From 2c7e9986e2337959a25d449f9d18b60992dd31ea Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <hg@lukegb.com>
Date: Tue, 7 Jul 2020 22:54:54 +0000
Subject: chore(apereo-cas): fix up configuration

- X-Forwarded-Proto support so it knows it's behind TLS
- Remove extraneous logs and just log to stdout so it's caught be systemd

Change-Id: I650777bbfd24a1922f26967ffff7da06d14b6639
Reviewed-on: https://cl.tvl.fyi/c/depot/+/952
Tested-by: BuildkiteCI
Reviewed-by: glittershark <grfn@gws.fyi>
---
 ops/nixos/www/login.tvl.fyi.nix                    |  1 +
 .../overlay/etc/cas/config/cas.properties          |  8 +++++
 .../apereo-cas/overlay/etc/cas/config/log4j2.xml   | 35 ----------------------
 3 files changed, 9 insertions(+), 35 deletions(-)

diff --git a/ops/nixos/www/login.tvl.fyi.nix b/ops/nixos/www/login.tvl.fyi.nix
index 8513c6e660..05b7cee253 100644
--- a/ops/nixos/www/login.tvl.fyi.nix
+++ b/ops/nixos/www/login.tvl.fyi.nix
@@ -15,6 +15,7 @@
         location / {
           proxy_pass http://localhost:8443;
           proxy_set_header X-Forwarded-For $remote_addr;
+          proxy_set_header X-Forwarded-Proto https;
           proxy_set_header Host $host;
         }
       '';
diff --git a/third_party/apereo-cas/overlay/etc/cas/config/cas.properties b/third_party/apereo-cas/overlay/etc/cas/config/cas.properties
index 9ef983b174..e11d41fdd6 100644
--- a/third_party/apereo-cas/overlay/etc/cas/config/cas.properties
+++ b/third_party/apereo-cas/overlay/etc/cas/config/cas.properties
@@ -8,6 +8,14 @@ server.port=8443
 server.address=127.0.0.1
 server.ssl.enabled=false
 
+# Enable X-Forwarded-For using Tomcat.
+server.forward-headers-strategy=NATIVE
+server.tomcat.remoteip.remote-ip-header=x-forwarded-for
+server.tomcat.remoteip.protocol-header=x-forwarded-proto
+
+server.tomcat.basedir=/etc/cas/tomcat
+server.servlet.context-path=/
+
 cas.authn.saml-idp.entity-id=https://login.tvl.fyi
 
 cas.authn.accept.users=
diff --git a/third_party/apereo-cas/overlay/etc/cas/config/log4j2.xml b/third_party/apereo-cas/overlay/etc/cas/config/log4j2.xml
index 685dfab245..3130a09f40 100644
--- a/third_party/apereo-cas/overlay/etc/cas/config/log4j2.xml
+++ b/third_party/apereo-cas/overlay/etc/cas/config/log4j2.xml
@@ -1,5 +1,4 @@
 <?xml version="1.0" encoding="UTF-8" ?>
-<!-- Specify the refresh internal in seconds. -->
 <Configuration monitorInterval="5" packages="org.apereo.cas.logging">
     <Properties>
         <Property name="baseDir">/var/log</Property>
@@ -20,31 +19,7 @@
         <Console name="console" target="SYSTEM_OUT">
             <PatternLayout pattern="%highlight{%d %p [%c] - &lt;%m&gt;}%n"/>
         </Console>
-        <RollingFile name="file" fileName="${baseDir}/cas.log" append="true"
-                     filePattern="${baseDir}/cas-%d{yyyy-MM-dd-HH}-%i.log">
-            <PatternLayout pattern="%d %p [%c] - &lt;%m&gt;%n"/>
-            <Policies>
-                <OnStartupTriggeringPolicy />
-                <SizeBasedTriggeringPolicy size="10 MB"/>
-                <TimeBasedTriggeringPolicy />
-            </Policies>
-        </RollingFile>
-        <RollingFile name="auditlogfile" fileName="${baseDir}/cas_audit.log" append="true"
-                     filePattern="${baseDir}/cas_audit-%d{yyyy-MM-dd-HH}-%i.log">
-            <PatternLayout pattern="%d %p [%c] - %m%n"/>
-            <Policies>
-                <OnStartupTriggeringPolicy />
-                <SizeBasedTriggeringPolicy size="10 MB"/>
-                <TimeBasedTriggeringPolicy />
-            </Policies>
-        </RollingFile>
 
-        <CasAppender name="casAudit">
-            <AppenderRef ref="auditlogfile" />
-        </CasAppender>
-        <CasAppender name="casFile">
-            <AppenderRef ref="file" />
-        </CasAppender>
         <CasAppender name="casConsole">
             <AppenderRef ref="console" />
         </CasAppender>
@@ -101,18 +76,8 @@
         <AsyncLogger name="org.ldaptive" level="${sys:ldap.log.level}" includeLocation="true"/>
         <AsyncLogger name="com.hazelcast" level="${sys:hazelcast.log.level}" includeLocation="true"/>
 
-        <!-- Log audit to all root appenders, and also to audit log (additivity is not false) -->
-        <AsyncLogger name="org.apereo.inspektr.audit.support" level="info" includeLocation="true" >
-            <AppenderRef ref="casAudit"/>
-        </AsyncLogger>
-
         <!-- All Loggers inherit appenders specified here, unless additivity="false" on the Logger -->
         <AsyncRoot level="warn">
-            <AppenderRef ref="casFile"/>
-            <!-- 
-                 For deployment to an application server running as service, 
-                 delete the casConsole appender below
-            -->
             <AppenderRef ref="casConsole"/>
         </AsyncRoot>
     </Loggers>
-- 
cgit 1.4.1