URL: https://github.com/freeipa/freeipa/pull/673 Author: tjaalton Title: #673: Conf template Action: synchronized
From 134fec33ecbbb462a18fb9dd135b3b3cf23d80fd Mon Sep 17 00:00:00 2001 From: Timo Aaltonen <tjaal...@debian.org> Date: Wed, 15 Mar 2017 19:28:07 +0200 Subject: [PATCH 1/3] Move config templates from install/conf to install/share --- configure.ac | 1 - freeipa.spec.in | 3 - install/Makefile.am | 1 - install/conf/Makefile.am | 13 -- install/conf/ipa-kdc-proxy.conf.template | 30 ---- install/conf/ipa-pki-proxy.conf | 46 ------ install/conf/ipa-rewrite.conf | 22 --- install/conf/ipa.conf | 227 ------------------------------ install/share/Makefile.am | 4 + install/share/ipa-kdc-proxy.conf.template | 30 ++++ install/share/ipa-pki-proxy.conf.template | 46 ++++++ install/share/ipa-rewrite.conf.template | 22 +++ install/share/ipa.conf.template | 227 ++++++++++++++++++++++++++++++ ipaserver/install/dogtaginstance.py | 2 +- ipaserver/install/httpinstance.py | 4 +- ipaserver/install/server/upgrade.py | 6 +- 16 files changed, 335 insertions(+), 349 deletions(-) delete mode 100644 install/conf/Makefile.am delete mode 100644 install/conf/ipa-kdc-proxy.conf.template delete mode 100644 install/conf/ipa-pki-proxy.conf delete mode 100644 install/conf/ipa-rewrite.conf delete mode 100644 install/conf/ipa.conf create mode 100644 install/share/ipa-kdc-proxy.conf.template create mode 100644 install/share/ipa-pki-proxy.conf.template create mode 100644 install/share/ipa-rewrite.conf.template create mode 100644 install/share/ipa.conf.template diff --git a/configure.ac b/configure.ac index f5c5270..2125d05 100644 --- a/configure.ac +++ b/configure.ac @@ -538,7 +538,6 @@ AC_CONFIG_FILES([ init/Makefile install/Makefile install/certmonger/Makefile - install/conf/Makefile install/html/Makefile install/migration/Makefile install/share/Makefile diff --git a/freeipa.spec.in b/freeipa.spec.in index 829c3f0..5235e13 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -1312,9 +1312,6 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf %dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec -%{_usr}/share/ipa/ipa.conf -%{_usr}/share/ipa/ipa-rewrite.conf -%{_usr}/share/ipa/ipa-pki-proxy.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con diff --git a/install/Makefile.am b/install/Makefile.am index f895bcc..f0ec9c7 100644 --- a/install/Makefile.am +++ b/install/Makefile.am @@ -6,7 +6,6 @@ NULL = SUBDIRS = \ certmonger \ - conf \ html \ migration \ share \ diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am deleted file mode 100644 index 751bb16..0000000 --- a/install/conf/Makefile.am +++ /dev/null @@ -1,13 +0,0 @@ -NULL = - -appdir = $(IPA_DATA_DIR) -app_DATA = \ - ipa.conf \ - ipa-kdc-proxy.conf.template \ - ipa-pki-proxy.conf \ - ipa-rewrite.conf \ - $(NULL) - -EXTRA_DIST = \ - $(app_DATA) \ - $(NULL) diff --git a/install/conf/ipa-kdc-proxy.conf.template b/install/conf/ipa-kdc-proxy.conf.template deleted file mode 100644 index 9290ceb..0000000 --- a/install/conf/ipa-kdc-proxy.conf.template +++ /dev/null 
@@ -1,30 +0,0 @@ -# Kerberos over HTTP / MS-KKDCP support (Kerberos KDC Proxy) -# -# The symlink from /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ is maintained -# by the ExecStartPre script /usr/libexec/ipa/ipa-httpd-kdcproxy in -# httpd.service. The service also sets the environment variable -# KDCPROXY_CONFIG to $KDCPROXY_CONFIG. -# -# Disable KDC Proxy on the current host: -# # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif -# # systemctl restart httpd.service -# -# Enable KDC Proxy on the current host: -# # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif -# # systemctl restart httpd.service -# - -WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=5000 \ - user=kdcproxy group=kdcproxy display-name=%{GROUP} -WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \ - process-group=kdcproxy application-group=kdcproxy -WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py -WSGIScriptReloading Off - -<Location "/KdcProxy"> - Satisfy Any - Order Deny,Allow - Allow from all - WSGIProcessGroup kdcproxy - WSGIApplicationGroup kdcproxy -</Location> diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf deleted file mode 100644 index b48a302..0000000 --- a/install/conf/ipa-pki-proxy.conf +++ /dev/null 
@@ -1,46 +0,0 @@ -# VERSION 10 - DO NOT REMOVE THIS LINE - -ProxyRequests Off - -# matches for ee port -<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit"> - NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate - NSSVerifyClient none - ProxyPassMatch ajp://localhost:$DOGTAG_PORT - ProxyPassReverse ajp://localhost:$DOGTAG_PORT -</LocationMatch> - -# matches for admin port and installer -<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries"> - NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate - NSSVerifyClient none - ProxyPassMatch ajp://localhost:$DOGTAG_PORT - ProxyPassReverse ajp://localhost:$DOGTAG_PORT -</LocationMatch> - -# matches for agent port and eeca port -<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector"> - NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate - NSSVerifyClient require - ProxyPassMatch ajp://localhost:$DOGTAG_PORT - ProxyPassReverse ajp://localhost:$DOGTAG_PORT -</LocationMatch> - -# matches for CA REST API -<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/installer/installToken|^/ca/rest/securityDomain/domainInfo|^/ca/rest/securityDomain/installToken|^/ca/rest/profiles|^/ca/rest/authorities|^/ca/rest/certrequests|^/ca/rest/admin/kraconnector/remove"> - NSSOptions +StdEnvVars +ExportCertData 
+StrictRequire +OptRenegotiate - NSSVerifyClient optional - ProxyPassMatch ajp://localhost:$DOGTAG_PORT - ProxyPassReverse ajp://localhost:$DOGTAG_PORT -</LocationMatch> - -# matches for KRA REST API -<LocationMatch "^/kra/rest/config/cert/transport|^/kra/rest/account|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys"> - NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate - NSSVerifyClient optional - ProxyPassMatch ajp://localhost:$DOGTAG_PORT - ProxyPassReverse ajp://localhost:$DOGTAG_PORT -</LocationMatch> - -# Only enable this on servers that are not generating a CRL -${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC] diff --git a/install/conf/ipa-rewrite.conf b/install/conf/ipa-rewrite.conf deleted file mode 100644 index 37661b8..0000000 --- a/install/conf/ipa-rewrite.conf +++ /dev/null @@ -1,22 +0,0 @@ -# VERSION 6 - DO NOT REMOVE THIS LINE - -RewriteEngine on - -# By default forward all requests to /ipa. If you don't want IPA -# to be the default on your web server comment this line out. -${AUTOREDIR}RewriteRule ^/$$ https://$FQDN/ipa/ui [L,NC,R=301] - -# Redirect to the fully-qualified hostname. Not redirecting to secure -# port so configuration files can be retrieved without requiring SSL. -RewriteCond %{HTTP_HOST} !^$FQDN$$ [NC] -RewriteRule ^/ipa/(.*) http://$FQDN/ipa/$$1 [L,R=301] - -# Redirect to the secure port if not displaying an error or retrieving -# configuration. -RewriteCond %{SERVER_PORT} !^443$$ -RewriteCond %{REQUEST_URI} !^/ipa/(errors|config|crl) -RewriteCond %{REQUEST_URI} !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$$ -RewriteRule ^/ipa/(.*) https://$FQDN/ipa/$$1 [L,R=301,NC] - -# Rewrite for plugin index, make it like it's a static file -RewriteRule ^/ipa/ui/js/freeipa/plugins.js$$ /ipa/wsgi/plugins.py [PT] diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf deleted file mode 100644 index e1f1a58..0000000 
--- a/install/conf/ipa.conf +++ /dev/null 
@@ -1,227 +0,0 @@ -# -# VERSION 25 - DO NOT REMOVE THIS LINE -# -# This file may be overwritten on upgrades. -# - -# Load lookup_identity module in case it has not been loaded yet -# The module is used to search users according the certificate. -<IfModule !lookup_identity_module> - LoadModule lookup_identity_module modules/mod_lookup_identity.so -</IfModule> - -ProxyRequests Off - -#We use xhtml, a file format that the browser validates -DirectoryIndex index.html - - -# Substantially increase the request field size to support MS-PAC -# requests, ticket #2767. This should easily support a 64KiB PAC. -LimitRequestFieldSize 100000 - -# Increase connection keep alive time. Default value is 5 seconds, which is too -# short for interactive ipa commands. 30 seconds is a good compromise. -KeepAlive On -KeepAliveTimeout 30 - -# ipa-rewrite.conf is loaded separately - -# This is required so the auto-configuration works with Firefox 2+ -AddType application/java-archive jar -AddType application/x-xpinstall xpi - -# Proper header for .tff fonts -AddType application/x-font-ttf ttf - -# Enable compression -AddOutputFilterByType DEFLATE text/html text/plain text/xml \ - application/javascript application/json text/css \ - application/x-font-ttf - -# Disable etag http header. Doesn't work well with mod_deflate -# https://issues.apache.org/bugzilla/show_bug.cgi?id=45023 -# Usage of last-modified header and modified-since validator is sufficient. -Header unset ETag -FileETag None - -# FIXME: WSGISocketPrefix is a server-scope directive. 
The mod_wsgi package -# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf: -WSGISocketPrefix /run/httpd/wsgi - - -# Configure mod_wsgi handler for /ipa -WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \ - user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647 -WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa -WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py -WSGIScriptReloading Off - - -# Turn off mod_msgi handler for errors, config, crl: -<Location "/ipa/errors"> - SetHandler None -</Location> -<Location "/ipa/config"> - SetHandler None -</Location> -<Location "/ipa/crl"> - SetHandler None -</Location> - -# Protect /ipa and everything below it in webspace with Apache Kerberos auth -<Location "/ipa"> - AuthType GSSAPI - AuthName "Kerberos Login" - GssapiUseSessions On - Session On - SessionCookieName ipa_session path=/ipa;httponly;secure; - SessionHeader IPASESSION - SessionMaxAge 1800 - GssapiSessionKey file:/etc/httpd/alias/ipasession.key - - GssapiImpersonate On - GssapiDelegCcacheDir /var/run/ipa/ccaches - GssapiDelegCcachePerms mode:0660 gid:ipaapi - GssapiUseS4U2Proxy on - GssapiAllowedMech krb5 - Require valid-user - ErrorDocument 401 /ipa/errors/unauthorized.html - WSGIProcessGroup ipa - WSGIApplicationGroup ipa - Header always append X-Frame-Options DENY - Header always append Content-Security-Policy "frame-ancestors 'none'" - - # mod_session always sets two copies of the cookie, and this confuses our - # legacy clients, the unset here works because it ends up unsetting only one - # of the 2 header tables set by mod_session, leaving the other intact - Header unset Set-Cookie -</Location> - -# Target for login with internal connections -Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login" - -# Turn off Apache authentication for password/token based login pages -<Location "/ipa/session/login_password"> - Satisfy Any - Order Deny,Allow - Allow from all -</Location> - -# Login 
with user certificate/smartcard configuration -# This configuration needs to be loaded after <Location "/ipa"> -<Location "/ipa/session/login_x509"> - AuthType none - GssapiDelegCcacheDir /var/run/ipa/ccaches - GssapiDelegCcachePerms mode:0660 gid:ipaapi - NSSVerifyClient require - NSSUserName SSL_CLIENT_CERT - LookupUserByCertificate On - WSGIProcessGroup ipa - WSGIApplicationGroup ipa - GssapiImpersonate On - - GssapiUseSessions On - Session On - SessionCookieName ipa_session path=/ipa;httponly;secure; - SessionHeader IPASESSION - SessionMaxAge 1800 - GssapiSessionKey file:/etc/httpd/alias/ipasession.key - - Header unset Set-Cookie -</Location> - -<Location "/ipa/session/change_password"> - Satisfy Any - Order Deny,Allow - Allow from all -</Location> - -<Location "/ipa/session/sync_token"> - Satisfy Any - Order Deny,Allow - Allow from all -</Location> - -# Custodia stuff is redirected to the custodia daemon -# after authentication -<Location "/ipa/keys/"> - ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/" - RequestHeader set GSS_NAME %{GSS_NAME}s - RequestHeader set REMOTE_USER %{REMOTE_USER}s -</Location> - -# This is where we redirect on failed auth -Alias /ipa/errors "/usr/share/ipa/html" - -# For the MIT Windows config files -Alias /ipa/config "/usr/share/ipa/html" - -# Do no authentication on the directory that contains error messages -<Directory "/usr/share/ipa/html"> - SetHandler None - AllowOverride None - Satisfy Any - Allow from all - ExpiresActive On - ExpiresDefault "access plus 0 seconds" -</Directory> - - -# For CRL publishing -Alias /ipa/crl "$CRL_PUBLISH_PATH" -<Directory "$CRL_PUBLISH_PATH"> - SetHandler None - AllowOverride None - Options Indexes FollowSymLinks - Satisfy Any - Allow from all -</Directory> - - -# List explicitly only the fonts we want to serve -Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/open-sans" -Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/fontawesome" -<Directory "/usr/share/fonts"> - SetHandler 
None - AllowOverride None - Satisfy Any - Allow from all - ExpiresActive On - ExpiresDefault "access plus 1 year" -</Directory> - - -# webUI is now completely static, and served out of that directory -Alias /ipa/ui "/usr/share/ipa/ui" -<Directory "/usr/share/ipa/ui"> - SetHandler None - AllowOverride None - Satisfy Any - Allow from all - ExpiresActive On - ExpiresDefault "access plus 1 year" - <FilesMatch "(index.html|loader.js|login.html|reset_password.html)"> - ExpiresDefault "access plus 0 seconds" - </FilesMatch> -</Directory> - -# Simple wsgi scripts required by ui -Alias /ipa/wsgi "/usr/share/ipa/wsgi" -<Directory "/usr/share/ipa/wsgi"> - AllowOverride None - Satisfy Any - Allow from all - Options ExecCGI - AddHandler wsgi-script .py -</Directory> - -# migration related pages -Alias /ipa/migration "/usr/share/ipa/migration" -<Directory "/usr/share/ipa/migration"> - AllowOverride None - Satisfy Any - Allow from all - Options ExecCGI - AddHandler wsgi-script .py -</Directory> diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 9e539a3..11359ae 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -90,6 +90,10 @@ dist_app_DATA = \ gssapi.login \ ipa.conf.tmpfiles \ gssproxy.conf.template \ + ipa.conf.template \ + ipa-kdc-proxy.conf.template \ + ipa-pki-proxy.conf.template \ + ipa-rewrite.conf.template \ $(NULL) kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy diff --git a/install/share/ipa-kdc-proxy.conf.template b/install/share/ipa-kdc-proxy.conf.template new file mode 100644 index 0000000..9290ceb --- /dev/null +++ b/install/share/ipa-kdc-proxy.conf.template 
@@ -0,0 +1,30 @@ +# Kerberos over HTTP / MS-KKDCP support (Kerberos KDC Proxy) +# +# The symlink from /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ is maintained +# by the ExecStartPre script /usr/libexec/ipa/ipa-httpd-kdcproxy in +# httpd.service. The service also sets the environment variable +# KDCPROXY_CONFIG to $KDCPROXY_CONFIG. +# +# Disable KDC Proxy on the current host: +# # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif +# # systemctl restart httpd.service +# +# Enable KDC Proxy on the current host: +# # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif +# # systemctl restart httpd.service +# + +WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=5000 \ + user=kdcproxy group=kdcproxy display-name=%{GROUP} +WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \ + process-group=kdcproxy application-group=kdcproxy +WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py +WSGIScriptReloading Off + +<Location "/KdcProxy"> + Satisfy Any + Order Deny,Allow + Allow from all + WSGIProcessGroup kdcproxy + WSGIApplicationGroup kdcproxy +</Location> diff --git a/install/share/ipa-pki-proxy.conf.template b/install/share/ipa-pki-proxy.conf.template new file mode 100644 index 0000000..b48a302 --- /dev/null +++ b/install/share/ipa-pki-proxy.conf.template 
@@ -0,0 +1,46 @@ +# VERSION 10 - DO NOT REMOVE THIS LINE + +ProxyRequests Off + +# matches for ee port +<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit"> + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient none + ProxyPassMatch ajp://localhost:$DOGTAG_PORT + ProxyPassReverse ajp://localhost:$DOGTAG_PORT +</LocationMatch> + +# matches for admin port and installer +<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries"> + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient none + ProxyPassMatch ajp://localhost:$DOGTAG_PORT + ProxyPassReverse ajp://localhost:$DOGTAG_PORT +</LocationMatch> + +# matches for agent port and eeca port +<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector"> + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient require + ProxyPassMatch ajp://localhost:$DOGTAG_PORT + ProxyPassReverse ajp://localhost:$DOGTAG_PORT +</LocationMatch> + +# matches for CA REST API +<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/installer/installToken|^/ca/rest/securityDomain/domainInfo|^/ca/rest/securityDomain/installToken|^/ca/rest/profiles|^/ca/rest/authorities|^/ca/rest/certrequests|^/ca/rest/admin/kraconnector/remove"> + NSSOptions +StdEnvVars +ExportCertData 
+StrictRequire +OptRenegotiate + NSSVerifyClient optional + ProxyPassMatch ajp://localhost:$DOGTAG_PORT + ProxyPassReverse ajp://localhost:$DOGTAG_PORT +</LocationMatch> + +# matches for KRA REST API +<LocationMatch "^/kra/rest/config/cert/transport|^/kra/rest/account|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys"> + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient optional + ProxyPassMatch ajp://localhost:$DOGTAG_PORT + ProxyPassReverse ajp://localhost:$DOGTAG_PORT +</LocationMatch> + +# Only enable this on servers that are not generating a CRL +${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC] diff --git a/install/share/ipa-rewrite.conf.template b/install/share/ipa-rewrite.conf.template new file mode 100644 index 0000000..37661b8 --- /dev/null +++ b/install/share/ipa-rewrite.conf.template @@ -0,0 +1,22 @@ +# VERSION 6 - DO NOT REMOVE THIS LINE + +RewriteEngine on + +# By default forward all requests to /ipa. If you don't want IPA +# to be the default on your web server comment this line out. +${AUTOREDIR}RewriteRule ^/$$ https://$FQDN/ipa/ui [L,NC,R=301] + +# Redirect to the fully-qualified hostname. Not redirecting to secure +# port so configuration files can be retrieved without requiring SSL. +RewriteCond %{HTTP_HOST} !^$FQDN$$ [NC] +RewriteRule ^/ipa/(.*) http://$FQDN/ipa/$$1 [L,R=301] + +# Redirect to the secure port if not displaying an error or retrieving +# configuration. +RewriteCond %{SERVER_PORT} !^443$$ +RewriteCond %{REQUEST_URI} !^/ipa/(errors|config|crl) +RewriteCond %{REQUEST_URI} !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$$ +RewriteRule ^/ipa/(.*) https://$FQDN/ipa/$$1 [L,R=301,NC] + +# Rewrite for plugin index, make it like it's a static file +RewriteRule ^/ipa/ui/js/freeipa/plugins.js$$ /ipa/wsgi/plugins.py [PT] 
diff --git a/install/share/ipa.conf.template b/install/share/ipa.conf.template new file mode 100644 index 0000000..e1f1a58 --- /dev/null +++ b/install/share/ipa.conf.template 
@@ -0,0 +1,227 @@ +# +# VERSION 25 - DO NOT REMOVE THIS LINE +# +# This file may be overwritten on upgrades. +# + +# Load lookup_identity module in case it has not been loaded yet +# The module is used to search users according the certificate. +<IfModule !lookup_identity_module> + LoadModule lookup_identity_module modules/mod_lookup_identity.so +</IfModule> + +ProxyRequests Off + +#We use xhtml, a file format that the browser validates +DirectoryIndex index.html + + +# Substantially increase the request field size to support MS-PAC +# requests, ticket #2767. This should easily support a 64KiB PAC. +LimitRequestFieldSize 100000 + +# Increase connection keep alive time. Default value is 5 seconds, which is too +# short for interactive ipa commands. 30 seconds is a good compromise. +KeepAlive On +KeepAliveTimeout 30 + +# ipa-rewrite.conf is loaded separately + +# This is required so the auto-configuration works with Firefox 2+ +AddType application/java-archive jar +AddType application/x-xpinstall xpi + +# Proper header for .tff fonts +AddType application/x-font-ttf ttf + +# Enable compression +AddOutputFilterByType DEFLATE text/html text/plain text/xml \ + application/javascript application/json text/css \ + application/x-font-ttf + +# Disable etag http header. Doesn't work well with mod_deflate +# https://issues.apache.org/bugzilla/show_bug.cgi?id=45023 +# Usage of last-modified header and modified-since validator is sufficient. +Header unset ETag +FileETag None + +# FIXME: WSGISocketPrefix is a server-scope directive. 
The mod_wsgi package +# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf: +WSGISocketPrefix /run/httpd/wsgi + + +# Configure mod_wsgi handler for /ipa +WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \ + user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647 +WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa +WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py +WSGIScriptReloading Off + + +# Turn off mod_msgi handler for errors, config, crl: +<Location "/ipa/errors"> + SetHandler None +</Location> +<Location "/ipa/config"> + SetHandler None +</Location> +<Location "/ipa/crl"> + SetHandler None +</Location> + +# Protect /ipa and everything below it in webspace with Apache Kerberos auth +<Location "/ipa"> + AuthType GSSAPI + AuthName "Kerberos Login" + GssapiUseSessions On + Session On + SessionCookieName ipa_session path=/ipa;httponly;secure; + SessionHeader IPASESSION + SessionMaxAge 1800 + GssapiSessionKey file:/etc/httpd/alias/ipasession.key + + GssapiImpersonate On + GssapiDelegCcacheDir /var/run/ipa/ccaches + GssapiDelegCcachePerms mode:0660 gid:ipaapi + GssapiUseS4U2Proxy on + GssapiAllowedMech krb5 + Require valid-user + ErrorDocument 401 /ipa/errors/unauthorized.html + WSGIProcessGroup ipa + WSGIApplicationGroup ipa + Header always append X-Frame-Options DENY + Header always append Content-Security-Policy "frame-ancestors 'none'" + + # mod_session always sets two copies of the cookie, and this confuses our + # legacy clients, the unset here works because it ends up unsetting only one + # of the 2 header tables set by mod_session, leaving the other intact + Header unset Set-Cookie +</Location> + +# Target for login with internal connections +Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login" + +# Turn off Apache authentication for password/token based login pages +<Location "/ipa/session/login_password"> + Satisfy Any + Order Deny,Allow + Allow from all +</Location> + +# Login 
with user certificate/smartcard configuration +# This configuration needs to be loaded after <Location "/ipa"> +<Location "/ipa/session/login_x509"> + AuthType none + GssapiDelegCcacheDir /var/run/ipa/ccaches + GssapiDelegCcachePerms mode:0660 gid:ipaapi + NSSVerifyClient require + NSSUserName SSL_CLIENT_CERT + LookupUserByCertificate On + WSGIProcessGroup ipa + WSGIApplicationGroup ipa + GssapiImpersonate On + + GssapiUseSessions On + Session On + SessionCookieName ipa_session path=/ipa;httponly;secure; + SessionHeader IPASESSION + SessionMaxAge 1800 + GssapiSessionKey file:/etc/httpd/alias/ipasession.key + + Header unset Set-Cookie +</Location> + +<Location "/ipa/session/change_password"> + Satisfy Any + Order Deny,Allow + Allow from all +</Location> + +<Location "/ipa/session/sync_token"> + Satisfy Any + Order Deny,Allow + Allow from all +</Location> + +# Custodia stuff is redirected to the custodia daemon +# after authentication +<Location "/ipa/keys/"> + ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/" + RequestHeader set GSS_NAME %{GSS_NAME}s + RequestHeader set REMOTE_USER %{REMOTE_USER}s +</Location> + +# This is where we redirect on failed auth +Alias /ipa/errors "/usr/share/ipa/html" + +# For the MIT Windows config files +Alias /ipa/config "/usr/share/ipa/html" + +# Do no authentication on the directory that contains error messages +<Directory "/usr/share/ipa/html"> + SetHandler None + AllowOverride None + Satisfy Any + Allow from all + ExpiresActive On + ExpiresDefault "access plus 0 seconds" +</Directory> + + +# For CRL publishing +Alias /ipa/crl "$CRL_PUBLISH_PATH" +<Directory "$CRL_PUBLISH_PATH"> + SetHandler None + AllowOverride None + Options Indexes FollowSymLinks + Satisfy Any + Allow from all +</Directory> + + +# List explicitly only the fonts we want to serve +Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/open-sans" +Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/fontawesome" +<Directory "/usr/share/fonts"> + SetHandler 
None + AllowOverride None + Satisfy Any + Allow from all + ExpiresActive On + ExpiresDefault "access plus 1 year" +</Directory> + + +# webUI is now completely static, and served out of that directory +Alias /ipa/ui "/usr/share/ipa/ui" +<Directory "/usr/share/ipa/ui"> + SetHandler None + AllowOverride None + Satisfy Any + Allow from all + ExpiresActive On + ExpiresDefault "access plus 1 year" + <FilesMatch "(index.html|loader.js|login.html|reset_password.html)"> + ExpiresDefault "access plus 0 seconds" + </FilesMatch> +</Directory> + +# Simple wsgi scripts required by ui +Alias /ipa/wsgi "/usr/share/ipa/wsgi" +<Directory "/usr/share/ipa/wsgi"> + AllowOverride None + Satisfy Any + Allow from all + Options ExecCGI + AddHandler wsgi-script .py +</Directory> + +# migration related pages +Alias /ipa/migration "/usr/share/ipa/migration" +<Directory "/usr/share/ipa/migration"> + AllowOverride None + Satisfy Any + Allow from all + Options ExecCGI + AddHandler wsgi-script .py +</Directory> diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 356358a..d48f2ba 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -241,7 +241,7 @@ def uninstall(self): def http_proxy(self): """ Update the http proxy file """ template_filename = ( - os.path.join(paths.USR_SHARE_IPA_DIR, "ipa-pki-proxy.conf")) + os.path.join(paths.USR_SHARE_IPA_DIR, "ipa-pki-proxy.conf.template")) sub_dict = dict( DOGTAG_PORT=8009, CLONE='' if self.clone else '#', diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 01b55e7..2bd2c76 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py 
@@ -220,7 +220,7 @@ def __configure_http(self): target_fname = paths.HTTPD_IPA_CONF http_txt = ipautil.template_file( - os.path.join(paths.USR_SHARE_IPA_DIR, "ipa.conf"), self.sub_dict) + os.path.join(paths.USR_SHARE_IPA_DIR, "ipa.conf.template"), self.sub_dict) self.fstore.backup_file(paths.HTTPD_IPA_CONF) http_fd = open(target_fname, "w") http_fd.write(http_txt) @@ -229,7 +229,7 @@ def __configure_http(self): target_fname = paths.HTTPD_IPA_REWRITE_CONF http_txt = ipautil.template_file( - os.path.join(paths.USR_SHARE_IPA_DIR, "ipa-rewrite.conf"), + os.path.join(paths.USR_SHARE_IPA_DIR, "ipa-rewrite.conf.template"), self.sub_dict) self.fstore.backup_file(paths.HTTPD_IPA_REWRITE_CONF) http_fd = open(target_fname, "w") diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 1706079..0f10e9f 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1597,14 +1597,14 @@ def upgrade_configuration(): ds_dirname = dsinstance.config_dirname(ds_serverid) upgrade_file(sub_dict, paths.HTTPD_IPA_CONF, - os.path.join(paths.USR_SHARE_IPA_DIR, "ipa.conf")) + os.path.join(paths.USR_SHARE_IPA_DIR, "ipa.conf.template")) upgrade_file(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, - os.path.join(paths.USR_SHARE_IPA_DIR, "ipa-rewrite.conf")) + os.path.join(paths.USR_SHARE_IPA_DIR, "ipa-rewrite.conf.template")) if ca.is_configured(): upgrade_file( sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, - os.path.join(paths.USR_SHARE_IPA_DIR, "ipa-pki-proxy.conf"), + os.path.join(paths.USR_SHARE_IPA_DIR, "ipa-pki-proxy.conf.template"), add=True) else: if ipautil.file_exists(paths.HTTPD_IPA_PKI_PROXY_CONF): From ed0656c02b6c98c923d87a46787b7f81ba4f9316 Mon Sep 17 00:00:00 2001 
From: Timo Aaltonen <tjaal...@debian.org> Date: Wed, 29 Mar 2017 11:33:32 +0300 Subject: [PATCH 2/3] ipaplatform, ipa.conf: Use paths variables in ipa.conf.template --- install/share/ipa.conf.template | 18 +++++++++--------- ipaplatform/base/paths.py | 3 +++ ipaplatform/debian/paths.py | 3 +++ ipaserver/install/httpinstance.py | 5 +++++ 4 files changed, 20 insertions(+), 9 deletions(-) diff --git a/install/share/ipa.conf.template b/install/share/ipa.conf.template index e1f1a58..c6cf810 100644 --- a/install/share/ipa.conf.template +++ b/install/share/ipa.conf.template @@ -47,7 +47,7 @@ FileETag None # FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package # should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf: -WSGISocketPrefix /run/httpd/wsgi +WSGISocketPrefix $WSGI_PREFIX_DIR # Configure mod_wsgi handler for /ipa @@ -78,10 +78,10 @@ WSGIScriptReloading Off SessionCookieName ipa_session path=/ipa;httponly;secure; SessionHeader IPASESSION SessionMaxAge 1800 - GssapiSessionKey file:/etc/httpd/alias/ipasession.key + GssapiSessionKey file:$GSSAPI_SESSION_KEY GssapiImpersonate On - GssapiDelegCcacheDir /var/run/ipa/ccaches + GssapiDelegCcacheDir $IPA_CCACHES GssapiDelegCcachePerms mode:0660 gid:ipaapi GssapiUseS4U2Proxy on GssapiAllowedMech krb5 @@ -112,7 +112,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login" # This configuration needs to be loaded after <Location "/ipa"> <Location "/ipa/session/login_x509"> AuthType none - GssapiDelegCcacheDir /var/run/ipa/ccaches + GssapiDelegCcacheDir $IPA_CCACHES GssapiDelegCcachePerms mode:0660 gid:ipaapi NSSVerifyClient require NSSUserName SSL_CLIENT_CERT @@ -126,7 +126,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login" SessionCookieName ipa_session path=/ipa;httponly;secure; SessionHeader IPASESSION SessionMaxAge 1800 - GssapiSessionKey file:/etc/httpd/alias/ipasession.key + GssapiSessionKey file:$GSSAPI_SESSION_KEY Header unset Set-Cookie </Location> 
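Review bot: The `# VERSION 25 - DO NOT REMOVE THIS LINE` header of ipa.conf.template is not bumped although this hunk and the five further hunks in the file (`@@ -78`, `@@ -112`, `@@ -126`, `@@ -146`, `@@ -180`) change what is rendered on non-Fedora platforms. If `upgrade_file()` in ipaserver/install/server/upgrade.py decides whether to rewrite the installed ipa.conf by comparing that version number, as the header comment suggests, already-installed servers keep their old rendered copy and never pick up `$GSSAPI_SESSION_KEY`, `$IPA_CCACHES`, `${IPA_CUSTODIA_SOCKET}` or `$WSGI_PREFIX_DIR`. Changing the header to `# VERSION 26 - DO NOT REMOVE THIS LINE` would force a re-render on upgrade; on Fedora the output is byte-identical, so the rewrite is harmless there. The header line itself is above the first hunk and not visible here.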
@@ -146,7 +146,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login" # Custodia stuff is redirected to the custodia daemon # after authentication <Location "/ipa/keys/"> - ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/" + ProxyPass "unix:${IPA_CUSTODIA_SOCKET}|http://localhost/keys/" RequestHeader set GSS_NAME %{GSS_NAME}s RequestHeader set REMOTE_USER %{REMOTE_USER}s </Location> @@ -180,9 +180,9 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH" # List explicitly only the fonts we want to serve -Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/open-sans" -Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/fontawesome" -<Directory "/usr/share/fonts"> +Alias /ipa/ui/fonts/open-sans "${FONTS_DIR}/open-sans" +Alias /ipa/ui/fonts/fontawesome "${FONTS_DIR}/fontawesome" +<Directory "${FONTS_DIR}"> SetHandler None AllowOverride None Satisfy Any diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 9cf160f..3a3a906 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -39,6 +39,7 @@ class BasePathNamespace(object): HOSTS = "/etc/hosts" ETC_HTTPD_DIR = "/etc/httpd" HTTPD_ALIAS_DIR = "/etc/httpd/alias" + GSSAPI_SESSION_KEY = "/etc/httpd/alias/ipasession.key" OLD_KRA_AGENT_PEM = "/etc/httpd/alias/kra-agent.pem" HTTPD_CONF_D_DIR = "/etc/httpd/conf.d/" HTTPD_IPA_KDCPROXY_CONF = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf" @@ -227,6 +228,7 @@ class BasePathNamespace(object): SETUP_DS_PL = "/usr/sbin/setup-ds.pl" SMBD = "/usr/sbin/smbd" USERADD = "/usr/sbin/useradd" + FONTS_DIR = "/usr/share/fonts" USR_SHARE_IPA_DIR = "/usr/share/ipa/" CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif" IPA_HTML_DIR = "/usr/share/ipa/html" @@ -354,5 +356,6 @@ class BasePathNamespace(object): GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf' KRB5CC_HTTPD = '/tmp/krb5cc-httpd' IF_INET6 = '/proc/net/if_inet6' + WSGI_PREFIX_DIR = "/run/httpd/wsgi" path_namespace = BasePathNamespace 
diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py index 331afa0..f8be056 100644 --- a/ipaplatform/debian/paths.py +++ b/ipaplatform/debian/paths.py @@ -56,6 +56,7 @@ class DebianPathNamespace(BasePathNamespace): SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/apache2.service.d/" SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/apache2.service.d/ipa.conf" DNSSEC_TRUSTED_KEY = "/etc/bind/trusted-key.key" + GSSAPI_SESSION_KEY = "/etc/apache2/ipasession.key" OLD_KRA_AGENT_PEM = "/etc/apache2/nssdb/kra-agent.pem" SBIN_SERVICE = "/usr/sbin/service" CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s" @@ -77,6 +78,7 @@ class DebianPathNamespace(BasePathNamespace): HTTPD = "/usr/sbin/apache2ctl" REMOVE_DS_PL = "/usr/sbin/remove-ds" SETUP_DS_PL = "/usr/sbin/setup-ds" + FONTS_DIR = "/usr/share/fonts/truetype" VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/" VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5." CACERT_PEM = "/var/lib/krb5kdc/cacert.pem" @@ -93,5 +95,6 @@ class DebianPathNamespace(BasePathNamespace): IPA_ODS_EXPORTER_CCACHE = "/var/lib/opendnssec/tmp/ipa-ods-exporter.ccache" IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock" IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log' + WSGI_PREFIX_DIR = "/run/apache2/wsgi" paths = DebianPathNamespace() diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 2bd2c76..ff6c4af 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -152,6 +152,11 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, DOMAIN=self.domain, AUTOREDIR='' if auto_redirect else '#', CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR, + FONTS_DIR=paths.FONTS_DIR, + GSSAPI_SESSION_KEY=paths.GSSAPI_SESSION_KEY, + IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET, + IPA_CCACHES=paths.IPA_CCACHES, + WSGI_PREFIX_DIR=paths.WSGI_PREFIX_DIR, ) self.ca_file = ca_file if ca_is_configured is not None: 
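Review bot: `GSSAPI_SESSION_KEY = "/etc/apache2/ipasession.key"` places the key mod_auth_gssapi uses to protect the `ipa_session` cookie directly under `/etc/apache2`, whereas the base default keeps it inside the NSS database directory (`/etc/httpd/alias/`) and the Debian namespace's own `OLD_KRA_AGENT_PEM` already points at `/etc/apache2/nssdb/` for comparable private material. Whether the code that generates this file forces owner-only permissions is not visible in this PR, and `/etc/apache2` is ordinarily a world-listable configuration directory. Unless that generator is confirmed to create the key as 0600 owned by the web server user, keep the key with the other secrets, `GSSAPI_SESSION_KEY = "/etc/apache2/nssdb/ipasession.key"`, and add a comment on the definition stating who creates the file and with what mode.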
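Review bot: The five new substitution keys are added only to create_instance's sub_dict, but upgrade_configuration() in ipaserver/install/server/upgrade.py renders the same ipa.conf.template through its own sub_dict (see patch 1's `upgrade_file(sub_dict, paths.HTTPD_IPA_CONF, ...ipa.conf.template)`), and this patch's diffstat does not touch upgrade.py. Unless that dict already carries FONTS_DIR, GSSAPI_SESSION_KEY, IPA_CUSTODIA_SOCKET, IPA_CCACHES and WSGI_PREFIX_DIR, every upgrade of an existing server will either fail in the substitution or write an ipa.conf in which `GssapiSessionKey file:$GSSAPI_SESSION_KEY` and `GssapiDelegCcacheDir $IPA_CCACHES` are literal text, which breaks session handling for the web UI and API. Add the same five `KEY=paths.KEY` entries to the sub_dict in upgrade_configuration(), or build both dicts from one shared helper so the two call sites cannot drift again. create_instance's signature and the start of the dict are above this hunk.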
From 8ce3ac3aeaeebe897d01ebda8e02d558ed5a2215 Mon Sep 17 00:00:00 2001 From: Timo Aaltonen <tjaal...@debian.org> Date: Wed, 29 Mar 2017 18:17:28 +0300 Subject: [PATCH 3/3] named.conf: Disable duplicate zone on debian, and modify data dir zone already imported via default zones. --- install/share/bind.named.conf.template | 16 ++++++++-------- ipaserver/install/bindinstance.py | 2 ++ 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template index b7c3a0b..1cfd61d 100644 --- a/install/share/bind.named.conf.template +++ b/install/share/bind.named.conf.template @@ -4,9 +4,9 @@ options { // Put files that named is allowed to write in the data/ directory: directory "$NAMED_VAR_DIR"; // the default - dump-file "data/cache_dump.db"; - statistics-file "data/named_stats.txt"; - memstatistics-file "data/named_mem_stats.txt"; + dump-file "${DATA_DIR}cache_dump.db"; + statistics-file "${DATA_DIR}named_stats.txt"; + memstatistics-file "${DATA_DIR}named_mem_stats.txt"; // Any host is permitted to issue recursive queries allow-recursion { any; }; @@ -29,16 +29,16 @@ options { */ logging { channel default_debug { - file "data/named.run"; + file "${DATA_DIR}named.run"; severity dynamic; print-time yes; }; }; -zone "." IN { - type hint; - file "named.ca"; -}; +${DISABLE_DEBIAN}zone "." IN { +${DISABLE_DEBIAN} type hint; +${DISABLE_DEBIAN} file "named.ca"; +${DISABLE_DEBIAN}}; include "$RFC1912_ZONES"; include "$ROOT_KEY"; diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 03dce56..2da0e57 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py 
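Review bot: Prefixing four lines with `${DISABLE_DEBIAN}` to turn the root-hints `zone "."` stanza into `//` comments is fragile: anyone adding a line to that stanza must remember the prefix, and a forgotten one yields a named.conf that fails to parse on Debian. Emitting the whole stanza from a single variable (for example `$ROOT_HINTS_ZONE`, set by bindinstance to either the three-line zone block or an empty string) keeps the template readable and makes the "already provided by the distribution's default zones" reason explicit in one place. The comment `// Put files that named is allowed to write in the data/ directory:` at the top of the first hunk is also no longer true when `DATA_DIR` is empty; change it to `// Put files that named is allowed to write in ${DATA_DIR} (data/ by default):` or similar.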
@@ -775,6 +775,8 @@ def __setup_sub_dict(self): NAMED_PID=paths.NAMED_PID, NAMED_VAR_DIR=paths.NAMED_VAR_DIR, BIND_LDAP_SO=paths.BIND_LDAP_SO, + DATA_DIR='' if ipaplatform.NAME == 'debian' else 'data/', + DISABLE_DEBIAN='//' if ipaplatform.NAME == 'debian' else '', ) def __setup_dns_container(self):
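Review bot: `ipaplatform.NAME == 'debian'` relies on the bare module name `ipaplatform` being bound in bindinstance.py, and the two-line diffstat adds no import; if the module only has `from ipaplatform import ...` style imports, this is a NameError at DNS install time, so please confirm `import ipaplatform` is already present. Independently, string-comparing the platform name in server code is the opposite of the approach patch 2 takes for ipa.conf, where the per-platform difference lives in the ipaplatform paths namespace; the same should apply here, e.g. a path entry for the named data directory (`"data/"` in the base namespace, `""` in the Debian one) and a platform constant for whether the root-hints zone is needed, so that `__setup_sub_dict` reads `DATA_DIR=paths.<new entry>,` instead of branching on the distribution name. `__setup_sub_dict` starts above this hunk.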