############################################################################## ## GridSite httpd-webserver.conf - Andrew McNab ## ## For GridSite documentation, see http://www.gridsite.org/ ## ## Example configuration file for GridSite as a Web Server ## (that is, primarily for interactive use with a browser.) ## Listening is on ports 80/777 (HTTP) and 443/488 (HTTPS). ## ## (777/488 is to allow firewalls to distinguish between Grid and ## Web HTTP(S) traffic. See http://www.gridsite.org/wiki/IP_Ports ) ## ## This file should be renamed /etc/httpd/conf/httpd.conf and Apache ## restarted to use Apache2/GridSite as a webserver. ## ## You do not need to install the GridSite mod_ssl.so module if you ## do not wish to use Globus Proxies or VOMS attributes, but you must ## have the mod_gridsite.so in /usr/lib/httpd/modules ## ## We're assuming you have (a) the host's hostcert.pem and hostkey.pem ## in /etc/grid-security/ and (b) the Certification Authorities' you ## trust have their root certs in /etc/grid-security/certificates ## ## (You can get RPMs for many European and North American Grid CAs ## from https://datagrid.in2p3.fr/distribution/datagrid/security/ ) ## ## If you want to use DN Lists in ACLs, they should be placed/downloaded ## in /etc/grid-security/dn-lists/ or /var/www/htdocs/dn-lists/ ## (Lists in /etc/grid-security/dn-lists/ override lists elsewhere.) ## ## To start serving files, make a directory /var/www/htdocs owned by ## apache.apache, including the file .gacl containing: ## ## ## ## ## ## ## ## ## To enable writing, add DN List, Person or VOMS entries to the GACL ## (see the GridSite GACL document for the syntax.) For example: ## ## ## ## ## ## ## ## ## /C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab ## ## ## ## ## ## and add the following directive to the HTTPS section: ## ## GridSiteMethods GET PUT DELETE MOVE ## ## If you wish to accept Globus GSI Proxies as well as full X.509 user ## certificates, set GridSiteGSIProxyLimit to the depth of proxy you ## wish to accept. ## ## (As a _rough_ guide: 0=No Proxies; 1=Proxy on user's machine; 2=Proxy ## owned by running Globus job; 3=Proxy delegated by a Globus job.) ## ## With this done and Apache restarted, you can upload a file with: ## ## curl -v --cert ~/.globus/usercert.pem --key ~/.globus/userkey.pem \ ## --capath /etc/grid-security/certificates --upload-file /tmp/tmp.txt \ ## https://INSERT.HOSTNAME.HERE/tmp.txt ## ## (or with --cert /tmp/x509up_u`id -u` --key /tmp/x509up_u`id -u` to use ## a Globus GSI Proxy created with grid-proxy-init.) ############################################################################## ServerRoot "/etc/httpd" ## You MUST put your server's fully qualified domain name here ## This, the DOMAIN part of the https://DOMAIN/... URLs you want ServerName FULL.SERVER.NAME PidFile logs/httpd.pid Timeout 300 KeepAlive On MaxKeepAliveRequests 100 KeepAliveTimeout 15 LoadModule log_config_module /usr/lib/httpd/modules/mod_log_config.so LoadModule ssl_module /usr/lib/httpd/modules/mod_ssl.so LoadModule gridsite_module /usr/lib/httpd/modules/mod_gridsite.so LoadModule mime_module /usr/lib/httpd/modules/mod_mime.so LoadModule dir_module /usr/lib/httpd/modules/mod_dir.so LoadModule alias_module /usr/lib/httpd/modules/mod_alias.so LoadModule cgi_module /usr/lib/httpd/modules/mod_cgi.so TypesConfig /etc/mime.types # User and group who will own files created by Apache User apache Group apache DocumentRoot "/var/www/htdocs" AllowOverride None LogLevel debug LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined CustomLog logs/httpd-gridsite-access combined ErrorLog logs/httpd-gridsite-errors HostnameLookups On ###################################################################### # Plain unauthenticated HTTP on ports 80 