#
# Open OnDemand Portal
#
# Generated using ood-portal-generator version 0.8.0
#
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# !!                                    !!
# !!     DO NOT EDIT THIS FILE          !!
# !!                                    !!
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# This file is auto-generated by ood-portal-generator and will be over-written
# in future updates.
#
# 1. To modify this file, first update the global configuration file:
#
#      /etc/ood/config/ood_portal.yml
#
#    You can find more information about the ood-portal-generator configuration
#    at:
#
#      https://osc.github.io/ood-documentation/latest/reference/commands/ood-portal-generator.html
#
# 2. Then build/install the updated Apache config with:
#
#      sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal
#
# 3. Finally, restart Apache to have the changes take effect:
#
#      # For CentOS 6
#      sudo service httpd24-httpd condrestart
#      sudo service httpd24-htcacheclean condrestart
#
#      # For CentOS 7
#      sudo systemctl try-restart httpd24-httpd.service httpd24-htcacheclean.service
#
#      # For CentOS 8
#      sudo systemctl try-restart httpd.service htcacheclean.service
#

# Listen should always be one of:
#     - <port>
#     - <ipv4>:<port>
#     - <ipv6>:<port>
#
Listen 443

# Redirect all http traffic to the https Open OnDemand portal URI
#     http://*:443
#     #=> https://sandstone.sharcnet.ca:443
#
<VirtualHost *:80>
  RewriteEngine On
  RewriteRule ^(.*) https://sandstone.sharcnet.ca:443$1 [R=301,NE,L]
</VirtualHost>

# The Open OnDemand portal VirtualHost
#
<VirtualHost *:443>
  ServerName sandstone.sharcnet.ca

  ErrorLog  "logs/sandstone.sharcnet.ca_error_ssl.log"
  CustomLog "logs/sandstone.sharcnet.ca_access_ssl.log" combined

  RewriteEngine On
  RewriteCond %{HTTP_HOST} !^(sandstone.sharcnet.ca(:443)?)?$ [NC]
  RewriteRule ^(.*) https://sandstone.sharcnet.ca:443$1 [R=301,NE,L]

  # Support maintenance page during outages of OnDemand
  RewriteEngine On
  RewriteCond /var/www/ood/public/maintenance/index.html -f
  RewriteCond /etc/ood/maintenance.enable -f
  RewriteCond %{REQUEST_URI} !/public/maintenance/.*$
  RewriteRule ^.*$ /public/maintenance/index.html [R=503,L]
  ErrorDocument 503 /public/maintenance/index.html
  Header Set Cache-Control "max-age=0, no-store"

  Header always set Content-Security-Policy "frame-ancestors https://sandstone.sharcnet.ca;"
  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

  SSLEngine On
  SSLCertificateFile "/etc/letsencrypt/live/sandstone.sharcnet.ca/fullchain.pem"
  SSLCertificateKeyFile "/etc/letsencrypt/live/sandstone.sharcnet.ca/privkey.pem"
  SSLCertificateChainFile "/etc/letsencrypt/live/sandstone.sharcnet.ca/chain.pem"

  # OIDC configuration
  #
  OIDCProviderMetadataURL https://sandstone.sharcnet.ca:5554/.well-known/openid-configuration
  OIDCClientID sandstone.sharcnet.ca
  OIDCClientSecret 10443f25-c6d6-4ad4-ba50-63245b4bb5e2
  OIDCRedirectURI https://sandstone.sharcnet.ca/oidc
  OIDCRemoteUserClaim preferred_username
  OIDCScope "openid profile email"
  OIDCCryptoPassphrase 660cdcedac1e05eac8c9deccd8bd15f3761d1547
  OIDCSessionInactivityTimeout 28800
  OIDCSessionMaxDuration 28800
  OIDCStateMaxNumberOfCookies 10 true
  OIDCCookieSameSite On

  # Lua configuration
  #
  LuaRoot "/opt/ood/mod_ood_proxy/lib"
  LogLevel lua_module:info

  # Log authenticated user requests (requires min log level: info)
  LuaHookLog logger.lua logger

  # Authenticated-user to system-user mapping configuration
  #
  SetEnv OOD_USER_MAP_MATCH ".*"

  # Per-user Nginx (PUN) configuration
  # NB: Apache will need sudo privs to control the PUNs
  #
  SetEnv OOD_PUN_STAGE_CMD "sudo /opt/ood/nginx_stage/sbin/nginx_stage"

  #
  # Below is used for sub-uri's this Open OnDemand portal supports
  #

  # Serve up publicly available assets from local file system:
  #
  #     https://sandstone.sharcnet.ca:443/public/favicon.ico
  #     #=> /var/www/ood/public/favicon.ico
  #
  Alias "/public" "/var/www/ood/public"
  <Directory "/var/www/ood/public">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
  </Directory>



  # Reverse proxy traffic to backend PUNs through Unix domain sockets:
  #
  #     https://sandstone.sharcnet.ca:443/pun/dev/app/simulations/1
  #     #=> unix:/path/to/socket|http://localhost/pun/dev/app/simulations/1
  #
  SetEnv OOD_PUN_URI "/pun"
  <Location "/pun">
    AuthType openid-connect
    Require valid-user

    ProxyPassReverse "http://localhost/pun"

    # ProxyPassReverseCookieDomain implementation (strip domain)
    Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""

    # ProxyPassReverseCookiePath implementation (less restrictive)
    Header edit* Set-Cookie ";\s*(?i)Path\s*=(?-i)(?!\s*/pun)[^;]*" "; Path=/pun"

    SetEnv OOD_PUN_SOCKET_ROOT "/var/run/ondemand-nginx"
    SetEnv OOD_PUN_MAX_RETRIES "5"
    LuaHookFixups pun_proxy.lua pun_proxy_handler

  </Location>

  # Control backend PUN for authenticated user:
  # NB: See mod_ood_proxy for more details.
  #
  #    https://sandstone.sharcnet.ca:443/nginx/stop
  #    #=> stops the authenticated user's PUN
  #
  SetEnv OOD_NGINX_URI "/nginx"
  <Location "/nginx">
    AuthType openid-connect
    Require valid-user

    LuaHookFixups nginx.lua nginx_handler
  </Location>

  # Redirect root URI to specified URI
  #
  #     https://sandstone.sharcnet.ca:443/
  #     #=> https://sandstone.sharcnet.ca:443/pun/sys/dashboard
  #
  RedirectMatch ^/$ "/pun/sys/dashboard"

  # Redirect logout URI to specified redirect URI
  #
  #     https://sandstone.sharcnet.ca:443/logout
  #     #=> https://sandstone.sharcnet.ca:443/oidc?logout=https%3A%2F%2Fsandstone.sharcnet.ca
  #
  Redirect "/logout" "/oidc?logout=https%3A%2F%2Fsandstone.sharcnet.ca"

  # OpenID Connect redirect URI:
  #
  #     https://sandstone.sharcnet.ca:443/oidc
  #     #=> handled by mod_auth_openidc
  #
  <Location "/oidc">
    AuthType openid-connect
    Require valid-user
  </Location>


</VirtualHost>