
Alias           /phpki        /opt/phpki/html/

# Main access allowed for valid user
# (as written, the only access rule in this block is "Require ip 127.0.0.1")
<Directory /opt/phpki/html>
        AddType application/x-httpd-php .php
        Options FollowSymLinks
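{
  # Hand every *.php request in this directory to the PHP-FPM pool that
  # serves PHPKI. The socket name is php<version>-<pool>.sock under
  # /var/run/php-fpm.
  my $key       = "phpki";
  my $pool_name = lc $key;

  # The record name contains a hyphen and therefore has to be quoted. Written
  # bare, Perl parses it as the expression (httpd - pki), so the configured
  # PHPVersion was never read and the default was always used.
  # NOTE(review): confirm that 'httpd-pki' is the record carrying PHPVersion.
  my $version = ${'httpd-pki'}{'PHPVersion'} || '73';

  # The value is interpolated into a SetHandler directive. Accept digits only,
  # so a malformed setting cannot change the shape of the generated
  # configuration; anything else falls back to the default.
  $version = '73' unless $version =~ /\A[0-9]+\z/;

  # The dot is escaped and the pattern quoted so that only names ending in
  # ".php" are matched, not any name that merely ends in "php".
  $OUT .= "
<FilesMatch \"\\.php\$\">
        SetHandler \"proxy:unix:/var/run/php-fpm/php${version}-${pool_name}.sock|fcgi://localhost\"
</FilesMatch>\n";
}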
        SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
        SetEnvIfNoCase Cookie ".*auth_tkt=(.*);?" HTTP_AUTH_TKT=$1
        AddType application/x-x509-ca-cert .crt  .pem
        AddType application/pkix-crl    .crl
        AddType application/pkix-cert   .cer .der
        AllowOverride None
        Require ip 127.0.0.1
</Directory>

# /ca is only allowed for admin and explicitly authorized users, and only
# from 127.0.0.1 (RequireAll means both conditions must hold)
<Location /phpki/ca>
        AuthName "PHPKI Admin"
        AuthType Basic
        TKTAuthIgnoreIP on
        TKTAuthLoginURL /server-common/cgi-bin/login
        <RequireAll>
          Require user admin {getUsersList("phpki");}
          Require ip 127.0.0.1
        </RequireAll>
        SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
        SetEnvIfNoCase Cookie ".*auth_tkt=(.*);?" HTTP_AUTH_TKT=$1
{
        # Emit the mod_auth_tkt session directives for this location, using
        # the values of the 'httpd-admin' record and falling back to the
        # built-in defaults when a property is unset or empty.
        my $timeout     = ${'httpd-admin'}{ManagerTimeout}      || "30m";
        my $refresh     = ${'httpd-admin'}{ManagerTimeoutReset} || "0.66";
        my $cookie_mode = ${'httpd-admin'}{Cookie}              || "disabled";

        my @directives = ("TKTAuthTimeout $timeout");

        # The cookie expiry is only written when cookies are explicitly
        # enabled; it reuses the session timeout value.
        push @directives, "TKTAuthCookieExpires $timeout"
            if $cookie_mode eq "enabled";

        push @directives, "TKTAuthTimeoutRefresh $refresh";

        # One directive per line, each with the same five-space indent.
        $OUT = join '', map { "     $_\n" } @directives;
}
</Location>

# Disable access to /admin, which is used to configure user/password 
# via an htaccess file
<Directory /opt/phpki/html/admin>
        Require all denied 
</Directory>

