# Sample VirtualHost configuration file for EtherCalc under Apache
# Permissions are granted
#  * for all sheets: to users belonging to
#      cn=ethercalc,ou=groups,dc=example,dc=com group
#  * for single sheet: to users belonging to subgroup of
#      cn=ethercalc,ou=groups,dc=example,dc=com group. Name of this
#      subgroup determines the name of sheet user has access to.
#      e.g. member of cn=diner,cn=ethercalc,ou=groups,dc=example,dc=com
#      has access to https://ethercalc.example.com/diner sheet.
#
# Note: duplicated AuthLDAP directives should be removed using
#   AuthnProviderAlias. Unfortunately it does not seem to work as of
#   Apache 2.4.9

#<AuthnProviderAlias ldap ethercalc>
#    AuthBasicProvider ldap
#    AuthLDAPBindDN "cn=apache,dc=example,dc=com"
#    AuthLDAPBindPassword <password>
#    AuthLDAPURL ldap://localhost/ou=people,dc=example,dc=com?uid
#</AuthnProviderAlias>

<VirtualHost 1.2.3.4:443>
  ServerName ethercalc.example.com
  ErrorLog /var/log/apache2/ethercalc-ssl_error_log

  TransferLog /var/log/apache2/ethercalc-ssl_access_log
  CustomLog /var/log/apache2/ethercalc-ssl_request_log \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  ProxyRequests Off
  ProxyPass / http://127.0.0.1:8000/

  <Location />
    Require all denied
  </Location>
  # Files referred to by Ethercalc sheet
  <LocationMatch '^/[^/]+/[^/]*$' >
    AuthType Basic
    AuthName "EtherCalc"
    AuthBasicProvider ldap
    AuthLDAPBindDN "cn=apache,dc=example,dc=com"
    AuthLDAPBindPassword <password>
    AuthLDAPURL ldap://localhost/ou=people,dc=example,dc=com?uid
    #AuthBasicProvider ethercalc
    SetEnvIf Referer "^https://[^/]+/([^/]+)$" CALC_REFERRAL=$1
    <RequireAny>
      Require ldap-group cn=ethercalc,ou=groups,dc=example,dc=com
      Require ldap-group cn=%{unescape:%{env:CALC_REFERRAL}},cn=ethercalc,ou=groups,dc=example,dc=com
    </RequireAny>
  </LocationMatch>
  # Ethercalc sheet
  <LocationMatch '^/(?<CALCNAME>[^/]+)$' >
    AuthType Basic
    AuthName "EtherCalc"
    AuthBasicProvider ldap
    AuthLDAPBindDN "cn=apache,dc=example,dc=com"
    AuthLDAPBindPassword <password>
    AuthLDAPURL ldap://localhost/ou=people,dc=example,dc=com?uid
    #AuthBasicProvider ethercalc
    <RequireAny>
      Require ldap-group cn=ethercalc,ou=groups,dc=example,dc=com
      Require ldap-group cn=%{unescape:%{env:MATCH_CALCNAME}},cn=ethercalc,ou=groups,dc=example,dc=com
    </RequireAny>
  </LocationMatch>
  #LogLevel authz_core:trace1

  SSLEngine on
  SSLCertificateFile /etc/ssl/apache2/server.crt
  SSLCertificateKeyFile /etc/ssl/apache2/server.key
</VirtualHost>

# vim: ts=4 filetype=apache