# {{ ansible_managed }}

<VirtualHost *:{{ keystone_service_port }}>
    WSGIDaemonProcess     keystone-service user={{ keystone_system_user_name }} group={{ keystone_system_group_name }} processes={{ keystone_wsgi_processes }} threads={{ keystone_wsgi_threads }} display-name=%{GROUP}
    WSGIProcessGroup      keystone-service
    WSGIScriptAlias       / /var/www/cgi-bin/keystone/main
    WSGIApplicationGroup  %{GLOBAL}
    WSGIPassAuthorization On

    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>

    LogLevel  {{  keystone_apache_log_level }}
    ErrorLog  /var/log/keystone/keystone-apache-error.log
    CustomLog /var/log/keystone/ssl_access.log combined
    Options +FollowSymLinks

    {% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
    SSLEngine on
    SSLCertificateFile    {{ keystone_ssl_cert }}
    SSLCertificateKeyFile {{ keystone_ssl_key }}
    {% if keystone_user_ssl_ca_cert is defined -%}
    SSLCACertificateFile  {{ keystone_ssl_ca_cert }}
    {% endif -%}
    SSLCompression Off
    SSLProtocol {{ keystone_ssl_protocol }}
    SSLHonorCipherOrder On
    SSLCipherSuite {{ keystone_ssl_cipher_suite }}
    SSLOptions +StdEnvVars +ExportCertData
    {% endif %}

    {% if keystone_sp is defined -%}
    ShibURLScheme {{ keystone_service_publicuri_proto }}

    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    <Location /v3/auth/OS-FEDERATION/websso/saml2>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting exportAssertion 1
        ShibRequireSession On
        ShibExportAssertion On
        Require valid-user
    </Location>

    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
        ShibRequestSetting requireSession 1
        AuthType shibboleth
        ShibExportAssertion Off
        Require valid-user
    </LocationMatch>

    WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1
    {% endif %}
</VirtualHost>

<VirtualHost *:{{ keystone_admin_port }}>
    WSGIDaemonProcess     keystone-admin user={{ keystone_system_user_name }} group={{ keystone_system_group_name }} processes={{ keystone_wsgi_processes }} threads={{ keystone_wsgi_threads }} display-name=%{GROUP}
    WSGIProcessGroup      keystone-admin
    WSGIScriptAlias       / /var/www/cgi-bin/keystone/admin
    WSGIApplicationGroup  %{GLOBAL}
    WSGIPassAuthorization On

    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>

    LogLevel  {{  keystone_apache_log_level }}
    ErrorLog  /var/log/keystone/keystone-apache-error.log
    CustomLog /var/log/keystone/ssl_access.log combined
    Options +FollowSymLinks

    {% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" -%}
    SSLEngine on
    SSLCertificateFile    {{ keystone_ssl_cert }}
    SSLCertificateKeyFile {{ keystone_ssl_key }}
    {% if keystone_user_ssl_ca_cert is defined -%}
    SSLCACertificateFile  {{ keystone_ssl_ca_cert }}
    {% endif -%}
    SSLCompression Off
    SSLProtocol {{ keystone_ssl_protocol }}
    SSLHonorCipherOrder On
    SSLCipherSuite {{ keystone_ssl_cipher_suite }}
    SSLOptions +StdEnvVars +ExportCertData
    {% endif %}
</VirtualHost>