made login.itlab main IdP; removed authz; weblogin is a redirector

9a25ab17 · Scotty Logan · 36547a37 · 36547a37 · 9a25ab17 · 9a25ab17
Commit 9a25ab17 authored 7 years ago by Scotty Logan
--- a/etc/tomcat8/Catalina/authz.itlab.stanford.edu/ROOT.xml
+++ b/etc/tomcat8/Catalina/authz.itlab.stanford.edu/ROOT.xml
-<Context
-    docBase="/opt/mitreid-connect/webapp"
-    privileged="true"
-    antiResourceLocking="false"
-    unpackWAR="false"
-    swallowOutput="true" />
-
--- a/etc/tomcat8/Catalina/weblogin.itlab.stanford.edu/clearidpcookie.xml
+++ b/etc/tomcat8/Catalina/weblogin.itlab.stanford.edu/clearidpcookie.xml
--- a/etc/tomcat8/Catalina/weblogin.itlab.stanford.edu/idp.xml
+++ b/etc/tomcat8/Catalina/weblogin.itlab.stanford.edu/idp.xml
--- a/etc/tomcat8/server.xml
+++ b/etc/tomcat8/server.xml
@@ -17,8 +17,8 @@
       SSLCACertificateFile="/opt/shibboleth-idp/credentials/cloudpath-itlab.full.pem"
       SSLVerifyClient="none"
       SSLProtocol="TLSv1.2"
-       SSLCipherSuite="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384"
       SSLHonorCipherOrder="on"
+       SSLCipherSuite="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384"
    />

    <Connector port="80" protocol="HTTP/1.1"
@@ -26,44 +26,42 @@
               URIEncoding="UTF-8"
               redirectPort="443" />

-    <Engine name="Catalina" defaultHost="weblogin.itlab.stanford.edu">
+    <Engine name="Catalina" defaultHost="login.itlab.stanford.edu">

      <Realm className="org.apache.catalina.realm.CombinedRealm">      
        <Realm className="net.unicon.tomcat7.realm.X509AuthenticationBypassingRealm"/>                              
      </Realm>

-      <Host name="weblogin.itlab.stanford.edu"
+      <Host name="login.itlab.stanford.edu"
            appBase="webapps"
            unpackWARs="false"
            autoDeploy="false"
            xmlValidation="false"
            xmlNamespaceAware="false">
        <Alias>localhost</Alias>
-        <Alias>login.itlab.stanford.edu</Alias>
        <Valve className="org.apache.catalina.valves.AccessLogValve"
-               prefix="weblogin_access" suffix=".log"
+               prefix="login_access" suffix=".log"
               pattern='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"' />
-<!--               pattern="common" /> -->
-<!--               pattern='%h %l %u %t "%r" %s %b "%{Accept}i" "%{host}i"' /> -->
        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
               addConnectorPort="true"
               allow="127\.0\.0\.1;80|::1;80|.*;80|.*;443"/>
      </Host>

-      <Host name="authz.itlab.stanford.edu"
+      <Host name="weblogin.itlab.stanford.edu"
            appBase="webapps"
            unpackWARs="false"
            autoDeploy="false"
            xmlValidation="false"
            xmlNamespaceAware="false">
-        <Valve className="org.apache.catalina.valves.AccessLogValve"
-               prefix="authz_access" suffix=".log"
-               pattern='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"' />
-<!--               pattern="common" /> -->
-<!--               pattern='%h %l %u %t "%r" %s %b "%{Accept}i" "%{host}i"' /> -->
-        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
-               addConnectorPort="true"
-               allow="127\.0\.0\.1;80|::1;80|.*;80|.*;443"/>
+        <Context path="" docBase="/opt/weblogin">
+          <Valve className="org.apache.catalina.valves.AccessLogValve"
+                 prefix="weblogin_access" suffix=".log"
+                 pattern='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"' />
+          <Valve className="org.apache.catalina.valves.RemoteAddrValve"
+                 addConnectorPort="true"
+                 allow="127\.0\.0\.1;80|::1;80|.*;80|.*;443"/>
+          <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
+        </Context>
      </Host>

    </Engine>

--- a/var/lib/tomcat8/webapps/ROOT/WEB-INF/rewrite.config
+++ b/var/lib/tomcat8/webapps/ROOT/WEB-INF/rewrite.config
+# no more metadata.xml
+RewriteRule ^/metadata.xml$ /idp/shibboleth [L]
+
+# no more idp-metadata.xml
+RewriteRule ^/idp-metadata.xml$ /idp/shibboleth [L]
+
+# root redirects to the SAML service page (in production),
+# but a blog post in itlab
+RewriteCond %{HTTP_ACCEPT} ^.*text/html.*$
+RewriteRule ^/$ https://itarch.stanford.edu/it-lab-idp [R=301,L]
+#RewriteRule ^/$ https://uit.stanford.edu/service/saml [R=301,L]
+
+RewriteRule ^/$ /idp/shibboleth [L]
+
+
--- a/var/lib/tomcat8/webapps/ROOT/index.html
+++ b/var/lib/tomcat8/webapps/ROOT/index.html