httpd.conf.patch

--- image-httpd.conf	2023-10-23 10:48:26
+++ httpd.conf	2023-10-24 08:20:37
@@ -1,21 +1,22 @@
 #
+#
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
 # See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
-# In particular, see 
+# In particular, see
 # <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
 # for a discussion of each configuration directive.
 #
 # Do NOT simply read the instructions in here without understanding
 # what they do.  They're here only as hints or reminders.  If you are unsure
-# consult the online docs. You have been warned.  
+# consult the online docs. You have been warned.
 #
 # Configuration and logfile names: If the filenames you specify for many
 # of the server's control files begin with "/" (or "drive:/" for Win32), the
 # server will use that explicit path.  If the filenames do *not* begin
 # with "/", the value of ServerRoot is prepended -- so "logs/access_log"
 # with ServerRoot set to "/usr/local/apache2" will be interpreted by the
-# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" 
+# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
 # will be interpreted as '/logs/access_log'.
 
 #
@@ -45,11 +46,11 @@
 # ports, instead of the default. See also the <VirtualHost>
 # directive.
 #
-# Change this to Listen on specific IP addresses as shown below to 
+# Change this to Listen on specific IP addresses as shown below to
 # prevent Apache from glomming onto all bound IP addresses.
 #
 #Listen 12.34.56.78:80
-Listen 80
+Listen ${HTTP_PORT}
 
 #
 # Dynamic Shared Object (DSO) Support
@@ -89,12 +90,11 @@
 #LoadModule isapi_module modules/mod_isapi.so
 #LoadModule file_cache_module modules/mod_file_cache.so
 #LoadModule cache_module modules/mod_cache.so
-#LoadModule cache_disk_module modules/mod_cache_disk.so
+#LoadModule cache_disk_module modules/mod4_cache_disk.so
 #LoadModule cache_socache_module modules/mod_cache_socache.so
-#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
 #LoadModule socache_dbm_module modules/mod_socache_dbm.so
 #LoadModule socache_memcache_module modules/mod_socache_memcache.so
-#LoadModule socache_redis_module modules/mod_socache_redis.so
 #LoadModule watchdog_module modules/mod_watchdog.so
 #LoadModule macro_module modules/mod_macro.so
 #LoadModule dbd_module modules/mod_dbd.so
@@ -120,7 +120,6 @@
 #LoadModule deflate_module modules/mod_deflate.so
 #LoadModule xml2enc_module modules/mod_xml2enc.so
 #LoadModule proxy_html_module modules/mod_proxy_html.so
-#LoadModule brotli_module modules/mod_brotli.so
 LoadModule mime_module modules/mod_mime.so
 #LoadModule ldap_module modules/mod_ldap.so
 LoadModule log_config_module modules/mod_log_config.so
@@ -138,17 +137,17 @@
 #LoadModule unique_id_module modules/mod_unique_id.so
 LoadModule setenvif_module modules/mod_setenvif.so
 LoadModule version_module modules/mod_version.so
-#LoadModule remoteip_module modules/mod_remoteip.so
-#LoadModule proxy_module modules/mod_proxy.so
+LoadModule remoteip_module modules/mod_remoteip.so
+LoadModule proxy_module modules/mod_proxy.so
 #LoadModule proxy_connect_module modules/mod_proxy_connect.so
 #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
-#LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
 #LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
 #LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
 #LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
 #LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
 #LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
-#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
+LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
 #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
 #LoadModule proxy_express_module modules/mod_proxy_express.so
 #LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
@@ -158,7 +157,7 @@
 #LoadModule session_dbd_module modules/mod_session_dbd.so
 #LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
 #LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
-#LoadModule ssl_module modules/mod_ssl.so
+LoadModule ssl_module modules/mod_ssl.so
 #LoadModule optional_hook_export_module modules/mod_optional_hook_export.so
 #LoadModule optional_hook_import_module modules/mod_optional_hook_import.so
 #LoadModule optional_fn_import_module modules/mod_optional_fn_import.so
@@ -166,7 +165,6 @@
 #LoadModule dialup_module modules/mod_dialup.so
 #LoadModule http2_module modules/mod_http2.so
 #LoadModule proxy_http2_module modules/mod_proxy_http2.so
-#LoadModule md_module modules/mod_md.so
 #LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
 #LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
 #LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
@@ -196,19 +194,19 @@
 #LoadModule speling_module modules/mod_speling.so
 #LoadModule userdir_module modules/mod_userdir.so
 LoadModule alias_module modules/mod_alias.so
-#LoadModule rewrite_module modules/mod_rewrite.so
+LoadModule rewrite_module modules/mod_rewrite.so
 
