General configuration

Apache 2.4 requires V2.5.1 or later of the Shibboleth SP software

...

Requirements

...


Virtual host configuration file

The following section contains an example Apache configuration file for a virtual host that fronts three PowerFolder Servers operating as a cluster.

  • Server name: powerfolder.organization.net
  • Server admin email: support@organization.net
  • SSL certificate file: /etc/ssl/certs/powerfolder.organization.net.pem
  • SSL private key file: /etc/ssl/private/powerfolder.organization.net.key
  • Shibboleth entitlements (optional):
    • http://idm.org/entitlement/organization-PowerFolder
    • http://powerfolder.organization.net/entitlement/DFN-Cloud
  • PowerFolder Server web portal port: 8080
  • PowerFolder Server hostnames:
    • pf01.organization.net
    • pf02.organization.net
    • pf03.organization.net
  • PowerFolder Server nodeIDs:
    • nodeID01
    • nodeID02
    • nodeID03

...

Code Block
<VirtualHost _default_:443>
        ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log vhost_combined
# ? 	ErrorLog "|/usr/local/sbin/syslogRedirect.pl"
# ? 	CustomLog "|/usr/local/sbin/syslogRedirect.pl" vhost_combined
        ServerName powerfolder.organization.net
        ServerAdmin support@organization.net

  # ?     DocumentRoot "/var/www/sasdefault"
# 
?     FileETag None # ?     Header unset Cache-Control
# ?Set strict transport   Header unset ETag
# ?     Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
# ?security:  https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
        Header set Pragma "no-cache"
# ?     Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
# ?     Header always set Strict-Transport-Security "max-age=31536000;"

        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/powerfolder.organization.net.pem
        SSLCertificateKeyFile /etc/ssl/private/powerfolder.organization.net.key

#
?     ErrorDocument   500 /error/500.html
# ?     ErrorDocument   503 /error/503.html 
 
# ? # Allow OPTIONS requests
        RewriteEngine On
# ? # RewriteLog /var/log/apache2/rewrite.log
        RewriteCond %{REQUEST_METHOD} OPTIONS
        RewriteRule ^(.*)$ $1 [L,R=200]

# ?     Header always set Access-Control-Allow-Origin "*"
# ?     Header always set Access-Control-Allow-Methods "POST, GET,OPTIONS"
# ?     Header always set Access-Control-Allow-Headers "PAOS,Content-Type"
 
		RewriteEngine On
 
        <Location /login/shibboleth>
                AuthType shibboleth
 #  ?             ShibRequestSetting requireSession 1
# ?             ShibRequireSession On                 <RequireAll>
                       Require valid-user
                       Require shib-attr entitlement ~ http://idm.org/entitlement/organization-PowerFolder http://powerfolder.organization.net/entitlement/DFN-Cloud
                </RequireAll>
        </Location>


        <Location /Shibboleth.sso>
            satisfy Any
        </Location>

# ?     <Location /download>
# ?         Header add cache-control "private, max-age=0, no-cache"
# ?			Header set Access-Control-Allow-Origin "*"
        </Location>

        <Proxy balancer://pfcluster>
			BalancerMember http://pf01.organization.net:8080 route=nodeID01
			BalancerMember http://pf02.organization.net:8080 route=nodeID02
			BalancerMember http://pf03.organization.net:8080 route=nodeID03
			ProxySet stickysession=rpcid|JSESSIONID|jsessionid scolonpathdelim=On lbmethod=bybusyness
        </Proxy>

        ProxyPass               /rpc                    balancer://pfcluster/rpc nocanon
        ProxyPass               /rpc                    !
        ProxyPass               /eds                    !
# ?     ProxyPass               /oo                     !
# ?     ProxyPass               /test                   !
# ?     ProxyPass               /imprint                !
# ?     ProxyPass               /error                  !
        ProxyPass               /Shibboleth.sso         !
# ?     ProxyPass               /server-status          !
        ProxyPass               /                       balancer://pfcluster/    nocanon
 
        		# Shibboleth-Attribute mapping to HTTP Headers for delivery to PF Server
        		# Source: https://wiki.powerfolder.com/display/EDUDE/Shibboleth

        		RequestHeader set HTTP_ShibSAMLShib-Session-ID %{HTTP_ShibSAMLShib-Session-ID}e env=SAMLShib-Session-ID
		RequestHeader set SAMLShib-Session-ID ""    env=!SAMLShib-Session-ID
		RequestHeader set HTTP_persistentSAMLpersistent-id %{HTTP_persistentSAMLpersistent-id}e env=SAMLpersistent-id
		RequestHeader set SAMLpersistent-id ""    env=!SAMLpersistent-id
		RequestHeader set HTTP_uniqueIDSAMLuniqueID %{HTTP_uniqueIDSAMLuniqueID}e env=SAMLuniqueID
		RequestHeader set SAMLuniqueID ""    env=!SAMLuniqueID
		RequestHeader set HTTP_eduPersonPrincipalNameSAMLpairwise-id %{HTTP_eduPersonPrincipalNameSAMLpairwise-id}e env=SAMLpairwise-id
		RequestHeader set SAMLpairwise-id ""    env=!SAMLupairwise-id
		RequestHeader set HTTP_eppnSAMLeduPersonPrincipalName %{HTTP_eppnSAMLeduPersonPrincipalName}e env=SAMLeduPersonPrincipalName
		RequestHeader set SAMLeduPersonPrincipalName ""    env=!SAMLeduPersonPrincipalName
		RequestHeader set HTTP_EPPNSAMLeppn %{HTTP_EPPNSAMLeppn}e env=SAMLeppn
		RequestHeader set SAMLeppn ""    env=!SAMLeppn
		RequestHeader set HTTP_mailSAMLEPPN %{HTTP_mailSAMLEPPN}e env=SAMLEPPN
		RequestHeader set SAMLEPPN ""    env=!SAMLEPPN
		RequestHeader set HTTP_emailSAMLmail %{HTTP_emailSAMLmail}e env=SAMLmail
		RequestHeader set SAMLmail ""    env=!SAMLmail
		RequestHeader set HTTP_givenNameSAMLemail %{HTTP_givenNameSAMLemail}e env=SAMLemail
		RequestHeader set SAMLemail ""    env=!SAMLemail
		RequestHeader set HTTP_snSAMLgivenName %{HTTP_snSAMLgivenName}e env=SAMLgivenName
		RequestHeader set SAMLgivenName ""    env=!SAMLgivenName
		RequestHeader set HTTP_surnameSAMLsn %{HTTP_surnameSAMLsn}e env=SAMLsn
		RequestHeader set SAMLsn ""    env=!SAMLsn
		RequestHeader set HTTP_oSAMLsurname %{HTTP_oSAMLsurname}e env=SAMLsurname
		RequestHeader set SAMLsurname ""    env=!SAMLsurname
		RequestHeader set HTTP_affiliationSAMLaffiliation %{HTTP_affiliationSAMLaffiliation}e env=SAMLaffiliation
		RequestHeader set SAMLaffiliation ""    env=!SAMLaffiliation
		RequestHeader set HTTP_eduPersonScopedAffiliationSAMLeduPersonScopedAffiliation %{HTTP_eduPersonScopedAffiliationSAMLeduPersonScopedAffiliation}e env=SAMLeduPersonScopedAffiliation
		RequestHeader set SAMLeduPersonScopedAffiliation ""    env=!SAMLeduPersonScopedAffiliation
		RequestHeader set HTTP_entitlementSAMLentitlement %{HTTP_entitlementSAMLentitlement}e env=SAMLentitlement
		RequestHeader set SAMLentitlement ""    env=!SAMLentitlement
		RequestHeader set HTTP_eduPersonEntitlementSAMLeduPersonEntitlement %{HTTP_eduPersonEntitlementSAMLeduPersonEntitlement}e         env=SAMLeduPersonEntitlement
		RequestHeader set HTTP_location %{HTTP_location}e

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdownSAMLeduPersonEntitlement "" env=!SAMLeduPersonEntitlement
		# Organization attribute. Must match entry 'shibboleth.organizations.attribute' in PowerFolder.config. Default: o
		RequestHeader set SAMLo %{SAMLo}e env=SAMLo
		RequestHeader set SAMLo "" env=!SAMLo
</VirtualHost>
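Review bot: The clearing directive `RequestHeader set SAMLpairwise-id "" env=!SAMLupairwise-id` tests a misspelled variable (`SAMLupairwise-id`), so its condition is always true and, because mod_headers applies RequestHeader directives in configuration order, it overwrites the value the preceding line just copied from the SP environment — the pairwise-id never reaches the backend; the condition should read `env=!SAMLpairwise-id`. That set-from-env / clear-when-absent pair is what prevents a client-supplied `SAML*` header from being forwarded as if the SP had asserted it, so the pair for `SAMLeduPersonEntitlement` should be kept intact too: its clearing line appears to have been fused into the `BrowserMatch "MSIE [17-9]"` directive by the version-comparison rendering and should stand on its own as `RequestHeader set SAMLeduPersonEntitlement "" env=!SAMLeduPersonEntitlement`. In the `/login/shibboleth` location, the `~` in `Require shib-attr entitlement ~ ...` turns both entitlement URIs into regular expressions that are neither anchored nor dot-escaped, so any attribute value merely containing one of them satisfies the rule; dropping `~` yields exact-value matching, which is presumably what is intended. The whole `<VirtualHost>` block is within view.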