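##############################################################################
## GridSite httpd-fileserver.conf - Andrew McNab
##
## Example configuration file for GridSite as an HTTP(S) fileserver.
##
## For GridSite documentation, see http://www.gridpp.ac.uk/gridsite/
##
## This file should be renamed /etc/httpd/conf/httpd.conf and Apache
## restarted to use Apache2/GridSite as a simple HTTP(S) fileserver.
##
## You do not need to install the GridSite mod_ssl.so module if you
## do not wish to use Globus Proxies or VOMS attributes, but you must
## have the mod_gridsite.so in /usr/lib/httpd/modules
##
## We're assuming you have (a) the host's hostcert.pem and hostkey.pem
## in /etc/grid-security/ and (b) the Certification Authorities you
## trust have their root certs in /etc/grid-security/certificates
##
## (You can get RPMs for many European and North American Grid CAs
## from https://datagrid.in2p3.fr/distribution/datagrid/security/ )
##
## If you want to use DN Lists in ACLs, they should be placed/downloaded
## in /etc/grid-security/dn-lists/
##
## NOTE: this copy of the file had lost everything written in angle
## brackets. The <Directory>/<VirtualHost> containers further down and the
## XML of the two GACL examples in this header have been re-created from
## the surrounding text and the Apache/GACL syntax; check them against the
## file shipped with GridSite and the GridSite GACL document before use.
##
## To start serving files, make a directory /var/www/htdocs owned by
## nobody.nobody, including the file .gacl containing:
##
## <gacl>
##  <entry>
##   <any-user/>
##   <allow><read/><list/></allow>
##  </entry>
## </gacl>
##
## To enable writing, add DN List, Person or VOMS entries to the GACL
## (see the GridSite GACL document for the syntax.) For example:
##
## <gacl>
##  <entry>
##   <any-user/>
##   <allow><read/><list/></allow>
##  </entry>
##  <entry>
##   <person>
##    <dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab</dn>
##   </person>
##   <allow><write/></allow>
##  </entry>
## </gacl>
##
## and add the following directive to the HTTPS section:
##
##  GridSiteMethods GET PUT DELETE
##
## (Keep GridSiteMethods in the HTTPS section only: requests on port 80
##  carry no client certificate, so a write could not be tied to a DN.)
##
## If you wish to accept Globus GSI Proxies as well as full X.509 user
## certificates, set GridSiteGSIProxyLimit to the depth of proxy you
## wish to accept.
##
## (As a _rough_ guide: 0=No Proxies; 1=Proxy on user's machine; 2=Proxy
##  owned by running Globus job; 3=Proxy delegated by a Globus job.)
##
## With this done and Apache restarted, you can upload a file with:
##
##  curl -v --cert ~/.globus/usercert.pem --key ~/.globus/userkey.pem \
##   --capath /etc/grid-security/certificates --upload-file /tmp/tmp.txt \
##   https://INSERT.HOSTNAME.HERE/tmp.txt
##
## (or with --cert /tmp/x509up_u`id -u` --key /tmp/x509up_u`id -u` to use
##  a Globus GSI Proxy created with grid-proxy-init.)
##############################################################################

ServerRoot "/etc/httpd"

PidFile logs/httpd.pid

Timeout                 300
KeepAlive               On
MaxKeepAliveRequests    100
KeepAliveTimeout        15

LoadModule log_config_module    /usr/lib/httpd/modules/mod_log_config.so
LoadModule ssl_module           /usr/lib/httpd/modules/mod_ssl.so
LoadModule gridsite_module      /usr/lib/httpd/modules/mod_gridsite.so
LoadModule mime_module          /usr/lib/httpd/modules/mod_mime.so
LoadModule dir_module           /usr/lib/httpd/modules/mod_dir.so

TypesConfig /etc/mime.types

# User and group who will own files created by Apache
# (Uploaded files and the .gacl files are writable by this account, and
#  "nobody" is often shared with other daemons; a dedicated account keeps
#  them from being able to alter the ACLs or the served files.)
User  nobody
Group nobody

DocumentRoot "/var/www/htdocs"

# AllowOverride is only valid inside a <Directory> container, so the
# container is restored here; with None, .htaccess files are ignored and
# access control is left to GridSite's .gacl files.
<Directory />
    AllowOverride None
</Directory>

# "debug" is useful while setting the server up but is very verbose;
# lower it (e.g. to warn) once the server is in service.
LogLevel debug
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

CustomLog       logs/httpd-gridsite-access      combined
ErrorLog        logs/httpd-gridsite-errors

# Client addresses are resolved through DNS on every request; this costs
# a lookup per request, and hostnames in the logs are only as trustworthy
# as the DNS answers.
HostnameLookups On

######################################################################
# Plain unauthenticated HTTP on port 80
######################################################################
# Requests on this port carry no client certificate, so only GACL
# entries that do not require one can match, and anything served here
# is sent in the clear.

Listen 80
<VirtualHost *:80>

<Directory "/var/www/htdocs">
 GridSiteIndexes        on
 GridSiteAuth           on
 GridSiteDNlists        /etc/grid-security/dn-lists/
</Directory>

</VirtualHost>

######################################################################
# Secured and possibly authenticated HTTPS on port 443
######################################################################

Listen 443
<VirtualHost *:443>

SSLEngine               on
SSLCertificateFile      /etc/grid-security/hostcert.pem
# hostkey.pem is the host's private key: keep it readable by root only.
SSLCertificateKeyFile   /etc/grid-security/hostkey.pem
SSLCACertificatePath    /etc/grid-security/certificates
# Until a CRL directory is configured, certificates revoked by their CA
# are still accepted. On Apache 2.4, SSLCARevocationCheck must also be set
# (e.g. "chain") for the CRLs to be consulted, and the CRLs have to be
# refreshed regularly.
#SSLCARevocationPath    YOUR CRL DIRECTORY WOULD GO HERE
# "optional" lets clients connect without a certificate; what such
# clients may do is then decided by the GACL entries alone.
SSLVerifyClient         optional
SSLVerifyDepth          10
SSLOptions              +ExportCertData +StdEnvVars

<Directory "/var/www/htdocs">
 GridSiteIndexes        on
 GridSiteAuth           on
 GridSiteDNlists        /etc/grid-security/dn-lists/
 # 0 = accept full X.509 user certificates only, no GSI proxies
 GridSiteGSIProxyLimit  0
# GridSiteMethods       GET PUT DELETE
</Directory>

</VirtualHost>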