{% set keystone_log_dir = '/var/log/kolla/keystone' %} {% set binary_path = '/usr/bin' if keystone_install_type == 'binary' else '/var/lib/kolla/venv/bin' %} {% if keystone_enable_tls_backend | bool %} {% if kolla_base_distro in ['centos'] %} LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so {% else %} LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so {% endif %} {% endif %} Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_public_listen_port }} Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_admin_listen_port }} ServerSignature Off ServerTokens Prod TraceEnable off TimeOut {{ kolla_httpd_timeout }} KeepAliveTimeout {{ kolla_httpd_keep_alive }} ErrorLog "{{ keystone_log_dir }}/apache-error.log" CustomLog "{{ keystone_log_dir }}/apache-access.log" common {% if keystone_logging_debug | bool %} LogLevel info {% endif %} AllowOverride None Options None Require all granted WSGIDaemonProcess keystone-public processes={{ openstack_service_workers }} threads=1 user=keystone group=keystone display-name=keystone-public WSGIProcessGroup keystone-public WSGIScriptAlias / {{ binary_path }}/keystone-wsgi-public WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On = 2.4> ErrorLogFormat "%{cu}t %M" ErrorLog "{{ keystone_log_dir }}/keystone-apache-public-error.log" LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat CustomLog "{{ keystone_log_dir }}/keystone-apache-public-access.log" logformat {% if keystone_enable_tls_backend | bool %} SSLEngine on SSLCertificateFile /etc/keystone/certs/keystone-cert.pem SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem {% endif %} {% if keystone_enable_federation_openid %} OIDCClaimPrefix "OIDC-" OIDCClaimDelimiter ";" OIDCResponseType "id_token" OIDCScope "{{ keystone_federation_oidc_scopes }}" OIDCMetadataDir {{ keystone_container_federation_oidc_metadata_folder }} {% if keystone_federation_openid_certificate_key_ids | length > 0 %} OIDCOAuthVerifyCertFiles {{ keystone_federation_openid_certificate_key_ids | join(" ") }} {% endif %} OIDCCryptoPassphrase {{ keystone_federation_openid_crypto_password }} OIDCRedirectURI {{ keystone_public_url }}/redirect_uri Require valid-user AuthType openid-connect {# WebSSO authentication endpoint -#} Require valid-user AuthType openid-connect {% for idp in keystone_identity_providers %} {% if idp.protocol == 'openid' %} Require valid-user AuthType openid-connect {% endif %} {% endfor %} {# CLI / API authentication endpoint -#} {% for idp in keystone_identity_providers %} {% if idp.protocol == 'openid' %} Require valid-user {# Note(jasonanderson): `auth-openidc` is a special auth type that can -#} {# additionally handle verifying bearer tokens -#} AuthType auth-openidc {% endif %} {% endfor %} {% endif %} WSGIDaemonProcess keystone-admin processes={{ openstack_service_workers }} threads=1 user=keystone group=keystone display-name=keystone-admin WSGIProcessGroup keystone-admin WSGIScriptAlias / {{ binary_path }}/keystone-wsgi-admin WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On = 2.4> ErrorLogFormat "%{cu}t %M" ErrorLog "{{ keystone_log_dir }}/keystone-apache-admin-error.log" LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat CustomLog "{{ keystone_log_dir }}/keystone-apache-admin-access.log" logformat {% if keystone_enable_tls_backend | bool %} SSLEngine on SSLCertificateFile /etc/keystone/certs/keystone-cert.pem SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem {% endif %}