Requirements
General configuration
- Virtual host configuration file
- Server name: powerfolder.organization.net
- Server admin email: support@organization.net
- SSL certificate file: /etc/ssl/certs/powerfolder.organization.net.pem
- SSL private key file: /etc/ssl/private/powerfolder.organization.net.key
- Shibboleth entitlements (optional):
- http://idm.org/entitlement/organization-PowerFolder
- http://powerfolder.organization.net/entitlement/DFN-Cloud
- PowerFolder Server web portal port: 8080
- PowerFolder Server hostnames:
- pf01.organization.net
- pf02.organization.net
- pf03.organization.net
- PowerFolder Server nodeIDs:
# TLS-terminating reverse proxy for the PowerFolder cluster. Shibboleth guards
# /login/shibboleth; all other paths except the "!" exclusions are balanced
# across three backend nodes over plain HTTP on port 8080.
<VirtualHost _default_:443>
ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log vhost_combined
# ? ErrorLog "|/usr/local/sbin/syslogRedirect.pl"
# ? CustomLog "|/usr/local/sbin/syslogRedirect.pl" vhost_combined
ServerName powerfolder.organization.net
ServerAdmin support@organization.net
# ? DocumentRoot "/var/www/sas"
# ? FileETag None
# ? Header unset Cache-Control
# ? Header unset ETag
# ? Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
# ? Header set Pragma "no-cache"
# ? Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
# NOTE(review): HSTS is commented out below, so this vhost does not tell
# browsers to stay on HTTPS. Confirm that is deliberate.
# ? Header always set Strict-Transport-Security "max-age=31536000;"
# No SSLProtocol or SSLCipherSuite is set in this vhost, so the protocol and
# cipher policy comes from the server-wide configuration. Verify it there.
SSLEngine on
SSLCertificateFile /etc/ssl/certs/powerfolder.organization.net.pem
# The private key file should be readable only by the account that starts httpd.
SSLCertificateKeyFile /etc/ssl/private/powerfolder.organization.net.key
# ? ErrorDocument 500 /error/500.html
# ? ErrorDocument 503 /error/503.html
# ? # Allow OPTIONS requests
RewriteEngine On
# ? # RewriteLog /var/log/apache2/rewrite.log
# Answers every OPTIONS request with status 200. With a non-3xx R= code
# mod_rewrite drops the substitution and stops, so nothing is proxied.
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [L,R=200]
# NOTE(review): if the CORS headers below are ever enabled,
# Access-Control-Allow-Origin "*" admits any origin. Restrict it to the
# origins that actually need cross-site access.
# ? Header always set Access-Control-Allow-Origin "*"
# ? Header always set Access-Control-Allow-Methods "POST, GET,OPTIONS"
# ? Header always set Access-Control-Allow-Headers "PAOS,Content-Type"
# Shibboleth-protected login path. RequireAll means both conditions must hold:
# an authenticated user and a matching entitlement value.
<Location /login/shibboleth>
AuthType shibboleth
# NOTE(review): both session-requiring directives are commented out.
# Presumably "Require valid-user" is what forces a session here; confirm
# against the mod_shib version in use.
# ? ShibRequestSetting requireSession 1
# ? ShibRequireSession On
<RequireAll>
Require valid-user
# NOTE(review): "~" switches the values to regular expressions. As written
# the dots match any character and the patterns look unanchored; escape and
# anchor them if an exact entitlement match is intended. Also confirm how
# mod_shib treats two values after "~".
Require shib-attr entitlement ~ http://idm.org/entitlement/organization-PowerFolder http://powerfolder.organization.net/entitlement/DFN-Cloud
