# Apache configuration example for WebAuth. -*- apache -*-
#
# The following Apache configuration fragment is a sample minimal
# configuration for a WebAuth server, similar to the one given in INSTALL but
# with comments explaining each step of what's going on.
#
# Stanford users should use conf/stanford-webauth.conf instead. Debian and
# Ubuntu users should install the packages that come with the operating system
# and follow /usr/share/doc/libapache2-webauth/README.Debian.gz.
#
# Copyright 2003, 2006, 2009, 2010
# The Board of Trustees of the Leland Stanford Junior University
#
# Copying and distribution of this file, with or without modification, are
# permitted in any medium without royalty provided the copyright notice and
# this notice are preserved. This file is offered as-is, without any
# warranty.

# Each WebAuth server has to talk to a central authentication server called
# the WebKDC, both to send users to the login server and to be able to
# interpret the tokens that it returns. Some of the directives below are
# needed to facilitate that behind-the-scenes communication.

# The WebAuth module is built as a dynamic module by default. This loads it
# into Apache.
LoadModule webauth_module /usr/local/libexec/apache2/modules/mod_webauth.so

# Location of the server's private AES keys, used for communication with the
# WebKDC. Generated and maintained automatically, so it must be writable by
# the Apache server process.
WebAuthKeyring conf/webauth/keyring

# Location of the server's Kerberos keytab. You need to generate this file
# as part of the installation.
WebAuthKeytab conf/webauth/keytab

# Location where the service tokens are kept. These tokens are used to
# authenticate internal communication with the WebKDC. This file has to be
# writable by the Apache server processes.
WebAuthServiceTokenCache conf/webauth/service_token_cache

# Where the user is redirected to enter a username and password. This is part
# of the site configuration and will be provided by the person who sets up the
# WebKDC for your site.
WebAuthLoginURL https://webkdc/login/

# URL used for behind-the-scenes communication with the WebKDC. As above,
# this is part of the site configuration.
WebAuthWebKdcURL https://webkdc/webkdc-service/

# The service name to use when communicating with the WebKDC. The below is
# just our recommendation. The principal name is part of the site
# configuration.
WebAuthWebKdcPrincipal service/webkdc

# This file is only needed if your WebKDC is using a self-signed certificate.
# For those who are, you should copy that certificate (the file mentioned in
# the WebKDC's Apache SSLCertificateFile directive) to a local file, and point
# to that file with this directive.
#
# WebAuthWebKdcSSLCertFile conf/webauth/webkdc.cert

# Anyone who tries to access a WebAuth-protected page via HTTP rather than
# HTTPS will be redirected to HTTPS (but otherwise using the same URL).
WebAuthSSLRedirect on

# If you are having trouble getting WebAuth to run, you should turn on debug
# and also change your Apache LogLevel setting to debug.
#
# WebAuthDebug on

# If you are really having trouble getting WebAuth to run, you should turn on
# debug, and also enable the /webauth-status URL, then point your browser at
# it to check on the status of mod_webauth. You should turn off the
# webauth-status URL when you are done.
#
#<Location /webauth-status>
#    SetHandler webauth
#    Order allow,deny
#    Allow from all
#</Location>

# Example of restricting a location to authenticated users only. If
# uncommented, all URLs under /private/ would require WebAuth authentication
# to access.
#
#<Location /private/ >
#    AuthType WebAuth
#    Require valid-user
#</Location>

# Example of a logout page for a particular application. (Note that even if
# the user goes to this page, they will still have their site-wide single
# sign-on cookie, so they will not be completely logged out. This will only
# destroy their credentials for that particular application.) There should
# also be a web page that this URL corresponds to; WebAuth will not generate
# one internally.
#
#<Location /logout/ >
#    AllowOverride All
#    WebAuthDoLogout on
#</Location>
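The comments above describe a minimal directive set plus a few settings that should be on (the HTTPS redirect) or off once troubleshooting ends (WebAuthDebug, the /webauth-status handler). The following Python script is an added example, not part of WebAuth or this configuration file: it parses an Apache-style fragment and reports deviations from those recommendations. The directive names are the ones used in the fragment above; the two embedded configurations (one matching the fragment, one deliberately weakened) are constructed inputs, and the check logic itself is mine rather than anything mod_webauth performs.

```python
# Constructed sample input: the server-level directives from the fragment
# above, embedded as a string so this runs without a real Apache install.
GOOD_CONFIG = """
LoadModule webauth_module /usr/local/libexec/apache2/modules/mod_webauth.so
WebAuthKeyring conf/webauth/keyring
WebAuthKeytab conf/webauth/keytab
WebAuthServiceTokenCache conf/webauth/service_token_cache
WebAuthLoginURL https://webkdc/login/
WebAuthWebKdcURL https://webkdc/webkdc-service/
WebAuthWebKdcPrincipal service/webkdc
WebAuthSSLRedirect on
# WebAuthDebug on
"""

# Constructed weak variant: plain-http login URL, no keytab, redirect off,
# and both troubleshooting aids left switched on.
WEAK_CONFIG = """
LoadModule webauth_module /usr/local/libexec/apache2/modules/mod_webauth.so
WebAuthKeyring conf/webauth/keyring
WebAuthServiceTokenCache conf/webauth/service_token_cache
WebAuthLoginURL http://webkdc/login/
WebAuthWebKdcURL https://webkdc/webkdc-service/
WebAuthWebKdcPrincipal service/webkdc
WebAuthSSLRedirect off
WebAuthDebug on
<Location /webauth-status>
    SetHandler webauth
    Order allow,deny
    Allow from all
</Location>
"""

# Directives the fragment above treats as required for a working server.
REQUIRED = (
    "LoadModule", "WebAuthKeyring", "WebAuthKeytab", "WebAuthServiceTokenCache",
    "WebAuthLoginURL", "WebAuthWebKdcURL", "WebAuthWebKdcPrincipal",
)


def parse_directives(text):
    """Map each directive name to the list of argument lists seen for it.

    Comment and blank lines are skipped, as are the <Location>/</Location>
    container lines themselves; directives inside a container are collected
    like any other, so the checker can see e.g. "SetHandler webauth".
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def check_webauth_config(text):
    """Return a list of problem strings; an empty list means the fragment has
    the minimal directive set and the settings the comments above recommend."""
    d = parse_directives(text)
    problems = []
    for name in REQUIRED:
        if name not in d:
            problems.append(f"missing {name}")
    # Both WebKDC URLs carry credentials or tokens and must be HTTPS.
    for name in ("WebAuthLoginURL", "WebAuthWebKdcURL"):
        for args in d.get(name, []):
            url = args[0] if args else ""
            if not url.lower().startswith("https://"):
                problems.append(f"{name} is not https: {url!r}")
    redirect = d.get("WebAuthSSLRedirect", [[]])[0]
    if not redirect or redirect[0].lower() != "on":
        problems.append("WebAuthSSLRedirect is not on; HTTP requests would not be redirected to HTTPS")
    # Troubleshooting aids the fragment says to turn off when done.
    debug = d.get("WebAuthDebug", [[]])[0]
    if debug and debug[0].lower() == "on":
        problems.append("WebAuthDebug on: turn off once troubleshooting is done")
    if any(args[:1] == ["webauth"] for args in d.get("SetHandler", [])):
        problems.append("/webauth-status handler enabled: turn off once troubleshooting is done")
    return problems


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, check_webauth_config(cfg) or ["ok"])
```

Run against a real file with `check_webauth_config(open(path).read())`; paths in the directives are relative to ServerRoot, so a file-permission check for the keyring and service token cache would need that root resolved first and is left out here.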