Listen {{ httpd_http_port }}
Listen {{ httpd_https_port }}

NameVirtualHost *:{{ httpd_http_port }}
NameVirtualHost *:{{ httpd_https_port }}

ServerAdmin none.of@your.business
ServerTokens prod
ServerSignature Off

SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:{{ httpd_home }}/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
SSLMutex  "file:{{ httpd_home }}/logs/ssl_mutex"
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
SSLCertificateFile "{{ httpd_home }}/conf/server.crt"
SSLCertificateKeyFile "{{ httpd_home }}/conf/server.key"
SSLCertificateChainFile "{{ httpd_home }}/conf/server-ca.crt"

CustomLog "{{ httpd_home }}/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
CustomLog "/home/www/httpd/logs/access_full_log" "%t %v %h %u \"%r\" %>s %b (origin=%{HTTP_SM_ORIGIN}e)"

# The favicon is available on all Virtual Hosts
Alias /favicon.ico {{ httpd_home }}/htdocs/static/favicon.ico

# The default virtual hosts have to be declared first when using Named VirtualHosts
<VirtualHost *:{{ httpd_https_port }}>
  ServerName dummyhost.dummydomain
  DocumentRoot {{ httpd_home }}/htdocs/default/
  SSLEngine on
</VirtualHost>

<VirtualHost *:{{ httpd_http_port }}>
  ServerName dummyhost.dummydomain
  DocumentRoot {{ httpd_home }}/htdocs/default/
</VirtualHost>


# Reverse Proxy the WAM UI
<VirtualHost *:{{ httpd_https_port }}>
  ServerName {{ sm_wamui_hostname }}
  SSLEngine on

  # Proxy all requests under / to the WAMUI
  ProxyPreserveHost On
  ProxyRequests off
  SSLProxyEngine on
  SSLProxyVerify none
  ProxyPass / https://localhost:48443/
  ProxyPassReverse / https://localhost:48443/

  # Redirect the root url to the WAMUI Login Page
  RewriteEngine On
  RewriteRule ^/$ /iam/siteminder/adminui/ [R=301]
</VirtualHost>

# Reverse Proxy the Layer7 Web Pages
<VirtualHost *:{{ httpd_https_port }}>
  ServerName {{ ssg_hostname }}
  SSLEngine on

  # Proxy all requests under / to Layer7
  ProxyPreserveHost On
  ProxyRequests off
  SSLProxyEngine on
  SSLProxyVerify none
  ProxyPass / https://localhost:{{ ssg_service_port }}/
</VirtualHost>

# Reverse Proxy the SiteMinder Federation
<VirtualHost *:{{ httpd_https_port }}>
  ServerName {{ wa_public_hostname }}
  SSLEngine on

  # Proxy all requests under /affwebservices to Tomcat
  ProxyPreserveHost On
  ProxyRequests off
  ProxyPass /affwebservices http://localhost:{{ tomcat_port_prefix }}8080/affwebservices
  ProxyPassReverse /affwebservices http://localhost:{{ tomcat_port_prefix }}8080/affwebservices
</VirtualHost>

# Reverse Proxy OneAccess personalization engine
<VirtualHost *:{{ httpd_https_port }}>
  ServerName {{ oneaccess_public_hostname }}
  SSLEngine on

  # Proxy all requests under /oneaccess to Tomcat
  ProxyPreserveHost On
  ProxyRequests off
  ProxyPass /oneaccess/ http://localhost:{{ tomcat_port_prefix }}8080/oneaccess/
  ProxyPassReverse /oneaccess/ http://localhost:{{ tomcat_port_prefix }}8080/oneaccess/

  # Handle Redirections / Proxy
  SSLProxyEngine on
  SSLProxyVerify none
  RewriteEngine on

  # Proxy the /userinfo requests to Layer7
  RewriteRule ^/userinfo$ https://{{ ssg_hostname }}:{{ ssg_service_port }}/oneaccessweb/userinfo [P]

  # If the sm_origin header is not present, loopback the request so that we can have it
  RewriteCond %{HTTP:OneAccess-Origin} ^$
  RewriteRule ^/oneaccess/personalization/(env=.*)?$ https://{{ oneaccess_public_hostname }}:{{ httpd_https_port }}/oneaccess/personalization/ [P]

  # Once we have the sm_origin header, proxy the request to the correct location
  RewriteCond %{HTTP:OneAccess-Origin} ^external$
  RewriteRule ^/oneaccess/personalization/$ https://{{ oneaccess_public_hostname }}:{{ httpd_https_port }}/oneaccess/personalization/env=ex [P]
  RewriteCond %{HTTP:OneAccess-Origin} ^internal$
  RewriteRule ^/oneaccess/personalization/$ https://{{ oneaccess_public_hostname }}:{{ httpd_https_port }}/oneaccess/personalization/env=in [P]

  # Redirect the root url to the Personalization WebApp
  RewriteRule ^/$ /oneaccess/personalization/ [R=301]
</VirtualHost>

# Static files
<VirtualHost *:{{ httpd_https_port }} *:{{ httpd_http_port }}>
  ServerName {{ oneaccess_static_hostname }}
  DocumentRoot {{ httpd_home }}/htdocs/static/

  # The static files can be accessed from any location
  Header set Access-Control-Allow-Origin "*"
</VirtualHost>

# Intranet
<VirtualHost *:{{ httpd_https_port }}>
  ServerName {{ oneaccess_intranet_hostname }}
  DocumentRoot {{ httpd_home }}/htdocs/intranet/

  # Redirect every url to the Hello World CGI
  RewriteEngine On
  RewriteRule ^/$ https://{{ oneaccess_intranet_hostname }}/cgi-bin/helloworld [R=301,L]
</VirtualHost>

# PKI stuff
<VirtualHost *:{{ httpd_https_port }} *:{{ httpd_http_port }}>
  ServerName {{ httpd_pki_hostname }}
  DocumentRoot {{ httpd_home }}/htdocs/pki/

  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl    .crl
  AddType application/x-apple-aspen-config .mobileconfig
</VirtualHost>