer should be able to use keepalive
# ? BrowserMatch "MSIE [17-9]" ssl-unclean-shutdownSAMLo
</VirtualHost>
|