Permalink
Showing
with
239 additions
and 54 deletions.
- +22 −15 Dockerfile
- +0 −6 container_files/etc/httpd/conf.d/ssl.conf
- +0 −1 container_files/etc/httpd/conf.modules.d/00-shib.conf
- +0 −32 container_files/etc/shibboleth/attribute-map.xml
- +217 −0 container_files/httpd/ssl.conf
- 0 container_files/{etc → }/shibboleth/inc-md-cert.pem
- 0 container_files/{bin → system}/httpd-shib-foreground
- 0 container_files/{bin → system}/shibboleth_keygen.sh
@@ -0,0 +1,217 @@ | ||
# | ||
# When we also provide SSL we have to listen to the | ||
# the HTTPS port in addition. | ||
# | ||
Listen 443 https | ||
|
||
## | ||
## SSL Global Context | ||
## | ||
## All SSL configuration in this context applies both to | ||
## the main server and all SSL-enabled virtual hosts. | ||
## | ||
|
||
# Pass Phrase Dialog: | ||
# Configure the pass phrase gathering process. | ||
# The filtering dialog program (`builtin' is a internal | ||
# terminal dialog) has to provide the pass phrase on stdout. | ||
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog | ||
|
||
# Inter-Process Session Cache: | ||
# Configure the SSL Session Cache: First the mechanism | ||
# to use and second the expiring timeout (in seconds). | ||
SSLSessionCache shmcb:/run/httpd/sslcache(512000) | ||
SSLSessionCacheTimeout 300 | ||
|
||
# Pseudo Random Number Generator (PRNG): | ||
# Configure one or more sources to seed the PRNG of the | ||
# SSL library. The seed data should be of good random quality. | ||
# WARNING! On some platforms /dev/random blocks if not enough entropy | ||
# is available. This means you then cannot use the /dev/random device | ||
# because it would lead to very long connection times (as long as | ||
# it requires to make more entropy available). But usually those | ||
# platforms additionally provide a /dev/urandom device which doesn't | ||
# block. So, if available, use this one instead. Read the mod_ssl User | ||
# Manual for more details. | ||
SSLRandomSeed startup file:/dev/urandom 256 | ||
SSLRandomSeed connect builtin | ||
#SSLRandomSeed startup file:/dev/random 512 | ||
#SSLRandomSeed connect file:/dev/random 512 | ||
#SSLRandomSeed connect file:/dev/urandom 512 | ||
|
||
# | ||
# Use "SSLCryptoDevice" to enable any supported hardware | ||
# accelerators. Use "openssl engine -v" to list supported | ||
# engine names. NOTE: If you enable an accelerator and the | ||
# server does not start, consult the error logs and ensure | ||
# your accelerator is functioning properly. | ||
# | ||
SSLCryptoDevice builtin | ||
#SSLCryptoDevice ubsec | ||
|
||
## | ||
## SSL Virtual Host Context | ||
## | ||
|
||
<VirtualHost _default_:443> | ||
|
||
# General setup for the virtual host, inherited from global configuration | ||
#DocumentRoot "/var/www/html" | ||
#ServerName www.example.com:443 | ||
|
||
# Use separate log files for the SSL virtual host; note that LogLevel | ||
# is not inherited from httpd.conf. | ||
ErrorLog logs/ssl_error_log | ||
TransferLog logs/ssl_access_log | ||
LogLevel warn | ||
|
||
# SSL Engine Switch: | ||
# Enable/Disable SSL for this virtual host. | ||
SSLEngine on | ||
|
||
# SSL Protocol support: | ||
# List the enable protocol levels with which clients will be able to | ||
# connect. Disable SSLv2 access by default: | ||
SSLProtocol all -SSLv2 -SSLv3 | ||
|
||
# SSL Cipher Suite: | ||
# List the ciphers that the client is permitted to negotiate. | ||
# See the mod_ssl documentation for a complete list. | ||
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA | ||
|
||
# Speed-optimized SSL Cipher configuration: | ||
# If speed is your main concern (on busy HTTPS servers e.g.), | ||
# you might want to force clients to specific, performance | ||
# optimized ciphers. In this case, prepend those ciphers | ||
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. | ||
# Caveat: by giving precedence to RC4-SHA and AES128-SHA | ||
# (as in the example below), most connections will no longer | ||
# have perfect forward secrecy - if the server's key is | ||
# compromised, captures of past or future traffic must be | ||
# considered compromised, too. | ||
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 | ||
#SSLHonorCipherOrder on | ||
|
||
# Server Certificate: | ||
# Point SSLCertificateFile at a PEM encoded certificate. If | ||
# the certificate is encrypted, then you will be prompted for a | ||
# pass phrase. Note that a kill -HUP will prompt again. A new | ||
# certificate can be generated using the genkey(1) command. | ||
SSLCertificateFile /etc/pki/tls/certs/localhost.crt | ||
|
||
# Server Private Key: | ||
# If the key is not combined with the certificate, use this | ||
# directive to point at the key file. Keep in mind that if | ||
# you've both a RSA and a DSA private key you can configure | ||
# both in parallel (to also allow the use of DSA ciphers, etc.) | ||
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key | ||
|
||
# Server Certificate Chain: | ||
# Point SSLCertificateChainFile at a file containing the | ||
# concatenation of PEM encoded CA certificates which form the | ||
# certificate chain for the server certificate. Alternatively | ||
# the referenced file can be the same as SSLCertificateFile | ||
# when the CA certificates are directly appended to the server | ||
# certificate for convinience. | ||
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt | ||