</RequireAll>
</Location>
# Shibboleth SP handler endpoints are left open to unauthenticated requests.
# NOTE(review): "satisfy" is Apache 2.2 access-control syntax and needs
# mod_access_compat on 2.4, while the Location above uses 2.4 <RequireAll>.
# Confirm the module is loaded, or express both in one syntax.
<Location /Shibboleth.sso>
satisfy Any
</Location>
# ? <Location /download>
# ? Header add cache-control "private, max-age=0, no-cache"
# ? </Location>
# Backend pool. Traffic to the members is unencrypted HTTP, and the route=
# values are presumably placeholders for the PowerFolder node IDs.
# The backends receive identity headers from this proxy (see the RequestHeader
# lines), so port 8080 on the pf0x hosts should accept connections from this
# proxy only. A client that reaches a backend directly can set them itself.
<Proxy balancer://pfcluster>
BalancerMember http://pf01.organization.net:8080 route=nodeID01
BalancerMember http://pf02.organization.net:8080 route=nodeID02
BalancerMember http://pf03.organization.net:8080 route=nodeID03
# NOTE(review): mod_proxy documents stickysession as "cookie|path-parameter".
# Three names are given here; confirm how the third is interpreted.
ProxySet stickysession=rpcid|JSESSIONID|jsessionid scolonpathdelim=On lbmethod=bybusyness
</Proxy>
# ProxyPass rules are checked in configuration order and the first match wins,
# so every "!" exclusion has to appear before the catch-all "/" rule.
# nocanon forwards the raw URL path without canonicalisation. Apache documents
# that this removes the proxy's limited protection against URL-based attacks,
# so the backend must normalise paths itself.
ProxyPass /rpc balancer://pfcluster/rpc nocanon
# NOTE(review): /rpc is already mapped to the balancer on the line above, so
# this exclusion can never match. Keep whichever of the two lines is intended.
ProxyPass /rpc !
ProxyPass /eds !
# ? ProxyPass /oo !
# ? ProxyPass /test !
# ? ProxyPass /imprint !
# ? ProxyPass /error !
ProxyPass /Shibboleth.sso !
# ? ProxyPass /server-status !
ProxyPass / balancer://pfcluster/ nocanon
# Shibboleth-Attribute mapping to HTTP Headers for delivery to PF Server
# Source: https://wiki.powerfolder.com/display/EDUDE/Shibboleth
# "RequestHeader set" replaces any same-named header sent by the client with
# the environment value, so clients cannot supply these identity headers.
# NOTE(review): the lines sit at vhost level and apply to every proxied
# request, not only /login/shibboleth. mod_headers sends the literal "(null)"
# for an unset variable; verify the backend treats that as "no attribute".
# NOTE(review): the variable names presuppose that mod_shib exports attributes
# with an HTTP_ prefix (e.g. via attributePrefix in shibboleth2.xml). Confirm.
RequestHeader set HTTP_Shib-Session-ID %{HTTP_Shib-Session-ID}e
RequestHeader set HTTP_persistent-id %{HTTP_persistent-id}e
RequestHeader set HTTP_uniqueID %{HTTP_uniqueID}e
RequestHeader set HTTP_eduPersonPrincipalName %{HTTP_eduPersonPrincipalName}e
RequestHeader set HTTP_eppn %{HTTP_eppn}e
RequestHeader set HTTP_EPPN %{HTTP_EPPN}e
RequestHeader set HTTP_mail %{HTTP_mail}e
RequestHeader set HTTP_email %{HTTP_email}e
RequestHeader set HTTP_givenName %{HTTP_givenName}e
RequestHeader set HTTP_sn %{HTTP_sn}e
RequestHeader set HTTP_surname %{HTTP_surname}e
RequestHeader set HTTP_o %{HTTP_o}e
RequestHeader set HTTP_affiliation %{HTTP_affiliation}e
RequestHeader set HTTP_eduPersonScopedAffiliation %{HTTP_eduPersonScopedAffiliation}e
RequestHeader set HTTP_entitlement %{HTTP_entitlement}e
RequestHeader set HTTP_eduPersonEntitlement %{HTTP_eduPersonEntitlement}e
RequestHeader set HTTP_location %{HTTP_location}e
# Export the standard SSL environment variables only to script-type files and
# to the CGI directory.
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# Workarounds for old Internet Explorer: MSIE 2-6 get no keepalive, tolerated
# unclean SSL shutdown and forced HTTP/1.0.
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>