LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule xml2enc_module modules/mod_xml2enc.so
LoadModule version_module modules/mod_version.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_http2_module modules/mod_proxy_http2.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule auth_mellon_module modules/mod_auth_mellon.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

<IfModule proxy_html_module>
    Include conf/extra/proxy-html.conf
</IfModule>

<IfModule unixd_module>
    #
    # If you wish httpd to run as a different user or group, you must run
    # httpd as root initially and it will switch.
    #
    # User/Group: The name (or #number) of the user/group to run httpd as.
    # It is usually good practice to create a dedicated user and group for
    # running httpd, as with most system services.
    #
    User daemon
    Group daemon

</IfModule>

<Directory />
    AllowOverride none
    Require all denied
</Directory>

Listen 80
ServerRoot "/usr/local/apache2"
ServerName myapp.example.com
ServerAdmin you@example.com

ErrorLog /proc/self/fd/2

<VirtualHost *:80>
  ServerName myapp.example.com
  Redirect / https://myapp.example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName https://myapp.example.com
  ProxyRequests Off
  ProxyPreserveHost On
  DocumentRoot /usr/local/apache2/htdocs

  LogFormat "%h %l %u %t \"%r\" %>s %b" common
  CustomLog /proc/self/fd/1 common

  MellonCacheSize 100
  MellonLockFile "/var/run/mod_auth_mellon.lock"
  MellonPostTTL 900
  MellonPostSize 1048576
  MellonPostCount 100

  SSLProxyEngine On
  SSLProxyVerify none
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  SSLProxyCheckPeerExpire off

  # SSL Config - update SSL with your own cert files
  #SSLEngine On
  #SSLCertificateFile /usr/local/apache2/ssl/my_ssl.crt
  #SSLCertificateKeyFile /usr/local/apache2/ssl/my_ssl.key
  #SSLCertificateChainFile /usr/local/apache2/ssl/my_ssl.ca.crt

  ProxyPass /saml/ !
  ProxyPass / http://myapp:9000/
  ProxyPassReverse / http://myapp:9000/

  RequestHeader set REMOTE_USER %{MELLON_NAME_ID}e
  RequestHeader set X-Forwarded-Proto "https"

  <Location />
    AuthType Mellon
    MellonEnable "auth"
    Require valid-user
    MellonSPentityId "https://myapp.example.com"
    MellonVariable "mfa-cookie"
    MellonCookiePath /
    MellonSessionDump Off
    MellonSamlResponseDump Off
    MellonEndpointPath "/saml/"
    MellonDefaultLoginPath "/"
    MellonSessionLength 86400
    MellonUser "uid"

    # Update these with your own certificates
    MellonSPPrivateKeyFile /mellon/https_myapp.example.com.key
    MellonSPCertFile /mellon/https_myapp.example.com.cert

    # Make sure to provide the IDP Metadata (not included in example)
    MellonIdPMetadataFile /mellon/metadata.xml

    MellonMergeEnvVars On ":"
    MellonSignatureMethod rsa-sha256
  </Location>
</VirtualHost>