diff options
Diffstat (limited to 'sca-cpp/trunk/modules/http')
| -rwxr-xr-x | sca-cpp/trunk/modules/http/basic-auth-conf | 15 | ||||
| -rwxr-xr-x | sca-cpp/trunk/modules/http/cert-auth-conf | 10 | ||||
| -rwxr-xr-x | sca-cpp/trunk/modules/http/form-auth-conf | 14 | ||||
| -rwxr-xr-x | sca-cpp/trunk/modules/http/httpd-ssl-conf | 26 | ||||
| -rwxr-xr-x | sca-cpp/trunk/modules/http/httpd-tunnel-ssl-conf | 38 | ||||
| -rw-r--r-- | sca-cpp/trunk/modules/http/mod-openauth.cpp | 189 | ||||
| -rwxr-xr-x | sca-cpp/trunk/modules/http/mod-security-conf | 28 | ||||
| -rwxr-xr-x | sca-cpp/trunk/modules/http/open-auth-conf | 22 | ||||
| -rw-r--r-- | sca-cpp/trunk/modules/http/openauth.hpp | 10 | ||||
| -rwxr-xr-x | sca-cpp/trunk/modules/http/passwd-auth-conf | 2 |
10 files changed, 236 insertions, 118 deletions
diff --git a/sca-cpp/trunk/modules/http/basic-auth-conf b/sca-cpp/trunk/modules/http/basic-auth-conf index 39dde90b50..8710d1fdf7 100755 --- a/sca-cpp/trunk/modules/http/basic-auth-conf +++ b/sca-cpp/trunk/modules/http/basic-auth-conf @@ -25,9 +25,16 @@ root=`echo "import os; print os.path.realpath('$1')" | python` conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"` host=`echo $conf | awk '{ print $6 }'` -loc=$2 -if [ "$loc" = "" ]; then +if [ "$2" = "" ]; then + providers="file" +else + providers="$2 file" +fi + +if [ "$3" = "" ]; then loc="/" +else + loc="$3" fi sslconf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-ssl-conf"` @@ -52,7 +59,9 @@ cat >>$root/conf/locauth$sslsuffix.conf <<EOF <Location $loc> AuthType Basic AuthName "$host" -AuthBasicProvider file +AuthBasicProvider socache $providers +AuthnCacheProvideFor $providers +AuthnCacheContext / Require valid-user </Location> diff --git a/sca-cpp/trunk/modules/http/cert-auth-conf b/sca-cpp/trunk/modules/http/cert-auth-conf index 514e46324f..a30fdfff8c 100755 --- a/sca-cpp/trunk/modules/http/cert-auth-conf +++ b/sca-cpp/trunk/modules/http/cert-auth-conf @@ -32,6 +32,12 @@ else sslsuffix="-ssl" fi +if [ "$2" = "" ]; then + providers="file" +else + providers="$2 file" +fi + # Disallow public access to server resources cat >$root/conf/noauth$sslsuffix.conf <<EOF # Generated by: cert-auth-conf $* @@ -49,7 +55,9 @@ SSLVerifyDepth 1 <Location /> AuthType Basic AuthName "$host" -AuthBasicProvider file +AuthBasicProvider socache $providers +AuthnCacheProvideFor $providers +AuthnCacheContext / Require valid-user </Location> diff --git a/sca-cpp/trunk/modules/http/form-auth-conf b/sca-cpp/trunk/modules/http/form-auth-conf index 08b97b9df8..fbe943f3d9 100755 --- a/sca-cpp/trunk/modules/http/form-auth-conf +++ b/sca-cpp/trunk/modules/http/form-auth-conf @@ -26,9 +26,15 @@ conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"` host=`echo $conf | awk '{ print $6 }'` if [ "$2" = "" ]; then + providers="file" +else + providers="$2 file" +fi + +if [ "$3" = "" ]; then pw=`cat $root/cert/ca.key | head -2 | tail -1` else - pw="$2" + pw="$3" fi sslconf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-ssl-conf"` @@ -53,8 +59,10 @@ cat >>$root/conf/locauth$sslsuffix.conf <<EOF <Location /> AuthType Form AuthName "$host" -AuthFormProvider file -AuthFormLoginRequiredLocation /login +AuthFormProvider socache $providers +AuthnCacheProvideFor $providers +AuthnCacheContext / +AuthFormLoginRequiredLocation /login/ AuthFormLogoutLocation / Session On SessionCookieName TuscanyFormAuth domain=.