
Alias           /phpki        /opt/phpki/html/

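# Main access: allowed for valid users, but only for requests coming from
# 127.0.0.1 (see the deny/allow rules at the end of this section)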
<Directory /opt/phpki/html>
        AddType application/x-httpd-php .php
	Options FollowSymLinks
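{
  # Emit the PHP-FPM handler for this application's pool.
  # The record name contains a dash, so it has to be quoted: written
  # without quotes it is parsed as the expression  httpd - pki  and the
  # PHPVersion property is never read, so the '73' default always won.
  my $key                 = "phpki";
  my $pool_name           = lc $key;
  my $version             = ${'httpd-pki'}{'PHPVersion'} || '73';
  # The dot is escaped so that only names really ending in ".php" are
  # handed to the PHP handler (an unescaped dot matches any character).
  $OUT .="
<FilesMatch \\.php\$>
	SetHandler \"proxy:unix:/var/run/php-fpm/php${version}-${pool_name}.sock|fcgi://localhost\"
</FilesMatch>\n";
}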
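# NOTE: php_flag/php_admin_value are mod_php directives; with the PHP-FPM
# handler above, equivalent limits belong in the FPM pool configuration.
#        php_flag register_globals off
#        php_flag register_long_arrays on
#        php_admin_value session.save_path /var/lib/php/pki-session
#        php_admin_value open_basedir /opt/phpki:/var/lib/php/pki-session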
        AddType application/x-x509-ca-cert .crt  .pem
        AddType application/pkix-crl    .crl
        AddType application/pkix-cert   .cer .der
        AllowOverride None
        order deny,allow
        deny from all
        allow from 127.0.0.1
</Directory>

# /ca is only allowed for admin and explicitly authorized users
<Location /phpki/ca>
	AuthName "PHPKI Admin"
        AuthType Basic
        TKTAuthLoginURL /server-common/cgi-bin/login
        require user admin {getUsersList("phpki");}
{
        # TKTAuth timeout directives, read from the httpd-admin record
        # with built-in fallbacks when a property is unset.
        my $timeout     = ${'httpd-admin'}{ManagerTimeout}      || "30m";
        my $cookie_mode = ${'httpd-admin'}{Cookie}              || "disabled";
        my $refresh     = ${'httpd-admin'}{ManagerTimeoutReset} || "0.66";

        my @lines = ("    TKTAuthTimeout $timeout\n");

        # The cookie expiry line is emitted only when Cookie is "enabled".
        if ($cookie_mode eq "enabled") {
            push @lines, "    TKTAuthCookieExpires $timeout\n";
        }
        push @lines, "    TKTAuthTimeoutRefresh $refresh\n";

        $OUT = join "", @lines;
}
        Satisfy all
</Location>

# Disable access to /admin, which is used to configure user/password 
# via an htaccess file
<Directory /opt/phpki/html/admin>
	order deny,allow
	deny from all
</Directory>

