# Reference apache config file for hosting wsgi application
# Several variables related to OIDC connection parameters and reverse proxy urls
# will need to be filled in
#
# Layout as written: a single plain-HTTP vhost that demands an OIDC login
# everywhere (<Location "/">) and then carves out public exceptions with the
# <Location>/<LocationMatch> blocks that follow.
# NOTE(review): Apache merges sections of the same kind in config-file order
# (<Directory> first, then <Location>/<LocationMatch> in order of appearance),
# so the ordering of the blocks below is load-bearing; do not reorder casually.
<VirtualHost *:80>
    # Default server configuration
    # NOTE(review): this vhost listens on plain HTTP, yet OIDCRedirectURI below is an
    # https:// URL and the log file names say "ssl" -- presumably TLS is terminated
    # by a proxy in front of Apache. Confirm, since otherwise the OIDC session
    # cookie set by mod_auth_openidc would travel in the clear.
    ServerName localhost
    ServerAdmin admin@localhost
    DocumentRoot /var/www/html
    <Directory "/var/www/html">
        # "Indexes" enables automatic directory listings when no index file is
        # present; use "Options -Indexes" if listings are not wanted.
        Options Indexes
        AllowOverride None
    </Directory>
    # Require OIDC auth at every location
    # Default-deny baseline: every path needs a valid OIDC session unless a more
    # specific block below grants public access.
    <Location "/">
        <RequireAny>
            Require valid-user
        </RequireAny>
        AuthType openid-connect
    </Location>
    # Reverse proxy API requests to local uvicorn instance
    # Inherits the valid-user requirement from <Location "/"> above; only the
    # explicit carve-out for /api/institution_ids further down is public.
    <Location "/api">
        ProxyPass http://localhost:8089
        ProxyPassReverse http://localhost:8089
    </Location>
    # Allow public access to the root url
    # Only the bare "/" is public; RedirectMatch below sends it to /ui.
    <LocationMatch "^/$">
        <RequireAny>
            Require all granted
        </RequireAny>
        AuthType none
    </LocationMatch>
    # Allow public access to the landing page of the frontend, and any static assets
    # NOTE(review): the regex has no literal "." before js/css and the ".*" is
    # unanchored, so any path under /ui whose name merely ends in "js" or "css"
    # is public (a constructed example: "/ui/objs"). If only real asset files are
    # meant, a stricter pattern such as "^/ui(/?|/.*\.(js|css))$" narrows the
    # public surface.
    <LocationMatch "^/ui(/?|.*js|.*css)$">
        <RequireAny>
            Require all granted
        </RequireAny>
        AuthType none
    </LocationMatch>
    # Allow public access to the "list institutions" endpoint
    # <Location> matches on path-segment boundaries, so this also covers
    # everything beneath /api/institution_ids/.
    <Location "/api/institution_ids">
        <RequireAny>
            Require all granted
        </RequireAny>
        AuthType none
    </Location>
    # OIDC redirect URI (see OIDCRedirectURI below). mod_auth_openidc requires the
    # redirect URI to sit under a location it protects so it can consume the
    # provider's response; unauthenticated hits here start the login flow.
    <Location "/callback">
        <RequireAny>
            Require valid-user
        </RequireAny>
        AuthType openid-connect
    </Location>
    # Filesystem grant for /srv, where the (currently commented-out) WSGI script
    # lives. Nothing in this vhost maps a URL to /srv while WSGIScriptAlias is
    # commented out.
    <Directory "/srv">
        AllowOverride none
        <RequireAny>
            Require all granted
        </RequireAny>
    </Directory>
    # Redirect the root url to the frontend
    RedirectMatch "^/$" "/ui"
    # Reverse proxy the frontend to an internal service
    # NOTE(review): "/ui" has no trailing slash but the target does; mod_proxy's
    # documentation warns that mismatched trailing slashes can produce mis-slashed
    # backend URLs (presumably "/ui/x" reaches the backend as "//x"). Confirm the
    # frontend tolerates this, or use "/ui/" on both sides and keep "/ui" reachable
    # via a redirect.
    ProxyPass "/ui" "http://institutions-ui/"
    ProxyPassReverse "/ui" "http://institutions-ui/"
    ## Logging
    # NOTE(review): the "_ssl" in these file names does not match a *:80 vhost;
    # likely copied from an SSL vhost template.
    ErrorLog "/var/log/httpd/local_default_ssl_error_ssl.log"
    LogLevel info
    # Hide the server version/hostname footer on generated pages (error pages,
    # directory listings).
    ServerSignature Off
    CustomLog "/var/log/httpd/local_default_ssl_access_ssl.log" combined
    # # WSGI application
    # WSGIDaemonProcess topology-institutions
    # WSGIProcessGroup topology-institutions
    # WSGIScriptAlias / /srv/wsgi.py
    # # The Syslog CA issuer requires examining the Authorization header, which
    # # mod_wsgi strips unless this is On.
    # WSGIPassAuthorization On
    # # OIDC configuration
    # # The <...> values are placeholders; the client secret and passphrase are
    # # credentials and should be supplied at deploy time, not committed here.
    # OIDCProviderMetadataURL https://cilogon.org/.well-known/openid-configuration
    # OIDCClientID <oidc client id>
    # OIDCClientSecret <oidc client secret>
    # # Must match the <Location "/callback"> block above and the redirect URI
    # # registered with the provider. NOTE(review): it uses EXTERNAL_HOSTNAME while
    # # ServerName is localhost -- confirm the front proxy preserves the host.
    # OIDCRedirectURI https://{{getenv "EXTERNAL_HOSTNAME"}}/callback
    # # Used to encrypt the session cookie and the local cache.
    # OIDCCryptoPassphrase <oidc passphrase>
    # # Control the information in the returned token.
    # OIDCScope "openid email org.cilogon.userinfo"
    # # The value of this scope is used as the username in the environment
    # # variables provided to WSGI, e.g. REMOTE_USERNAME. If not
    # # specified, defaults to "sub@iss" from OIDC_CLAIM_sub and
    # # OIDC_CLAIM_iss. Use 'osgid' since anyone associated with the OSG
    # # CO will have this claim
    # OIDCRemoteUserClaim osgid
</VirtualHost>