#-------------------------------------------------------------------------------
# Example APACHE web server configuration file for HAWAT - development version
#
# This is an example configuration for authentication based on SSO service
# Shibboleth. Please adjust the configuration file according to your needs.
# In most cases customization of following directives should be enough to
# get it working properly and quickly:
#
# * ServerAdmin
# * ServerName
# * SSLCertificateFile
# * SSLCertificateKeyFile
# * SSLCertificateChainFile
#
# This file is part of Mentat system (https://mentat.cesnet.cz/).
#
# Copyright (C) since 2011 CESNET, z.s.p.o (http://www.ces.net/)
# Use of this source is governed by the MIT license, see LICENSE file.
#-------------------------------------------------------------------------------
# Python installation (virtual environment) used by mod_wsgi. The same path is
# passed again as python-home= to the WSGIDaemonProcess inside the virtual host
# below, so change both together.
WSGIPythonHome /var/mentat/venv
# The whole site is defined only when mod_ssl is loaded. Without the module
# this virtual host is skipped silently and no plain-HTTP fallback is defined
# in this file.
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@mentat.organization.org
ServerName mentat.organization.org
# The security headers below are sent only when mod_headers is loaded. If the
# module is missing they are omitted without any error, so verify the response
# headers after deployment.
<IfModule mod_headers.c>
# Enforce HTTPS protocol at all times.
# max-age is one year; includeSubDomains extends the policy to every subdomain
# of ServerName and preload signals consent to browser preload lists.
# NOTE(review): confirm this long-lived, domain-wide commitment is intended
# before reusing this development configuration elsewhere.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Deny access to content via HTML iframe.
Header always set X-Frame-Options DENY
</IfModule>
DocumentRoot /var/www
# Run the application in a dedicated mod_wsgi daemon process group named
# "hawat", under the unprivileged mentat user and group, with 5 threads.
WSGIDaemonProcess hawat user=mentat group=mentat threads=5 python-home=/var/mentat/venv
# Mount the development WSGI entry point under the /mentat URL prefix.
WSGIScriptAlias /mentat /vagrant/bin/mentat-hawat-dev.wsgi
# Grants access to every URL of this virtual host. Location sections are merged
# after Directory sections, so this grant also overrides any Directory-level
# access rule, including for files served from DocumentRoot. The more specific
# Location blocks further down still add their own authentication requirement.
<Location />
Require all granted
</Location>
# Bind requests for this directory to the "hawat" daemon process group and to
# the main Python interpreter (%{GLOBAL}).
# NOTE(review): WSGIScriptAlias above points to /vagrant/bin/, which is not
# below this directory - confirm that these process-group settings actually
# apply to the WSGI script.
<Directory /vagrant/lib/hawat>
WSGIProcessGroup hawat
WSGIApplicationGroup %{GLOBAL}
Require valid-user
</Directory>
# HTTP Basic authentication for the login endpoint, checked against a local
# htpasswd file. Basic credentials are resent with every request; they are
# protected in transit only because this virtual host is TLS-only.
# NOTE(review): the file header describes Shibboleth SSO, but this file
# configures Basic authentication. The file name "htpasswd.example" suggests
# sample accounts - replace them before the host is reachable by anyone else.
<Location /mentat/auth_env/login>
AuthType Basic
AuthName "Mentat system login"
AuthUserFile /etc/mentat/apache/htpasswd.example
Require valid-user
</Location>
# Same Basic authentication and the same htpasswd file for the registration
# endpoint.
<Location /mentat/auth_env/register>
AuthType Basic
AuthName "Mentat system registration"
AuthUserFile /etc/mentat/apache/htpasswd.example
Require valid-user
</Location>
RewriteEngine on
# Rewrite the path when accessed without a trailing slash.
# [R] without a status code issues a temporary (302) redirect.
RewriteRule ^/mentat$ /mentat/ [R]
# Rewrite webserver root to mentat application.
RewriteRule ^/$ /mentat/ [R]
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel warn
# Access log in "combined" format; this is where requests to the
# authentication endpoints above are recorded.
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
SSLEngine on
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
# Using default self-signed server certificates
# Clients cannot verify the server identity with a self-signed certificate, so
# use this pair only on a development machine and switch to the custom
# certificate directives below for anything else.
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# Using custom server certificates
#SSLCertificateFile /etc/ssl/servercert/cert.pem
#SSLCertificateKeyFile /etc/ssl/servercert/key.pem
#SSLCertificateChainFile /etc/ssl/servercert/chain.pem
# Enforce only strong SSL/TLS protocols and ciphers. The values come from the
# Mozilla SSL configuration generator as of August 2016, available at
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# Resource: https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html#onlystrong
# The recommendation is dated; regenerate it and compare before relying on it.
# "all" minus the listed versions leaves TLS 1.2 plus any newer protocol
# version supported by the installed mod_ssl/OpenSSL.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Every suite uses ECDHE key exchange (forward secrecy). The last four entries
# (the ...-SHA384 / ...-SHA256 suites without GCM) are CBC-mode suites kept for
# older clients. This list governs TLS 1.2 and below; TLS 1.3 suites are
# configured separately.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# Prefer the server's cipher ordering over the client's.
SSLHonorCipherOrder on
# TLS-level compression stays off (mitigates compression side-channel attacks
# such as CRIME).
SSLCompression off
# Session tickets stay off, so no ticket key has to be managed or rotated.
SSLSessionTickets off
# Export the standard SSL environment variables only to CGI-style content,
# where scripts may need them.
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# Workarounds for legacy Internet Explorer: MSIE 2-6 gets keepalive disabled
# and HTTP/1.0 responses in addition to the unclean SSL shutdown.
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
# The character class [17-9] matches a version string starting with 1, 7, 8
# or 9.
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>