replace softlinks with hardlinks

dlareau · Jan 11, 2016 · f25f873 · f25f873
1 parent 8deb837
commit f25f873
Show file tree

Hide file tree

Showing 2 changed files with 229 additions and 2 deletions.
diff --git a/config/puzzlehunt.conf b/config/puzzlehunt.conf
diff --git a/config/puzzlehunt.conf b/config/puzzlehunt.conf
@@ -0,0 +1,57 @@
+NameVirtualHost *:80
+<VirtualHost *:80>
+             ServerName www.puzzlehunt.club
+
+             ServerAdmin webmaster@localhost
+             DocumentRoot /var/www/mazeoftwistypassages/current
+</VirtualHost>
+
+<VirtualHost *:80>
+	ServerName puzzlehunt.club.cc.cmu.edu
+
+	ServerAdmin webmaster@localhost
+	DocumentRoot /var/www/html
+	Redirect permanent / https://puzzlehunt.club.cc.cmu.edu/
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+	ServerName puzzlehunt.club.cc.cmu.edu
+
+	ServerAdmin webmaster@localhost
+	DocumentRoot /var/www/html
+
+	Alias /static /home/hunt/puzzlehunt_server/static
+	<Directory /home/hunt/puzzlehunt_server/static>
+	    Require all granted
+	</Directory>
+
+	<Location /shib/>
+		  AuthType Shibboleth
+		  ShibRequireSession On
+		  ShibApplicationId default
+		  ShibExportAssertion On
+		  require shib-user ~ ^.+@andrew.cmu.edu$
+	</Location>
+
+	ProxyPass	 /static/ !
+	ProxyPass	 /Shibboleth.sso/ !
+	ProxyPass 	 /ws/   ws://127.0.0.1:3032/ws/
+	ProxyPass 	 / uwsgi://127.0.0.1:9090/
+	ProxyPassReverse / uwsgi://127.0.0.1:9090/
+
+	<Location /secret>
+		  AuthType Shibboleth
+		  ShibRequireSession On
+		  ShibApplicationId default
+		  ShibExportAssertion On
+		  Require shibboleth
+	</Location>
+
+	SSLCertificateFile /etc/letsencrypt/live/puzzlehunt.club.cc.cmu.edu/fullchain.pem
+	SSLCertificateKeyFile /etc/letsencrypt/live/puzzlehunt.club.cc.cmu.edu/privkey.pem
+	Include /etc/letsencrypt/options-ssl-apache.conf
+</VirtualHost>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
+</IfModule>
diff --git a/config/shibboleth2.xml b/config/shibboleth2.xml
diff --git a/config/shibboleth2.xml b/config/shibboleth2.xml
@@ -0,0 +1,172 @@
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+
+    <!--
+    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+    -->
+
+    <!--
+    To customize behavior for specific resources on Apache, and to link vhosts or
+    resources to ApplicationOverride settings below, use web server options/commands.
+    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
+    
+    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
+    -->
+
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+    <ApplicationDefaults entityID="https://puzzlehunt.club.cc.cmu.edu/shibboleth"
+                         REMOTE_USER="eppn persistent-id targeted-id">
+
+        <!--
+        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+        You MUST supply an effectively unique handlerURL value for each of your applications.
+        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+        Note that while we default checkAddress to "false", this has a negative impact on the
+        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
+        -->
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+
+            <!--
+            Configures SSO for a default IdP. To allow for >1 IdP, remove
+            entityID property and adjust discoveryURL to point to discovery service.
+            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
+            You can also override entityID on /Login query string, or in RequestMap/htaccess.
+            -->
+	    <!--
+            <SSO entityID="https://idp.example.org/idp/shibboleth"
+                 discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
+              SAML2 SAML1
+            </SSO>
+	    -->
+
+	    <!-- Use login.cmu.edu identity provider --> 
+
+	    <SSO entityID="https://login.cmu.edu/idp/shibboleth">
+              SAML2 SAML1
+            </SSO>
+	    <!--
+	    <SSO entityID="https://idp.pitt.edu/idp/shibboleth">
+	      SAML2 SAML1
+	    </SSO>
+	    -->
+	    <!-- Use identity.andrew.cmu.edu identity provider --> 
+            <!-- uncomment to use	  
