8. Appendix
8.1. Example Apache HTTP Server configuration files
These are sample files for configuring the Apache HTTP Server as a reverse proxy in front of Unicorn ID Manager.
For details of the individual settings, refer to the official Apache documentation.
/etc/httpd/conf/httpd.conf
## Apache HTTPD 2.4 (RHEL): httpd.conf
##
## Generated by: KAWAI Shun (shun @ osstech.co.jp)
## Date: 2022-10-18 16:05:53
##
## Template by OSSTech Corp., Japan <https://www.OSSTech.co.jp/>
## Date: 2022-08-04, since 2022-08-04
ServerRoot "/etc/httpd"
Include conf.modules.d/*.conf
User apache
Group apache
PidFile run/httpd.pid
Listen 80
Timeout 120
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule mpm_prefork_module>
StartServers 64
MinSpareServers 64
MaxSpareServers 64
MaxRequestWorkers 64
</IfModule>
<IfModule mpm_worker_module>
StartServers 16
ThreadsPerChild 32
MinSpareThreads 512
MaxSpareThreads 512
MaxRequestWorkers 512
ServerLimit 64
ThreadLimit 32
</IfModule>
<IfModule mpm_event_module>
StartServers 16
ThreadsPerChild 32
MinSpareThreads 512
MaxSpareThreads 512
MaxRequestWorkers 512
ServerLimit 64
ThreadLimit 32
</IfModule>
MaxConnectionsPerChild 5000
EnableSendfile On
Include conf.d/*.conf
## Disable TRACE method to avoid warnings from noisy security scanners
## (See "AllowMethods ..." below for other methods)
TraceEnable Off
ServerName uidm.example.jp
ServerAdmin root@uidm.example.jp
ServerTokens ProductOnly
ServerSignature Off
HostnameLookups Off
UseCanonicalName Off
LogLevel warn
ErrorLog logs/error_log
LogFormat "%a %l %u %t \"%r\" %>s %b" common
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D %P:%{tid}P" osstech
<IfModule mod_ssl.c>
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D %P:%{tid}P %{SSL_PROTOCOL}x %{SSL_CIPHER}x" osstech_ssl
</IfModule>
LogFormat "host:%a\tident:%l\tuser:%u\ttime:%t\treq:%r\tstatus:%>s\tsize:%b\treferer:\%{Referer}i\tua:%{User-Agent}i" combined_ltsv
LogFormat "time:%t\tforwardedfor:%{X-Forwarded-For}i\thost:%a\treq:%r\tstatus:%>s\tsize:%B\treferer:%{Referer}i\tua:%{User-Agent}i\treqtime_microsec:%D\tcache:%{X-Cache}o\truntime:%{X-Runtime}o\tvhost:%{Host}i" ltsv
CustomLog logs/access_log osstech
DirectoryIndex index.html index.htm
TypesConfig /etc/mime.types
DefaultType None
AddDefaultCharset UTF-8
DocumentRoot "/var/www/html"
<Location />
## Disable OPTIONS and PATCH methods to avoid warnings from noisy
## security scanners (See "TraceEnable ..." above for TRACE method)
# AllowMethods GET POST PUT HEAD DELETE CONNECT
</Location>
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
<VirtualHost 127.0.0.1:80>
<IfModule status_module>
<Location /server-status>
Require ip 127.0.0.1 ::1
SetHandler server-status
</Location>
</IfModule>
<IfModule info_module>
<Location /server-info>
Require ip 127.0.0.1 ::1
SetHandler server-info
</Location>
</IfModule>
</VirtualHost>
<VirtualHost *:443>
ServerName uidm.example.jp
ErrorLog logs/uidm.example.jp.443.error.log
CustomLog logs/uidm.example.jp.443.access.log osstech_ssl
SSLEngine On
SSLCertificateKeyFile /etc/httpd/private/localhost.key
SSLCertificateFile /etc/httpd/certs/localhost.crt
## NOTE: SSLCertificateChainFile became obsolete with Apache httpd 2.4.8,
## when SSLCertificateFile was extended to also load intermediate
## CA certificates from the server certificate file.
#SSLCertificateChainFile /etc/httpd/certs/cachain.crt
#RequestHeader set X-Forwarded-Proto "https"
Header always set Cross-Origin-Opener-Policy "same-origin-allow-popups"
#Header always set Strict-Transport-Security "max-age=63072000"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
#Header always set X-XSS-Protection "1; mode=block"
ProxyRequests off
ProxyPass /unicornidm/static !
Alias /unicornidm/static /opt/osstech/var/lib/unicornidm/statics
<Directory /opt/osstech/var/lib/unicornidm/statics>
Require all granted
</Directory>
ProxyPass /favicon.ico !
Alias /favicon.ico /opt/osstech/share/doc/osstech-unicornidm/documentation/favicon.ico
ProxyPass /unicornidm/doc !
Alias /unicornidm/doc /opt/osstech/share/doc/osstech-unicornidm/documentation
ProxyPass /unicornidm/documentation !
Alias /unicornidm/documentation /opt/osstech/share/doc/osstech-unicornidm/documentation
<Directory /opt/osstech/share/doc/osstech-unicornidm/documentation>
Require all granted
</Directory>
ProxyPass /unicornidm unix:/opt/osstech/var/run/unicornidm/uwsgi.sock|uwsgi://localhost/unicornidm retry=1
<Location "/unicornidm/admin">
Require all granted
# <RequireAny>
# Require local
# Require ip xxx.xxx.xxx.xxx
# </RequireAny>
</Location>
<Location "/unicornidm/user">
Require all granted
</Location>
<Proxy *>
RedirectMatch ^/unicornidm/?$ /unicornidm/admin/
</Proxy>
# RedirectMatch ^/$ /unicornidm/user/target1/password/
RedirectMatch ^/admin/?$ /unicornidm/admin/
</VirtualHost>
Note
In the configuration file above, the server hostname is set to uidm.example.com. Replace it with the appropriate hostname for your deployment.
Note
In the configuration file above, /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key are configured as the server certificate and private key. Replace them with the appropriate certificate files for your deployment.
/etc/httpd/conf.d/ssl.conf
## Apache HTTPD 2.4 (RHEL): ssl.conf
##
## Generated by: KAWAI Shun (shun @ osstech.co.jp)
## Date: 2022-10-18 16:05:53
##
## Template by OSSTech Corp., Japan <https://www.OSSTech.co.jp/>
## Date: 2022-08-04, since 2022-08-04
Listen 443 https
SSLProtocol All -TLSv1.1 -TLSv1
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLHonorCipherOrder On
SSLCompression Off
SSLPassPhraseDialog builtin
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
#SSLUseStapling On
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors Off
SSLStaplingCache shmcb:/run/httpd/staplingcache(128000)
## vim: filetype=apache
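As an added check that is not part of Unicorn ID Manager or of these sample files, the following Python audits a constructed excerpt of the httpd.conf and ssl.conf above for the hardening points they set: TRACE disabled, forward proxying off, TLS 1.0/1.1 removed from SSLProtocol, and whether the commented-out Strict-Transport-Security and SSLUseStapling lines are actually in effect. The minimal directive parser and the check names are assumptions of this example, and the SSLProtocol check also accepts the positive-list form (e.g. "TLSv1.2 TLSv1.3") that the sample does not use.

```python
# Constructed excerpt of the sample httpd.conf and ssl.conf above (input for the audit).
SAMPLE = """\
TraceEnable Off
SSLProtocol All -TLSv1.1 -TLSv1
#SSLUseStapling On
<VirtualHost *:443>
#Header always set Strict-Transport-Security "max-age=63072000"
ProxyRequests off
</VirtualHost>
"""

def parse_directives(text):
    """Active and '#'-commented (name, args) pairs; <section> tags are skipped."""
    active, commented = [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("<"):
            continue
        bucket = commented if line.startswith("#") else active
        parts = line.lstrip("# ").split(None, 1)
        if parts:
            bucket.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return active, commented

def has(directives, name, *needles):
    """True if a directive `name` carries every needle among its argument tokens."""
    return any(d.lower() == name.lower()
               and all(n.lower() in {t.lower() for t in args.split()} for n in needles)
               for d, args in directives)

def legacy_tls_disabled(active):
    """TLS 1.0/1.1 off: subtracted from All, or not listed when All is absent."""
    for d, args in active:
        if d.lower() == "sslprotocol":
            t = {x.lower().lstrip("+") for x in args.split()}
            if "all" in t:
                return "-tlsv1" in t and "-tlsv1.1" in t
            return not ({"tlsv1", "tlsv1.1"} & t)
    return False  # httpd's default SSLProtocol still allows TLS 1.0

def audit(text):
    """Each hardening point from the sample -> True if in effect, else False."""
    active, commented = parse_directives(text)
    return {
        "trace_disabled": has(active, "TraceEnable", "Off"),
        "forward_proxy_disabled": has(active, "ProxyRequests", "Off"),
        "legacy_tls_disabled": legacy_tls_disabled(active),
        "hsts_header": has(active, "Header", "Strict-Transport-Security"),
        "hsts_left_commented": has(commented, "Header", "Strict-Transport-Security"),
        "ocsp_stapling": has(active, "SSLUseStapling", "On"),
    }
```

Running audit() over the real files (read with open()) reports the same keys; a False next to hsts_header or ocsp_stapling means the corresponding line is still commented out, as it is in the sample.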
8.2. Example configuration for running uWSGI as the HTTP server
This is a sample file for running Unicorn ID Manager on uWSGI alone, without the Apache HTTP Server.
For details of the individual settings, refer to the official uWSGI documentation.
/opt/osstech/etc/unicornidm/uwsgi.conf
# uWSGI configuration file
# ************************* Configuration for stand-alone *************************
[uwsgi]
# ********** Special variables (placeholders) **********
# the %(etc) placeholder is defined in /opt/osstech/lib/unicornidm/uwsgi.ini
secrets = %(etc)/secrets
certfile = %(secrets)/cert.pem
keyfile = %(secrets)/key.pem
# ******************** uWSGI Options ********************
workers = 1
threads = 400
# Disable TLSv1.0
ssl-enable-tlsv1=false
# Disable TLSv1.1
ssl-option = 268435456 # = 0x10000000 = SSL_OP_NO_TLSv1_1
# https configuration.
# c.f. http://uwsgi-docs.readthedocs.io/en/latest/HTTPS.html
shared-socket = :443
https = =0,%(certfile),%(keyfile),HIGH
# redirect http request to https
shared-socket = :80
http-to-https = =1
uid = unicornidm
gid = unicornidm
http-timeout = 600
Note
In the configuration file above, /opt/osstech/etc/unicornidm/secrets/certs.pem and /opt/osstech/etc/unicornidm/secrets/key.pem are configured as the server certificate and private key. Replace them with the appropriate certificate files for your deployment.