|
||
# Certificate Authority (CA): | ||
# Set the CA certificate verification path where to find CA | ||
# certificates for client authentication or alternatively one | ||
# huge file containing all of them (file must be PEM encoded) | ||
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt | ||
|
||
# Client Authentication (Type): | ||
# Client certificate verification type and depth. Types are | ||
# none, optional, require and optional_no_ca. Depth is a | ||
# number which specifies how deeply to verify the certificate | ||
# issuer chain before deciding the certificate is not valid. | ||
#SSLVerifyClient require | ||
#SSLVerifyDepth 10 | ||
|
||
# Access Control: | ||
# With SSLRequire you can do per-directory access control based | ||
# on arbitrary complex boolean expressions containing server | ||
# variable checks and other lookup directives. The syntax is a | ||
# mixture between C and Perl. See the mod_ssl documentation | ||
# for more details. | ||
#<Location /> | ||
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ | ||
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ | ||
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ | ||
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ | ||
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ | ||
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ | ||
#</Location> | ||
|
||
# SSL Engine Options: | ||
# Set various options for the SSL engine. | ||
# o FakeBasicAuth: | ||
# Translate the client X.509 into a Basic Authorisation. This means that | ||
# the standard Auth/DBMAuth methods can be used for access control. The | ||
# user name is the `one line' version of the client's X.509 certificate. | ||
# Note that no password is obtained from the user. Every entry in the user | ||
# file needs this password: `xxj31ZMTZzkVA'. | ||
# o ExportCertData: | ||
# This exports two additional environment variables: SSL_CLIENT_CERT and | ||
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the | ||
# server (always existing) and the client (only existing when client | ||
# authentication is used). This can be used to import the certificates | ||
# into CGI scripts. | ||
# o StdEnvVars: | ||
# This exports the standard SSL/TLS related `SSL_*' environment variables. | ||
# Per default this exportation is switched off for performance reasons, | ||
# because the extraction step is an expensive operation and is usually | ||
# useless for serving static content. So one usually enables the | ||
# exportation for CGI and SSI requests only. | ||
# o StrictRequire: | ||
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even | ||
# under a "Satisfy any" situation, i.e. when it applies access is denied | ||
# and no other module can change it. | ||
# o OptRenegotiate: | ||
# This enables optimized SSL connection renegotiation handling when SSL | ||
# directives are used in per-directory context. | ||
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire | ||
<Files ~ "\.(cgi|shtml|phtml|php3?)$"> | ||
SSLOptions +StdEnvVars | ||
</Files> | ||
<Directory "/var/www/cgi-bin"> | ||
SSLOptions +StdEnvVars | ||
</Directory> | ||
|
||
# SSL Protocol Adjustments: | ||
# The safe and default but still SSL/TLS standard compliant shutdown | ||
# approach is that mod_ssl sends the close notify alert but doesn't wait for | ||
# the close notify alert from client. When you need a different shutdown | ||
# approach you can use one of the following variables: | ||
# o ssl-unclean-shutdown: | ||
# This forces an unclean shutdown when the connection is closed, i.e. no | ||
# SSL close notify alert is send or allowed to received. This violates | ||
# the SSL/TLS standard but is needed for some brain-dead browsers. Use | ||
# this when you receive I/O errors because of the standard approach where | ||
# mod_ssl sends the close notify alert. | ||
# o ssl-accurate-shutdown: | ||
# This forces an accurate shutdown when the connection is closed, i.e. a | ||
# SSL close notify alert is send and mod_ssl waits for the close notify | ||
# alert of the client. This is 100% SSL/TLS standard compliant, but in | ||
# practice often causes hanging connections with brain-dead browsers. Use | ||
# this only for browsers where you know that their SSL implementation | ||
# works correctly. | ||
# Notice: Most problems of broken clients are also related to the HTTP | ||
# keep-alive facility, so you usually additionally want to disable | ||
# keep-alive for those clients, too. Use variable "nokeepalive" for this. | ||
# Similarly, one has to force some clients to use HTTP/1.0 to workaround | ||
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and | ||
# "force-response-1.0" for this. | ||
BrowserMatch "MSIE [2-5]" \ | ||
nokeepalive ssl-unclean-shutdown \ | ||
downgrade-1.0 force-response-1.0 | ||
|
||
# Per-Server Logging: | ||
# The home of a custom SSL log file. Use this when you want a | ||
# compact non-error SSL logfile on a virtual host basis. | ||
CustomLog logs/ssl_request_log \ | ||
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" | ||
|
||
</VirtualHost> | ||
|
File renamed without changes.
File renamed without changes.
File renamed without changes.