source-git / mod_auth_gssapi

Clone
Source Code
GIT

Files

  1.   41df641abe68d1c941f36c715261c44370cd05ef
  2.   tests
  3.   httpd.conf
Blob Blame History Raw 
ServerRoot "{HTTPROOT}"
ServerName "{HTTPNAME}"
Listen {HTTPADDR}:{HTTPPORT}
Listen {HTTPADDR}:{PROXYPORT}

LoadModule access_compat_module modules/mod_access_compat.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule allowmethods_module modules/mod_allowmethods.so
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_dbd_module modules/mod_authz_dbd.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cache_module modules/mod_cache.so
LoadModule cache_disk_module modules/mod_cache_disk.so
LoadModule data_module modules/mod_data.so
LoadModule dbd_module modules/mod_dbd.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
LoadModule dumpio_module modules/mod_dumpio.so
LoadModule echo_module modules/mod_echo.so
LoadModule env_module modules/mod_env.so
LoadModule expires_module modules/mod_expires.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
LoadModule include_module modules/mod_include.so
LoadModule info_module modules/mod_info.so
<IfModule !log_config_module>
    LoadModule log_config_module modules/mod_log_config.so
</IfModule>
<IfModule !logio_module>
    LoadModule logio_module modules/mod_logio.so
</IfModule>
LoadModule macro_module modules/mod_macro.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule remoteip_module modules/mod_remoteip.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule session_module modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule socache_dbm_module modules/mod_socache_dbm.so
LoadModule socache_memcache_module modules/mod_socache_memcache.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule status_module modules/mod_status.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule unique_id_module modules/mod_unique_id.so
<IfModule !unixd_module>
    LoadModule unixd_module modules/mod_unixd.so
</IfModule>
LoadModule userdir_module modules/mod_userdir.so
<IfModule !version_module>
    LoadModule version_module modules/mod_version.so
</IfModule>
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

LoadModule auth_gssapi_module mod_auth_gssapi.so

Mutex file:{HTTPROOT}

<Directory />
    Options +Includes
    AddOutputFilter INCLUDES .html
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "{HTTPROOT}/html"
<Directory "{HTTPROOT}">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>
<Directory "{HTTPROOT}/html">
    Options Indexes FollowSymLinks
    Options +Includes
    AddOutputFilter INCLUDES .html
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

PidFile "{HTTPROOT}/logs/httpd.pid"

<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{{Referer}}i\" \"%{{User-Agent}}i\"" combined
CustomLog "logs/access_log" combined
</IfModule>

ErrorDocument 401 /401.html
ErrorLog "logs/error_log"
LogLevel debug

<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

AddDefaultCharset UTF-8

IncludeOptional conf.d/*.conf

CoreDumpDirectory "{HTTPROOT}"


<Location /spnego>
  AuthType GSSAPI
  AuthName "Login"
  GssapiSSLonly Off
  GssapiUseSessions On
  Session On
  SessionCookieName gssapi_session path=/spnego;httponly
  GssapiSessionKey file:{HTTPROOT}/session.key
  GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
  GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
  GssapiCredStore keytab:{HTTPROOT}/http.keytab
  GssapiDelegCcacheDir {HTTPROOT}
  GssapiDelegCcachePerms mode:0666
  GssapiBasicAuth Off
  GssapiAllowedMech krb5
  Require valid-user
</Location>

<Location /spnego_rewrite>
  Options +Includes
  AddOutputFilter INCLUDES .html

  AuthType GSSAPI
  AuthName "Login"
  GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
  GssapiCredStore keytab:{HTTPROOT}/http.keytab
  GssapiAllowedMech krb5
  Require valid-user

  RewriteEngine on
  RewriteCond %{{REQUEST_FILENAME}} !-d
  RewriteCond %{{REQUEST_FILENAME}} !-f
  RewriteRule . /spnego_rewrite/index.html [L]
</Location>

<Location /spnego_negotiate_once>
  AuthType GSSAPI
  AuthName "Login Negotiate Once"
  GssapiSSLonly Off
  GssapiUseSessions On
  Session On
  SessionCookieName gssapi_session path=/spnego_negotiate_once;httponly
  GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
  GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
  GssapiCredStore keytab:{HTTPROOT}/http.keytab
  GssapiBasicAuth Off
  GssapiAllowedMech krb5
  GssapiNegotiateOnce On
  Require valid-user
</Location>

<Location /basic_auth_krb5>
  Options +Includes
  AddOutputFilter INCLUDES .html
  AuthType GSSAPI
  AuthName "Password Login"
  GssapiSSLonly Off
  GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
  GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
  GssapiCredStore keytab:{HTTPROOT}/http.keytab
  GssapiBasicAuth On
  GssapiBasicAuthMech krb5
  GssapiConnectionBound On
  GssapiPublishErrors On
  Require valid-user
</Location>

<Location /bad_acceptor_name>
  AuthType GSSAPI
  AuthName "Bad Acceptor Name"
  GssapiSSLonly Off
  GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
  GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
  GssapiCredStore keytab:{HTTPROOT}/http.keytab
  GssapiAcceptorName BAD@example.com
  Require valid-user
</Location>

<Location /nonego>
  BrowserMatch NONEGO gssapi-no-negotiate
  AuthType GSSAPI
  AuthName "Login"
  GssapiSSLonly Off
  GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
  GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
  GssapiCredStore keytab:{HTTPROOT}/http.keytab
  GssapiBasicAuth On
  GssapiAllowedMech krb5
  Require valid-user
</Location>

<Location /hostname_acceptor>
  AuthType GSSAPI
  AuthName "Login"
  GssapiSSLonly Off
  GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
  GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
  GssapiCredStore keytab:{HTTPROOT}/http.keytab
  GssapiBasicAuth Off
  GssapiAllowedMech krb5
  GssapiAcceptorName {{HOSTNAME}}
  Require valid-user
</Location>

<Location /required_name_attr1>
  AuthType GSSAPI
  AuthName "Required Name Attributes"
  GssapiCredStore keytab:{HTTPROOT}/http.keytab
  GssapiRequiredNameAttributes auth-indicators=na1
  LogLevel debug
  Require valid-user
</Location>

<Location /required_name_attr2>
  AuthType GSSAPI
  AuthName "Required Name Attributes"
  GssapiCredStore keytab:{HTTPROOT}/http.keytab
  GssapiRequiredNameAttributes auth-indicators:=bmEx
  LogLevel debug
  Require valid-user
</Location>

<Location /required_name_attr3>
  AuthType GSSAPI
  AuthName "Required Name Attributes"
  GssapiCredStore keytab:{HTTPROOT}/http.keytab
  GssapiRequiredNameAttributes (auth-indicators=foo and auth-indicators=na2) or auth-indicators=na3
  LogLevel debug
  Require valid-user
</Location>

<Location /required_name_attr4>
  AuthType GSSAPI
  AuthName "Required Name Attributes"
  GssapiCredStore keytab:{HTTPROOT}/http.keytab
  GssapiRequiredNameAttributes auth-indicators=foo
  LogLevel debug
  Require valid-user
</Location>

<VirtualHost *:{PROXYPORT}>
  ProxyRequests On
  ProxyVia On

  <Proxy *>
    AuthType GSSAPI
    AuthName "Proxy Login"
    GssapiCredStore ccache:{HTTPROOT}/tmp/httpd_krb5_ccache
    GssapiCredStore client_keytab:{HTTPROOT}/http.keytab
    GssapiCredStore keytab:{HTTPROOT}/http.keytab
    GssapiBasicAuth On
    Require valid-user
  </Proxy>
</VirtualHost>

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation