
Apache configuration


Requirements

Apache mod_ajp or mod_jk should not be used anymore.


Virtual host configuration file

The following section contains an example Apache configuration file for a virtual host with three PowerFolder Servers running as a cluster. The example uses the following values:

  • Server name: powerfolder.organization.net
  • Server admin email: support@organization.net
  • SSL certificate file: /etc/ssl/certs/powerfolder.organization.net.pem
  • SSL private key file: /etc/ssl/private/powerfolder.organization.net.key
  • Shibboleth entitlements (optional):
    • http://idm.org/entitlement/organization-PowerFolder
    • http://powerfolder.organization.net/entitlement/DFN-Cloud
  • PowerFolder Server web portal port: 8080
  • PowerFolder Server hostnames:
    • pf01.organization.net
    • pf02.organization.net
    • pf03.organization.net
  • PowerFolder Server nodeIDs:
    • nodeID01
    • nodeID02
    • nodeID03
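<VirtualHost _default_:443>
        # Example TLS virtual host that terminates HTTPS and Shibboleth and
        # load-balances to three PowerFolder Server nodes.
        # No SSLProtocol / SSLCipherSuite is set in this block, so protocol and
        # cipher policy come from the server-wide configuration; review them there.
        ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log vhost_combined
# ? 	ErrorLog "|/usr/local/sbin/syslogRedirect.pl"
# ? 	CustomLog "|/usr/local/sbin/syslogRedirect.pl" vhost_combined
        ServerName powerfolder.organization.net
        ServerAdmin support@organization.net

# ?     DocumentRoot "/var/www/sas"
        # Disable ETag: http://www.websiteoptimization.com/secrets/advanced/configure-etags.html
        FileETag None
        Header unset ETag
# ?     Header unset Cache-Control
# ?     Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
# ?     Header set Pragma "no-cache"
# ?     Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"

        # Set strict transport security:  https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
        # One year, for this host name only (no includeSubDomains directive).
        Header always set Strict-Transport-Security "max-age=31536000;"

        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/powerfolder.organization.net.pem
        # The private key must be readable only by root / the user that starts Apache.
        SSLCertificateKeyFile /etc/ssl/private/powerfolder.organization.net.key

        RewriteEngine On

# ? # Allow OPTIONS requests
# ? # RewriteLog /var/log/apache2/rewrite.log
        # http://serverfault.com/questions/231766/returning-200-ok-in-apache-on-http-options-requests
        # Every OPTIONS request is answered with 200 at the proxy and never
        # reaches Shibboleth or the backends.
        RewriteCond %{REQUEST_METHOD} OPTIONS
        RewriteRule ^(.*)$ $1 [L,R=200]
        # NOTE(review): these CORS headers are added to every response of the
        # virtual host, not only to the preflight answers. The wildcard origin
        # lets any web site read responses that need no browser credentials.
        # Presumably only the PAOS (Shibboleth ECP) endpoints need this; confirm
        # and consider an explicit origin or a narrower <Location>.
        Header always set Access-Control-Allow-Origin "*"
        Header always set Access-Control-Allow-Methods "POST,GET,OPTIONS"
        Header always set Access-Control-Allow-Headers "PAOS,Content-Type"

        # Shibboleth-protected login: a session is required and the user must
        # hold at least one of the listed entitlements.
        <Location /login/shibboleth>
                AuthType shibboleth
                ShibRequestSetting requireSession 1
                <RequireAll>
                       Require valid-user
                       # The entitlement values are compared literally. The earlier
                       # form used "~", which makes the SP treat each URL as a regular
                       # expression: "." then matches any character, and a value that
                       # only contains the URL may also be accepted. If pattern
                       # matching is really wanted, use "~" with escaped dots and
                       # ^...$ anchors.
                       Require shib-attr entitlement http://idm.org/entitlement/organization-PowerFolder http://powerfolder.organization.net/entitlement/DFN-Cloud
                </RequireAll>
        </Location>

        # SP handler endpoints must stay reachable without a session.
        # NOTE(review): "satisfy" is Apache 2.2 syntax (mod_access_compat on 2.4),
        # while the block above uses 2.4-style <RequireAll>; confirm which
        # authorization model the server actually applies here.
        <Location /Shibboleth.sso>
            satisfy Any
        </Location>

# ?     <Location /download>
# ?         Header add cache-control "private, max-age=0, no-cache"
# ?     </Location>

        # Cluster nodes are addressed over plain HTTP on port 8080, so session
        # cookies and the identity headers set below cross this hop unencrypted.
        # Port 8080 on the nodes should accept connections from this proxy only;
        # a client that reaches a node directly bypasses Shibboleth and the
        # header handling in this file.
        <Proxy balancer://pfcluster>
                BalancerMember http://pf01.organization.net:8080 route=nodeID01
                BalancerMember http://pf02.organization.net:8080 route=nodeID02
                BalancerMember http://pf03.organization.net:8080 route=nodeID03
                ProxySet stickysession=rpcid|JSESSIONID|jsessionid scolonpathdelim=On lbmethod=bybusyness
        </Proxy>

        # ProxyPass rules are evaluated in configuration order and the first
        # match wins, so the "!" exclusions have to stay above the catch-all "/".
        # "nocanon" forwards the raw, un-canonicalised URL path, which removes
        # the proxy's URL normalisation as a protection for the backend.
        ProxyPass               /rpc                    balancer://pfcluster/rpc nocanon
        # NOTE(review): this exclusion follows the /rpc mapping above and therefore
        # never takes effect; remove it, or move it first if /rpc is meant to be
        # served locally.
        ProxyPass               /rpc                    !
        ProxyPass               /eds                    !
# ?     ProxyPass               /oo                     !
# ?     ProxyPass               /test                   !
        ProxyPass               /Shibboleth.sso         !
        ProxyPass               /                       balancer://pfcluster/    nocanon

        # Shibboleth-Attribute mapping to HTTP Headers for delivery to PF Server
        # Source: https://wiki.powerfolder.com/display/EDUDE/Shibboleth
        # "RequestHeader set" replaces any header of the same name sent by the
        # client, so these lines are also what keeps a client from supplying its
        # own identity attributes. Keep "set" (not "add"/"append"), keep them at
        # virtual-host level so they apply to every proxied request, and add a
        # line for every further attribute header the PowerFolder Server is
        # configured to trust.
        RequestHeader set HTTP_Shib-Session-ID %{HTTP_Shib-Session-ID}e
        RequestHeader set HTTP_persistent-id %{HTTP_persistent-id}e
        RequestHeader set HTTP_uniqueID %{HTTP_uniqueID}e
        RequestHeader set HTTP_eduPersonPrincipalName %{HTTP_eduPersonPrincipalName}e
        RequestHeader set HTTP_eppn %{HTTP_eppn}e
        RequestHeader set HTTP_EPPN %{HTTP_EPPN}e
        RequestHeader set HTTP_mail %{HTTP_mail}e
        RequestHeader set HTTP_email %{HTTP_email}e
        RequestHeader set HTTP_givenName %{HTTP_givenName}e
        RequestHeader set HTTP_sn %{HTTP_sn}e
        RequestHeader set HTTP_surname %{HTTP_surname}e
        RequestHeader set HTTP_o %{HTTP_o}e
        RequestHeader set HTTP_affiliation %{HTTP_affiliation}e
        RequestHeader set HTTP_eduPersonScopedAffiliation %{HTTP_eduPersonScopedAffiliation}e
        RequestHeader set HTTP_entitlement %{HTTP_entitlement}e
        RequestHeader set HTTP_eduPersonEntitlement %{HTTP_eduPersonEntitlement}e
        RequestHeader set HTTP_location %{HTTP_location}e

# ?     <FilesMatch "\.(cgi|shtml|phtml|php)$">
# ?             SSLOptions +StdEnvVars
# ?     </FilesMatch>
# ?     <Directory /usr/lib/cgi-bin>
# ?             SSLOptions +StdEnvVars
# ?     </Directory>
# ?     BrowserMatch "MSIE [2-6]" \
# ?             nokeepalive ssl-unclean-shutdown \
# ?             downgrade-1.0 force-response-1.0
# ?     # MSIE 7 and newer should be able to use keepalive
# ?     BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>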