From 9a25ab17784c1e17ffe82a362dbeac18f3f5a75c Mon Sep 17 00:00:00 2001
From: Scotty Logan <swl@stanford.edu>
Date: Tue, 13 Mar 2018 20:57:08 -0700
Subject: [PATCH] made login.itlab main IdP; removed authz; weblogin is a
 redirector

---
 .../authz.itlab.stanford.edu/ROOT.xml         |  7 -----
 .../clearidpcookie.xml                        |  0
 .../idp.xml                                   |  0
 etc/tomcat8/server.xml                        | 30 +++++++++----------
 .../webapps/ROOT/WEB-INF/rewrite.config       | 15 ++++++++++
 .../ROOT/{index.html => index.html.old}       |  0
 6 files changed, 29 insertions(+), 23 deletions(-)
 delete mode 100644 etc/tomcat8/Catalina/authz.itlab.stanford.edu/ROOT.xml
 rename etc/tomcat8/Catalina/{weblogin.itlab.stanford.edu => login.itlab.stanford.edu}/clearidpcookie.xml (100%)
 rename etc/tomcat8/Catalina/{weblogin.itlab.stanford.edu => login.itlab.stanford.edu}/idp.xml (100%)
 create mode 100644 var/lib/tomcat8/webapps/ROOT/WEB-INF/rewrite.config
 rename var/lib/tomcat8/webapps/ROOT/{index.html => index.html.old} (100%)

diff --git a/etc/tomcat8/Catalina/authz.itlab.stanford.edu/ROOT.xml b/etc/tomcat8/Catalina/authz.itlab.stanford.edu/ROOT.xml
deleted file mode 100644
index 8e8ced6..0000000
--- a/etc/tomcat8/Catalina/authz.itlab.stanford.edu/ROOT.xml
+++ /dev/null
@@ -1,7 +0,0 @@
-<Context
-    docBase="/opt/mitreid-connect/webapp"
-    privileged="true"
-    antiResourceLocking="false"
-    unpackWAR="false"
-    swallowOutput="true" />
-
diff --git a/etc/tomcat8/Catalina/weblogin.itlab.stanford.edu/clearidpcookie.xml b/etc/tomcat8/Catalina/login.itlab.stanford.edu/clearidpcookie.xml
similarity index 100%
rename from etc/tomcat8/Catalina/weblogin.itlab.stanford.edu/clearidpcookie.xml
rename to etc/tomcat8/Catalina/login.itlab.stanford.edu/clearidpcookie.xml
diff --git a/etc/tomcat8/Catalina/weblogin.itlab.stanford.edu/idp.xml b/etc/tomcat8/Catalina/login.itlab.stanford.edu/idp.xml
similarity index 100%
rename from etc/tomcat8/Catalina/weblogin.itlab.stanford.edu/idp.xml
rename to etc/tomcat8/Catalina/login.itlab.stanford.edu/idp.xml
diff --git a/etc/tomcat8/server.xml b/etc/tomcat8/server.xml
index ba26232..bb0e7d1 100644
--- a/etc/tomcat8/server.xml
+++ b/etc/tomcat8/server.xml
@@ -17,8 +17,8 @@
        SSLCACertificateFile="/opt/shibboleth-idp/credentials/cloudpath-itlab.full.pem"
        SSLVerifyClient="none"
        SSLProtocol="TLSv1.2"
-       SSLCipherSuite="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384"
        SSLHonorCipherOrder="on"
+       SSLCipherSuite="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384"
     />
 
     <Connector port="80" protocol="HTTP/1.1"
@@ -26,44 +26,42 @@
                URIEncoding="UTF-8"
                redirectPort="443" />
 
-    <Engine name="Catalina" defaultHost="weblogin.itlab.stanford.edu">
+    <Engine name="Catalina" defaultHost="login.itlab.stanford.edu">
 
       <Realm className="org.apache.catalina.realm.CombinedRealm">      
         <Realm className="net.unicon.tomcat7.realm.X509AuthenticationBypassingRealm"/>                              
       </Realm>
 
-      <Host name="weblogin.itlab.stanford.edu"
+      <Host name="login.itlab.stanford.edu"
             appBase="webapps"
             unpackWARs="false"
             autoDeploy="false"
             xmlValidation="false"
             xmlNamespaceAware="false">
         <Alias>localhost</Alias>
-        <Alias>login.itlab.stanford.edu</Alias>
         <Valve className="org.apache.catalina.valves.AccessLogValve"
-               prefix="weblogin_access" suffix=".log"
+               prefix="login_access" suffix=".log"
                pattern='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"' />
-<!--               pattern="common" /> -->
-<!--               pattern='%h %l %u %t "%r" %s %b "%{Accept}i" "%{host}i"' /> -->
         <Valve className="org.apache.catalina.valves.RemoteAddrValve"
                addConnectorPort="true"
                allow="127\.0\.0\.1;80|::1;80|.*;80|.*;443"/>
       </Host>
 
-      <Host name="authz.itlab.stanford.edu"
+      <Host name="weblogin.itlab.stanford.edu"
             appBase="webapps"
             unpackWARs="false"
             autoDeploy="false"
             xmlValidation="false"
             xmlNamespaceAware="false">
-        <Valve className="org.apache.catalina.valves.AccessLogValve"
-               prefix="authz_access" suffix=".log"
-               pattern='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"' />
-<!--               pattern="common" /> -->
-<!--               pattern='%h %l %u %t "%r" %s %b "%{Accept}i" "%{host}i"' /> -->
-        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
-               addConnectorPort="true"
-               allow="127\.0\.0\.1;80|::1;80|.*;80|.*;443"/>
+        <Context path="" docBase="/opt/weblogin">
+          <Valve className="org.apache.catalina.valves.AccessLogValve"
+                 prefix="weblogin_access" suffix=".log"
+                 pattern='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"' />
+          <Valve className="org.apache.catalina.valves.RemoteAddrValve"
+                 addConnectorPort="true"
+                 allow="127\.0\.0\.1;80|::1;80|.*;80|.*;443"/>
+          <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
+        </Context>
       </Host>
 
     </Engine>
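Review bot: The RewriteValve added at the end of the new weblogin Context (docBase `/opt/weblogin`) reads its rules from that context's own `WEB-INF/rewrite.config`, but the only rewrite.config this commit adds is `var/lib/tomcat8/webapps/ROOT/WEB-INF/rewrite.config`, which belongs to the ROOT application under the login host's appBase, where no RewriteValve is declared in this hunk. As visible here the redirector host has a valve with no rules and the login host has rules with no valve, unless a context descriptor outside this diff (a META-INF/context.xml in one of the apps, for instance) wires them together — worth confirming before deploy, and the same concern applies to the rewrite.config hunk below. A one-line comment on the Context, `<!-- redirector: rules are read from /opt/weblogin/WEB-INF/rewrite.config -->`, would make the expected file location explicit. Separately, the RemoteAddrValve allow list carried over onto this Context, `allow="127\.0\.0\.1;80|::1;80|.*;80|.*;443"`, admits any client address on either connector port, so it restricts nothing beyond the port itself; if that is intended, a comment saying so would stop the next reader from assuming it is an access control.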
diff --git a/var/lib/tomcat8/webapps/ROOT/WEB-INF/rewrite.config b/var/lib/tomcat8/webapps/ROOT/WEB-INF/rewrite.config
new file mode 100644
index 0000000..6e14102
--- /dev/null
+++ b/var/lib/tomcat8/webapps/ROOT/WEB-INF/rewrite.config
@@ -0,0 +1,15 @@
+# no more metadata.xml
+RewriteRule ^/metadata.xml$ /idp/shibboleth [L]
+
+# no more idp-metadata.xml
+RewriteRule ^/idp-metadata.xml$ /idp/shibboleth [L]
+
+# root redirects to the SAML service page (in production),
+# but a blog post in itlab
+RewriteCond %{HTTP_ACCEPT} ^.*text/html.*$
+RewriteRule ^/$ https://itarch.stanford.edu/it-lab-idp [R=301,L]
+#RewriteRule ^/$ https://uit.stanford.edu/service/saml [R=301,L]
+
+RewriteRule ^/$ /idp/shibboleth [L]
+
+
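Review bot: The root redirect `RewriteRule ^/$ https://itarch.stanford.edu/it-lab-idp [R=301,L]` is permanent, yet the comment two lines above says the destination is environment-specific (a blog post in itlab, the SAML service page in production, with the production rule kept commented out). Browsers cache 301 responses, so a client that has already been sent to the itlab target will keep going there after the rule is switched; `[R=302,L]` is the safer choice while the destination is still expected to change, and the comment should say which environment the active rule is for. The dots in `^/metadata.xml$` and `^/idp-metadata.xml$` are unescaped regex metacharacters; `^/metadata\.xml$` and `^/idp-metadata\.xml$` match only the intended paths. Note also that this file sits under the login host's ROOT webapp while the only RewriteValve in this commit is declared on the weblogin Context in server.xml, so whether these rules are ever loaded depends on configuration not shown in the diff.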
diff --git a/var/lib/tomcat8/webapps/ROOT/index.html b/var/lib/tomcat8/webapps/ROOT/index.html.old
similarity index 100%
rename from var/lib/tomcat8/webapps/ROOT/index.html
rename to var/lib/tomcat8/webapps/ROOT/index.html.old
-- 
GitLab