
The Apache HTTP server is the Apache Software Foundation's web server. See the project's website for more details.


Note

All of the instructions below assume that you have root access, and will work as the root user (either directly or using sudo).


System Preparation

Add the Moonshot libraries and configure the server

If you have not already done so, you first need to follow the instructions on how to install the Moonshot Libraries on RHEL/CentOS/SL.

Configure SELinux to allow httpd to create network connections

The default SELinux policy does not allow httpd to open network connections, so it cannot reach the RP proxy over RadSec and Moonshot authentication fails.

To persistently allow such connections, use the following command:

    setsebool -P httpd_can_network_connect 1

Installation Instructions

  1. To use the Apache module, install it:

    yum install mod_auth_gssapi


  2. Ensure that the certificates referenced in /etc/radsec.conf can be read by the Apache user.

    su - --shell=/bin/bash apache
    cat path_to_ca.pem
    cat path_to_client.pem
    cat path_to_client.key


  3. Verify that the KeepAlive option is enabled in the Apache configuration file /etc/httpd/conf/httpd.conf:

    KeepAlive On


  4. Restart Apache:

    service httpd restart


Configuration Instructions

Warning: Shibboleth2 Apache module incompatibility

Please read the section on module incompatibilities in Apache HTTPD before enabling this module alongside Shibboleth2.

Protecting a location with Moonshot

To protect a particular location on your Apache server, you must configure it with an AuthType of Negotiate (CentOS 6) or GSSAPI (CentOS 7).

Here is a sample configuration to get you started; it allows anyone with a valid Moonshot account to access /wherever:

CentOS 6

    <Location "/wherever">
        AuthType Negotiate
        AddHandler cgi-script .cgi
        Options +ExecCGI
        Require valid-user
        GssapiNameAttributes json
    </Location>


CentOS 7

    <Location "/wherever">
        AuthType GSSAPI
        AddHandler cgi-script .cgi
        Options +ExecCGI
        Require valid-user
        GssapiNameAttributes json
        GssapiConnectionBound On
        GssapiAcceptorName HTTP@hostname
    </Location>


Info: Configuration Directives

For more information on the configuration directives supported by the GSSAPI module, see its homepage at https://github.com/modauthgssapi/mod_auth_gssapi. Additionally, in an effort to provide cross-compatibility, the Negotiate module broadly supports the GssapiNameAttributes configuration directive.
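The configuration above enables CGI under the protected location and exports the Moonshot name attributes with `GssapiNameAttributes json`. Added example (not from this page or from mod_auth_gssapi): a small CGI script that consumes that export and makes its own authorization decision, failing closed when the export is missing or malformed. It assumes the module places the attributes in a `GSS_NAME_ATTRS_JSON` variable with a name/attributes/authenticated/values layout (verify against the README linked above for your version) and uses a constructed eduPersonEntitlement value.

```python
import json
import os

# Constructed sample of the CGI environment after a successful Moonshot login
# with "GssapiNameAttributes json". The JSON layout (name / attributes /
# authenticated / values) is assumed; check the mod_auth_gssapi README.
SAMPLE_ENV = {
    "REMOTE_USER": "alice@example.org",
    "GSS_NAME_ATTRS_JSON": json.dumps({
        "name": "alice@example.org",
        "attributes": {
            "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": {  # eduPersonEntitlement
                "authenticated": True,
                "values": ["urn:mace:example.org:wiki:editor"],
            },
        },
    }),
}

ENTITLEMENT_ATTR = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
REQUIRED_ENTITLEMENT = "urn:mace:example.org:wiki:editor"  # constructed value


def authenticated_values(environ, attr):
    """Values of one exported name attribute, or [] when the export is missing,
    malformed, or the module did not flag the attribute as authenticated."""
    try:
        entry = json.loads(environ.get("GSS_NAME_ATTRS_JSON", ""))["attributes"][attr]
    except (ValueError, KeyError, TypeError):
        return []  # fail closed rather than guess
    if not isinstance(entry, dict) or entry.get("authenticated") is not True:
        return []
    values = entry.get("values")
    return [v for v in values if isinstance(v, str)] if isinstance(values, list) else []


def authorize(environ):
    """Allow only if Apache set REMOTE_USER (Require valid-user) and the entitlement is present."""
    user = environ.get("REMOTE_USER")
    if not user:
        return (False, "no authenticated user")
    if REQUIRED_ENTITLEMENT not in authenticated_values(environ, ENTITLEMENT_ATTR):
        return (False, "%s lacks required entitlement" % user)
    return (True, user)


if __name__ == "__main__":
    ok, detail = authorize(os.environ)  # as a CGI script: the live request environment
    print("Content-Type: text/plain\n")
    print(("Welcome " if ok else "Forbidden: ") + detail)
```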