20-https.cfg
#
# Configure HTTPS access and security (XrdHttp directives for the xrootd daemon)
#
# Per-protocol certificate settings, left disabled here. With
# "http.httpsmode auto" below, the TLS material is presumably taken from the
# global xrd.tls / xrd.tlsca directives in another config file -- TODO confirm.
# http.cadir /etc/grid-security/certificates
# http.cert /etc/grid-security/xrd/hostcert.pem
# http.key /etc/grid-security/xrd/hostkey.pem
http.httpsmode auto
# Redirections to other hosts are issued as HTTPS rather than plain HTTP.
http.desthttps yes
# The directives up to "fi" are applied only when the executable is xrootd.
if exec xrootd
# Directory listings over HTTP are not denied. NOTE(review): confirm that the
# authorization rules still limit which paths can be listed.
http.listingdeny no
# Serve the local robots.txt file at the given static URL.
http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt
# Load the HTTP protocol plugin. $(httpsPort) is not set in this file.
xrd.protocol http:$(httpsPort) /usr/lib64/libXrdHttp.so
# NOTE(review): the "+port" form appears to register an additional listening
# port for the http protocol; both lines use the same $(httpsPort) -- confirm
# this is intended.
xrd.protocol http:$(httpsPort) +port
# NOTE(review): this "yes" is contradicted by "http.selfhttps2http no" near the
# end of the file. Presumably the later line takes effect -- confirm. With "yes",
# a redirect back to this server would move the client from HTTPS to plain HTTP,
# so "no" is the setting that keeps the transfer encrypted.
http.selfhttps2http yes
# Enable third-party-copy
http.exthandler xrdtpc libXrdHttpTPC.so
# Pass the bearer token to the Xrootd authorization framework.
# The Authorization header is copied into the "authz" CGI element. Check that
# request logging and monitoring do not record CGI strings in clear text, since
# they would then contain the token.
http.header2cgi Authorization authz
fi
# VOMS attribute extraction can give different results depending on grpopt;
# see https://github.com/xrootd/xrootd/issues/1369
# Full extraction gives something like:
# sec.vorg="cms cms cms cms cms" sec.grps="/cms /cms/ALARM /cms/GGUSExpert /cms /cms/TEAM" sec.role="production NULL NULL NULL NULL"
# where the first and 4th entries are identical except for the role. The latter role seems to have fewer permissions.
# Previous setting (grpopt=usefirst), kept for reference:
# http.secxtractor /usr/lib64/libXrdVoms.so certfmt=raw|grpopt=usefirst|vos=atlas,cms,dteam,dune,gridpp,lz,mu3e.org,ops,wlcg|grps=/atlas,/cms,/dteam,/dune,/gridpp,/lz,/mu3e,/ops,/wlcg|dbg
# Active setting: grpopt=useall passes every accepted group/role pair to the
# authorization layer, so the authorization rules must be written with all of
# them in mind, not just the first one.
# NOTE(review): the trailing "dbg" option looks like debug output for the VOMS
# extractor; confirm it is still wanted in production, since it may write
# certificate attributes to the log.
http.secxtractor /usr/lib64/libXrdVoms.so certfmt=raw|grpopt=useall|vos=atlas,cms,dteam,dune,gridpp,lz,mu3e.org,ops,wlcg|grps=/atlas,/cms,/dteam,/dune,/gridpp,/lz,/mu3e,/ops,/wlcg|dbg
# Set outside the "if exec xrootd" block; see the note on the earlier
# "http.selfhttps2http yes" line about which value is effective.
http.selfhttps2http no
# 2022.05.18 13:37: on -> off
# TLS session reuse is switched off (the reason for the change is not recorded here).
http.tlsreuse off