Apache-AppSamurai


examples/conf/appsamurai-owa.conf  view on Meta::CPAN

#    for testing.)
#
# For your AppSamurai server:
# 1) You must have an SSL certificate signed by a trusted CA.
# 2) You must have an EXTERNAL DNS entry pointing the FQDN of your OWA
#    server to the external IP (or NAT IP) your AppSamurai proxy will be
#    available from.
# 3) You must configure (at least one) SSL enabled VirtualHost section
# 4) You must enable Rewrite and pull in global Rewrite rules inside your
#    VirtualHost section (See last section of this file for sample)
#
# On your firewall: 
# 1) Open up access to port 443 on your AppSamurai proxy
# 2) Open access from your AppSamurai server's real IP to port 443 of your
#    OWA server
# 3) Open access from your AppSamurai server's real IP to any authentication
#    services it will be using.
#
# Reference:
# * http://3cx.org/item/38 - Very helpful HowTo on setting up Apache to proxy
#    OWA.  (This is only for reference: All the directives you need should
#    already be in this configuration example.)
# * I would point to a good doc on setting up OWA and ActiveSync, but I can't
#   recommend any.  Search technet.microsoft.com and Google as needed.

# This is an Apache1/mod_perl1 - Apache2/mod_perl2 dual configuration.
# Thanks to some silly nesting rules in Apache2, some <Directory> and
# <Proxy> sections are duplicated.  Pay close attention to <IfDefine>
# sections for your version of mod_perl (!MODPERL2 for mod_perl 1 and
# MODPERL2 for mod_perl 2)

# The following modules are required for this setup:
#LoadModule rewrite_module	/usr/lib/apache/modules/mod_rewrite.so
#LoadModule proxy_module	/usr/lib/apache/modules/libproxy.so
#LoadModule perl_module        /usr/lib/apache/modules/mod_perl.so

# Load the main AppSamurai module and the mod_perl registry,
# and also enable taint and warnings.
# Taint checking makes Perl treat data that arrives from outside the
# program as untrusted until it has been validated, so leave it (and
# warnings) enabled in both branches below.
PerlModule Apache::AppSamurai
<IfDefine !MODPERL2>
 # mod_perl 1: registry handler, with warnings and taint checking
 # switched on by their own directives
 PerlModule Apache::Registry
 PerlWarn On
 PerlTaintCheck On
</IfDefine>
<IfDefine MODPERL2>
 # mod_perl 2: registry handler; -w (warnings) and -T (taint) are
 # handed to the Perl interpreter as switches
 PerlModule ModPerl::Registry
 PerlSwitches -wT
</IfDefine>

#### AppSamurai Setup ####
# We will use the auth_name "Owa" for this sample.  If you prefer
# "TheMagnificentRonnieWilson" instead, just replace "Owa" with
# that in each PerlSetVar line.
#
# Set to 1 for debugging (only for troubleshooting or non-production testing,
# as this produces a TON of noise, and leaks some semi-sensitive info,
# into the Apache error logs)  (Default: 0)
# If it is ever switched on, switch it back off afterwards and treat the
# error logs written in the meantime as sensitive.
PerlSetVar OwaDebug 0

# Name of authentication cookie
PerlSetVar OwaCookieName ChocholateChipOfDoom

# Path to set on authentication cookie  (Default: /)
PerlSetVar OwaPath /

# Point to the form login page/script
PerlSetVar OwaLoginScript /AppSamurai/login.pl

# Must satisfy all authentication checks (Default: All)
PerlSetVar OwaSatisfy All

# Set the "secure" flag on the authentication cookie, so that browsers
# only send it over HTTPS (Note - If you are not using SSL, well,
# USE SSL!!!)
PerlSetVar OwaSecure 1

# Set the silly Microsoft http-only cookie flag.  It keeps page scripts
# from reading the authentication cookie, which limits cookie theft
# through cross-site scripting, so leave it enabled.
PerlSetVar OwaHttpOnly 1

# Custom mapping of xxxxxx;yyyyyy Basic authentication password input
# to specific and separate individual credentials.
# Example: If the user logs into the basic auth popup with the password:
#		myRockinPassword;1234123456
# The map below will set credential_1 as "1234123456" and credential_2
# as "myRockinPassword", then proceed as if the same were entered into
# a form login.  (Default: undef)
#PerlSetVar OwaBasicAuthMap "2,1=(.+);([^;]+)"

# List the authentication methods (modules) you will be using, in order of
# credential number on the login form.  (credential_1, credential_2, etc)
# Only AuthBasic is enabled in this sample.  The AuthRadius options set
# further down presumably take effect only once AuthRadius is added to
# this list -- confirm against the module documentation.
PerlSetVar OwaAuthMethods "AuthBasic"