+	    <SSO entityID="https://identity.andrew.cmu.edu/idp/shibboleth">
+              SAML2 SAML1
+            </SSO>
+	    -->  
+
+	    <!-- Use InCommon Federation Discovery Service -->
+            <!-- uncomment to use 	    	    
+	    <SSO discoveryProtocol="SAMLDS" discoveryURL="http://wayf.incommonfederation.org/DS/WAYF">
+              SAML2 SAML1
+            </SSO>
+	    -->
+
+            <!-- SAML and local-only logout. -->
+            <Logout>SAML2 Local</Logout>
+
+            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <!-- Status reporting service. -->
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+            <!-- Session diagnostic service. -->
+            <Handler type="Session" Location="/Session" showAttributeValues="true"/>
+
+            <!-- JSON feed of discovery information. -->
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+
+	    <SessionInitiator type="Chaining" id="idpchooser" Location="/Login" isDefault="true">
+	      <SessionInitiator type="SAML2"
+				template="/etc/shibboleth/bindingTemplate.html"/>
+	      <SessionInitiator type="Form"
+				template="/etc/shibboleth/discoveryTemplate.html"/>
+	    </SessionInitiator>
+
+	</Sessions>
+
+        <!--
+        Allows overriding of error template information/filenames. You can
+        also add attributes with values that can be plugged into the templates.
+        -->
+        <Errors supportContact="dlareau@cmu.edu"
+            helpLocation="/about.html"
+            styleSheet="/shibboleth-sp/main.css"/>
+
+        <!-- Example of remotely supplied batch of signed metadata. -->
+        <!--
+        <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
+              backingFilePath="federation-metadata.xml" reloadInterval="7200">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
+        </MetadataProvider>
+        -->
+
+        <!-- Example of locally maintained metadata. -->
+        <!--
+        <MetadataProvider type="XML" file="partner-metadata.xml"/>
+        -->
+
+	<!-- Fetch InCommon Metadata -->
+
+        <MetadataProvider type="XML" uri="http://md.incommon.org/InCommon/InCommon-metadata.xml"
+	backingFilePath="incommon-metadata.xml" reloadInterval="7200">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="incommon.pem"/>
+        </MetadataProvider>
+
+
+	<!-- Fetch InCommon Metadata from within Computing Services SII environment using proxy -->
+	<!-- uncomment to use
+        <MetadataProvider type="XML" uri="http://md.incommon.org/InCommon/InCommon-metadata.xml"
+	backingFilePath="incommon-metadata.xml" reloadInterval="7200">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="incommon.pem"/>
+            <TransportOption provider="CURL" option="10004">sii-proxy.iso.cmu.edu:3128</TransportOption>
+        </MetadataProvider>
+	-->
+
+        <!-- Map to extract attributes from SAML assertions. -->
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+        <!-- Use a SAML query if no attributes are supplied during SSO. -->
+        <AttributeResolver type="Query" subjectMatch="true"/>
+
+        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <!-- Simple file-based resolver for using a single keypair. -->
+        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+
+        <!--
+        The default settings can be overridden by creating ApplicationOverride elements (see
+        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
+        Resource requests are mapped by web server commands, or the RequestMapper, to an
+        applicationId setting.
+        
+        Example of a second application (for a second vhost) that has a different entityID.
+        Resources on the vhost would map to an applicationId of "admin":
+        -->
+        <!--
+        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+        -->
+    </ApplicationDefaults>
+
+    <!-- Policies that determine how to process and authenticate runtime messages. -->
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+    <!-- Low-level configuration about protocols and bindings available for use. -->
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>