#########################################################################################################
# Macro definitions
#
# These macros extract the common boiler-plate to set up ldap restrictions/permissions on a folder
# This requires mod_macro, which is built-in in apache 2.4 series (and can be manually compiled for 2.2)
#
# Deduplicating the boilerplate reduces the size of the config file, and makes mistakes (such as mismatched project<->AD-group)
# more obvious due to less clutter.
#########################################################################################################
# Project-protection, verbose parameters.
# This version shows using a fully qualified LDAP distinguished name (DN) as a parameter
# LdapProtectFullDN: restrict /YOUR-WEBROOT/$path to members of a single AD group, given as a full DN.
#   $path         folder relative to YOUR-WEBROOT, no leading slash (see the "Use" lines further down)
#   $ldap_fulldn  the group's DN *without* the leading "CN=" -- the macro adds it -- e.g.
#                 GROUP,OU=DEPT,OU=INSTITUTE,OU=USERS,dc=ad,dc=example,dc=com
# Both parameters are expanded verbatim when the config is loaded; they are never request-controlled input.
<Macro LdapProtectFullDN $path $ldap_fulldn >
<Directory "/YOUR-WEBROOT/$path">
# deny by default
# Order/Deny/Satisfy are 2.2-style host access directives; on 2.4 they come from mod_access_compat
# (confirm it is loaded, and that the 2.4 Require-merging rules give the intended result on your build).
Order deny,allow
Deny from all
# check if supplied credentials match an LDAP group
# "memberof:1.2.840.113556.1.4.1941:" is an AD-specific LDAP-filter command to _recursively_ resolve (nested) group membership
# ActiveDirectory can resolve this on the AD-server side.
# see https://serverfault.com/questions/269344/how-to-authenticate-users-in-nested-groups-in-apache-ldap
require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=$ldap_fulldn
# "Satisfy any" lets an LDAP-authenticated group member through even though host access is denied above.
# A mistyped or non-existent group DN fails closed (the request is denied); it never widens access.
Satisfy any
</Directory>
</Macro>
# Project-protection, shortened common LDAP-fragments.
# If most of your used access groups are in the same part of the LDAP hierarchy,
# you can extract the repeated parts into the macro, for shorter invocations below.
# LdapProtectCommonDN: same as LdapProtectFullDN, but only the group's CN is passed in;
# the rest of the DN (OU=COMMON-DEPARTMENT,...) is hard-coded below.
#   $path        folder relative to YOUR-WEBROOT, no leading slash
#   $ldap_group  the group's CN value only, e.g. LDAP-GROUP-B
# Edit the hard-coded suffix to match your directory before use: a group that lives in another OU
# simply never matches the filter, so its members are denied (fail closed) rather than granted.
<Macro LdapProtectCommonDN $path $ldap_group >
<Directory "/YOUR-WEBROOT/$path">
# deny by default
Order deny,allow
Deny from all
# in this version of the macro, most of the DN (",OU=COMMON-DEPARTMENT,...") is pre-filled, because it is always the same
# this means invocations of the macro need to repeat less
require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=$ldap_group,OU=COMMON-DEPARTMENT,OU=COMMON-INSTITUTE,OU=USERS,dc=ad,dc=example,dc=com
Satisfy any
</Directory>
</Macro>
# Macro for project groups
# This opens a folder at cascade level 2, while re-blocking all its contents at level 3.
# Effectively, it is a recursive case of the level-0/level-1 situation, without the webroot-specific parts.
# OpenFolderButBlockChildren: make /YOUR-WEBROOT/$path itself browseable while denying everything below it,
# so each child project has to be re-opened explicitly (with one of the Ldap* macros above).
#   $path  group folder relative to YOUR-WEBROOT, no leading slash
# Because the listing of $path stays public, the *names* of the child folders are visible to everyone
# even though their contents are not -- avoid sensitive project names.
<Macro OpenFolderButBlockChildren $path >
# "top" level is open
<Directory "/YOUR-WEBROOT/$path">
Allow from all
</Directory>
# sublevels restricted by default, selectively re-opened below the marker
# (the same cascade rule as for the webroot applies: the Use-lines that re-open children of $path
#  must come after the Use-line of this macro)
<Directory "/YOUR-WEBROOT/$path/*">
Deny From all
ErrorDocument 403 "Access Forbidden: permissions for this folder were probably not yet configured by the server admin (but it could be other things too, how are your file permissions?)."
