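# Access-control virtual host.
#
# Each protected section answers with a bare status 200
# (RewriteRule ... [R=200]) once its Require rules pass. This vhost therefore
# looks like an auth-decision endpoint for a fronting proxy rather than a
# content server -- NOTE(review): confirm against the proxy configuration.
#
# Trust boundary: the Oa-User-Category and X-Forwarded-Uri request headers
# drive the authorization decisions below, and nothing in this file strips or
# validates them. They are only trustworthy if the fronting proxy always
# overwrites them and clients cannot reach this port directly.
<VirtualHost *:80>
    # NOTE(review): the httpd docs list LoadModule under the server-config
    # context; it is kept inside the vhost exactly as the original had it.
    LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so

    # Presumably lets "Require valid-user" in the Basic-auth branch of /secure
    # keep its stock Apache meaning while mod_shib is loaded -- confirm
    # against the mod_shib documentation.
    ShibCompatValidUser On
    UseCanonicalName On

    DocumentRoot "/var/www/html"

    # ${...} references are expanded from the process environment when the
    # configuration is parsed; PassEnv additionally exposes the variables to
    # the request environment.
    PassEnv APACHE_SERVERNAME
    ServerName "${APACHE_SERVERNAME}"
    PassEnv PROXY_USER_CATEGORY_ALLOW_RENDERER
    PassEnv PROXY_USER_CATEGORY_ALLOW_CACHE

    # Shibboleth SP handler endpoints (login, assertion consumer, ...).
    <Location "/Shibboleth.sso">
        SetHandler shib
    </Location>

    # Internally redirected to here in case of Panda proxy access to renderer.
    #
    # The allow-list value is interpolated into an unanchored regex. An empty
    # value would produce a pattern that matches every header value and send
    # every request to the granted branch, so deployments should always set a
    # non-empty, anchored pattern.
    # The decision rests solely on a request header (see trust-boundary note
    # at the top of the file).
    <Location /proxy-renderer>
        <If "%{HTTP:Oa-User-Category} !~ /${PROXY_USER_CATEGORY_ALLOW_RENDERER}/">
            Require all denied
        </If>
        <Else>
            Require all granted
            RewriteEngine On
            RewriteRule ^.*$ - [R=200]
        </Else>
    </Location>

    # Internally redirected to here in case of Panda proxy access to cache.
    # Same header-based check as /proxy-renderer, with its own allow-list
    # variable; the same empty-value and header-trust caveats apply.
    <Location /proxy-cache>
        <If "%{HTTP:Oa-User-Category} !~ /${PROXY_USER_CATEGORY_ALLOW_CACHE}/">
            Require all denied
        </If>
        <Else>
            Require all granted
            RewriteEngine On
            RewriteRule ^.*$ - [R=200]
        </Else>
    </Location>

    # Internally redirected to here. Rewrite for proper relaystate in shib.
    <Location /secure>
        # Requests carrying an Authorization header are checked against the
        # Basic-auth user file and answered with 200 on success.
        # This vhost listens on plain port 80: Basic credentials are only
        # protected if TLS is terminated in front of it -- confirm.
        <If "-n req('Authorization')">
            Require valid-user
            AuthType Basic
            AuthBasicProvider file
            AuthName "/secure"
            AuthUserFile /run/secrets/BASIC_AUTH_USERS_AUTH
            RewriteEngine On
            RewriteRule ^.*$ - [R=200]
        </If>
        # Without an Authorization header the request is re-mapped to the path
        # given in X-Forwarded-Uri, so that the LocationMatch sections below
        # apply to the originally requested URI. The target comes straight
        # from a request header (see trust-boundary note at the top).
        <Else>
            RewriteEngine On
            RewriteCond %{HTTP:X-Forwarded-Uri} ^(.*)$ [NC]
            RewriteRule ^.*$ %1 [PT]
        </Else>
    </Location>

    # Match renderer services: a Shibboleth session is required and the
    # access-control policy in pass-ac.xml decides.
    <LocationMatch "^/(admin|ows|opensearch)">
        RewriteEngine On
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-plugin /etc/shibboleth/pass-ac.xml
        RewriteRule ^.*$ - [R=200]
    </LocationMatch>

    # Match everything not above, like /cache or the client.
    #
    # The exclusion list mirrors the sections above exactly:
    #  - the <Location>-backed paths are excluded only at a path-segment
    #    boundary (end of path or "/"), with the dot in "Shibboleth.sso"
    #    escaped, so look-alike paths such as /securefoo or /proxy-cachefoo
    #    land in this catch-all instead of matching no access-control
    #    section at all;
    #  - the renderer prefixes stay plain prefixes, because the LocationMatch
    #    above also matches them as prefixes.
    <LocationMatch "^(?!/(?:Shibboleth\.sso|secure|proxy-renderer|proxy-cache)(?:/|$)|/(?:admin|ows|opensearch))">
        RewriteEngine On
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-plugin /etc/shibboleth/pass-ac-cache.xml
        RewriteRule ^.*$ - [R=200]
    </LocationMatch>
</VirtualHost>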