Context Navigation

Back to ShibbolethSP2InstallDebianLenny

ShibbolethSP2InstallDebianLenny: shibboleth-sp.tmpl

File shibboleth-sp.tmpl, 7.4 kB (added by l.suhrbier, 16 months ago)
/etc/apache2/sites-available/shibboleth-sp

Line
1	<IfModule mod_ssl.c>
2	<VirtualHost ${shibSPHost}:443>
3	ServerName ${shibSPHost}
4	ServerAdmin webmaster@localhost
5	# ServerAdmin editsupport@bgbm.org
6
7	DocumentRoot /var/www/
8	<Directory />
9	Options FollowSymLinks
10	AllowOverride None
11	</Directory>
12	<Directory /var/www/>
13	Options Indexes FollowSymLinks MultiViews
14	AllowOverride None
15	Order allow,deny
16	allow from all
17	</Directory>
18
19	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
20	<Directory "/usr/lib/cgi-bin">
21	AllowOverride None
22	Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
23	Order allow,deny
24	Allow from all
25	</Directory>
26
27	ErrorLog /var/log/apache2/error.log
28
29	# Possible values include: debug, info, notice, warn, error, crit,
30	# alert, emerg.
31	LogLevel warn
32
33	CustomLog /var/log/apache2/ssl_access.log combined
34
35	Alias /doc/ "/usr/share/doc/"
36	<Directory "/usr/share/doc/">
37	Options Indexes MultiViews FollowSymLinks
38	AllowOverride None
39	Order deny,allow
40	Deny from all
41	Allow from 127.0.0.0/255.0.0.0 ::1/128
42	</Directory>
43
44	# SSL Engine Switch:
45	# Enable/Disable SSL for this virtual host.
46	SSLEngine on
47
48	# A self-signed (snakeoil) certificate can be created by installing
49	# the ssl-cert package. See
50	# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
51	# If both key and certificate are stored in the same file, only the
52	# SSLCertificateFile directive is needed.
53	SSLCertificateFile /etc/ssl/certs/${shibSPHost}-cert.pem
54	SSLCertificateKeyFile /etc/ssl/private/${shibSPHost}-key.pem
55
56	# Server Certificate Chain:
57	# Point SSLCertificateChainFile at a file containing the
58	# concatenation of PEM encoded CA certificates which form the
59	# certificate chain for the server certificate. Alternatively
60	# the referenced file can be the same as SSLCertificateFile
61	# when the CA certificates are directly appended to the server
62	# certificate for convinience.
63	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
64
65	# Certificate Authority (CA):
66	# Set the CA certificate verification path where to find CA
67	# certificates for client authentication or alternatively one
68	# huge file containing all of them (file must be PEM encoded)
69	# Note: Inside SSLCACertificatePath you need hash symlinks
70	# to point to the certificate files. Use the provided
71	# Makefile to update the hash symlinks after changes.
72	SSLCACertificatePath /etc/ssl/certs
73	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
74
75	# Certificate Revocation Lists (CRL):
76	# Set the CA revocation path where to find CA CRLs for client
77	# authentication or alternatively one huge file containing all
78	# of them (file must be PEM encoded)
79	# Note: Inside SSLCARevocationPath you need hash symlinks
80	# to point to the certificate files. Use the provided
81	# Makefile to update the hash symlinks after changes.
82	#SSLCARevocationPath /etc/apache2/ssl.crl/
83	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
84
85	# Client Authentication (Type):
86	# Client certificate verification type and depth. Types are
87	# none, optional, require and optional_no_ca. Depth is a
88	# number which specifies how deeply to verify the certificate
89	# issuer chain before deciding the certificate is not valid.
90	#SSLVerifyClient require
91	#SSLVerifyDepth 10
92
93	# Access Control:
94	# With SSLRequire you can do per-directory access control based
95	# on arbitrary complex boolean expressions containing server
96	# variable checks and other lookup directives. The syntax is a
97	# mixture between C and Perl. See the mod_ssl documentation
98	# for more details.
99	#<Location />
100	#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP\|NULL)/ \
101	# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
102	# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
103	# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
104	# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
105	# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
106	#</Location>
107
108	Redirect seeother /shibboleth https://${shibSPHost}/Shibboleth.sso/Metadata
109
110	<Location />
111	AuthType Shibboleth
112	ShibRequireSession On
113	ShibUseHeaders On
114	require shibboleth
115	</Location>
116
117
118	# SSL Engine Options:
119	# Set various options for the SSL engine.
120	# o FakeBasicAuth:
121	# Translate the client X.509 into a Basic Authorisation. This means that
122	# the standard Auth/DBMAuth methods can be used for access control. The
123	# user name is the `one line' version of the client's X.509 certificate.
124	# Note that no password is obtained from the user. Every entry in the user
125	# file needs this password: `xxj31ZMTZzkVA'.
126	# o ExportCertData:
127	# This exports two additional environment variables: SSL_CLIENT_CERT and
128	# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
129	# server (always existing) and the client (only existing when client
130	# authentication is used). This can be used to import the certificates
131	# into CGI scripts.
132	# o StdEnvVars:
133	# This exports the standard SSL/TLS related `SSL_*' environment variables.
134	# Per default this exportation is switched off for performance reasons,
135	# because the extraction step is an expensive operation and is usually
136	# useless for serving static content. So one usually enables the
137	# exportation for CGI and SSI requests only.
138	# o StrictRequire:
139	# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
140	# under a "Satisfy any" situation, i.e. when it applies access is denied
141	# and no other module can change it.
142	# o OptRenegotiate:
143	# This enables optimized SSL connection renegotiation handling when SSL
144	# directives are used in per-directory context.
145	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
146	<FilesMatch "\.(cgi\|shtml\|phtml\|php)$">
147	SSLOptions +StdEnvVars
148	</FilesMatch>
149	<Directory /usr/lib/cgi-bin>
150	SSLOptions +StdEnvVars
151	</Directory>
152
153	# SSL Protocol Adjustments:
154	# The safe and default but still SSL/TLS standard compliant shutdown
155	# approach is that mod_ssl sends the close notify alert but doesn't wait for
156	# the close notify alert from client. When you need a different shutdown
157	# approach you can use one of the following variables:
158	# o ssl-unclean-shutdown:
159	# This forces an unclean shutdown when the connection is closed, i.e. no
160	# SSL close notify alert is send or allowed to received. This violates
161	# the SSL/TLS standard but is needed for some brain-dead browsers. Use
162	# this when you receive I/O errors because of the standard approach where
163	# mod_ssl sends the close notify alert.
164	# o ssl-accurate-shutdown:
165	# This forces an accurate shutdown when the connection is closed, i.e. a
166	# SSL close notify alert is send and mod_ssl waits for the close notify
167	# alert of the client. This is 100% SSL/TLS standard compliant, but in
168	# practice often causes hanging connections with brain-dead browsers. Use
169	# this only for browsers where you know that their SSL implementation
170	# works correctly.
171	# Notice: Most problems of broken clients are also related to the HTTP
172	# keep-alive facility, so you usually additionally want to disable
173	# keep-alive for those clients, too. Use variable "nokeepalive" for this.
174	# Similarly, one has to force some clients to use HTTP/1.0 to workaround
175	# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
176	# "force-response-1.0" for this.
177	BrowserMatch ".MSIE." \
178	nokeepalive ssl-unclean-shutdown \
179	downgrade-1.0 force-response-1.0
180
181	</VirtualHost>
182	</IfModule>

Download in other formats:

Original Format