</Directory>
</Macro>
# End Macro definitions
#########################################################################################################
#########################################################################################################
# Access Cascade level 0
#
# General settings common to all IGV-linker pages (in this case: all in the webroot directory)
# - Allow apache to autogenerate a listing of everything
# - Common settings for LDAP connection
# - basic block/allow rules for the top-level
#
# This entire example assumes the following folder hierarchy:
# YOUR-WEBROOT/
# ├ header.html # doesn't need to be user-accessible, apache will read and parse it automatically.
# ├ favicon.ico # tiny logo for tabs/bookmarks, must be user-accessible.
# ├ project-folder-A/
# │ ├ links/ # created by crawler
# │ └ index.html # created by crawler
# ├ project-folder-B/
# │ ├ links/
# │ └ index.html
# ├ project-folder-C/
# │ ├ links/
# │ └ index.html
# ├ PROJECT-GROUP/
# │ └ <empty>
# └ MACROED-PROJECT-GROUP/
# └ project-folder-D/
# ├ links/
# └ index.html
# Webroot: listing options, index rendering, and the shared LDAP connection settings that every
# subdirectory inherits. Nothing in here requires authentication by itself.
<Directory "/YOUR-WEBROOT">
# Common options for entire folder hierarchy
# Indexes: Allow Apache to generate listing pages of all folder contents
# (unless there is an explicit "index.html" in the folder, as generated by the crawler)
# FollowSymLinks: needed because the crawler relies heavily on symlinks for data compartmentalisation.
# NOTE(review): FollowSymLinks follows a link to *any* target the httpd user can read, including targets
# outside YOUR-WEBROOT. The <Directory> sections in this file appear to be matched on the link's path under
# YOUR-WEBROOT rather than on its target (confirm on your build), so the cascade still applies, but whatever
# the crawler links to becomes reachable under those rules. SymLinksIfOwnerMatch (only follow links whose
# target is owned by the link's owner) is the stricter alternative if the crawler account owns the data.
Options Indexes FollowSymLinks
# hide some columns in the overview with little value to biologists.
IndexOptions +SuppressDescription +SuppressSize +FoldersFirst
# Header options: make the generated overview look slightly less intimidating
#
# header.html contains a partial HTML page, that will be rendered above the auto-generated index list
HeaderName header.html
# Activate this if your header.html also contains the DocType and HTML <head> section
# (The provided example header does include these.)
IndexOptions +SuppressHTMLPreamble
# webroot is publicly listable
# (so the *names* of all project folders are public, even though their contents are not)
Order allow,deny
Allow from all
# shared config for AD, so we don't have to repeat it for each subdir.
# it will be inherited by every directory under the webroot.
AuthName "shown to user in passwd dialog"
# Basic auth sends the user's password on every request; serve these folders over HTTPS only.
AuthType Basic
AuthBasicProvider ldap
# NOTE(review): a plain ldap:// URL means the bind password below and every user's credentials travel
# to the AD server unencrypted. Prefer ldaps:// (AD's global-catalog SSL port is typically 3269) or the
# trailing TLS/STARTTLS option of AuthLDAPURL, with the AD certificate chain configured for mod_ldap.
AuthLDAPURL ldap://ad.example.com:3268/dc=ad,dc=example,dc=com?sAMAccountName?sub
# use a dedicated, read-only bind account with no other privileges
AuthLDAPBindDN cn=ldap,cn=Users,dc=ad,dc=example,dc=com
# The bind password is stored in clear text here: keep this file unreadable to anyone but the admin
# account, and on httpd 2.4.5+ consider "AuthLDAPBindPassword exec:/path/to/helper" so the secret is
# fetched from a program at startup instead of living in the config.
AuthLDAPBindPassword very-secret-ldap-server-password
# 2.2-era directive: the 2.4 authorization framework dropped the Authz*Authoritative directives,
# so check whether your httpd version still accepts this line (confirm against your build).
AuthzLDAPAuthoritative on
# note-to-self: you can't mix require-statements here and in subfolders.
</Directory>
#########################################################################################################
