
Apache configuration


Requirements

Apache mod_ajp and mod_jk should no longer be used. The example below proxies to the PowerFolder Servers over HTTP instead.


Virtual host configuration file

The following section contains an example Apache configuration file for a virtual host that load-balances across a cluster of three PowerFolder Servers. The example uses the following values:

  • Server name: powerfolder.organization.net
  • Server admin email: support@organization.net
  • SSL certificate file: /etc/ssl/certs/powerfolder.organization.net.pem
  • SSL private key file: /etc/ssl/private/powerfolder.organization.net.key
  • Shibboleth entitlements (optional):
    • http://idm.org/entitlement/organization-PowerFolder
    • http://powerfolder.organization.net/entitlement/DFN-Cloud
  • PowerFolder Server web portal port: 8080
  • PowerFolder Server hostnames:
    • pf01.organization.net
    • pf02.organization.net
    • pf03.organization.net
  • PowerFolder Server nodeIDs:
    • nodeID01
    • nodeID02
    • nodeID03
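<VirtualHost _default_:443>
    # TLS-terminating reverse proxy in front of the PowerFolder cluster.
    # Shibboleth protects /login/shibboleth; everything else except the
    # exclusions below is proxied to the balancer.

    ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log vhost_combined
# ?     ErrorLog "|/usr/local/sbin/syslogRedirect.pl"
# ?     CustomLog "|/usr/local/sbin/syslogRedirect.pl" vhost_combined
    ServerName powerfolder.organization.net
    ServerAdmin support@organization.net

# ?     DocumentRoot "/var/www/sas"
    # Disable ETag: http://www.websiteoptimization.com/secrets/advanced/configure-etags.html
    FileETag None
    Header unset ETag
# ?     Header unset Cache-Control
# ?     Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
# ?     Header set Pragma "no-cache"
# ?     Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"

    # Set strict transport security: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
    # "always" also adds the header to error responses.
    Header always set Strict-Transport-Security "max-age=31536000;"

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/powerfolder.organization.net.pem
    # The private key file should be readable only by the account that starts Apache.
    SSLCertificateKeyFile /etc/ssl/private/powerfolder.organization.net.key

    RewriteEngine On

# ? # Allow OPTIONS requests
# ? # RewriteLog /var/log/apache2/rewrite.log
    # Answer every OPTIONS request with status 200 instead of forwarding it.
    # http://serverfault.com/questions/231766/returning-200-ok-in-apache-on-http-options-requests
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [L,R=200]
    # NOTE(review): the wildcard origin lets any website read responses to
    # requests sent without credentials. If the set of origins that need
    # cross-origin access is known, list those instead of "*".
    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "POST,GET,OPTIONS"
    Header always set Access-Control-Allow-Headers "PAOS,Content-Type"

    # Require a Shibboleth session and one of the two entitlements.
    # "~" makes shib-attr treat the values as regular expressions. The patterns
    # are unanchored, so an entitlement value that merely contains one of them
    # also matches, and "." matches any character.
    # NOTE(review): consider anchoring each pattern with ^...$ and escaping the dots.
    <Location /login/shibboleth>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        <RequireAll>
            Require valid-user
            Require shib-attr entitlement ~ http://idm.org/entitlement/organization-PowerFolder http://powerfolder.organization.net/entitlement/DFN-Cloud
        </RequireAll>
    </Location>

    # Shibboleth handler endpoints, excluded from proxying further down.
    # NOTE(review): Satisfy is the Apache 2.2 access-control directive
    # (mod_access_compat on 2.4) while the block above uses 2.4 <RequireAll>;
    # confirm it has the intended effect on the Apache version in use.
    <Location /Shibboleth.sso>
        satisfy Any
    </Location>

# ?     <Location /download>
# ?         Header add cache-control "private, max-age=0, no-cache"
# ?     </Location>

    # Three-node cluster with sticky sessions; the route value of each member is
    # the nodeID of that PowerFolder Server.
    # The members are reached over plain HTTP. NOTE(review): the backends
    # presumably trust the HTTP_* identity headers set below, so port 8080
    # should accept connections from this proxy only; verify the network filtering.
    <Proxy balancer://pfcluster>
        BalancerMember http://pf01.organization.net:8080 route=nodeID01
        BalancerMember http://pf02.organization.net:8080 route=nodeID02
        BalancerMember http://pf03.organization.net:8080 route=nodeID03
        ProxySet stickysession=rpcid|JSESSIONID|jsessionid scolonpathdelim=On lbmethod=bybusyness
    </Proxy>

    # ProxyPass rules are checked in configuration order and the first match
    # wins, so exclusions ("!") must appear before the catch-all "/" mapping.
    ProxyPass               /rpc                    balancer://pfcluster/rpc nocanon
    # NOTE(review): this exclusion never takes effect because the /rpc mapping
    # above matches first. Kept as on the original page; remove one of the two.
    ProxyPass               /rpc                    !
    ProxyPass               /eds                    !
# ?     ProxyPass               /oo                     !
# ?     ProxyPass               /test                   !
    ProxyPass               /Shibboleth.sso         !
    ProxyPass               /                       balancer://pfcluster/    nocanon

    # Shibboleth-Attribute mapping to HTTP Headers for delivery to PF Server
    # Source: https://wiki.powerfolder.com/display/EDUDE/Shibboleth
    # Each attribute gets two rules: copy the value when the environment
    # variable is set, and overwrite the header with an empty value when it is
    # not (mod_headers spells the negated condition env=!NAME). Without the
    # second rule, a header of the same name sent by the client would be passed
    # to the backend unchanged on requests that carry no Shibboleth attributes.
    RequestHeader set HTTP_Shib-Session-ID %{HTTP_Shib-Session-ID}e env=HTTP_Shib-Session-ID
    RequestHeader set HTTP_Shib-Session-ID "" env=!HTTP_Shib-Session-ID
    RequestHeader set HTTP_persistent-id %{HTTP_persistent-id}e env=HTTP_persistent-id
    RequestHeader set HTTP_persistent-id "" env=!HTTP_persistent-id
    RequestHeader set HTTP_uniqueID %{HTTP_uniqueID}e env=HTTP_uniqueID
    RequestHeader set HTTP_uniqueID "" env=!HTTP_uniqueID
    RequestHeader set HTTP_eduPersonPrincipalName %{HTTP_eduPersonPrincipalName}e env=HTTP_eduPersonPrincipalName
    RequestHeader set HTTP_eduPersonPrincipalName "" env=!HTTP_eduPersonPrincipalName
    RequestHeader set HTTP_eppn %{HTTP_eppn}e env=HTTP_eppn
    RequestHeader set HTTP_eppn "" env=!HTTP_eppn
    RequestHeader set HTTP_EPPN %{HTTP_EPPN}e env=HTTP_EPPN
    RequestHeader set HTTP_EPPN "" env=!HTTP_EPPN
    RequestHeader set HTTP_mail %{HTTP_mail}e env=HTTP_mail
    RequestHeader set HTTP_mail "" env=!HTTP_mail
    RequestHeader set HTTP_email %{HTTP_email}e env=HTTP_email
    RequestHeader set HTTP_email "" env=!HTTP_email
    RequestHeader set HTTP_givenName %{HTTP_givenName}e env=HTTP_givenName
    RequestHeader set HTTP_givenName "" env=!HTTP_givenName
    RequestHeader set HTTP_sn %{HTTP_sn}e env=HTTP_sn
    RequestHeader set HTTP_sn "" env=!HTTP_sn
    RequestHeader set HTTP_surname %{HTTP_surname}e env=HTTP_surname
    RequestHeader set HTTP_surname "" env=!HTTP_surname
    RequestHeader set HTTP_affiliation %{HTTP_affiliation}e env=HTTP_affiliation
    RequestHeader set HTTP_affiliation "" env=!HTTP_affiliation
    RequestHeader set HTTP_eduPersonScopedAffiliation %{HTTP_eduPersonScopedAffiliation}e env=HTTP_eduPersonScopedAffiliation
    RequestHeader set HTTP_eduPersonScopedAffiliation "" env=!HTTP_eduPersonScopedAffiliation
    RequestHeader set HTTP_entitlement %{HTTP_entitlement}e env=HTTP_entitlement
    RequestHeader set HTTP_entitlement "" env=!HTTP_entitlement
    RequestHeader set HTTP_eduPersonEntitlement %{HTTP_eduPersonEntitlement}e env=HTTP_eduPersonEntitlement
    RequestHeader set HTTP_eduPersonEntitlement "" env=!HTTP_eduPersonEntitlement
    # Organization attribute. Must match entry 'shibboleth.organizations.attribute' in PowerFolder.config. Default: o
    RequestHeader set HTTP_o %{HTTP_o}e env=HTTP_o
    RequestHeader set HTTP_o "" env=!HTTP_o

# ?     <FilesMatch "\.(cgi|shtml|phtml|php)$">
# ?             SSLOptions +StdEnvVars
# ?     </FilesMatch>
# ?     <Directory /usr/lib/cgi-bin>
# ?             SSLOptions +StdEnvVars
# ?     </Directory>
# ?     BrowserMatch "MSIE [2-6]" \
# ?             nokeepalive ssl-unclean-shutdown \
# ?             downgrade-1.0 force-response-1.0
# ?     # MSIE 7 and newer should be able to use keepalive
# ?     BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>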