From 8aaaa64b176d21e525372a296d5d8d6085e5d26f Mon Sep 17 00:00:00 2001 From: Brant Knudson Date: Sun, 15 Mar 2015 10:32:57 -0500 Subject: [PATCH] Update sample httpd config file The sample httpd config file was not using best practices for apache configuration. The file is now a copy of the file that devstack uses for keystone apache config (files/apache-keystone.template), with the replacement strings updated to the keystone defaults. Also, the "Firewall" section is removed from the httpd config docs because the sample config file isn't using port 443. Change-Id: I1d10925b33ec7e70793e61db1cb99186f112ef3e --- doc/source/apache-httpd.rst | 16 ++++------------ httpd/wsgi-keystone.conf | 32 ++++++++++++++++++++++++++------ 2 files changed, 30 insertions(+), 18 deletions(-) diff --git a/doc/source/apache-httpd.rst b/doc/source/apache-httpd.rst index 3171192267..c075512fb9 100644 --- a/doc/source/apache-httpd.rst +++ b/doc/source/apache-httpd.rst @@ -28,18 +28,6 @@ Running Keystone in HTTPD support ``Transfer-Encoding: chunked``. -Firewall --------- - -Add the following rule to IPTables in order to ensure the SSL traffic can pass -your firewall:: - - -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT - -it goes right before:: - - -A INPUT -j REJECT --reject-with icmp-host-prohibited - Files ----- @@ -48,6 +36,10 @@ Apache server, most likely:: /etc/httpd/conf.d/wsgi-keystone.conf +Update this file to match your system configuration (for example, some +distributions put httpd logs in the ``apache2`` directory and some in the +``httpd`` directory; also, enable TLS). + Create the directory ``/var/www/cgi-bin/keystone/``. You can either hardlink or softlink the files ``main`` and ``admin`` to the file ``keystone.py`` in this directory. For a distribution appropriate place, it should probably be copied diff --git a/httpd/wsgi-keystone.conf b/httpd/wsgi-keystone.conf index d542a878a1..f191818f61 100644 --- a/httpd/wsgi-keystone.conf 
+++ b/httpd/wsgi-keystone.conf @@ -1,8 +1,28 @@ -WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main -WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin +Listen 5000 +Listen 35357 - - NSSRequireSSL - Authtype none - + + WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP} + WSGIProcessGroup keystone-public + WSGIScriptAlias / /var/www/cgi-bin/keystone/main + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + = 2.4> + ErrorLogFormat "%{cu}t %M" + + ErrorLog /var/log/apache2/keystone.log + CustomLog /var/log/apache2/keystone_access.log combined + + + WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP} + WSGIProcessGroup keystone-admin + WSGIScriptAlias / /var/www/cgi-bin/keystone/admin + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + = 2.4> + ErrorLogFormat "%{cu}t %M" + + ErrorLog /var/log/apache2/keystone.log + CustomLog /var/log/apache2/keystone_access.log combined +
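Review bot: Neither added block (ports 5000 and 35357) carries any TLS directive, and the removed `NSSRequireSSL` line was the only transport requirement in this file, so a deployment that copies the sample verbatim would carry Keystone passwords and tokens in cleartext. The doc hunk mentions enabling TLS only in a parenthetical, so the sample itself should say it, for example with a header comment `# Sample only: serves plain HTTP; enable TLS before production use.` and commented-out `SSLEngine on`, `SSLCertificateFile <path-to-cert>` and `SSLCertificateKeyFile <path-to-key>` lines in each block. `Listen 35357` also binds the admin API on every interface; a comment pointing to the `Listen <mgmt-address>:35357` form would make the exposure explicit. The container lines around each block are not visible in this rendering, so the placement of these directives is inferred.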