 <IfModule unixd_module>
 #
 # If you wish httpd to run as a different user or group, you must run
-# httpd as root initially and it will switch.  
+# httpd as root initially and it will switch.
 #
 # User/Group: The name (or #number) of the user/group to run httpd as.
 # It is usually good practice to create a dedicated user and group for
 # running httpd, as with most system services.
 #
-User www-data
-Group www-data
+User daemon
+Group daemon
 
 </IfModule>
 
@@ -238,11 +236,11 @@
 #
 # If your host doesn't have a registered DNS name, enter its IP address here.
 #
-#ServerName www.example.com:80
+ServerName ${METACAT_UI_DOMAIN}:80
 
 #
 # Deny access to the entirety of your server's filesystem. You must
-# explicitly permit access to web content directories in other 
+# explicitly permit access to web content directories in other
 # <Directory> blocks below.
 #
 <Directory />
@@ -264,6 +262,14 @@
 #
 DocumentRoot "/usr/local/apache2/htdocs"
 <Directory "/usr/local/apache2/htdocs">
+
+    # The MetacatUI new routing changes work because when a client navigates
+    # to a MetacatUI view via a full pathname (/data) rather than a hash
+    # (/#data), Apache will serve the MetacatUI index.html page as a fallback
+    # resource instead of returning a 404 error. The fallback resource is
+    # specified via this Apache setting:
+    FallbackResource /index.html
+
     #
     # Possible values for the Options directive are "None", "All",
     # or any combination of:
@@ -276,7 +282,7 @@
     # http://httpd.apache.org/docs/2.4/mod/core.html#options
     # for more information.
     #
-    Options Indexes FollowSymLinks
+    Options FollowSymLinks
 
     #
     # AllowOverride controls what directives may be placed in .htaccess files.
@@ -300,8 +306,8 @@
 </IfModule>
 
 #
-# The following lines prevent .htaccess and .htpasswd files from being 
-# viewed by Web clients. 
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
 #
 <Files ".ht*">
     Require all denied
@@ -324,16 +330,28 @@
 LogLevel warn
 
 <IfModule log_config_module>
+
+    LogLevel info ssl:warn
+
     #
     # The following directives define some format nicknames for use with
     # a CustomLog directive (see below).
     #
-    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
-    LogFormat "%h %l %u %t \"%r\" %>s %b" common
+    ErrorLogFormat "[%{uc}t] [%-m:%-l] [R:%L] [C:%{C}L] %7F: %E: %M"
+    ErrorLogFormat request "[%{uc}t] [R:%L] Request %k on C:%{c}L pid:%P tid:%T"
+    ErrorLogFormat request "[%{uc}t] [R:%L] UA:'%+{User-Agent}i'"
+    ErrorLogFormat request "[%{uc}t] [R:%L] Referer:'%+{Referer}i'"
+    ErrorLogFormat connection "[%{uc}t] [C:%{c}L] local\ %a remote\ %A"
 
+    # The log format is determined by the most recently specified
+    # LogFormat directive which does not define a nickname.
+    LogFormat "%a %l %u %t [R:%L] \"%r\" %>s %b %X \"%{Referer}i\" \"%{User-Agent}i\""
+    LogFormat "%a %l %u %t [R:%L] \"%r\" %>s %b %X \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%a %l %u %t [R:%L] \"%r\" %>s %b %X" common
+
     <IfModule logio_module>
       # You need to enable mod_logio.c to use %I and %O
-      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+      LogFormat "%a %l %u %t [R:%L] \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
     </IfModule>
 
     #
@@ -342,20 +360,25 @@
     # container, they will be logged here.  Contrariwise, if you *do*
     # define per-<VirtualHost> access logfiles, transactions will be
     # logged therein and *not* in this file.
-    #
-    CustomLog /proc/self/fd/1 common
 
-    #
-    # If you prefer a logfile with access, agent, and referer information
-    # (Combined Logfile Format) you can use the following directive.
+    # Output to stdout, stderr
+    CustomLog /proc/self/fd/1 combined
+    ErrorLog  /proc/self/fd/2
+
+    <IfDefine EnableLogOutput>
     #
-    #CustomLog "logs/access_log" combined
+    # Rotate access and error logs to files
+    CustomLog "|/usr/local/apache2/bin/rotatelogs /var/log/apache2/${HOSTNAME}_accesslog.%Y.%m 86400" combined
+    ErrorLog  "|/usr/local/apache2/bin/rotatelogs /var/log/apache2/${HOSTNAME}_errorlog.%Y-%m-%d-%H_%M 100M"
+
+    </IfDefine>
+
 </IfModule>
 
 <IfModule alias_module>
     #
-    # Redirect: Allows you to tell clients about documents that used to 
-    # exist in your server's namespace, but do not anymore. The client 
+    # Redirect: Allows you to tell clients about documents that used to
+    # exist in your server's namespace, but do not anymore. The client
     # will make a new request for the document at its new location.
     # Example:
     # Redirect permanent /foo http://www.example.com/bar
@@ -372,7 +395,7 @@
     # the filesystem path.
 
