<VirtualHost *:80>
    ServerName id.opensuse.org
    RewriteEngine on
    RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]

    # This is for mapping $username.id.fp.o -> id.fp.o/id/$username
    RewriteEngine on
    RewriteMap lowercase int:tolower
    RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.opensuse\.org$
    RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
    RewriteRule ^([a-z0-9-]+)\.id\.opensuse\.org/.* /openid/id/$1/ [PT]


    Alias /ui /usr/share/ipsilon/ui
    WSGIScriptAlias / /usr/libexec/ipsilon
    WSGIPassAuthorization On
    WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
    WSGIApplicationGroup %{GLOBAL}
    WSGISocketPrefix /httpdir/run/wsgi
    WSGIRestrictStdout Off
    WSGIRestrictSignal Off


    <Location />
        WSGIProcessGroup ipsilon
    </Location>

    <Location /login/gssapi/negotiate>
        AuthName "GSSAPI Single Sign On Login"
        GssapiCredStore keytab:/etc/keytabs/ipsilon-keytab
        AuthType GSSAPI
        # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
        GssapiSSLonly Off
        GssapiLocalName on
        Require valid-user
        ErrorDocument 401 /login/gssapi/unauthorized
        ErrorDocument 500 /login/gssapi/failed
    </Location>

    <Directory /usr/libexec>
        Require all granted
    </Directory>

    <Directory /usr/share/ipsilon>
        Require all granted
    </Directory>

    <Directory /etc/ipsilon/wellknown>
        Require all granted
    </Directory>
    <Location /.well-known/browserid>
        ForceType application/json
    </Location>
</VirtualHost>