
/usr/share/oar/oar-api/apache2.conf is in oar-restful-api 2.5.6-2ubuntu1.

This file is owned by root:root, with mode 0o644.


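# Apache2 configuration for the OAR API
#
# WARNING: the OAR API requires Apache fastcgi and a way for the httpd user to
# become oar. This can be achieved using Apache suexec. But since the suexec
# mechanism is global to a virtual host, enabling it for the OAR API might
# break other CGI programs (e.g. monika). As a result, a solution is to set up
# several virtual hosts. The configuration proposed below sets a port-based
# virtual host listening on 6668.
# Furthermore the suexec user cannot have a system UID, which is the case of
# the oar user by default. One may need to change that uid (e.g. on Centos).

# Virtual host to isolate the oar-restful-api (suexec) setup
Listen 6668
<VirtualHost *:6668>

# Aliases to the API. Both public and authenticated URIs map to the same CGI;
# the <Location> sections below decide how identity is established for each.
ScriptAlias /oarapi /usr/lib/cgi-bin/oarapi/oarapi.cgi
ScriptAlias /oarapi-public /usr/lib/cgi-bin/oarapi/oarapi.cgi
#ScriptAlias /oarapi-debug /usr/lib/cgi-bin/oarapi-debug.cgi
#ScriptAlias /oarapi-cigri /usr/lib/cgi-bin/oarapi.cgi

# FastCGI server: 3 persistent oarapi.cgi processes running as oar:oar
<IfModule mod_fastcgi.c>
  FastCgiServer /usr/lib/cgi-bin/oarapi/oarapi.cgi -processes 3 -user oar -group oar
</IfModule>

# Suexec configuration
<IfModule mod_suexec.c>
  SuexecUserGroup oar oar
</IfModule>

# Default options for the oar api
<Directory /usr/lib/cgi-bin/oarapi>
  Options +ExecCGI -MultiViews +FollowSymLinks

  # Location of the OAR configuration read by the CGI
  SetEnv OARCONFFILE /etc/oar/oar.conf

  # FastCGI handler
  # NOTE(review): "fcgid-script" is the handler name registered by mod_fcgid,
  # whereas this block is guarded by mod_fastcgi.c (whose handler name is
  # "fastcgi-script"). Confirm against the FastCGI module actually installed.
  <IfModule mod_fastcgi.c>
     AddHandler fcgid-script .cgi
  </IfModule>

  # Host-based access control: by default only the local machine may reach
  # the CGI. The <Location> sections below widen this per URI.
  <IfVersion >= 2.3>
    Require local
  </IfVersion>
  <IfVersion < 2.3>
    Order Deny,Allow
    Deny from all
    Allow from localhost
    Allow from localhost.localdomain
  </IfVersion>
</Directory>

# Set the X_API_PATH_PREFIX variable to the value of the header of the same name
<IfModule rewrite_module>
   RewriteEngine On
   RewriteCond %{HTTP:X_API_PATH_PREFIX}  (.*)
   RewriteRule .* - [E=X_API_PATH_PREFIX:%1]
</IfModule>

# By URI options
# This is where you should pay attention to security!
# The OAR API trusts the X_REMOTE_IDENT header variable to be the login name
# of the user that makes the query if there is no other authentication mechanism
# (ie basic auth).
# Such a header variable is set by the http client. So, you should at least
# unset this variable (to disable auth) or erase it with something generated or
# filtered by the current apache configuration.
# Note that you can disable the X_REMOTE_IDENT trusting by setting API_TRUST_IDENT
# to 0 into the oar.conf file.
#
# NOTE(review): the CGI environment variable the API reads (HTTP_X_REMOTE_IDENT)
# is derived from the header name with '-' mapped to '_', so a client-sent
# "X-REMOTE-IDENT" header lands in the same variable as "X_REMOTE_IDENT".
# Every "RequestHeader unset" below therefore removes both spellings.
# Recent httpd releases may instead refuse to export header names containing
# '_' to CGI at all; verify the behaviour of the httpd version in use.

# In this first example, we set up a public API that will never satisfy requests
# that need authentication (for example /jobs/100 will do a 401)
<Location /oarapi-public>
  # IMPORTANT: if you do not have the headers_module, you are vulnerable to
  # identity stealing as the X_REMOTE_IDENT may be set by the client!
  # If you are in this case, please, set API_TRUST_IDENT=0 into oar.conf
  <IfModule headers_module>
    RequestHeader unset X_REMOTE_IDENT
    RequestHeader unset X-REMOTE-IDENT
  </IfModule>
</Location>

# In this second example, we set up a "pident" authentication if possible and
# an ldap basic auth for the hosts that are not in the "Allow from" directives above.
# If the ident module is not setup, we unset the X_REMOTE_IDENT variable to
# protect from malicious users that could inject a login name.
<Location /oarapi>

  # THIS IS IMPORTANT!!
  # You need at least the headers_module or a properly set up ident.
  # In other words, if you have neither the ident_module nor the headers_module,
  # you are vulnerable to identity stealing!
  # If you are in this case, please, set API_TRUST_IDENT=0 into oar.conf.
  <IfModule !ident_module>
    <IfModule headers_module>
      RequestHeader unset X_REMOTE_IDENT
      RequestHeader unset X-REMOTE-IDENT
    </IfModule>
  </IfModule>

  # Pidentd (or authd) is a daemon that should run on the client host to tell
  # the server who is making the query. So, be aware that with this kind of
  # authentication, you have to trust the client host!
  # In other words, if you accept connections from a user's laptop for example,
  # you are vulnerable as long as the user can create a login name of their
  # choice on that laptop! So, be sure of your "Allow from" directives above!
  <IfModule ident_module>
     IdentityCheck On
     <IfModule headers_module>
        # Replace the X_REMOTE_IDENT http header and variable with the
        # REMOTE_IDENT env value. "set" (not "add") is used so that a header
        # supplied by the client is overwritten rather than kept alongside the
        # ident result; the hyphenated spelling is dropped for the same reason.
        <IfModule rewrite_module>
           RewriteEngine On
           RewriteCond %{REMOTE_IDENT} (.*)
           RewriteRule .* - [E=X_REMOTE_IDENT:%1]
           RequestHeader unset X-REMOTE-IDENT
           RequestHeader set X_REMOTE_IDENT %{X_REMOTE_IDENT}e
        </IfModule>
     </IfModule>
  </IfModule>

  # Ldap auth for external users (not in the "Allow from" list)
  # In this example, we suppose that the users have an ldap account
  # common to the authentication used by the oar server.
  # NOTE(review): AuthzLDAPAuthoritative and Satisfy are httpd 2.2-era
  # directives, and under 2.4 a "Require" placed in this <Location> is merged
  # differently with the "Require local" of the <Directory> above. Check that
  # the intended policy (local clients without credentials, everyone else with
  # LDAP credentials) still holds on the httpd version in use.
  <IfModule authnz_ldap_module>
    AuthType basic
    AuthBasicProvider ldap
    AuthName "Authorized Users Only"
    AuthzLDAPAuthoritative off
    # Placeholder host and base DN: replace with your directory. Keep ldaps://
    # so that basic-auth credentials forwarded to the directory are encrypted.
    AuthLDAPURL "ldaps://myldaphost.mydomain/dc=mydomain,dc=fr?uid?sub?(objectClass=posixAccount)"
    Require valid-user
    Satisfy any
  </IfModule>
</Location>

# In this last example, we set up a trusted connection with a client that
# has a specific SSL certificate. This client may do queries for whatever login
# name that it sends through the X_REMOTE_IDENT header variable.
# This is commonly the case for a grid middleware that has already authenticated
# users and that may be trusted by OAR.
#<Location /oarapi-cigri>
#  <IfModule ssl_module>
#    # Require SSL on this location
#    SSLRequireSSL
#    # Check the validity of the client SSL certificate
#    SSLVerifyClient require
#    SSLVerifyDepth  1
#    # In this example, we check that the client is the cigri middleware of the
#    # Ciment project: the organisational unit presented by the certificate
#    # should be "CIMENT" and the CN should be "CIGRI"
#    SSLRequire ( %{SSL_CLIENT_S_DN_OU} eq "CIMENT" \
#                 and %{SSL_CLIENT_S_DN_CN} eq "CIGRI" )
#    # We can also do some filtering on the X_REMOTE_IDENT header
#    ## This example only allows users kameleon and oar to be authenticated to the API
#    # RewriteEngine On
#    # RewriteCond %{HTTP:X_REMOTE_IDENT}  (.*)
#    # RewriteRule .* - [E=X_REMOTE_IDENT:%1]
#    # RewriteCond %{HTTP:X_REMOTE_IDENT}  !=kameleon
#    # RewriteCond %{HTTP:X_REMOTE_IDENT}  !=oar
#    # RewriteRule .* - [E=X_REMOTE_IDENT:]
#    # RequestHeader set X_REMOTE_IDENT %{X_REMOTE_IDENT}e
#  </IfModule>
#</Location>

</VirtualHost>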