# Set the HttpOnly flag on the session cookie. (Originally a Microsoft
# extension, now standard in RFC 6265.) It keeps the cookie out of reach
# of client-side script, so leave it enabled.
PerlSetVar OwaHttpOnly 1
# Custom mapping of xxxxxx;yyyyyy Basic authentication password input
# to specific and separate individual credentials.
# Example: If the user logs into the basic auth popup with the password:
# myRockinPassword;1234123456
# The map below will set credential_1 as "1234123456" and credential_2
# as "myRockinPassword", then proceed as if the same were entered into
# a form login. (Default: undef)
# (With the pattern shown, a password that itself contains ";" is split
# at the LAST ";" because the first group is greedy.)
#PerlSetVar OwaBasicAuthMap "2,1=(.+);([^;]+)"
# List the authentication methods (modules) you will be using, in order of
# credential number on the login form. (credential_1, credential_2, etc)
# Only AuthBasic is enabled here, so the AuthRadius settings further down
# are inert until "AuthRadius" is added to this list.
PerlSetVar OwaAuthMethods "AuthBasic"
# AuthUnique forces each login to use at least one unique credential.
# You should enable this if an OTP or token (SecurID, etc.) is part of
# the authentication mix.
# (Note - Uses the Tracker system) (Default: 0)
#PerlSetVar OwaAuthUnique 1
## AppSamurai::AuthBasic options
#
# The URL to send basic authentication checks to. The user's password is
# sent to this URL, so it must stay https:// -- and confirm that the HTTP
# client AuthBasic uses verifies the backend certificate (TODO: check the
# AuthBasic module; a MITM between proxy and backend would otherwise
# capture credentials).
PerlSetVar OwaAuthBasicLoginUrl "https://__OWA_SERVER_FQDN__/exchange/"
# Use the special "HEADER:<field>" to pass the named header field from
# the client to the backend authenticator directly. (Default: undef)
# (Here the client's own User-Agent is forwarded on the auth check.)
PerlSetVar OwaAuthBasicUserAgent "header:User-Agent"
# Abort the check unless the "realm" returned by the server matches
# this string. (Note - most OWA servers use the Active Directory
# domain as the realm. Try a direct login to the backend server to check.)
# (Default: undef)
# Keep this set: it is a sanity check that credentials are only ever
# presented to the expected backend.
PerlSetVar OwaAuthBasicRequireRealm "__OWA_SERVER_LOGIN_REALM__"
# Continue to send the same Authorization: header to the backend server
# after login. (Only use this when the AuthBasic check is run against
# the backend server you are protecting) (Default: 1)
# With this on, the user's password crosses to the backend on EVERY
# proxied request, not just at login; the login URL above and the [P]
# rewrite targets at the bottom of this file must point at the same host.
PerlSetVar OwaAuthBasicKeepAuth 1
# Collect cookies from the AuthBasic check and send them back to the
# user's browser on login (Default: 1)
PerlSetVar OwaAuthBasicPassBackCookies 1
## AppSamurai::AuthRadius options
#
# Set the IP and port to send Radius requests to
PerlSetVar OwaAuthRadiusConnect "__RADIUS_SERVER_IP__:__RADIUS_PORT__"
# Set the RADIUS key to use. This is a shared secret: this file must not
# be world-readable, and never commit it with a real value.
PerlSetVar OwaAuthRadiusSecret "__RADIUS_PASSWORD__"
## Session storage options
#
# Inactivity timeout (in seconds) for normal (form based) OWA sessions
# (Default: 3600)
PerlSetVar OwaSessionTimeout 3600
# This is the AppSamurai instance's password. Set it to something long.
# All AppSamurai servers in a cluster (sharing the same auth name), and
# using a common storage area (central session database server), must
# use the same ServerPass.
# (Note - this password is only used with HMAC session generators and
# encrypting session serializers: Both are on by default)
# Anyone who can read it can forge (HMAC) or decrypt sessions, so protect
# this file exactly like the RADIUS secret above.
PerlSetVar OwaSessionServerPass "__APPSAMURAI_SERVER_PASSWORD__"
# If using the default File session store, you must point to a filesystem
# directory to store sessions in. (Should be readable/writable only to
# the user httpd is running under -- e.g. mode 0700 -- and kept outside
# DocumentRoot.)
PerlSetVar OwaSessionDirectory "__SESSION_PATH__/sessions"
# Ditto for the file lock directory
PerlSetVar OwaSessionLockDirectory "__SESSION_PATH__/slock"
## Tracker System
#
# Cleanup items older than this many seconds (Default: undef)
PerlSetVar OwaTrackerCleanup 86400
## Misc Features
#
# IPFailures takes an argument in the format "X:Y", where X is the number of
# failures and Y is the window (in seconds) between the failures.
# Note - If TrackerCleanup is LESS than the failure window, you may miss
# slow attacks. (Default: undef)
# The 86400s cleanup above comfortably covers the 60s window here.
# Failures are presumably counted per source IP, so users behind a shared
# NAT share one counter, and an attacker spreading attempts over many
# source addresses is not slowed by this alone.
PerlSetVar OwaIPFailures "20:60"
## Directory and Location Configuration
#
# AppSamurai login/logout pages
<Directory "__DOCUMENT_ROOT__/AppSamurai">
AllowOverride None
deny from all
<FilesMatch "\.pl$">
# The login and logout pages are Perl scripts, so we enable normal
# mod_perl CGI handling for them
SetHandler perl-script
Options +ExecCGI
AuthType Apache::AppSamurai
<IfDefine !MODPERL2>
PerlHandler Apache::Registry
</IfDefine>
<IfDefine MODPERL2>
PerlResponseHandler ModPerl::Registry
</IfDefine>
# IMPORTANT - The auth name MUST match a configured AppSamurai auth name
AuthName "Owa"
allow from all
</FilesMatch>
<Files LOGIN>
# This is a fake file that is mapped to the login() method in
# Apache::AppSamurai (Your login page should post to this)
SetHandler perl-script
# Turn off client proxy requests (All requests mapped by Rewrite)
# Keep this Off: with it On, httpd becomes an open forward proxy for
# anyone who can reach it. The [P] RewriteRules below do not need it;
# they are reverse-proxy mappings and work with ProxyRequests Off.
ProxyRequests Off
# Protect ALL proxied areas (by default). The actual proxy mapping is
# done with rewrite rules. (Be careful if you decide to make this
# a more specific path: anything proxied outside it would then be
# reachable without a login, exposing internal servers!)
# !!! MAKE SURE TO CONFIGURE THE IfDefine SECTION FOR YOUR VERSION !!!
# !!! OF MOD_PERL !!!
<IfDefine !MODPERL2>
# proxy:* matches every request that mod_rewrite hands to mod_proxy,
# whatever the target host, so everything the [P] rules at the bottom of
# this file forward requires an AppSamurai login. (The ActiveSync section
# further down narrows this for one path only.)
<Directory proxy:*>
AuthType Apache::AppSamurai
# IMPORTANT - The auth name MUST match a configured AppSamurai auth name
AuthName "Owa"
# Map authentication checks to this method
PerlAuthenHandler Apache::AppSamurai->authenticate
# Map authorization checks to this method
PerlAuthzHandler Apache::AppSamurai->authorize
# Allow all IPs, but require a logged in user. httpd's default is
# "Satisfy All", so the host check and the valid-user check are both
# enforced; do not add "Satisfy Any" here.
Order deny,allow
Allow from all
Require valid-user
</Directory>
</IfDefine>
<IfDefine MODPERL2>
# (See !MODPERL2 section directly above for comments)
# Order/Allow are httpd 2.2 syntax; on httpd 2.4 they need
# mod_access_compat, and "Require valid-user" on its own is sufficient
# -- confirm for the httpd version you run.
<Proxy *>
AuthType Apache::AppSamurai
AuthName "Owa"
PerlAuthenHandler Apache::AppSamurai->authenticate
PerlAuthzHandler Apache::AppSamurai->authorize
Order deny,allow
Allow from all
Require valid-user
</Proxy>
</IfDefine>
# Special ActiveSync configuration: Protects /Microsoft-Server-ActiveSync
# path with Basic Authentication login instead of form based. This is
# to support Windows Mobile devices. Other special parameters are used
# to support the non-cookie aware ActiveSync
# !!! MAKE SURE TO CONFIGURE THE IfDefine SECTION FOR YOUR VERSION !!!
# !!! OF MOD_PERL !!!
<IfDefine !MODPERL2>
<Directory proxy:https://__OWA_SERVER_FQDN__/Microsoft-Server-ActiveSync*>
# Set hard expiration (no matter what, the session is killed after this
# many seconds). With the inactivity timer disabled just below, this
# 24h limit is the only thing bounding the life of a captured
# ActiveSync session.
PerlSetVar OwaSessionExpire 86400
# Override the previously configured inactivity timer (only applies to this
# directory) 0 disables the timer
PerlSetVar OwaSessionTimeout 0
# ActiveSync does not maintain session cookies. This sets up a "custom
# keysource" to compute the session authentication key based on a set of
# headers and arguments. (Sort of a pseudo-cookie). This avoids losing
# sessions with ActiveSync. It is MUCH less secure, though! Only
# use this in conjunction with at least one token or OTP based authentication
# module. (SecurID, SafeWord, etc....) This custom keysource uses:
# 1) The "Authorization" header value
# 2) The "User-agent" header value
# 3) The "User" argument (ActiveSync devices add this to each request)
# 4) The "DeviceId" argument (ActiveSync adds this, and it should be unique
# per-device... not that it couldn't be spoofed)
# All four inputs are supplied by the client, so whoever captures one
# request can reproduce the session key. An OTP method at least makes
# the Authorization value change on every login.
PerlAddVar OwaKeysource header:Authorization
PerlAddVar OwaKeysource header:User-agent
PerlAddVar OwaKeysource arg:User
PerlAddVar OwaKeysource arg:DeviceId
# Note that "Basic" is used instead of "Apache::AppSamurai". This causes
# Apache to handle the basic authentication grunt work for us.
# Basic credentials are only base64-encoded and travel with every
# request: this path must be reachable over https only (the front-end
# TLS setup is not part of this file excerpt -- verify it).
AuthType Basic
# IMPORTANT - The auth name MUST match a configured AppSamurai auth name
AuthName "Owa"
# Map authentication checks to this method
PerlAuthenHandler Apache::AppSamurai->authenticate
# Map authorization checks to this method
PerlAuthzHandler Apache::AppSamurai->authorize
# Allow all IPs, but require a logged in user
Order deny,allow
Allow from all
require valid-user
</Directory>
</IfDefine>
<IfDefine MODPERL2>
# (See !MODPERL2 section directly above for comments)
# Keep the two sections identical: the keysource list, the hard expiry
# and the Basic auth caveats all apply here unchanged.
<Proxy https://__OWA_SERVER_FQDN__/Microsoft-Server-ActiveSync*>
PerlSetVar OwaSessionExpire 86400
PerlSetVar OwaSessionTimeout 0
PerlAddVar OwaKeysource header:Authorization
PerlAddVar OwaKeysource header:User-agent
PerlAddVar OwaKeysource arg:User
PerlAddVar OwaKeysource arg:DeviceId
AuthType Basic
AuthName "Owa"
PerlAuthenHandler Apache::AppSamurai->authenticate
PerlAuthzHandler Apache::AppSamurai->authorize
Order deny,allow
Allow from all
require valid-user
</Proxy>
</IfDefine>
#### Rewrite/Proxy Rules ####
# !!! IMPORTANT NOTE !!!
# Rewrite options are not global by default! Make sure to read the
# extra section at the bottom of this file.
# Enable rewrites for default (non-virtual) hosts
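# Enable rewrites for default (non-virtual) hosts
RewriteEngine On
# Block access to common IIS hackable areas. This is defense in depth
# only: the reverse-proxy rules below forward just a handful of prefixes,
# and these rules are no substitute for patching the backend.
# [NC] is needed because IIS paths are case-insensitive: without it
# /IISADMIN/ or foo.IDA slipped past these rules yet still reached the
# backend. Dots are escaped so that e.g. "/florida" is no longer caught
# by the .ida rule. ([F] already implies [L]; it is spelled out.)
RewriteRule ^(.*)?/iisadmin/? - [F,L,NC]
RewriteRule ^(.*)?/samples/? - [F,L,NC]
RewriteRule ^(.*)?/scripts/? - [F,L,NC]
RewriteRule ^(.*)\.ida$ - [F,L,NC]
RewriteRule ^(.*)\.htw$ - [F,L,NC]
# FrontPage extension directories are /_vti_bin/, /_vti_pvt/, etc.
# (underscore, not slash, after "vti"); the previous "/_vti/_" pattern
# never matched them.
RewriteRule ^(.*)/_vti_ - [F,L,NC]
RewriteRule ^(.*)\.idq$ - [F,L,NC]
RewriteRule ^(.*)\.exe$ - [F,L,NC]
RewriteRule ^(.*)?/winnt/? - [F,L,NC]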
# Redirect our default into the main OWA app
RewriteRule ^/?$ /exchange/ [R,L]
# Remap logout URLs to our AppSamurai virtual logout page
RewriteRule ^/exchweb/bin/.*logoff\.asp$ /AppSamurai/LOGOUT [L]
# Reverse proxy (P) /public/
# All [P] targets below are https://, which needs SSLProxyEngine On (not
# in this excerpt -- confirm it is set in the extra section at the bottom).
# mod_proxy does not verify the backend certificate unless SSLProxyVerify
# and SSLProxyCACertificateFile are configured; without them the
# Authorization header that OwaAuthBasicKeepAuth forwards on every
# request can be intercepted between this proxy and the OWA server.
# Everything proxied here falls under the proxy:* / <Proxy *> sections
# above and therefore requires a valid user.
RewriteRule ^/public/(.*)$ https://__OWA_SERVER_FQDN__/public/$1 [P,L]
# Use local copies static /exchweb/ content
# ONLY USE THESE RULES IF YOU HAVE COPIED THE CONTENT TO THIS SERVER AND
# YOU HAVE READ AND CONFIGURED THE Directory SECTION FOR /exchweb ABOVE!
#RewriteRule ^/exchweb/controls/ - [L]
#RewriteRule ^/exchweb/img/ - [L]
#RewriteRule ^/exchweb/themes/ - [L]
#RewriteRule ^/exchweb/views/ - [L]
# Reverse proxy items in /exchweb/, /exchange/, and /iisadmpwd/
# /iisadmpwd/ is the IIS password-change directory; remove that rule if
# users do not need to change expired passwords through this proxy.
RewriteRule ^/exchweb/(.*)$ https://__OWA_SERVER_FQDN__/exchweb/$1 [P,L]
RewriteRule ^/exchange/(.*)$ https://__OWA_SERVER_FQDN__/exchange/$1 [P,L]
RewriteRule ^/iisadmpwd/(.*)$ https://__OWA_SERVER_FQDN__/iisadmpwd/$1 [P,L]
# ActiveSync - For Windows Mobile devices (requires special setup - See
# corresponding directory section for it above)
# The (.*) also matches /Microsoft-Server-ActiveSyncX; the Directory/Proxy
# section above uses the same trailing wildcard, so the two stay in step.
# Requests matching none of these rules are served from the local
# DocumentRoot -- make sure nothing sensitive lives there.
RewriteRule ^/Microsoft-Server-ActiveSync(.*)$ https://__OWA_SERVER_FQDN__/Microsoft-Server-ActiveSync$1 [P,L]