6960c141e5
The script sha256 needs to be present to allow the browser to run the script with the CSP. The sha is for the Javascript code of the sso_callback_template: https://github.com/openstack/keystone/blob/master/etc/sso_callback_template.html#L17-L19 Change-Id: I7dd383fcc20c8b46e8e713b28d23e9c9e45679c2
78 lines
2.6 KiB
Django/Jinja
78 lines
2.6 KiB
Django/Jinja
# {{ ansible_managed }}
|
|
|
|
Listen {{ keystone_service_port }}
|
|
<VirtualHost *:{{ keystone_service_port }}>
|
|
|
|
<IfVersion >= 2.4>
|
|
ErrorLogFormat "%{cu}t %M"
|
|
</IfVersion>
|
|
|
|
LogLevel {{ keystone_apache_log_level }}
|
|
# NOTE(Cloudnull): Log files can changed to use "mod_journal" when Apache 2.5 is released
|
|
ErrorLog {{ keystone_apache_default_log_folder }}/keystone-apache-error.log
|
|
CustomLog {{ keystone_apache_default_log_folder }}/ssl_access.log {{ keystone_apache_custom_log_format }}
|
|
Options +FollowSymLinks
|
|
|
|
Header set X-Content-Type-Options "nosniff"
|
|
Header set X-XSS-Protection "1; mode=block"
|
|
Header set Content-Security-Policy "default-src 'self' https: wss:;"
|
|
{% if keystone_sp != {} -%}
|
|
Header set Content-Security-Policy "script-src 'sha256-oBahlBFQem+nMs1JwgcBB03Hy8nRh5e8qEGTOcxmAuM=';"
|
|
{% endif %}
|
|
Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
|
|
|
|
{% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
|
|
SSLEngine on
|
|
SSLCertificateFile {{ keystone_ssl_cert }}
|
|
SSLCertificateKeyFile {{ keystone_ssl_key }}
|
|
{% if keystone_user_ssl_ca_cert is defined -%}
|
|
SSLCACertificateFile {{ keystone_ssl_ca_cert }}
|
|
{% endif -%}
|
|
SSLCompression Off
|
|
SSLProtocol {{ keystone_ssl_protocol }}
|
|
SSLHonorCipherOrder On
|
|
SSLCipherSuite {{ keystone_ssl_cipher_suite }}
|
|
SSLOptions +StdEnvVars +ExportCertData
|
|
{% endif %}
|
|
|
|
{% if keystone_sp != {} -%}
|
|
ShibURLScheme {{ keystone_service_publicuri_proto }}
|
|
|
|
<Location /Shibboleth.sso>
|
|
SetHandler shib
|
|
</Location>
|
|
|
|
<Location /v3/auth/OS-FEDERATION/websso/saml2>
|
|
AuthType shibboleth
|
|
ShibRequestSetting requireSession 1
|
|
ShibRequestSetting exportAssertion 1
|
|
ShibRequireSession On
|
|
ShibExportAssertion On
|
|
Require valid-user
|
|
</Location>
|
|
|
|
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
|
|
ShibRequestSetting requireSession 1
|
|
AuthType shibboleth
|
|
ShibExportAssertion Off
|
|
Require valid-user
|
|
</LocationMatch>
|
|
|
|
{% endif %}
|
|
|
|
<Directory /var/www/cgi-bin/keystone>
|
|
Options Indexes FollowSymLinks MultiViews
|
|
AllowOverride All
|
|
Order allow,deny
|
|
allow from all
|
|
</Directory>
|
|
|
|
{% if keystone_sp != {} -%}
|
|
ProxyPass /Shibboleth.sso !
|
|
{% endif %}
|
|
ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/
|
|
|
|
</VirtualHost>
|
|
|
|
ProxyPass /identity uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/
|