# Access Cascade level 1: Safety-by-Default, block any and all subfolders/subfiles
#
# Most project folders have tight access restrictions, but the inherited setting
# from the parent dir is "everything wide open".
# This section restricts ALL access of ALL subfolders, which can then
# _selectively_ be overridden with project-specific permissions.
# This ensures that newly created folders have a safe default, rather than
# accidentally leaking (human?) genome data.
#
# CAREFUL: This overriding cascade is very sensitive to the order of items in this file!
# Last matching item wins, so only declare specific folders BELOW this section.
# Catch-all for every entry directly under the webroot: denied until a more specific section
# further down re-opens it. This is the fail-closed default the rest of the file relies on.
<Directory "/YOUR-WEBROOT/*">
Deny From all
# also inform the user what went wrong, if they ever stumble on it
# explicitly mention the server admin, so the user knows they are not at fault.
# (the text contains no paths or group names, so it reveals nothing about the layout)
ErrorDocument 403 "Access Forbidden: permissions for this folder were probably not yet configured by the server admin (but it could be other things too, how are your file permissions?)."
</Directory>
############################################################
# Access Cascade level 2: re-allow certain top-level public folders:
############################################################
# favicon should be available to everyone who can see the index.
# NOTE(review): favicon.ico is a file, and <Directory> sections match directories; if this exception
# does not take effect on your build, a <Files "favicon.ico"> section inside the webroot <Directory>
# is the usual way to grant access to a single file.
<Directory "/YOUR-WEBROOT/favicon.ico">
Allow from all
</Directory>
# Public data is public
# Everything placed in here is world-readable AND listable (Indexes is inherited from the webroot).
# "public" does not appear in the folder sketch above; only create it if you actually need it.
<Directory "/YOUR-WEBROOT/public">
Allow from all
</Directory>
# Nested subgroups, the long way:
# Group some protected pages into an (unprotected, browseable) subdir, while reprotecting the child-items
# This is basically a nested repeat of the webroot case.
# The group folder itself is public, so the listing shows the *names* of its child projects to
# everyone (Indexes is inherited); only their contents are protected by the Deny block below.
<Directory "/YOUR-WEBROOT/PROJECT-GROUP">
Allow from all
</Directory>
# subdirs sublevels restricted by default, selectively opened below the marker
# (this pair of sections is exactly what the OpenFolderButBlockChildren macro expands to)
<Directory "/YOUR-WEBROOT/PROJECT-GROUP/*">
Deny From all
ErrorDocument 403 "Access Forbidden: permissions for this folder were probably not yet configured by the server admin (but it could be other things too, how are your file permissions?)."
</Directory>
# Nested subgroups, the short macro way:
# Group some protected pages into an (unprotected) subdir, while reprotecting the child-items
# expands to the same Allow / Deny-children pair as the PROJECT-GROUP sections above, for MACROED-PROJECT-GROUP
Use OpenFolderButBlockChildren MACROED-PROJECT-GROUP
##############################################################
# Access Cascade level 3: individual projects:
# Project configurations go BELOW here
#
# CAREFUL: putting projects anywhere other than here breaks
# the subtle cascade of allow/disallows and thus risks
# accidentally leaking sensitive data.
##############################################################
# "Use" the macros we defined above
# - The first parameter is the filesystem folder to protect, relative to YOUR-WEBROOT/
# - The second parameter is the LDAP/AD group that should be granted access
# Note how full DNs are quite verbose...
# full-DN form: everything after the CN value, including the OUs, is spelled out in the invocation
Use LdapProtectFullDN project-folder-A LDAP-GROUP-A,OU=SOME-DEPARTMENT,OU=SOME-INSTITUTE,OU=USERS,dc=ad,dc=example,dc=com
# macro invocations for the groups in the common part of the hierarchy can be a lot shorter:
Use LdapProtectCommonDN project-folder-B LDAP-GROUP-B
Use LdapProtectCommonDN project-folder-C LDAP-GROUP-B
# Note the mismatch! ------------------^------------^
# (left in as an illustration of the copy-paste error the one-line form makes easy to spot:
#  as written, members of LDAP-GROUP-B can read project-folder-C. Fix the group before deploying.)
##############################################################
# Access Cascade level 4: subgrouped projects
#
# the '$path' variable must repeat the group-folder that the project is part of.
##############################################################
# $path repeats the group folder, so this section is more specific than the MACROED-PROJECT-GROUP/* Deny
# that the macro invocation above created, and re-opens just this one project for LDAP-GROUP-D
Use LdapProtectCommonDN MACROED-PROJECT-GROUP/project-folder-D LDAP-GROUP-D