openstack-ansible-os_keystone/templates/keystone-httpd.conf.j2

# {{ ansible_managed }}

Listen {{ keystone_service_port }}
<VirtualHost *:{{ keystone_service_port }}>

    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>

    LogLevel  {{  keystone_apache_log_level }}
    # NOTE(Cloudnull): Log files can changed to use "mod_journal" when Apache 2.5 is released
    ErrorLog  {{ keystone_apache_default_log_folder }}/keystone-apache-error.log
    CustomLog {{ keystone_apache_default_log_folder }}/ssl_access.log {{ keystone_apache_custom_log_format }}
    Options +FollowSymLinks

    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set Content-Security-Policy "default-src 'self' https: wss:;"
    Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"

    {% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
    SSLEngine on
    SSLCertificateFile    {{ keystone_ssl_cert }}
    SSLCertificateKeyFile {{ keystone_ssl_key }}
    {% if keystone_user_ssl_ca_cert is defined -%}
    SSLCACertificateFile  {{ keystone_ssl_ca_cert }}
    {% endif -%}
    SSLCompression Off
    SSLProtocol {{ keystone_ssl_protocol }}
    SSLHonorCipherOrder On
    SSLCipherSuite {{ keystone_ssl_cipher_suite }}
    SSLOptions +StdEnvVars +ExportCertData
    {% endif %}

    {% if keystone_sp != {} -%}
    ShibURLScheme {{ keystone_service_publicuri_proto }}

    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    <Location /v3/auth/OS-FEDERATION/websso/saml2>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting exportAssertion 1
        ShibRequireSession On
        ShibExportAssertion On
        Require valid-user
    </Location>

    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
        ShibRequestSetting requireSession 1
        AuthType shibboleth
        ShibExportAssertion Off
        Require valid-user
    </LocationMatch>

    WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1
    {% endif %}

    <Directory /var/www/cgi-bin/keystone>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/

</VirtualHost>

Listen {{ keystone_admin_port }}
<VirtualHost *:{{ keystone_admin_port }}>

    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>

    LogLevel  {{  keystone_apache_log_level }}
    # NOTE(Cloudnull): Log files can changed to use "mod_journal" when Apache 2.5 is released
    ErrorLog  {{ keystone_apache_default_log_folder }}/keystone-apache-error.log
    CustomLog {{ keystone_apache_default_log_folder }}/ssl_access.log {{ keystone_apache_custom_log_format }}
    Options +FollowSymLinks


    {% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" -%}
    SSLEngine on
    SSLCertificateFile    {{ keystone_ssl_cert }}
    SSLCertificateKeyFile {{ keystone_ssl_key }}
    {% if keystone_user_ssl_ca_cert is defined -%}
    SSLCACertificateFile  {{ keystone_ssl_ca_cert }}
    {% endif -%}
    SSLCompression Off
    SSLProtocol {{ keystone_ssl_protocol }}
    SSLHonorCipherOrder On
    SSLCipherSuite {{ keystone_ssl_cipher_suite }}
    SSLOptions +StdEnvVars +ExportCertData
    {% endif %}

    <Directory /var/www/cgi-bin/keystone>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-admin']["socket"] }}/

</VirtualHost>

ProxyPass /identity uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/
ProxyPass /identity_admin uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-admin']['socket'] }}/