Plone
David Beitey edited this page May 10, 2016 · 1 revision
Plone 5 is fifteen years of stability wrapped in a modern, powerful user-centric package. It continues to set the pace for content management systems by offering the most functionality and customization out of the box.
Various resources online indicate that Plone can be served with FastCGI, but this is currently untested.
Plone can operate as normal, running on any given port with its HTTP server. Install and configure `collective.shibboleth` for an Embedded Discovery Service (EDS), and/or manually configure `Products.AutoUserMakerPASPlugin` to listen for incoming headers.
```nginx
# Only pass Shibboleth attributes through on accessing this login view
# You could configure the Shibboleth attributes to be passed to *all*
# parts of Plone by applying this config to `location /` and ensuring
# `shibboleth2.xml` is configured correctly.
location ~ .*/logged_in$ {
    shib_request on;
    shib_request_use_headers on;
    more_clear_input_headers
        Shib-Application-Id
        Shib-Authentication-Instant
        Shib-Authentication-Method
        Shib-Authncontext-Class
        Shib-Identity-Provider
        Shib-Session-Id
        Shib-Session-Index
        Remote-User
        persistent-id
        Transient-Name
        Auth-Type
        commonName
        email; # plus ALL other attributes you use/receive from Shibboleth
    rewrite ^(.*)$ /VirtualHostBase/$scheme/$server_name:$server_port/plone/VirtualHostRoot$1 break;
    proxy_pass http://localhost:8080;
}

location / {
    more_clear_input_headers
        Shib-Application-Id
        Shib-Authentication-Instant
        Shib-Authentication-Method
        Shib-Authncontext-Class
        Shib-Identity-Provider
        Shib-Session-Id
        Shib-Session-Index
        Remote-User
        persistent-id
        Transient-Name
        Auth-Type
        commonName
        email; # plus ALL other attributes you use/receive from Shibboleth
    rewrite ^(.*)$ /VirtualHostBase/$scheme/$server_name:$server_port/plone/VirtualHostRoot$1 break;
    proxy_pass http://localhost:8080;
}
```
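
Because Plone trusts these request headers as identity, every proxying `location` has to clear the full attribute list, including the ones you add later. The following lint is an added example, not part of the original wiki page or the nginx-http-shibboleth project; the sample config and the `TRUSTED` set are constructed, and it assumes flat `location` blocks with plain header names (no wildcards or `-t` options).

```python
import re

# Constructed sample: the second location forgets to clear two attribute headers.
SAMPLE_CONF = """
location ~ .*/logged_in$ {
    shib_request on;
    shib_request_use_headers on;
    more_clear_input_headers
        Remote-User
        commonName
        email; # plus other attributes
    proxy_pass http://localhost:8080;
}
location / {
    more_clear_input_headers Remote-User;
    proxy_pass http://localhost:8080;
}
"""

# Headers the backend treats as identity (assumption: match your attribute-map).
TRUSTED = {"Remote-User", "commonName", "email"}

def uncleared_headers(conf, trusted=TRUSTED):
    """Map each proxying location to the trusted headers it fails to clear."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments before parsing
    wanted = {h.lower() for h in trusted}  # header names are case-insensitive
    findings = {}
    # Flat location blocks only (no nested braces), as in the config above.
    for m in re.finditer(r"location\s+([^{]+?)\s*\{([^{}]*)\}", conf):
        name, body = m.group(1), m.group(2)
        if "proxy_pass" not in body:
            continue  # nothing is forwarded to Plone from this block
        cleared = set()
        for d in re.finditer(r"more_clear_input_headers\s+([^;]+);", body):
            cleared |= {h.strip("'\"").lower() for h in d.group(1).split()}
        missing = sorted(wanted - cleared)
        if missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    for loc, missing in uncleared_headers(SAMPLE_CONF).items():
        print(f"location {loc}: not cleared: {', '.join(missing)}")
```
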
### shibboleth2.xml
This is an example snippet from Shibboleth's configuration. This config doesn't force a session, allowing anonymous users to access the Plone site's public content, and only authenticating when the user is explicitly doing so (via the Shibboleth EDS [or a manual link to Shibboleth.sso]). You could force a Shibboleth session by changing `requireSession` to `true`.
```xml
...
<RequestMapper type="Native">
    <RequestMap applicationId="default">
        <Host name="domain.example.org" authType="shibboleth" redirectToSSL="443">
            <Path name="/" requireSession="false" />
        </Host>
    </RequestMap>
</RequestMapper>
```