1# Apache configuration example for WebAuth.  -*- apache -*-
2#
3# The following Apache configuration fragment is a sample minimal
4# configuration for a WebAuth server, similar to the one given in INSTALL but
5# with comments explaining each step of what's going on.
6#
7# Stanford users should use conf/stanford-webauth.conf instead.  Debian and
8# Ubuntu users should install the packages that come with the operating system
9# and follow /usr/share/doc/libapache2-webauth/README.Debian.gz.
10#
11# Copyright 2003, 2006, 2009, 2010
12#     The Board of Trustees of the Leland Stanford Junior University
13#
14# Copying and distribution of this file, with or without modification, are
15# permitted in any medium without royalty provided the copyright notice and
16# this notice are preserved.  This file is offered as-is, without any
17# warranty.
18
19# Each WebAuth server has to talk to a central authentication server called
20# the WebKDC, both to send users to the login server and to be able to
21# interpret the tokens that it returns.  Some of the directives below are
22# needed to facilitate that behind-the-scenes communication.
23
24# The WebAuth module is built as a dynamic module by default.  This loads it
25# into Apache.
26LoadModule webauth_module /usr/local/libexec/apache2/modules/mod_webauth.so
27
# Location of the server's private AES keys, used for communication with the
# WebKDC.  Generated and maintained automatically, so it must be writable by
# the Apache server process.  Because these are private keys, the file should
# also be readable by no one else: whoever can read it holds this server's
# keys for its exchanges with the WebKDC.  Own it by the user Apache runs as,
# give it a mode such as 0600, and keep it out of backups or configuration
# management that other people can read.
WebAuthKeyring conf/webauth/keyring
32
# Location of the server's Kerberos keytab.  You need to generate this file
# as part of the installation.  It holds this server's Kerberos credentials,
# so it must be readable by the Apache server process and by nobody else.
# Unlike the keyring and the service token cache below, nothing here requires
# it to be writable by Apache, so read-only for the Apache user is enough.
WebAuthKeytab conf/webauth/keytab
36
# Location of where the service tokens are kept.  These tokens are used to
# authenticate internal communication with the WebKDC.  This file has to be
# writable by the Apache server processes and, like the keyring, should not be
# readable by any other user, since the tokens are what identify this server
# to the WebKDC.
WebAuthServiceTokenCache conf/webauth/service_token_cache
41
# Where the user is redirected to enter a username and password.  This is part
# of the site configuration and will be provided by the person who sets up the
# WebKDC for your site.  Users type their password at this URL, so it must be
# an https:// URL on a host whose certificate browsers will verify; never point
# it at a plain http:// address.
WebAuthLoginURL https://webkdc/login/
46
# URL used for behind-the-scenes communication with the WebKDC.  As above,
# this is part of the site configuration, and as above it must stay https://,
# since this is the channel the service tokens above are used on.
WebAuthWebKdcURL https://webkdc/webkdc-service/
50
51# The service name to use when communicating with the WebKDC.  The below is
52# just our recommendation.  The principal name is part of the site
53# configuration.
54WebAuthWebKdcPrincipal service/webkdc
55
# This file is only needed if your WebKDC is using a self-signed certificate.
# For those who are, you should copy that certificate (the file mentioned in
# the WebKDC's Apache SSLCertificateFile directive) to a local file, and point
# to that file with this directive.  Obtain that copy over a trusted channel,
# or verify its fingerprint with the WebKDC administrator out of band: this
# file is what mod_webauth will trust as the WebKDC's identity, so a
# certificate fetched over an unauthenticated connection gives no protection
# against a man-in-the-middle.
60#
61# WebAuthWebKdcSSLCertFile conf/webauth/webkdc.cert
62
# Anyone who tries to access a WebAuth-protected page via HTTP rather than
# HTTPS will be redirected to HTTPS (but otherwise using the same URL).  Note
# that the redirect is issued only after the browser has already sent the
# plain-HTTP request, so anything in that request (the URL, query string, form
# data) has already crossed the wire unencrypted.  This is a convenience for
# users who type the wrong scheme, not a substitute for only serving the
# protected area over HTTPS.
WebAuthSSLRedirect on
66
67# If you are having trouble getting WebAuth to run, you should turn on debug
68# and also change your Apache LogLevel setting to debug.
69#
70# WebAuthDebug on
71
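# If you are really having trouble getting WebAuth to run, you should turn on
# debug, and also enable the /webauth-status URL, then point your browser at
# it to check on the status of mod_webauth.  That page exposes mod_webauth's
# internal status to whoever can reach it, so restrict it to the hosts you
# will actually debug from (the loopback address below, or your admin network)
# rather than "Allow from all", and turn the webauth-status URL off again when
# you are done.  The Order/Deny/Allow syntax below is Apache 2.2 style; on
# Apache 2.4 use "Require ip 127.0.0.1" instead (or load mod_access_compat).
#
#<Location /webauth-status>
#   SetHandler webauth
#   Order deny,allow
#   Deny from all
#   Allow from 127.0.0.1
#</Location>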
82
# Example of restricting a location to authenticated users only.  If
# uncommented, all URLs under /private/ would require WebAuth authentication
# to access.  Note that "valid-user" admits anyone who can authenticate to the
# WebKDC at all, not only the users of this particular application; if access
# should be narrower than that, an authorization rule is needed on top of the
# authentication requirement.
86#
87#<Location /private/ >
88#    AuthType WebAuth
89#    Require valid-user
90#</Location>
91
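# Example of a logout page for a particular application.  (Note that even if
# the user goes to this page, they will still have their site-wide single
# sign-on cookie, so they will not be completely logged out.  This will only
# destroy their credentials for that particular application.)  There should
# also be a web page that this URL corresponds to; WebAuth will not generate
# one internally.
#
# Do not add "AllowOverride All" here: AllowOverride only has meaning in
# <Directory> sections (Apache logs "Useless use of AllowOverride" when it
# appears inside <Location>, because .htaccess processing is driven by the
# directory walk, not by locations), and it has nothing to do with logging
# out.  If .htaccess files are wanted for the logout page, enable them in a
# <Directory> section for that page's directory instead.
#
#<Location /logout/>
#    WebAuthDoLogout on
#</Location>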
103