and 777 ###################################################################### Listen 80 Listen 777 ## This is used to serve the Manage Directory links in footers, ## and to allow you to edit files and ACLs via your browser. ScriptAlias /real-gridsite-admin.cgi /usr/sbin/real-gridsite-admin.cgi ## This sets up GACL authorization for this server. GridSiteAuth on ## This exports various bits of info into the CGI environment ## variables (and is needed for gridsite-admin.cgi to work.) GridSiteEnvs on ## Nice GridSite directory listings (without truncating file names!) GridSiteIndexes on ## If this is on, GridSite will look for gridsitehead.txt and ## gridsitefoot.txt in the current directory or its parents, and ## use them to replace the and tags in .html files. GridSiteHtmlFormat on ## These directives (and the ScriptAlias above) allow authorized ## people to manage files, ACLs and DN Lists through their web ## browsers. Via HTTP, this just means extended directory listings ## and History pages. GridSiteAdminURI /real-gridsite-admin.cgi GridSiteAdminFile gridsite-admin.cgi ###################################################################### # Secured and possibly authenticated HTTPS on ports 443 and 488 ###################################################################### Listen 443 Listen 488 SSLSessionCacheTimeout 300 SSLSessionCache shm:/var/cache/mod_ssl/shm_cache SSLEngine on SSLCertificateFile /etc/grid-security/hostcert.pem SSLCertificateKeyFile /etc/grid-security/hostkey.pem SSLCACertificatePath /etc/grid-security/certificates #SSLCARevocationPath YOUR CRL DIRECTORY WOULD GO HERE SSLVerifyClient optional SSLVerifyDepth 10 SSLOptions +ExportCertData +StdEnvVars ## This is used to serve the Manage Directory links in footers, ## and to allow you to edit files and ACLs via your browser. ScriptAlias /real-gridsite-admin.cgi /usr/sbin/real-gridsite-admin.cgi ## This sets up GACL authorization for this server. GridSiteAuth on ## This exports various bits of info into the CGI environment ## variables (and is needed for gridsite-admin.cgi to work.) GridSiteEnvs on ## Nice GridSite directory listings (without truncating file names!) GridSiteIndexes on ## If this is on, GridSite will look for gridsitehead.txt and ## gridsitefoot.txt in the current directory or its parents, and ## use them to replace the and tags in .html files. GridSiteHtmlFormat on ## This is the path of directories (and all their subdirectories) for ## GACL to search when it encounters a dn-list credential. The DN List ## files are plain text, one DN per line, and must have the full url ## as the file name, but URL Encoded - eg with urlencode(1) GridSiteDNlists /etc/grid-security/dn-lists/:/var/www/htdocs/dn-lists/ ## This is used to form the URL at which DN Lists "owned" by this ## server are exported. https://FULL.SERVER.NAME/dn-lists/file ## ALL FILES WITH URLs ON THIS SERVER WILL BE EXPORTED IRRESPECTIVE ## OF WHERE THEY ARE FOUND ON THE DN-LISTS PATH!! GridSiteDNlistsURI /dn-lists/ ## If this is greater than zero, we will accept GSI Proxies for clients ## (full client certificates - eg inside web browsers - are always ok) GridSiteGSIProxyLimit 0 ## This directive allows authorized people to write/delete files ## from non-browser clients - eg with htcp(1) GridSiteMethods GET PUT DELETE MOVE ## These directives (and the ScriptAlias above) allow authorized ## people to manage files, ACLs and DN Lists through their web ## browsers via HTTPS. The value of GridSiteAdminFile appears to ## exist in every directory, but is internally redirected by ## mod_gridsite to the value of GridSiteAdminURI (the ScriptAlias ## then maps that onto the real-gridsite-admin.cgi executable.) GridSiteAdminURI /real-gridsite-admin.cgi GridSiteAdminFile gridsite-admin.cgi