From f4a5bd770d678bf0a3763c8a27bbfe5e69404e24 Mon Sep 17 00:00:00 2001
From: Emilien Devos <121870973+edevosc2c@users.noreply.github.com>
Date: Wed, 12 Jun 2024 18:20:03 +0200
Subject: [PATCH] switch to httpd.conf
---
.../templates/apache-config-httpd.yaml | 255 ++++++++++++++++++
.../templates/apache-config-virtualhost.yaml | 104 -------
apache-mod-mellon/templates/apache-depl.yaml | 10 +-
3 files changed, 260 insertions(+), 109 deletions(-)
create mode 100644 apache-mod-mellon/templates/apache-config-httpd.yaml
delete mode 100644 apache-mod-mellon/templates/apache-config-virtualhost.yaml
diff --git a/apache-mod-mellon/templates/apache-config-httpd.yaml b/apache-mod-mellon/templates/apache-config-httpd.yaml
new file mode 100644
index 0000000..9362134
--- /dev/null
+++ b/apache-mod-mellon/templates/apache-config-httpd.yaml
@@ -0,0 +1,255 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ annotations:
+ labels:
+ {{- include "apache-mod-mellon.labels" . | nindent 4 }}-apache
+ name: {{ include "apache-mod-mellon.fullname" . }}-httpd
+data:
+ httpd.conf: |
+ ServerRoot "/usr/local/apache2"
+ Listen 80
+
+ #
+ # Dynamic Shared Object (DSO) Support
+ #
+ # To be able to use the functionality of a module which was built as a DSO you
+ # have to place corresponding `LoadModule' lines at this location so the
+ # directives contained in it are actually available _before_ they are used.
+ # Statically compiled modules (those listed by `httpd -l') do not need
+ # to be loaded here.
+ #
+ # Example:
+ # LoadModule foo_module modules/mod_foo.so
+ LoadModule auth_mellon_module modules/mod_auth_mellon.so
+ LoadModule reqtimeout_module modules/mod_reqtimeout.so
+ LoadModule filter_module modules/mod_filter.so
+ LoadModule log_config_module modules/mod_log_config.so
+ LoadModule env_module modules/mod_env.so
+ LoadModule headers_module modules/mod_headers.so
+ LoadModule setenvif_module modules/mod_setenvif.so
+ LoadModule version_module modules/mod_version.so
+ LoadModule unixd_module modules/mod_unixd.so
+ LoadModule status_module modules/mod_status.so
+ LoadModule autoindex_module modules/mod_autoindex.so
+ LoadModule dir_module modules/mod_dir.so
+
+
+ #
+ # If you wish httpd to run as a different user or group, you must run
+ # httpd as root initially and it will switch.
+ #
+ # User/Group: The name (or #number) of the user/group to run httpd as.
+ # It is usually good practice to create a dedicated user and group for
+ # running httpd, as with most system services.
+ #
+ User www-data
+ Group www-data
+
+
+
+ # 'Main' server configuration
+ #
+ # The directives in this section set up the values used by the 'main'
+ # server, which responds to any requests that aren't handled by a
+ # definition. These values also provide defaults for
+ # any containers you may define later in the file.
+ #
+ # All of these directives may appear inside containers,
+ # in which case these default settings will be overridden for the
+ # virtual host being defined.
+ #
+
+ #
+ # ServerAdmin: Your address, where problems with the server should be
+ # e-mailed. This address appears on some server-generated pages, such
+ # as error documents. e.g. admin@your-domain.com
+ #
+ ServerAdmin you@example.com
+
+ #
+ # ServerName gives the name and port that the server uses to identify itself.
+ # This can often be determined automatically, but we recommend you specify
+ # it explicitly to prevent problems during startup.
+ #
+ # If your host doesn't have a registered DNS name, enter its IP address here.
+ #
+ #ServerName www.example.com:80
+
+ #
+ # Deny access to the entirety of your server's filesystem. You must
+ # explicitly permit access to web content directories in other
+ # blocks below.
+ #
+
+ AllowOverride none
+ Require all denied
+
+
+ #
+ # Note that from this point forward you must specifically allow
+ # particular features to be enabled - so if something's not working as
+ # you might expect, make sure that you have specifically enabled it
+ # below.
+ #
+
+ #
+ # DocumentRoot: The directory out of which you will serve your
+ # documents. By default, all requests are taken from this directory, but
+ # symbolic links and aliases may be used to point to other locations.
+ #
+ DocumentRoot "/usr/local/apache2/htdocs"
+
+ #
+ # Possible values for the Options directive are "None", "All",
+ # or any combination of:
+ # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+ #
+ # Note that "MultiViews" must be named *explicitly* --- "Options All"
+ # doesn't give it to you.
+ #
+ # The Options directive is both complicated and important. Please see
+ # http://httpd.apache.org/docs/2.4/mod/core.html#options
+ # for more information.
+ #
+ Options Indexes FollowSymLinks
+
+ #
+ # AllowOverride controls what directives may be placed in .htaccess files.
+ # It can be "All", "None", or any combination of the keywords:
+ # AllowOverride FileInfo AuthConfig Limit
+ #
+ AllowOverride None
+
+ #
+ # Controls who can get stuff from this server.
+ #
+ Require all granted
+
+
+ #
+ # DirectoryIndex: sets the file that Apache will serve if a directory
+ # is requested.
+ #
+
+ DirectoryIndex index.html
+
+
+ #
+ # The following lines prevent .htaccess and .htpasswd files from being
+ # viewed by Web clients.
+ #
+
+ Require all denied
+
+
+ #
+ # ErrorLog: The location of the error log file.
+ # If you do not specify an ErrorLog directive within a
+ # container, error messages relating to that virtual host will be
+ # logged here. If you *do* define an error logfile for a
+ # container, that host's errors will be logged there and not here.
+ #
+ ErrorLog /proc/self/fd/2
+
+ #
+ # LogLevel: Control the number of messages logged to the error_log.
+ # Possible values include: debug, info, notice, warn, error, crit,
+ # alert, emerg.
+ #
+ LogLevel warn
+
+
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+
+ # You need to enable mod_logio.c to use %I and %O
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+
+ CustomLog /proc/self/fd/1 common
+
+
+
+ Options -Indexes
+
+ MellonEnable "info"
+ MellonSecureCookie On
+ MellonUser eppn
+ MellonMergeEnvVars On
+ MellonSubjectConfirmationDataAddressCheck Off
+ MellonSPPrivateKeyFile /etc/mod-mellon-config/mellon.key
+ MellonSPCertFile /etc/mod-mellon-config/mellon.cert
+ MellonSPentityId {{ .Values.mellon_config.entity_id }}
+ MellonOrganizationName "{{ .Values.mellon_config.organization_url }}"
+ MellonOrganizationURL "{{ .Values.mellon_config.organization_url }}"
+ MellonIdPMetadataFile /etc/mod-mellon-config/metadata-idps.xml
+ MellonDiscoveryURL "{{ .Values.mellon_config.discovery_url }}"
+ MellonIdPCAFile /etc/mod-mellon-config/metadata-signing-cert.pem
+ MellonIdPPublicKeyFile /etc/mod-mellon-config/metadata-signing-cert.pem
+ MellonProbeDiscoveryTimeout 1
+ MellonSetEnv "MAIL" "{{ .Values.mellon_config.set_env.mail }}"
+ MellonSetEnv "EPPN" "{{ .Values.mellon_config.set_env.eppn }}"
+ MellonSetEnv "CN" "{{ .Values.mellon_config.set_env.cn }}"
+ MellonSetEnv "O" "{{ .Values.mellon_config.set_env.o }}"
+ MellonSetEnv "SN" "{{ .Values.mellon_config.set_env.sn }}"
+ MellonSetEnv "GIVEN_NAME" "{{ .Values.mellon_config.set_env.given_name }}"
+
+ MellonEndpointPath /mellon
+
+ # it is this proxy's responsability to make sure the value of these headers are legit
+ # See a list of headers used by geOrchestra here:
+ # https://github.com/georchestra/georchestra/blob/master/commons/src/main/java/org/georchestra/commons/security/SecurityHeaders.java#L41-L67
+ RequestHeader unset sec-georchestra-preauthenticated
+ RequestHeader unset sec-mellon-name-id
+ RequestHeader unset sec-username
+ RequestHeader unset sec-name
+ RequestHeader unset sec-givenname
+ RequestHeader unset sec-email
+ RequestHeader unset sec-org
+ RequestHeader unset sec-proxy
+ RequestHeader unset sec-user
+ RequestHeader unset sec-organization
+ RequestHeader unset sec-userid
+ RequestHeader unset sec-lastupdated
+ RequestHeader unset sec-roles
+ RequestHeader unset sec-firstname
+ RequestHeader unset sec-lastname
+ RequestHeader unset sec-tel
+ RequestHeader unset sec-orgid
+ RequestHeader unset sec-orgname
+ RequestHeader unset sec-org-lastupdated
+ RequestHeader unset imp-roles
+ RequestHeader unset imp-username
+
+ {{ .Values.apache_auth_headers_type }} set sec-georchestra-preauthenticated true "expr=-n env('MELLON_NAME_ID')"
+ {{ .Values.apache_auth_headers_type }} set sec-mellon-name-id "expr={base64}%{base64:%{env:MELLON_NAME_ID}}" "expr=-n env('MELLON_NAME_ID')"
+ {{ .Values.apache_auth_headers_type }} set preauth-username "expr={base64}%{base64:%{env:MELLON_EPPN}}" "expr=-n env('MELLON_EPPN')"
+ {{ .Values.apache_auth_headers_type }} set preauth-email "expr={base64}%{base64:%{env:MELLON_MAIL}}" "expr=-n env('MELLON_MAIL')"
+ {{ .Values.apache_auth_headers_type }} set preauth-org "expr={base64}%{base64:%{env:MELLON_O}}" "expr=-n env('MELLON_O')"
+ {{ .Values.apache_auth_headers_type }} set preauth-firstname "expr={base64}%{base64:%{env:MELLON_GIVEN_NAME}}" "expr=-n env('MELLON_GIVEN_NAME')"
+ {{ .Values.apache_auth_headers_type }} set preauth-lastname "expr={base64}%{base64:%{env:MELLON_SN}}" "expr=-n env('MELLON_SN')"
+
+ {{- if .Values.georchestra_proxypass_endpoint -}}
+ ProxyPass "{{ .Values.georchestra_proxypass_endpoint }}"
+ ProxyPassReverse "{{ .Values.georchestra_proxypass_endpoint }}"
+ ProxyPreserveHost On
+ {{- end }}
+
+ RewriteEngine on
+ RewriteCond %{QUERY_STRING} ^$
+ RewriteCond %{REQUEST_METHOD} =GET
+ RewriteCond %{REQUEST_URI} ^/login$
+ RewriteRule /login /login/mellon [R,L]
+ RewriteCond %{ENV:MELLON_NAME_ID} !^$
+ RewriteRule /logout /mellon/logout?ReturnTo={{ .Values.hostname }}
+
+
+
+
+ AuthType Mellon
+ MellonEnable auth
+ Require valid-user
+ RewriteEngine on
+ RewriteRule (.*) / [R]
+
\ No newline at end of file
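Review bot: The new httpd.conf drops the `ServerName {{ .Values.hostname }}` / `UseCanonicalName On` pair that the deleted 000-default.conf carried (only the commented-out `#ServerName www.example.com:80` example remains), so mod_auth_mellon appears to now derive its self-referencing URLs — the /mellon endpoints, the logout ReturnTo and the default `[self]` MellonRedirectDomains check — from the client-supplied Host header, which `ProxyPreserveHost On` also forwards to the backend; restore `ServerName {{ .Values.hostname }}` and `UseCanonicalName On` in the main server section so the SP identity is pinned to the configured hostname rather than to whatever Host the client sends. Separately, the LoadModule list carries no `rewrite_module`, `proxy_module`, `proxy_http_module`, `authz_core_module` or MPM, yet the file uses RewriteEngine, ProxyPass, Require and AuthType Mellon — unless those are compiled statically into the image (`httpd -l`), httpd will reject this configuration, so the corresponding LoadModule lines belong next to `mod_auth_mellon`. `Listen 80` combined with `MellonSecureCookie On` only works when TLS is terminated in front of this pod and the browser sees an https URL; a comment such as `# TLS is terminated at the ingress: the Secure mellon cookie requires the external URL to be https` would save the next operator a debugging session. The container directives (`<Directory>`, `<Location>`, `<Files>`) seem to have been stripped from this rendering, so their scoping could not be checked here.

```apache
# ... unchanged: DSO preamble ...
LoadModule auth_mellon_module modules/mod_auth_mellon.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# ... unchanged: remaining LoadModule lines, User/Group ...
ServerName {{ .Values.hostname }}
UseCanonicalName On
# ... unchanged: rest of the main server section ...
```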
diff --git a/apache-mod-mellon/templates/apache-config-virtualhost.yaml b/apache-mod-mellon/templates/apache-config-virtualhost.yaml
deleted file mode 100644
index 5d14f5a..0000000
--- a/apache-mod-mellon/templates/apache-config-virtualhost.yaml
+++ /dev/null
@@ -1,104 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- annotations:
- labels:
- {{- include "apache-mod-mellon.labels" . | nindent 4 }}-apache
- name: {{ include "apache-mod-mellon.fullname" . }}-virtualhost
-data:
- 000-default.conf: |
-
- ServerName {{ .Values.hostname }}
- UseCanonicalName On
- ProxyTimeout 300
- ServerAdmin webmaster@localhost
- DocumentRoot /var/www/html
-
- ErrorLog /dev/stderr
- CustomLog /dev/stdout combined
-
-
- Options -Indexes
-
- MellonEnable "info"
- MellonSecureCookie On
- MellonUser eppn
- MellonMergeEnvVars On
- MellonSubjectConfirmationDataAddressCheck Off
- MellonSPPrivateKeyFile /etc/mod-mellon-config/mellon.key
- MellonSPCertFile /etc/mod-mellon-config/mellon.cert
- MellonSPentityId {{ .Values.mellon_config.entity_id }}
- MellonOrganizationName "{{ .Values.mellon_config.organization_url }}"
- MellonOrganizationURL "{{ .Values.mellon_config.organization_url }}"
- MellonIdPMetadataFile /etc/mod-mellon-config/metadata-idps.xml
- MellonDiscoveryURL "{{ .Values.mellon_config.discovery_url }}"
- MellonIdPCAFile /etc/mod-mellon-config/metadata-signing-cert.pem
- MellonIdPPublicKeyFile /etc/mod-mellon-config/metadata-signing-cert.pem
- MellonProbeDiscoveryTimeout 1
- MellonSetEnv "MAIL" "{{ .Values.mellon_config.set_env.mail }}"
- MellonSetEnv "EPPN" "{{ .Values.mellon_config.set_env.eppn }}"
- MellonSetEnv "CN" "{{ .Values.mellon_config.set_env.cn }}"
- MellonSetEnv "O" "{{ .Values.mellon_config.set_env.o }}"
- MellonSetEnv "SN" "{{ .Values.mellon_config.set_env.sn }}"
- MellonSetEnv "GIVEN_NAME" "{{ .Values.mellon_config.set_env.given_name }}"
-
- MellonEndpointPath /mellon
-
- # it is this proxy's responsability to make sure the value of these headers are legit
- # See a list of headers used by geOrchestra here:
- # https://github.com/georchestra/georchestra/blob/master/commons/src/main/java/org/georchestra/commons/security/SecurityHeaders.java#L41-L67
- RequestHeader unset sec-georchestra-preauthenticated
- RequestHeader unset sec-mellon-name-id
- RequestHeader unset sec-username
- RequestHeader unset sec-name
- RequestHeader unset sec-givenname
- RequestHeader unset sec-email
- RequestHeader unset sec-org
- RequestHeader unset sec-proxy
- RequestHeader unset sec-user
- RequestHeader unset sec-organization
- RequestHeader unset sec-userid
- RequestHeader unset sec-lastupdated
- RequestHeader unset sec-roles
- RequestHeader unset sec-firstname
- RequestHeader unset sec-lastname
- RequestHeader unset sec-tel
- RequestHeader unset sec-orgid
- RequestHeader unset sec-orgname
- RequestHeader unset sec-org-lastupdated
- RequestHeader unset imp-roles
- RequestHeader unset imp-username
-
- {{ .Values.apache_auth_headers_type }} set sec-georchestra-preauthenticated true "expr=-n env('MELLON_NAME_ID')"
- {{ .Values.apache_auth_headers_type }} set sec-mellon-name-id "expr={base64}%{base64:%{env:MELLON_NAME_ID}}" "expr=-n env('MELLON_NAME_ID')"
- {{ .Values.apache_auth_headers_type }} set preauth-username "expr={base64}%{base64:%{env:MELLON_EPPN}}" "expr=-n env('MELLON_EPPN')"
- {{ .Values.apache_auth_headers_type }} set preauth-email "expr={base64}%{base64:%{env:MELLON_MAIL}}" "expr=-n env('MELLON_MAIL')"
- {{ .Values.apache_auth_headers_type }} set preauth-org "expr={base64}%{base64:%{env:MELLON_O}}" "expr=-n env('MELLON_O')"
- {{ .Values.apache_auth_headers_type }} set preauth-firstname "expr={base64}%{base64:%{env:MELLON_GIVEN_NAME}}" "expr=-n env('MELLON_GIVEN_NAME')"
- {{ .Values.apache_auth_headers_type }} set preauth-lastname "expr={base64}%{base64:%{env:MELLON_SN}}" "expr=-n env('MELLON_SN')"
-
- {{- if .Values.georchestra_proxypass_endpoint -}}
- ProxyPass "{{ .Values.georchestra_proxypass_endpoint }}"
- ProxyPassReverse "{{ .Values.georchestra_proxypass_endpoint }}"
- ProxyPreserveHost On
- {{- end }}
-
- RewriteEngine on
- RewriteCond %{QUERY_STRING} ^$
- RewriteCond %{REQUEST_METHOD} =GET
- RewriteCond %{REQUEST_URI} ^/login$
- RewriteRule /login /login/mellon [R,L]
- RewriteCond %{ENV:MELLON_NAME_ID} !^$
- RewriteRule /logout /mellon/logout?ReturnTo={{ .Values.hostname }}
-
-
-
-
- AuthType Mellon
- MellonEnable auth
- Require valid-user
- RewriteEngine on
- RewriteRule (.*) / [R]
-
-
-
\ No newline at end of file
diff --git a/apache-mod-mellon/templates/apache-depl.yaml b/apache-mod-mellon/templates/apache-depl.yaml
index 25825d3..213da86 100644
--- a/apache-mod-mellon/templates/apache-depl.yaml
+++ b/apache-mod-mellon/templates/apache-depl.yaml
@@ -33,16 +33,16 @@ spec:
periodSeconds: 10
timeoutSeconds: 5
volumeMounts:
- - name: virtualhost-config
- mountPath: /usr/local/apache2/conf/extra/000-default.conf
- subPath: 000-default.conf
+ - name: httpd-config
+ mountPath: /usr/local/apache2/conf/httpd.conf
+ subPath: httpd.conf
- name: mod-mellon-config
mountPath: /etc/mod-mellon-config
volumes:
- name: mod-mellon-config
secret:
secretName: {{ include "apache-mod-mellon.fullname" . }}-mod-mellon
- - name: virtualhost-config
+ - name: httpd-config
configMap:
- name: {{ include "apache-mod-mellon.fullname" . }}-virtualhost
+ name: {{ include "apache-mod-mellon.fullname" . }}-httpd
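Review bot: Mounting the whole `httpd.conf` through `subPath` means the kubelet will not refresh the file when the ConfigMap changes, so an edited config only takes effect on a pod restart; if the pod template does not already carry a checksum annotation over the rendered ConfigMap (the template head is outside this hunk), add one such as `checksum/httpd-config: {{ include (print $.Template.BasePath "/apache-config-httpd.yaml") . | sha256sum }}` so a config change rolls the Deployment. Replacing the image's own `conf/httpd.conf` rather than an `extra/` include also discards whatever the image shipped there (MIME types, default MPM tuning), which is worth stating in a comment next to the mount.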