authorjsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68>2013-01-03 07:42:01 +0000
committerjsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68>2013-01-03 07:42:01 +0000
commit4edb611792cbf0a3335631a181c15095e81e8afa (patch)
tree111cbec79d7b2861396fe886004f3be58635e99d
parentd7069b5a2e7859ab14c5a909d5e5fc6bc84b80cb (diff)
Minor changes to server config scripts to get auth and session management to behave the same with or without a proxy.
git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1428194 13f79535-47bb-0310-9956-ffa450edef68
-rwxr-xr-xsca-cpp/trunk/modules/http/basic-auth-conf2
-rwxr-xr-xsca-cpp/trunk/modules/http/cert-auth-conf2
-rwxr-xr-xsca-cpp/trunk/modules/http/form-auth-conf28
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-conf23
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-ssl-conf11
-rwxr-xr-xsca-cpp/trunk/modules/http/open-auth-conf30
-rwxr-xr-xsca-cpp/trunk/modules/http/ssl-ca-conf5
-rwxr-xr-xsca-cpp/trunk/modules/js/js-conf4
-rwxr-xr-xsca-cpp/trunk/modules/oauth/oauth-conf2
-rwxr-xr-xsca-cpp/trunk/modules/oauth/oauth12-conf2
-rwxr-xr-xsca-cpp/trunk/modules/openid/openid-conf3
-rwxr-xr-xsca-cpp/trunk/modules/openid/openid-step2-conf1
-rwxr-xr-xsca-cpp/trunk/modules/server/server-conf2
13 files changed, 89 insertions, 26 deletions
diff --git a/sca-cpp/trunk/modules/http/basic-auth-conf b/sca-cpp/trunk/modules/http/basic-auth-conf
index 8710d1fdf7..3fe41e25d7 100755
--- a/sca-cpp/trunk/modules/http/basic-auth-conf
+++ b/sca-cpp/trunk/modules/http/basic-auth-conf
@@ -28,7 +28,7 @@ host=`echo $conf | awk '{ print $6 }'`
if [ "$2" = "" ]; then
providers="file"
else
- providers="$2 file"
+ providers="file $2"
fi
if [ "$3" = "" ]; then
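Review bot: Reordering to `file $2` changes which provider wins when the same username exists in both: mod_auth_basic queries providers in the listed order and the first one that recognises the user decides, so a local htpasswd entry now takes precedence over the external provider instead of the reverse. That is a security-relevant default and deserves a line in the script: `# file first: local htpasswd entries take precedence over the external provider`. The same reorder is applied in the other *-auth-conf scripts in this commit, so one shared comment style would help.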
diff --git a/sca-cpp/trunk/modules/http/cert-auth-conf b/sca-cpp/trunk/modules/http/cert-auth-conf
index a30fdfff8c..56ff9e6dfd 100755
--- a/sca-cpp/trunk/modules/http/cert-auth-conf
+++ b/sca-cpp/trunk/modules/http/cert-auth-conf
@@ -35,7 +35,7 @@ fi
if [ "$2" = "" ]; then
providers="file"
else
- providers="$2 file"
+ providers="file $2"
fi
# Disallow public access to server resources
diff --git a/sca-cpp/trunk/modules/http/form-auth-conf b/sca-cpp/trunk/modules/http/form-auth-conf
index fbe943f3d9..ba2f99dbf1 100755
--- a/sca-cpp/trunk/modules/http/form-auth-conf
+++ b/sca-cpp/trunk/modules/http/form-auth-conf
@@ -28,7 +28,7 @@ host=`echo $conf | awk '{ print $6 }'`
if [ "$2" = "" ]; then
providers="file"
else
- providers="$2 file"
+ providers="file $2"
fi
if [ "$3" = "" ]; then
@@ -63,19 +63,41 @@ AuthFormProvider socache $providers
AuthnCacheProvideFor $providers
AuthnCacheContext /
AuthFormLoginRequiredLocation /login/
-AuthFormLogoutLocation /
Session On
-SessionCookieName TuscanyFormAuth domain=.$host; path=/
+SessionCookieName TuscanyFormAuth domain=.$host; path=/; secure; httponly
SessionCryptoPassphrase $pw
Require valid-user
</Location>
<Location /login/dologin>
SetHandler form-login-handler
+AuthType Form
+AuthName "$host"
+AuthFormProvider socache $providers
+AuthFormLoginRequiredLocation /login/?openauth_attempt=1
+Session On
+Require valid-user
</Location>
<Location /logout/dologout>
SetHandler form-logout-handler
+AuthType Form
+AuthName "$host"
+AuthFormLogoutLocation /
+Session On
+Require valid-user
+</Location>
+
+EOF
+
+cat >>$root/conf/pubauth$sslsuffix.conf <<EOF
+# Generated by: open-auth-conf $*
+# Enable Tuscany open authentication
+<Location /login/dologin>
+Session On
+</Location>
+<Location /logout/dologout>
+Session On
</Location>
EOF
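Review bot: The `secure` attribute added to `SessionCookieName` on line 70 is unconditional, so a plain-HTTP deployment (the `$sslsuffix` variable suggests both variants are generated) will never get the cookie back and form auth will silently fail; either gate it on `$sslsuffix` or document that form auth now requires TLS, e.g. `# secure+httponly: the session cookie is only ever sent over TLS and is hidden from script`. The block appended to pubauth$sslsuffix.conf is headed `# Generated by: open-auth-conf $*` and `# Enable Tuscany open authentication` although this is form-auth-conf — a copy-paste slip that will mislead anyone reading the generated file. The /login/dologin and /logout/dologout Locations turn `Session On` without `SessionCryptoPassphrase`; presumably they inherit it from the enclosing Location whose opening line is above this hunk — confirm, since an unencrypted session cookie would expose the authenticated identity. Note also that these appends rely on being included after httpd-conf's pubauth.conf, which sets `Session Off` for the same paths.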
diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf
index 730775fa89..3f96304ae8 100755
--- a/sca-cpp/trunk/modules/http/httpd-conf
+++ b/sca-cpp/trunk/modules/http/httpd-conf
@@ -174,15 +174,6 @@ LoadModule mpm_prefork_module ${modules_prefix}/modules/mod_mpm_prefork.so
EOF
-if [ $uname = "Darwin" ]; then
- cat >>$root/conf/mpm.conf <<EOF
-# Generated by: httpd-conf $*
-# Set thread stack size
-ThreadStackSize 2097152
-
-EOF
-fi
-
# Generate modules list
cat >$root/conf/modules.conf <<EOF
# Generated by: httpd-conf $*
@@ -269,28 +260,40 @@ cat >$root/conf/pubauth.conf <<EOF
# Allow everyone to access public locations
<Location /login>
AuthType None
+Session Off
Require all granted
# Mark login page with a header
Header set X-Login open-auth
</Location>
+<Location /login/dologin>
+Session Off
+</Location>
<Location /logout>
AuthType None
+Session Off
Require all granted
</Location>
+<Location /logout/dologout>
+Session Off
+</Location>
<Location /public>
AuthType None
+Session Off
Require all granted
</Location>
<Location /proxy/public>
AuthType None
+Session Off
Require all granted
</Location>
<Location /favicon.ico>
AuthType None
+Session Off
Require all granted
</Location>
<Location /robots.txt>
AuthType None
+Session Off
Require all granted
</Location>
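Review bot: The new /login/dologin and /logout/dologout Locations carry only `Session Off` with no `AuthType`/`Require`, so they depend on inheriting access control from /login and /logout and on a later-run *-auth-conf script re-enabling the session for the actual handlers; that ordering contract is invisible in this file. Make it explicit: `# Session is re-enabled for the login/logout handlers by the *-auth-conf script run afterwards`. If no auth script runs at all (the noauth case), the handler paths stay publicly reachable with sessions off, which is presumably intended — confirm.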
@@ -322,12 +325,14 @@ cat >$root/conf/noauth.conf <<EOF
# Allow access to document root
<Directory "$htdocs">
AuthType None
+Session Off
Require all granted
</Directory>
# Allow everyone to access root location
<Location />
AuthType None
+Session Off
Require all granted
</Location>
diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf
index f99a10071c..3bd1dd63dc 100755
--- a/sca-cpp/trunk/modules/http/httpd-ssl-conf
+++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf
@@ -68,6 +68,7 @@ SSLSessionCacheTimeout 300
Mutex "file:$root/logs" ssl-cache
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
+SSLCompression Off
# Listen on HTTPS port
Listen $sslport
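Review bot: `SSLCompression Off` is only recognised by httpd 2.4.3+ (and 2.2.24+); on an older build httpd will refuse to start with an unknown-directive error, and nothing here checks the version. Record the reason and the requirement next to it: `# Disable TLS compression (CRIME); requires httpd >= 2.4.3`.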
@@ -165,7 +166,10 @@ UseCanonicalName Off
# Enable SSL
SSLEngine on
-SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+SSLProtocol ALL -SSLv2
+SSLHonorCipherOrder On
+#SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4-SHA:AES128-SHA:HIGH:!MD5:!DHE:!3DES:!EXP:!ADH:!EDH:!aNULL:!eNULL:!NULL
+SSLCipherSuite ECDHE-RSA-RC4-SHA:RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:ECDHE-RSA-AES256-SHA:AES256-SHA:!DHE:!3DES:!EXP:!ADH:!EDH:!aNULL:!eNULL:!NULL
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth
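Review bot: With `SSLHonorCipherOrder On` the server now forces RC4 (ECDHE-RSA-RC4-SHA, RC4-SHA) ahead of AES for every client; if that is a deliberate BEAST mitigation it needs a comment saying so, because RC4 has known keystream biases and is now prohibited for TLS (RFC 7465), so the safer order is AES first with RC4 at most as a last-resort fallback. `SSLProtocol ALL -SSLv2` still leaves SSLv3 enabled, and since no listed suite needs it, `SSLProtocol ALL -SSLv2 -SSLv3` is the tighter choice. The commented-out alternative `#SSLCipherSuite ...` line is emitted verbatim into the generated httpd.conf; keep that rationale in the script rather than in the output.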
@@ -188,9 +192,12 @@ ProxyRequests Off
ProxyPreserveHost On
ProxyStatus On
SSLProxyEngine on
-SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+SSLProxyProtocol ALL -SSLv2
+#SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4-SHA:AES128-SHA:HIGH:!MD5:!DHE:!3DES:!EXP:!ADH:!EDH:!aNULL:!eNULL:!NULL
+SSLProxyCipherSuite ECDHE-RSA-RC4-SHA:RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:ECDHE-RSA-AES256-SHA:AES256-SHA:!DHE:!3DES:!EXP:!ADH:!EDH:!aNULL:!eNULL:!NULL
# Verify server certificates
+SSLProxyCACertificateFile "$root/cert/cacert.pem"
SSLProxyVerify require
SSLProxyVerifyDepth 1
SSLProxyCheckPeerCN Off
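Review bot: `SSLProxyCACertificateFile` now points at cacert.pem, which ssl-ca-conf in this same commit builds by appending the local CA to curl's full public CA bundle, while `SSLProxyCheckPeerCN Off` stays in effect; the proxy will therefore accept any certificate issued by any public CA for the backend, not just the locally issued server certificate, and without a CN check it need not even be for the right host. If only local backends are meant to be trusted, point the directive at `$root/cert/ca.crt`; if public backends must be reachable, set `SSLProxyCheckPeerCN On` (and `SSLProxyCheckPeerName On` on 2.4.5+) so the peer name is verified. The `#SSLCipherSuite` comment carried into this section is also mislabeled — it belongs to the proxy cipher list.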
diff --git a/sca-cpp/trunk/modules/http/open-auth-conf b/sca-cpp/trunk/modules/http/open-auth-conf
index f4715b3a1c..5a8db92972 100755
--- a/sca-cpp/trunk/modules/http/open-auth-conf
+++ b/sca-cpp/trunk/modules/http/open-auth-conf
@@ -42,7 +42,7 @@ fi
if [ "$2" = "" ]; then
providers="file"
else
- providers="$2 file"
+ providers="file $2"
fi
if [ "$3" = "" ]; then
@@ -76,24 +76,42 @@ AuthName "$host"
AuthOpenAuthProvider socache $providers
AuthnCacheProvideFor $providers
AuthnCacheContext /
+AuthOpenAuthLoginPage /login/
Session On
SessionCryptoPassphrase $pw
AuthOpenAuth On
-AuthOpenAuthLoginPage /login/
Require valid-user
</Location>
# Use HTTPD form-based authentication
<Location /login/dologin>
+SetHandler form-login-handler
AuthType Form
AuthName "$host"
AuthFormProvider socache $providers
-AuthnCacheProvideFor $providers
-AuthnCacheContext /
AuthFormLoginRequiredLocation /login/?openauth_attempt=1
-AuthFormLogoutLocation /
+Session On
Require valid-user
-SetHandler form-login-handler
+</Location>
+
+<Location /logout/dologout>
+SetHandler mod_tuscany_openauth_logout
+AuthType Open
+AuthName "$host"
+Session On
+Require valid-user
+</Location>
+
+EOF
+
+cat >>$root/conf/pubauth$sslsuffix.conf <<EOF
+# Generated by: open-auth-conf $*
+# Enable Tuscany open authentication
+<Location /login/dologin>
+Session On
+</Location>
+<Location /logout/dologout>
+Session On
</Location>
EOF
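Review bot: The /login/dologin and /logout/dologout Locations set `Session On` without `SessionCryptoPassphrase` or a cookie name; presumably these are inherited from the enclosing Location whose opening line is above this hunk — confirm, since an unencrypted session cookie for the login handler would expose the authenticated identity. The block appended to pubauth$sslsuffix.conf is identical, header included, to the one form-auth-conf now writes; if both scripts are run against the same root the sections are appended twice, which is harmless but worth a comment such as `# mirrors form-auth-conf; duplicates are harmless if both scripts run`. The logout handler requiring `valid-user` is sensible; a short comment on why logout must be authenticated would help the next reader.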
diff --git a/sca-cpp/trunk/modules/http/ssl-ca-conf b/sca-cpp/trunk/modules/http/ssl-ca-conf
index bceca8f300..beadc4d3a8 100755
--- a/sca-cpp/trunk/modules/http/ssl-ca-conf
+++ b/sca-cpp/trunk/modules/http/ssl-ca-conf
@@ -94,3 +94,8 @@ mkdir -p $root/cert/hash
cp $root/cert/ca.crt $root/cert/hash
perl /usr/bin/c_rehash $root/cert/hash
+# Build CA certificate bundle
+curl_prefix=`cat $here/../http/curl.prefix`
+cp $curl_prefix/lib/cacert.pem $root/cert/cacert.pem
+cat $root/cert/ca.crt >> $root/cert/cacert.pem
+
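Review bot: The bundle build has no failure handling: if `$curl_prefix/lib/cacert.pem` is missing the `cp` fails silently (unless the script runs under `set -e`, which is not visible here) and the following `cat >>` then appends the local CA to whatever cacert.pem survived from a previous run, growing it with duplicate entries. Guard each step and quote the paths: `cp "$curl_prefix/lib/cacert.pem" "$root/cert/cacert.pem" || exit 1` and `cat "$root/cert/ca.crt" >> "$root/cert/cacert.pem" || exit 1`. Also record what this bundle means, since httpd-ssl-conf and server-conf feed it to peer verification: `# Trust bundle = every public CA shipped with curl plus the local CA; widens proxy/wiring trust accordingly`.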
diff --git a/sca-cpp/trunk/modules/js/js-conf b/sca-cpp/trunk/modules/js/js-conf
index aa29920619..72b5a60120 100755
--- a/sca-cpp/trunk/modules/js/js-conf
+++ b/sca-cpp/trunk/modules/js/js-conf
@@ -36,18 +36,22 @@ cat >>$root/conf/pubauth.conf <<EOF
# Generated by: js-conf $*
<Location /ui-min.css>
AuthType None
+Session Off
Require all granted
</Location>
<Location /all-min.js>
AuthType None
+Session Off
Require all granted
</Location>
<Location /proxy/ui-min.css>
AuthType None
+Session Off
Require all granted
</Location>
<Location /proxy/all-min.js>
AuthType None
+Session Off
Require all granted
</Location>
diff --git a/sca-cpp/trunk/modules/oauth/oauth-conf b/sca-cpp/trunk/modules/oauth/oauth-conf
index 26e654036b..8ec6582af7 100755
--- a/sca-cpp/trunk/modules/oauth/oauth-conf
+++ b/sca-cpp/trunk/modules/oauth/oauth-conf
@@ -42,7 +42,7 @@ fi
if [ "$2" = "" ]; then
providers="file"
else
- providers="$2 file"
+ providers="file $2"
fi
# Configure HTTPD mod_tuscany_oauth module
diff --git a/sca-cpp/trunk/modules/oauth/oauth12-conf b/sca-cpp/trunk/modules/oauth/oauth12-conf
index 43c879faee..d6f6abe653 100755
--- a/sca-cpp/trunk/modules/oauth/oauth12-conf
+++ b/sca-cpp/trunk/modules/oauth/oauth12-conf
@@ -42,7 +42,7 @@ fi
if [ "$2" = "" ]; then
providers="file"
else
- providers="$2 file"
+ providers="file $2"
fi
# Configure HTTPD mod_tuscany_oauth module
diff --git a/sca-cpp/trunk/modules/openid/openid-conf b/sca-cpp/trunk/modules/openid/openid-conf
index 7f986fc8d7..6479a13b09 100755
--- a/sca-cpp/trunk/modules/openid/openid-conf
+++ b/sca-cpp/trunk/modules/openid/openid-conf
@@ -36,7 +36,7 @@ fi
if [ "$2" = "" ]; then
providers="file"
else
- providers="$2"
+ providers="file $2"
fi
# Configure HTTPD mod_auth_openid module
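Review bot: Unlike the sibling scripts, this hunk does not merely reorder providers but newly adds `file` when a second argument is given, so an htpasswd user can now authenticate where previously only `$2` could. That is presumably intentional for consistency with the other *-auth-conf scripts, but it is an access change and should be recorded: `# always include the file provider so local htpasswd users work alongside $2`.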
@@ -84,6 +84,7 @@ cat >>$root/conf/pubauth$sslsuffix.conf <<EOF
# Allow public access to /openid location
<Location /openid>
AuthType None
+Session Off
Require all granted
</Location>
diff --git a/sca-cpp/trunk/modules/openid/openid-step2-conf b/sca-cpp/trunk/modules/openid/openid-step2-conf
index f6ac968bfc..87f3e54925 100755
--- a/sca-cpp/trunk/modules/openid/openid-step2-conf
+++ b/sca-cpp/trunk/modules/openid/openid-step2-conf
@@ -54,6 +54,7 @@ cat >>$root/conf/pubauth$sslsuffix.conf <<EOF
# Allow access to /.well-known/host-meta location
<Location /.well-known/host-meta>
AuthType None
+Session Off
Require all granted
</Location>
diff --git a/sca-cpp/trunk/modules/server/server-conf b/sca-cpp/trunk/modules/server/server-conf
index 2674cd9ac5..01b6b21e72 100755
--- a/sca-cpp/trunk/modules/server/server-conf
+++ b/sca-cpp/trunk/modules/server/server-conf
@@ -42,7 +42,7 @@ ssl=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-ssl-conf"`
if [ "$ssl" != "" ]; then
cat >>$root/conf/httpd.conf <<EOF
# Configure SSL certificates
-SCAWiringSSLCACertificateFile "$root/cert/ca.crt"
+SCAWiringSSLCACertificateFile "$root/cert/cacert.pem"
SCAWiringSSLCertificateFile "$root/cert/server.crt"
SCAWiringSSLCertificateKeyFile "$root/cert/server.key"
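Review bot: Switching `SCAWiringSSLCACertificateFile` from ca.crt to cacert.pem makes component wiring trust every public CA in curl's bundle in addition to the local CA; whether that is safe depends on whether the wiring client verifies the peer name, which is not visible here. If wiring only ever connects between locally issued certificates, keeping `ca.crt` is the tighter choice; otherwise add a comment recording why the public bundle is required, e.g. `# cacert.pem (public CAs + local CA) so wiring can reach externally hosted components`. This line also depends on ssl-ca-conf having produced cacert.pem; a `test -f` before emitting it would give a clearer failure than httpd refusing to start.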