Apache configuration
Requirements
- PowerFolder Server v21.0.100 or higher
- SSL setup with Apache and PowerFolder
- Cluster only: Building a high-availability cluster.
- Apache module mod_shib
- Enabled ECP (Enhanced Client or Proxy):
Virtual host configuration file
The following section contains an example Apache configuration file for a virtual host that balances requests across a cluster of three PowerFolder Servers. The example uses these values:
- Server name: powerfolder.organization.net
- Server admin email: support@organization.net
- SSL certificate file: /etc/ssl/certs/powerfolder.organization.net.pem
- SSL private key file: /etc/ssl/private/powerfolder.organization.net.key
- Shibboleth entitlements (optional):
- http://idm.org/entitlement/organization-PowerFolder
- http://powerfolder.organization.net/entitlement/DFN-Cloud
- PowerFolder Server web portal port: 8080
- PowerFolder Server hostnames:
- pf01.organization.net
- pf02.organization.net
- pf03.organization.net
- PowerFolder Server nodeIDs:
- nodeID01
- nodeID02
- nodeID03
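<VirtualHost _default_:443>
    # TLS-terminating reverse proxy in front of the PowerFolder cluster.
    # mod_shib authenticates /login/shibboleth; the resulting attributes are
    # passed to the PowerFolder nodes as SAML* request headers (see below).
    ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log vhost_combined
    ServerName powerfolder.organization.net
    ServerAdmin support@organization.net
    DocumentRoot "/var/www/default"

    # Set strict transport security: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
    Header always set Strict-Transport-Security "max-age=31536000;"

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/powerfolder.organization.net.pem
    # The private key should be readable only by root / the Apache master process.
    SSLCertificateKeyFile /etc/ssl/private/powerfolder.organization.net.key

    RewriteEngine On

    # Shibboleth login endpoint: a valid session is required and, because of
    # <RequireAll>, the user must also carry one of the listed entitlements.
    # The entitlement check is optional; drop the shib-attr line to admit
    # every authenticated user.
    <Location /login/shibboleth>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        <RequireAll>
            Require valid-user
            # NOTE(review): "~" makes mod_shib match the values as regular
            # expressions, so the unescaped dots match any character and the
            # patterns are not anchored - consider escaping/anchoring them or
            # using exact matching if no pattern is needed.
            Require shib-attr entitlement ~ http://idm.org/entitlement/organization-PowerFolder http://powerfolder.organization.net/entitlement/DFN-Cloud
        </RequireAll>
    </Location>

    # Shibboleth SP handler (served by mod_shib, excluded from proxying below).
    <Location /Shibboleth.sso>
        # NOTE(review): "satisfy" is Apache 2.2 syntax and needs
        # mod_access_compat on 2.4; mixing it with "Require" elsewhere in this
        # file is discouraged - confirm against the Apache version in use.
        satisfy Any
        # NOTE(review): the wildcard lets any web origin read responses from
        # the handler endpoints; list the specific origins if a wildcard is
        # not required by your clients.
        Header set Access-Control-Allow-Origin "*"
    </Location>

    # Backend pool. Sticky sessions keep a client on the node whose route
    # matches its session id.
    # The members are reached over plain HTTP and receive the user's identity
    # in the SAML* headers set below, so port 8080 on the nodes should accept
    # connections from this proxy only (firewall or bind address). A node that
    # is reachable directly has no proxy in front of it to clean those headers.
    <Proxy balancer://pfcluster>
        BalancerMember http://pf01.organization.net:8080 route=nodeID01
        BalancerMember http://pf02.organization.net:8080 route=nodeID02
        BalancerMember http://pf03.organization.net:8080 route=nodeID03
        ProxySet stickysession=rpcid|JSESSIONID|jsessionid scolonpathdelim=On lbmethod=bybusyness
    </Proxy>

    ProxyPass /rpc balancer://pfcluster/rpc nocanon
    # NOTE(review): ProxyPass rules are checked in configuration order and the
    # first match wins, so this exclusion after the /rpc mapping above
    # presumably never takes effect - confirm which of the two is intended.
    ProxyPass /rpc !
    ProxyPass /eds !
    ProxyPass /Shibboleth.sso !
    ProxyPass / balancer://pfcluster/ nocanon

    # Shibboleth-Attribute mapping to HTTP Headers for delivery to PF Server
    # Source: https://wiki.powerfolder.com/display/EDUDE/Shibboleth
    #
    # Every attribute uses a pair of directives:
    #   1. forward the value mod_shib exported as an environment variable;
    #   2. overwrite the header with an empty value when that variable is
    #      absent, so a value supplied by the client never reaches the backend.
    # Both env= conditions of a pair must name the same variable; a misspelled
    # name in the second line blanks the header on every request. When adding
    # an attribute, always add both lines.
    RequestHeader set SAMLShib-Session-ID %{SAMLShib-Session-ID}e env=SAMLShib-Session-ID
    RequestHeader set SAMLShib-Session-ID "" env=!SAMLShib-Session-ID
    RequestHeader set SAMLpersistent-id %{SAMLpersistent-id}e env=SAMLpersistent-id
    RequestHeader set SAMLpersistent-id "" env=!SAMLpersistent-id
    RequestHeader set SAMLuniqueID %{SAMLuniqueID}e env=SAMLuniqueID
    RequestHeader set SAMLuniqueID "" env=!SAMLuniqueID
    RequestHeader set SAMLpairwise-id %{SAMLpairwise-id}e env=SAMLpairwise-id
    # Fixed: the condition previously read env=!SAMLupairwise-id, a variable
    # that is never set, so the pairwise-id header was always emptied.
    RequestHeader set SAMLpairwise-id "" env=!SAMLpairwise-id
    RequestHeader set SAMLeduPersonPrincipalName %{SAMLeduPersonPrincipalName}e env=SAMLeduPersonPrincipalName
    RequestHeader set SAMLeduPersonPrincipalName "" env=!SAMLeduPersonPrincipalName
    # NOTE(review): HTTP header names are case-insensitive while environment
    # variable names are not, so the SAMLeppn and SAMLEPPN pairs presumably
    # write the same header; if only SAMLeppn is exported, the SAMLEPPN reset
    # line would blank it again - verify which spelling your SP exports.
    RequestHeader set SAMLeppn %{SAMLeppn}e env=SAMLeppn
    RequestHeader set SAMLeppn "" env=!SAMLeppn
    RequestHeader set SAMLEPPN %{SAMLEPPN}e env=SAMLEPPN
    RequestHeader set SAMLEPPN "" env=!SAMLEPPN
    RequestHeader set SAMLmail %{SAMLmail}e env=SAMLmail
    RequestHeader set SAMLmail "" env=!SAMLmail
    RequestHeader set SAMLemail %{SAMLemail}e env=SAMLemail
    RequestHeader set SAMLemail "" env=!SAMLemail
    RequestHeader set SAMLgivenName %{SAMLgivenName}e env=SAMLgivenName
    RequestHeader set SAMLgivenName "" env=!SAMLgivenName
    RequestHeader set SAMLsn %{SAMLsn}e env=SAMLsn
    RequestHeader set SAMLsn "" env=!SAMLsn
    RequestHeader set SAMLsurname %{SAMLsurname}e env=SAMLsurname
    RequestHeader set SAMLsurname "" env=!SAMLsurname
    RequestHeader set SAMLaffiliation %{SAMLaffiliation}e env=SAMLaffiliation
    RequestHeader set SAMLaffiliation "" env=!SAMLaffiliation
    RequestHeader set SAMLeduPersonScopedAffiliation %{SAMLeduPersonScopedAffiliation}e env=SAMLeduPersonScopedAffiliation
    RequestHeader set SAMLeduPersonScopedAffiliation "" env=!SAMLeduPersonScopedAffiliation
    RequestHeader set SAMLentitlement %{SAMLentitlement}e env=SAMLentitlement
    RequestHeader set SAMLentitlement "" env=!SAMLentitlement
    RequestHeader set SAMLeduPersonEntitlement %{SAMLeduPersonEntitlement}e env=SAMLeduPersonEntitlement
    RequestHeader set SAMLeduPersonEntitlement "" env=!SAMLeduPersonEntitlement
    # Organization attribute. Must match entry 'shibboleth.organizations.attribute' in PowerFolder.config. Default: o
    RequestHeader set SAMLo %{SAMLo}e env=SAMLo
    RequestHeader set SAMLo "" env=!SAMLo
</VirtualHost>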