# AuthUnique forces each login to use at least one unique credential.
# You should enable this if an OTP or token (SecurID, etc.) is part of
# the authentication mix.
# (Note - Uses the Tracker system) (Default: 0)
#PerlSetVar OwaAuthUnique 1

## AppSamurai::AuthBasic options
#
# The URL to send basic authentication checks to.
# Keep this an https:// URL: the user's Basic credentials are sent to it
# for checking.
PerlSetVar OwaAuthBasicLoginUrl "https://__OWA_SERVER_FQDN__/exchange/"

# Use the special "HEADER:<field>" to pass the named header field from
# the client to the backend authenticator directly.  (Default: undef)
# NOTE(review): the description above spells the prefix "HEADER:" while
# the value below uses "header:" -- confirm the prefix is matched
# case-insensitively.
PerlSetVar OwaAuthBasicUserAgent "header:User-Agent"

# Abort the check unless the "realm" returned by the server matches
# this string.  (Note - most OWA servers use the Active Directory
# domain as the realm.  Try a direct login to the backend server to check.)
# (Default: undef)
PerlSetVar OwaAuthBasicRequireRealm "__OWA_SERVER_LOGIN_REALM__"

# Continue to send the same Authorization: header to the backend server
# after login.  (Only use this when the AuthBasic check is run against
# the backend server you are protecting)  (Default: 1)
# A Basic Authorization: header carries the password in recoverable
# (base64) form, so the proxy-to-backend connection should be HTTPS
# whenever this is on.
PerlSetVar OwaAuthBasicKeepAuth 1

# Collect cookies from AuthBasic check and send back to the user's browser
# on login  (Default: 1)
PerlSetVar OwaAuthBasicPassBackCookies 1

## AppSamurai::AuthRadius options
#
# NOTE(review): OwaAuthMethods in this sample lists only "AuthBasic", so
# these two settings presumably stay unused until AuthRadius is added
# there -- confirm, and comment them out if RADIUS is not in use.
#
# Set the IP and port to send Radius requests to
PerlSetVar OwaAuthRadiusConnect "__RADIUS_SERVER_IP__:__RADIUS_PORT__"

# Set the RADIUS key to use.
# This shared secret is stored here in clear text: replace the
# placeholder with the real value only on the deployed host, and restrict
# read access to this configuration file to the accounts that need it.
PerlSetVar OwaAuthRadiusSecret "__RADIUS_PASSWORD__"


## Session storage options
#
# Inactivity timeout (in seconds) for normal (form based) OWA sessions
# (Default: 3600)
PerlSetVar OwaSessionTimeout 3600

# This is the AppSamurai instance's password.  Set it to something long.
# All AppSamurai servers in a cluster (sharing the same auth name), and
# using a common storage area (central session database server), must
# use the same ServerPass.
# (Note - ServerKey is only used with HMAC session generators and
#  encrypting session serializers: Both are on by default)
# The value sits in this file in clear text.  Replace the placeholder
# with a value used nowhere else, and restrict read access to this
# configuration file to the accounts that need it.
PerlSetVar OwaSessionServerPass "__APPSAMURAI_SERVER_PASSWORD__"

# If using the default File session store, you must point to a filesystem
# directory to store sessions in.  (Should be readable/writable only to
# the user httpd is running under)
PerlSetVar OwaSessionDirectory "__SESSION_PATH__/sessions"
# Ditto for the file lock type (same ownership and permission advice
# applies to the lock directory)
PerlSetVar OwaSessionLockDirectory "__SESSION_PATH__/slock"

## Tracker System
#
# Cleanup items older than this many seconds (Default: undef)
# 86400 seconds is 24 hours.
PerlSetVar OwaTrackerCleanup 86400

## Misc Features
#
# IPFailures takes an argument in the format "X:Y", where X is the number of
# failures and Y is the window (in seconds) between the failures.
# Note - If TrackerCleanup is LESS than the failure window, you may miss
# slow attacks.  (Default: undef)
# The sample value means 20 failures within a 60 second window; that
# window is well below the 86400 second TrackerCleanup age set above.
# If you widen the window, keep TrackerCleanup at or above it.
PerlSetVar OwaIPFailures "20:60"

## Directory and Location Configuration
#

# AppSamurai login/logout pages
<Directory "__DOCUMENT_ROOT__/AppSamurai">
 AllowOverride None
 deny from all

 <FilesMatch "\.pl$">
  # The login and logout pages are Perl scripts, so we enable normal
  # mod_perl CGI handling for them
  SetHandler perl-script
  Options +ExecCGI
  AuthType Apache::AppSamurai

  <IfDefine !MODPERL2>


