Manage: Config update

OpenConext · Aug 25, 2022 · ff44e55 · ff44e55
1 parent 014ca47
commit ff44e55
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 21 deletions.
diff --git a/roles/manage-gui/templates/manage.conf.j2 b/roles/manage-gui/templates/manage.conf.j2
@@ -23,47 +23,52 @@ Listen {{ apache_app_listen_address.manage }}:{{ loadbalancing.manage.port }}
     RewriteCond %{REQUEST_URI} !\.ttf$
     RewriteCond %{REQUEST_URI} !\.eot$
     RewriteCond %{REQUEST_URI} !^/manage
+    RewriteCond %{REQUEST_URI} !^/internal
     RewriteCond %{REQUEST_URI} !^/fonts
     RewriteRule (.*) /index.html [L]
 
     ProxyPass /Shibboleth.sso !
-    ProxyPass /manage/api/health http://localhost:{{ springapp_tcpport }}/actuator/health retry=0
-    ProxyPass /manage/api/info http://localhost:{{ springapp_tcpport }}/actuator/info retry=0
-    ProxyPass /manage/api http://localhost:{{ springapp_tcpport }}/ retry=0
-    ProxyPassReverse /manage/api http://localhost:{{ springapp_tcpport }}/
+    ProxyPass /manage/api/health http://localhost:{{ springapp_tcpport }}/internal/health retry=0
+    ProxyPass /manage/api/info http://localhost:{{ springapp_tcpport }}/internal/info retry=0
+
+    ProxyPass /internal/health http://localhost:{{ springapp_tcpport }}/internal/health retry=0
+    ProxyPass /internal/info http://localhost:{{ springapp_tcpport }}/internal/info retry=0
+
+    ProxyPass /manage/api http://localhost:{{ springapp_tcpport }} retry=0
+    ProxyPassReverse /manage/api http://localhost:{{ springapp_tcpport }}
+
+    <Location />
+      AuthType shibboleth
+      ShibUseHeaders On
+      ShibRequestSetting applicationId manage
+      ShibRequireSession On
+      ShibRequestSetting REMOTE_ADDR X-Forwarded-For
+      Require valid-user
+    </Location>
 
     DocumentRoot "{{ _springapp_dir }}/current"
 
     <Directory "{{ _springapp_dir }}/current">
-      Order       allow,deny
-      Allow       from all
+      Require all granted
       Options     -Indexes
     </Directory>
 
     # Enable shibboleth for all other URLs, but the health check and info endpoint
     <Location ~ "/manage/api/(health|info)">
-      allow from all
-      satisfy any
+      Require all granted
+    </Location>
+
+    <Location ~ "/internal/(health|info)">
+      Require all granted
     </Location>
 
     # The internal API is secured with basic auth
     <Location ~ "/manage/api/internal/">
-      allow from all
-      satisfy any
+      Require all granted
     </Location>
 
     <Location ~ "(.*)(eot|svg|ttf|woff2|woff|html|js|css|png|jpg|ico)$">
-      allow from all
-      satisfy any
-    </Location>
-
-    <Location />
-      AuthType shibboleth
-      ShibUseHeaders On
-      ShibRequestSetting applicationId manage
-      ShibRequireSession On
-      ShibRequestSetting REMOTE_ADDR X-Forwarded-For
-      require valid-user
+      Require all granted
     </Location>
 
     Header always set Content-Security-Policy "{{ httpd_csp.lenient_with_static_img }}"

diff --git a/roles/manage-server/templates/application.yml.j2 b/roles/manage-server/templates/application.yml.j2
@@ -78,6 +78,14 @@ management:
   health:
     mail:
       enabled: true
+  endpoints:
+    web:
+      exposure:
+        include: "health,info"
+      base-path: "/internal"
+  endpoint:
+    info:
+      enabled: true
   info:
     git:
       mode: full