<%doc>
#
# This file is the template for the IPS system publisher Apache configuration
# file.
#
# Template inputs referenced below: sysrepo_runtime_dir, sysrepo_log_dir,
# host, port, cache_dir, cache_size and uri_pub_map.  All of them are
# substituted into the generated httpd configuration as plain text.
#
</%doc>
<% context.write("""
#
# This is an automatically generated file for the IPS system publisher, and
# should not be modified directly. Changes made to this file will be
# overwritten the next time svc:/system/pkg/sysrepo:default is refreshed or
# restarted.
#
""")
%>

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to point the LockFile directive
# at a local disk. If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
#
ServerRoot "/usr/apache2/2.2"
PidFile "${sysrepo_runtime_dir}/../sysrepo_httpd.pid"
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
## NOTE(review): host and port come from whatever renders this template.
## Every access rule later in this file admits 127.0.0.1 only, so a
## non-loopback ${host} would expose the listener without making it usable
## remotely - confirm the renderer always passes a loopback address.
Listen ${host}:${port}

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to include a `LoadModule' line so that the directives contained in it
# are actually available _before_ they are used.
#

## NOTE(review): the directives visible in this template only exercise a
## handful of the modules loaded here (rewrite, proxy and proxy_http, ssl,
## cache/disk_cache/mem_cache, alias, dir, authz_host, log_config, logio).
## Modules such as info, status, userdir, dav/dav_fs, cgi/cgid, suexec,
## include, proxy_ftp, proxy_connect, proxy_ajp and dumpio are loaded but not
## configured anywhere in this file.  Dropping the ones the system repository
## does not need would reduce the code reachable in this process - TODO
## confirm none of them is required before trimming the list.
LoadModule authn_file_module libexec/64/mod_authn_file.so
LoadModule authn_dbm_module libexec/64/mod_authn_dbm.so
LoadModule authn_anon_module libexec/64/mod_authn_anon.so
LoadModule authn_dbd_module libexec/64/mod_authn_dbd.so
LoadModule authn_default_module libexec/64/mod_authn_default.so
LoadModule authz_host_module libexec/64/mod_authz_host.so
LoadModule authz_groupfile_module libexec/64/mod_authz_groupfile.so
LoadModule authz_user_module libexec/64/mod_authz_user.so
LoadModule authz_dbm_module libexec/64/mod_authz_dbm.so
LoadModule authz_owner_module libexec/64/mod_authz_owner.so
LoadModule authnz_ldap_module libexec/64/mod_authnz_ldap.so
LoadModule authz_default_module libexec/64/mod_authz_default.so
LoadModule auth_basic_module libexec/64/mod_auth_basic.so
LoadModule auth_digest_module libexec/64/mod_auth_digest.so
LoadModule file_cache_module libexec/64/mod_file_cache.so
LoadModule cache_module libexec/64/mod_cache.so
LoadModule disk_cache_module libexec/64/mod_disk_cache.so
LoadModule mem_cache_module libexec/64/mod_mem_cache.so
LoadModule dbd_module libexec/64/mod_dbd.so
LoadModule dumpio_module libexec/64/mod_dumpio.so
LoadModule reqtimeout_module libexec/64/mod_reqtimeout.so
LoadModule ext_filter_module libexec/64/mod_ext_filter.so
LoadModule include_module libexec/64/mod_include.so
LoadModule filter_module libexec/64/mod_filter.so
LoadModule substitute_module libexec/64/mod_substitute.so
LoadModule deflate_module libexec/64/mod_deflate.so
LoadModule ldap_module libexec/64/mod_ldap.so
LoadModule log_config_module libexec/64/mod_log_config.so
LoadModule log_forensic_module libexec/64/mod_log_forensic.so
LoadModule logio_module libexec/64/mod_logio.so
LoadModule env_module libexec/64/mod_env.so
LoadModule mime_magic_module libexec/64/mod_mime_magic.so
LoadModule cern_meta_module libexec/64/mod_cern_meta.so
LoadModule expires_module libexec/64/mod_expires.so
LoadModule headers_module libexec/64/mod_headers.so
LoadModule ident_module libexec/64/mod_ident.so
LoadModule usertrack_module libexec/64/mod_usertrack.so
LoadModule unique_id_module libexec/64/mod_unique_id.so
LoadModule setenvif_module libexec/64/mod_setenvif.so
LoadModule version_module libexec/64/mod_version.so
LoadModule proxy_module libexec/64/mod_proxy.so
LoadModule proxy_connect_module libexec/64/mod_proxy_connect.so
LoadModule proxy_ftp_module libexec/64/mod_proxy_ftp.so
LoadModule proxy_http_module libexec/64/mod_proxy_http.so
LoadModule proxy_scgi_module libexec/64/mod_proxy_scgi.so
LoadModule proxy_ajp_module libexec/64/mod_proxy_ajp.so
LoadModule proxy_balancer_module libexec/64/mod_proxy_balancer.so
LoadModule ssl_module libexec/64/mod_ssl.so
LoadModule mime_module libexec/64/mod_mime.so
LoadModule dav_module libexec/64/mod_dav.so
LoadModule status_module libexec/64/mod_status.so
LoadModule autoindex_module libexec/64/mod_autoindex.so
LoadModule asis_module libexec/64/mod_asis.so
LoadModule info_module libexec/64/mod_info.so
LoadModule suexec_module libexec/64/mod_suexec.so
<IfModule prefork.c>
LoadModule cgi_module libexec/64/mod_cgi.so
</IfModule>
<IfModule worker.c>
LoadModule cgid_module libexec/64/mod_cgid.so
</IfModule>
LoadModule dav_fs_module libexec/64/mod_dav_fs.so
LoadModule vhost_alias_module libexec/64/mod_vhost_alias.so
LoadModule negotiation_module libexec/64/mod_negotiation.so
LoadModule dir_module libexec/64/mod_dir.so
LoadModule imagemap_module libexec/64/mod_imagemap.so
LoadModule actions_module libexec/64/mod_actions.so
LoadModule speling_module libexec/64/mod_speling.so
LoadModule userdir_module libexec/64/mod_userdir.so
LoadModule alias_module libexec/64/mod_alias.so
LoadModule rewrite_module libexec/64/mod_rewrite.so

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
## The request-handling processes run as the dedicated pkg5srv account, so
## every path this file points at (htdocs, the log and cache directories,
## file:// repositories) only needs to be accessible to that account.
User pkg5srv
Group pkg5srv

# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. [email protected]
#
## NOTE(review): the ServerAdmin value below (and the example in the comment
## above) reads "[email protected]", which looks like the hosting page's
## e-mail obfuscation rather than the template's real text; restore the
## address from the upstream file before using this listing.
ServerAdmin [email protected]

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
ServerName ${host}

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
## htdocs is a subdirectory of sysrepo_runtime_dir.  The client key bundle
## referenced later in this file (${sysrepo_runtime_dir}/crypto.txt) is a
## sibling of htdocs, not inside it; keep it that way so the bundle is never
## part of the served tree.
DocumentRoot "${sysrepo_runtime_dir}/htdocs"

#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
## Default-deny for the whole filesystem: with "Order deny,allow" and
## "Deny from all", nothing is served unless a more specific container
## below grants access.  .htaccess files are ignored (AllowOverride None).
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "${sysrepo_runtime_dir}/htdocs">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important. Please see
    # http://httpd.apache.org/docs/2.2/mod/core.html#options
    # for more information.
    #
    ## NOTE(review): FollowSymLinks lets a symlink placed under htdocs expose
    ## any file the pkg5srv account can read; that is only as safe as the
    ## write permissions on this directory - confirm who can write to it.
    Options FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    # Options FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    ## With "Order allow,deny" a client that matches no Allow line is denied,
    ## so only the IPv4 loopback address is served.  Any local process can
    ## connect from that address; there is no per-user authentication here.
    Order allow,deny
    Allow from 127.0.0.1

</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "${sysrepo_log_dir}/error_log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
## NOTE(review): a second "LogLevel Info" near the end of this section is also
## in the main server context and presumably replaces this value, making
## "info" the effective level - confirm which one is intended and drop the other.
LogLevel warn

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
        # You need to enable mod_logio.c to use %I and %O
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here. Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    ## The "common" format records client address, request line, status and
    ## size only.  Because the access rules in this file admit 127.0.0.1
    ## alone, %h is the same for every served request, so this log cannot
    ## tell local clients apart.
    CustomLog "${sysrepo_log_dir}/access_log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    #CustomLog "/var/apache2/2.2/logs/access_log" combined
</IfModule>

#
# DefaultType: the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain

#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
## NOTE(review): mod_ssl is used later in this file for outbound TLS
## (SSLProxyEngine), and its documentation describes "builtin" as a weak
## seeding source that should be supplemented at startup where the platform
## offers one (e.g. "SSLRandomSeed startup file:/dev/urandom 512") - confirm
## whether the target platform provides such a device.
<IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
</IfModule>

## Second LogLevel in the main server context; see the note on the first one.
LogLevel Info
RewriteEngine on

<%doc> #
# We only perform caching if cache_dir is set. It needs to be set to
# an absolute path to a directory writable by the apache process.
# Alternatively, if set to 'memory', we enable mod_mem_cache.
#
# Review notes:
#  - A cache_dir that is neither absolute nor the string "memory" matches
#    neither branch below, so an empty <IfModule mod_cache.c> is emitted and
#    caching is silently off.
#  - cache_dir is written into CacheRoot unquoted; a path containing
#    whitespace would be split into several arguments.
#  - The disk cache holds whatever the proxy fetched, including content
#    obtained from https publishers with the machine's client certificate,
#    so the directory should be accessible to the httpd account only -
#    TODO confirm how the directory is created and with which mode.
#
</%doc>
% if cache_dir != None:
<IfModule mod_cache.c>
    % if cache_dir.startswith("/"):
    <IfModule mod_disk_cache.c>
        CacheRoot ${cache_dir}
        CacheEnable disk /
        CacheDirLevels 5
        CacheDirLength 3
        # A 44mb seems like a reasonable size for the largest
        # file we will choose to cache.
        CacheMaxFileSize 45690876
    </IfModule>
    % elif cache_dir == "memory":
    CacheEnable mem /
    MCacheSize ${cache_size}
    # cache a suitably large number of files
    MCacheMaxObjectCount 200000
    MCacheMinObjectSize 1
    MCacheMaxObjectSize 45690876
    % endif
</IfModule>
% endif

## RewriteLogLevel 0 turns rewrite logging off; the log path is still declared
## so the level can be raised when debugging the rules below.
RewriteLog "${sysrepo_log_dir}/rewrite.log"
RewriteLogLevel 0

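# We need to allow these as they're encoded in the package/manifest names
# when looking up file:// repositories
AllowEncodedSlashes On

## Forward-proxy mode: httpd fetches URLs on behalf of its clients.  The
## <Proxy *> container below limits who may use the proxy, and the RewriteRule
## set later in this file (ending in a catch-all 404) appears to be what limits
## which URLs can be requested; both have to stay in place for this to be safe.
ProxyRequests On

## Outbound TLS towards https publishers.  crypto.txt is the client
## certificate bundle; per the mod_ssl documentation it is a concatenation of
## PEM certificates with their private keys and encrypted keys are not
## supported, so it is protected by file permissions alone.
SSLProxyEngine on
SSLProxyMachineCertificateFile ${sysrepo_runtime_dir}/crypto.txt
## A bare "all" on httpd 2.2 also enables SSLv2 and SSLv3 for upstream
## connections; both are excluded so the proxy only negotiates TLS.
SSLProxyProtocol all -SSLv2 -SSLv3
## NOTE(review): no SSLProxyVerify / SSLProxyCACertificateFile is set anywhere
## in this template, so the origin server's certificate is presumably not
## validated (mod_ssl's default for SSLProxyVerify is "none") - confirm.

## "Order deny,allow" evaluates Deny first and lets Allow override it, so the
## proxy is usable from the IPv4 loopback address and from nowhere else.
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Proxy>
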
<%doc>
# All of our rules specify the NE flag, 'noescape', that is
# we don't want any rewritten URLs being decoded en-route through
# the set of RewriteRule directives.
#
# We must be careful to iterate over the URIs in reverse order, since we're
# applying regular expressions that would otherwise match any URIs that happen
# to be substrings of another URI.
#
# Review notes:
#  - uri, pub and hash are formatted into the RewriteRule patterns as-is.
#    Characters such as '.' therefore act as regex metacharacters, and
#    whitespace in a value would split the directive into extra arguments.
#    The values presumably come from the image's publisher configuration;
#    confirm they are validated before they reach this template.
#  - The labels on the two "endfor" lines at the end of the loop are swapped:
#    the first one closes the inner (pub) loop, the second the outer (uri)
#    loop.
#
</%doc>

% for uri in reversed(sorted(uri_pub_map.keys())):
    % for pub, cert_path, key_path, hash in uri_pub_map[uri]:
        <%doc>
        # for any https publishers, we want to allow proxy clients
        # access the repos using the key/cert from the sysrepo
        #
        # Review notes: the client asks for the http:// form of the URI and
        # the rule forwards to the https:// origin, so every client admitted
        # by the <Proxy *> rules fetches with the machine's key/cert.
        # uri.replace() swaps every "https:" occurrence in the URI, not only
        # the leading scheme.
        </%doc>
        % if uri.startswith("https:"):
        <%
            no_https = uri.replace("https:", "http:")
            context.write("RewriteRule ^proxy:%(no_https)s/(.*)$ "
                "%(uri)s/$1 [P,NE]" % locals())
        %>
        ## NOTE(review): this branch accepts any "file:" prefix, while the Alias
        ## loop at the end of the file only handles URIs starting with "file://";
        ## a URI in between gets rewrite rules here but no Alias/Directory.
        % elif uri.startswith("file:"):
        <%doc>
        # Point to our local versions/0 response or
        # publisher-specific publisher/0, response, then stop.
        </%doc>
        <%
            context.write("RewriteRule ^/%(pub)s/%(hash)s/versions/0 "
                "/versions/0/index.html [L,NE]\n" % locals())
            context.write("RewriteRule ^/%(pub)s/%(hash)s/publisher/0 "
                "/%(pub)s/%(hash)s/publisher/0/index.html [L,NE]" % locals())
        %><%doc>

        # Modify the catalog and manifest URLs, then
        # 'passthrough' (PT), letting the Alias below rewrite
        # the URL instead.
        </%doc>
        <% context.write(
            "RewriteRule ^/%(pub)s/%(hash)s/catalog/1/(.*)$ "
            "/%(pub)s/%(hash)s/publisher/%(pub)s/catalog/$1 [NE,PT]" %
            locals())
        %><%doc>
        # file responses are a little tricky - we need to index
        # the first two characters of the filename and use that
        # as an index into the directory of filenames.
        #
        # eg. the request
        # http://localhost:15000/pkg5-nightly/abcdef/file/1/87ad645695abb22b2959f73d22022c5cffeccb13
        # gets rewritten as:
        # http://localhost:15000/pkg5-nightly/abcdef/publisher/pkg5-nightly/file/87/87ad645695abb22b2959f73d22022c5cffeccb13
        </%doc>
        <% context.write("RewriteRule ^/%(pub)s/%(hash)s/file/1/(..)(.*)$ "
            "/%(pub)s/%(hash)s/publisher/%(pub)s/file/$1/$1$2 [NE,PT]\n"
            % locals())
        %><%doc>
        # We need to use %THE_REQUEST here to get the undecoded
        # URI from mod_rewrite. Hang on to your lunch.
        # We chain the rule that produces THE_REQUEST to the
        # following rule which picks apart the original http
        # request to separate the package name from the package
        # version.
        #
        # That is, mod_rewrite sees the pkg client asking for
        # the initial decoded URI:
        # '/pkg5-nightly/abcdef/manifest/0/package/sysrepo@0.5.11,5.11-0.159:20110308T011843Z'
        #
        # which comes from the HTTP request:
        # 'GET /pkg5-nightly/abcdef/manifest/0/package%2Fsysrepo@0.5.11%2C5.11-0.159%3A20110308T011843Z HTTP/1.1'
        #
        # which we eventually rewrite as:
        # -> '/pkg5-nightly/abcdef/publisher/pkg5-nightly/pkg/package%2Fsysrepo/0.5.11%2C5.11-0.159%3A20110308T011843Z'
        </%doc><%
            context.write("RewriteRule ^/%(pub)s/%(hash)s/manifest/0/.*$ "
                "%%{THE_REQUEST} [NE,C]\n" % locals())

            context.write("RewriteRule ^GET\ "
                "/%(pub)s/%(hash)s/manifest/0/([^@]+)@([^\ ]+)(\ HTTP/1.1)$ "
                "/%(pub)s/%(hash)s/publisher/%(pub)s/pkg/$1/$2 [NE,PT,C]\n"
                % locals())
            context.write("RewriteRule ^/%(pub)s/%(hash)s/(.*)$ - [NE,L]"
                % locals())
        %>
        % else:
        <% context.write("RewriteRule ^proxy:%(uri)s/(.*)$ "
            "%(uri)s/$1 [NE,P]" % locals())
        %>
        % endif
    % endfor uri
% endfor pub

# any non-file-based repositories get our local versions and syspub responses
RewriteRule ^.*/versions/0/?$ - [L]
RewriteRule ^.*/syspub/0/?$ - [L]
# catch all, denying everything
## Anything that reaches this line without matching an earlier rule is answered
## with 404.  With ProxyRequests On this rule is what keeps the forward proxy
## from serving URLs outside the configured publishers, so it must stay last.
RewriteRule ^.*$ - [R=404]


#
# The following Aliases allow file-based repositories to function
# correctly, in conjunction with the rewrites above
#
## NOTE(review): only URIs starting with "file://" are handled here, while the
## rewrite loop above accepts any "file:" prefix.  The labels on the two
## "endfor" lines below are swapped: the first closes the inner (pub) loop.
% for uri in reversed(sorted(uri_pub_map.keys())):
    % for pub, cert_path, key_path, hash in uri_pub_map[uri]:
        <%doc>
        # we create an alias for the file repository under ${pub}
        #
        # Review notes:
        #  - repo_path is the URI with every "file://" occurrence removed.  It
        #    is quoted in the <Directory> line but not in the Alias line, so a
        #    path containing whitespace would be parsed differently by the two.
        #  - The <Directory> block sets no Options, so it inherits
        #    FollowSymLinks from <Directory />; symlinks inside the repository
        #    are followed with the httpd account's read access.
        #  - Access is limited to the IPv4 loopback address, i.e. to any local
        #    process.
        </%doc>
        % if uri.startswith("file://"):
        <% repo_path = uri.replace("file://", "") %>
        # a file repo alias to serve ${uri} content.
        <Directory "${repo_path}">
            AllowOverride None
            Order allow,deny
            Allow from 127.0.0.1
        </Directory>
        Alias /${pub}/${hash} ${repo_path}
        % endif
    % endfor uri
% endfor pub