...
Dans la suite de cette documentation, on choisit l'option de l'installation manuelle car celle-ci a le mérite d'être indépendante du système utilisé ; l'installation par paquet peut toutefois être préférable pour profiter des mises à jour facilitées par votre distribution (apt sous debian) - c'est d'ailleurs cette option qui a été mise en place dans la VM ESUP-SGC de démonstration.
| Bloc de code |
|---|
|
cd /opt/
wget https://dlcdn.apache.org/tomcat/tomcat-10/v10.1.48/bin/apache-tomcat-10.1.48.tar.gz
tar xzvf apache-tomcat-10.1.48.tar.gz
mv apache-tomcat-10.1.48 apache-tomcat-10.1.48-esup-nfc-tag
tar xzvf apache-tomcat-10.1.48.tar.gz
mv apache-tomcat-10.1.48 apache-tomcat-10.1.48-esup-sgc
ln -s apache-tomcat-10.1.48-esup-nfc-tag tomcat-esup-nfc-tag
ln -s apache-tomcat-10.1.48-esup-sgc tomcat-esup-sgc
rm -Rf /opt/tomcat-esup-sgc/webapps/*
mkdir /opt/tomcat-esup-sgc/webapps/ROOT/
rm -Rf /opt/tomcat-esup-nfc-tag/webapps/*
mkdir /opt/tomcat-esup-nfc-tag/webapps/ROOT/
chown -R esup:esup /opt/apache-tomcat-10.1.48-esup-sgc/
chown -R esup:esup /opt/apache-tomcat-10.1.48-esup-nfc-tag/
|
...
| Bloc de code |
|---|
|
a2enmod rewrite
a2enmod ssl
a2enmod proxy_ajp
a2enmod proxy_http
a2enmod shib
a2enmod headers
|
Créer un fichier de configuration pour le VirtualHost esup-sgc.univ-ville.fr /etc/apache2/sites-available/esup-sgc.univ-ville.fr.conf
...
| Bloc de code |
|---|
|
<VirtualHost *:80>
ServerName esup-sgc.univ-ville.fr
ServerAdmin webmaster@univ-ville.fr
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
RewriteRule ^/(.*)$ https://esup-sgc.univ-ville.fr/$1 [L,R]
</VirtualHost>
<VirtualHost *:443>
ServerName esup-sgc.univ-ville.fr
ServerAdmin webmaster@univ-ville.fr
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/esup-sgc.univ-ville.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/esup-sgc.univ-ville.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/esup-sgc.univ-ville.fr/chain.pem
ProxyPass /Shibboleth.sso !
ProxyPass /secure !
ScriptAlias /secure /var/www/printenv.pl
ShibCompatValidUser Off
# Security measure: remove <Location /Shibboleth.sso>
any client-supplied REMOTE_USER header early. SetHandler shib
AuthType None
Require all granted
</Location>
<Location /shibboleth-sp>
AuthType None
Require all granted
</Location>
Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
ShibUseHeaders On
RequestHeader unset REMOTE_USER early
ShibRequestSetting applicationId default<Location /Shibboleth.sso>
</Location>
<LocationSetHandler />shib
AuthType shibbolethNone
ShibRequestSettingRequire requireSessionall 1granted
</Location>
require<Location shib/shibboleth-sessionsp>
ShibUseHeadersAuthType OnNone
ShibRequestSettingRequire applicationIdall defaultgranted
</Location>
Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
<Location "/resources">secure>
RequireAuthType allshibboleth
granted
ShibRequestSetting ShibRequireSessionrequireSession Off1
</Location>
<Location "/wsrest">require shib-session
Require allShibUseHeaders grantedOn
ShibRequireSessionShibRequestSetting applicationId Offdefault
</Location>
<Location "/payboxcallback">
Require allAuthType grantedshibboleth
ShibRequireSession Off
ShibRequestSetting requireSession 1
</Location>
require shib-session
ProxyPass / ajp://localhost:8209/ ttl=10 timeout=3600 retry=1
AddOutputFilterByType DEFLATE text/plain text/html text/css text/javascript application/x-javascript application/javascript application/json image/svg+xml
</VirtualHost> |
...
