# {{ ansible_managed }} Listen {{ keystone_service_port }} = 2.4> ErrorLogFormat "%{cu}t %M" LogLevel {{ keystone_apache_log_level }} # NOTE(Cloudnull): Log files can changed to use "mod_journal" when Apache 2.5 is released ErrorLog {{ keystone_apache_default_log_folder }}/keystone-apache-error.log CustomLog {{ keystone_apache_default_log_folder }}/ssl_access.log {{ keystone_apache_custom_log_format }} Options +FollowSymLinks Header set X-Content-Type-Options "nosniff" Header set X-XSS-Protection "1; mode=block" Header set Content-Security-Policy "default-src 'self' https: wss:;" Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}" {% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%} SSLEngine on SSLCertificateFile {{ keystone_ssl_cert }} SSLCertificateKeyFile {{ keystone_ssl_key }} {% if keystone_user_ssl_ca_cert is defined -%} SSLCACertificateFile {{ keystone_ssl_ca_cert }} {% endif -%} SSLCompression Off SSLProtocol {{ keystone_ssl_protocol }} SSLHonorCipherOrder On SSLCipherSuite {{ keystone_ssl_cipher_suite }} SSLOptions +StdEnvVars +ExportCertData {% endif %} {% if keystone_sp != {} -%} ShibURLScheme {{ keystone_service_publicuri_proto }} SetHandler shib AuthType shibboleth ShibRequestSetting requireSession 1 ShibRequestSetting exportAssertion 1 ShibRequireSession On ShibExportAssertion On Require valid-user ShibRequestSetting requireSession 1 AuthType shibboleth ShibExportAssertion Off Require valid-user WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1 {% endif %} Options Indexes FollowSymLinks MultiViews AllowOverride All Order allow,deny allow from all ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/ ProxyPass /identity uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/