     #
-    # ScriptAlias: This controls which directories contain server scripts. 
+    # ScriptAlias: This controls which directories contain server scripts.
     # ScriptAliases are essentially the same as Aliases, except that
     # documents in the target directory are treated as applications and
     # run by the server when requested rather than as documents sent to the
@@ -484,10 +507,10 @@
 #MaxRanges unlimited
 
 #
-# EnableMMAP and EnableSendfile: On systems that support it, 
+# EnableMMAP and EnableSendfile: On systems that support it,
 # memory-mapping or the sendfile syscall may be used to deliver
 # files.  This usually improves server performance, but must
-# be turned off when serving from networked-mounted 
+# be turned off when serving from networked-mounted
 # filesystems or if support for these functions is otherwise
 # broken on your system.
 # Defaults: EnableMMAP On, EnableSendfile Off
@@ -497,9 +520,9 @@
 
 # Supplemental configuration
 #
-# The configuration files in the conf/extra/ directory can be 
-# included to add extra features or to modify the default configuration of 
-# the server, or you may simply copy their contents here and change as 
+# The configuration files in the conf/extra/ directory can be
+# included to add extra features or to modify the default configuration of
+# the server, or you may simply copy their contents here and change as
 # necessary.
 
 # Server-pool management (MPM specific)
@@ -537,8 +560,12 @@
 Include conf/extra/proxy-html.conf
 </IfModule>
 
+
+<IfDefine EnableSSL>
 # Secure (SSL/TLS) connections
-#Include conf/extra/httpd-ssl.conf
+Include conf/extra/httpd-ssl.conf
+</IfDefine>
+
 #
 # Note: The following must must be present to support
 #       starting without SSL on platforms with no /dev/random equivalent
@@ -549,3 +576,54 @@
 SSLRandomSeed connect builtin
 </IfModule>
 
+Options -Indexes
+
+# Enable CORS; this supports metacat being remote from the js code
+Header always append X-Frame-Options SAMEORIGIN
+SetEnvIf Origin "^(.*)$" ORIGIN_DOMAIN=$1
+Header set Access-Control-Allow-Origin "%{ORIGIN_DOMAIN}e" env=ORIGIN_DOMAIN
+Header set Access-Control-Allow-Headers "Authorization, Content-Type, Origin, Cache-Control"
+Header set Access-Control-Allow-Methods "GET, POST, PUT, OPTIONS"
+Header set Access-Control-Allow-Credentials "true"
+
+<VirtualHost *:${HTTP_PORT}>
+
+    AllowEncodedSlashes On
+    AcceptPathInfo      On
+
+    RewriteEngine on
+    RewriteRule "^/datasets(.*)" "https://%{SERVER_NAME}/view$1" [R,L]
+    RewriteRule "^/(sitemap.+)" "https://%{SERVER_NAME}/${METACAT_APP_CONTEXT}/sitemaps$1" [R=303,L]
+    RequestHeader set X-Proxy-Key "${METACAT_SSL_PROXY_KEY}"
+
+    ProxyPass "/${METACAT_APP_CONTEXT}/" "ajp://${METACAT_MN_DOMAIN}:8009/${METACAT_APP_CONTEXT}/" nocanon retry=${METACAT_APP_RETRY} timeout=${METACAT_APP_TIMEOUT}
+    ProxyPassReverse "/${METACAT_APP_CONTEXT}/" "ajp:/${METACAT_MN_DOMAIN}:8009/${METACAT_APP_CONTEXT}/"
+
+    <IfDefine EnableReverseProxy>
+
+        RemoteIPProxyProtocol On
+
+        # Requests to this virtual host must have a PROXY protocol
+        # header provided. If it is missing, the connection will
+        # be aborted
+
+    </IfDefine>
+
+
+
+    # Enable robots.txt and the sitemap
+    Alias /robots.txt /usr/local/apache2/htdocs/robots.txt
+
+    <IfDefine EnableRealIp>
+       # Spin 2 Trusted Ip addreses to forward
+       RemoteIPHeader        X-Forwarded-For
+       RemoteIPInternalProxy 10.42.0.0/16
+       RemoteIPInternalProxy 128.55.137.128/25
+       RemoteIPInternalProxy 128.55.212.0/24
+       RemoteIPInternalProxy 128.55.206.0/24
+
+
+    </IfDefine>
+
+
+</VirtualHost>