ShibUseHeaders On
ShibRequestSetting applicationId default
</Location>
<Location "/resources">
Require all granted
ShibRequireSession Off
</Location>
<Location "/wsrest">
Require all granted
ShibRequireSession Off
</Location>
<Location "/payboxcallback">
Require all granted
ShibRequireSession Off
</Location>
ProxyPass / ajp://localhost:8209/ ttl=10 timeout=3600 retry=1
AddOutputFilterByType DEFLATE text/plain text/html text/css text/javascript application/x-javascript application/javascript application/json image/svg+xml
</VirtualHost> |
Idem pour le VirtualHost esup-nfc-tag.univ-ville.fr dans /etc/apache2/sites-available/esup-nfc-tag.univ-ville.fr.conf
| Bloc de code |
|---|
|
<VirtualHost *:80>
ServerName esup-nfc-tag.univ-ville.fr
ServerAdmin webmaster@univ-ville.fr
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error_esup-nfc-tag.log
CustomLog ${APACHE_LOG_DIR}/access_esup-nfc-tag.log combined
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
RewriteRule ^/(.*)$ https://esup-nfc-tag.univ-ville.fr/$1 [L,R]
</VirtualHost>
<VirtualHost *:443>
ServerName esup-nfc-tag.univ-ville.fr
ServerAdmin webmaster@univ-ville.fr
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error_esup-nfc-tag.log
CustomLog ${APACHE_LOG_DIR}/access_esup-nfc-tag.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/esup-nfc-tag.univ-ville.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/esup-nfc-tag.univ-ville.fr |
...
/privkey.pem
SSLCertificateChainFile /etc/ |
...
...
live/esup-nfc-tag.univ-ville.fr |
...
| Bloc de code |
|---|
|
<VirtualHost *:80>/chain.pem
ServerName esup-nfc-tag.univ-ville.frProxyPass /Shibboleth.sso !
ServerAdmin webmaster@univ-ville.fr
ProxyPass /secure !
ScriptAlias DocumentRoot/secure /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error_esup-nfc-tag.log
printenv.pl
ShibCompatValidUser Off
# Security measure: remove any client-supplied REMOTE_USER header early. CustomLog ${APACHE_LOG_DIR}/access_esup-nfc-tag.log combined
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
RewriteRule ^/(.*)$ https://esup-nfc-tag.univ-ville.fr/$1 [L,R]
</VirtualHost>
<VirtualHost *:443>
ServerName esup-nfc-tag.univ-ville.fr
ServerAdmin webmaster@univ-ville.fr
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error_esup-nfc-tag.log
CustomLog ${APACHE_LOG_DIR}/access_esup-nfc-tag.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/esup-nfc-tag.univ-ville.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/esup-nfc-tag.univ-ville.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/esup-nfc-tag.univ-ville.fr/chain.pem
ProxyPass /Shibboleth.sso !
ProxyPass /secure !
ScriptAlias /secure /var/www/printenv.pl
ShibCompatValidUser OffRequestHeader unset REMOTE_USER early
<Location /Shibboleth.sso>
SetHandler shib
AuthType None
Require all granted
</Location>
<Location /shibboleth-sp>
AuthType None
Require all granted
</Location>
Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
ShibUseHeaders On
ShibRequestSetting applicationId esup-nfc-tag
</Location>
<Location /manager>
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
ShibUseHeaders On
ShibRequestSetting applicationId esup-nfc-tag
</Location>
<Location /admin>
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
ShibUseHeaders On
ShibRequestSetting applicationId esup-nfc-tag
</Location>
<Location /nfc>
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
ShibUseHeaders On
ShibRequestSetting applicationId esup-nfc-tag
</Location>
ProxyPass / ajp://localhost:8309/ ttl=10 timeout=3600 retry=1
AddOutputFilterByType DEFLATE text/plain text/html text/css text/javascript application/x-javascript application/javascript application/json image/svg+xml
</VirtualHost> |
...
| Bloc de code |
|---|
|
<ApplicationDefaults entityID="https://esup-sgc.univ-ville.fr" ...>
<Sessions ...>
<!--
<SSO entityID="https://idp.univ-ville.fr/idp/shibboleth">
SAML2 SAML1
</SSO>
-->
<SSO location="/"
discoveryProtocol="SAMLDS" discoveryURL="https://discovery.renater.fr/renater"> discoveryProtocol="SAMLDS" discoveryURL="https://discovery.renater.fr/renater">
SAML2 SAML1
SAML2 SAML1
</SSO> |
Concernant la gestion des sessions, obligez l'usage de https pour les cookies mais permettez un changement d'IP de l'utilisateur (certains fournisseurs d'accès internet bas coût ne fixe pas les IPs de leurs clients en mobile) : checkAddress et consistentAddress doivent être à false.
Exemple :
| Bloc de code |
|---|
|
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" consistentAddress="false" handlerSSL="true" cookieProps="https"
</SSO> redirectLimit="exact"> |
Penser à modifier le contact du support:
...