$host; path=/ diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf index 3cb90d61e0..f99a10071c 100755 --- a/sca-cpp/trunk/modules/http/httpd-ssl-conf +++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf @@ -43,6 +43,15 @@ htdocs=`echo $conf | awk '{ print $8 }'` mkdir -p $htdocs htdocs=`echo "import os; print os.path.realpath('$htdocs')" | python` +uname=`uname -s` +if [ $uname = "Darwin" ]; then + libsuffix=".dylib" +else + libsuffix=".so" +fi + +modules_prefix=`cat $here/httpd-modules.prefix` + # Extract organization name from our CA certificate org=`openssl x509 -noout -subject -nameopt multiline -in $root/cert/ca.crt | grep organizationName | awk -F "= " '{ print $2 }'` @@ -69,7 +78,7 @@ ServerName https://$host$sslpportsuffix <Location /> RewriteEngine on -RewriteCond %{HTTP_HOST} !^$host [NC] +Include conf/hostcond.conf RewriteCond %{HTTP:X-Forwarded-Server} ^$ [NC] RewriteCond %{REQUEST_URI} !^/server-status [NC] RewriteCond %{REQUEST_URI} !^/balancer-manager [NC] @@ -176,7 +185,7 @@ Include conf/log-ssl.conf # Enable HTTPS reverse proxy ProxyRequests Off -ProxyPreserveHost Off +ProxyPreserveHost On ProxyStatus On SSLProxyEngine on SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL @@ -222,11 +231,6 @@ CustomLog $root/logs/ssl_access_log sslcombined EOF # Configure virtual hosts -proxycert="server" -if [ "$proxyconf" != "" ]; then - proxycert="proxy" -fi - cat >$root/conf/svhost-ssl.conf <<EOF # Generated by: httpd-ssl-conf $* # Static virtual host configuration @@ -238,10 +242,6 @@ SSLCertificateChainFile "$root/cert/ca.crt" SSLCertificateFile "$root/cert/server.crt" SSLCertificateKeyFile "$root/cert/server.key" -# Declare proxy SSL client certificates -SSLProxyCACertificateFile "$root/cert/ca.crt" -SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem" - EOF cat >$root/conf/dvhost-ssl.conf <<EOF @@ -255,9 +255,5 @@ SSLCertificateChainFile "$root/cert/ca.crt" SSLCertificateFile "$root/cert/vhost.crt" SSLCertificateKeyFile "$root/cert/vhost.key" -# Declare proxy SSL client certificates -SSLProxyCACertificateFile "$root/cert/ca.crt" -SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem" - EOF diff --git a/sca-cpp/trunk/modules/http/httpd-tunnel-ssl-conf b/sca-cpp/trunk/modules/http/httpd-tunnel-ssl-conf new file mode 100755 index 0000000000..0028576364 --- /dev/null +++ b/sca-cpp/trunk/modules/http/httpd-tunnel-ssl-conf @@ -0,0 +1,38 @@ +#!/bin/sh + +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +# Generate a minimal HTTPD SSL Tunnel configuration +here=`echo "import os; print os.path.realpath('$0')" | python`; here=`dirname $here` +mkdir -p $1 +root=`echo "import os; print os.path.realpath('$1')" | python` + +uname=`uname -s` +if [ $uname = "Darwin" ]; then + libsuffix=".dylib" +else + libsuffix=".so" +fi + +# Generate required modules list +cat >>$root/conf/modules.conf <<EOF +# Generated by: httpd-tunnel-ssl-conf $* +LoadModule mod_tuscany_ssltunnel $here/libmod_tuscany_ssltunnel$libsuffix + +EOF + diff --git a/sca-cpp/trunk/modules/http/mod-openauth.cpp b/sca-cpp/trunk/modules/http/mod-openauth.cpp index b1aabd73fe..2e308ecedb 100644 --- a/sca-cpp/trunk/modules/http/mod-openauth.cpp +++ b/sca-cpp/trunk/modules/http/mod-openauth.cpp @@ -44,6 +44,7 @@ #include "http.hpp" #include "openauth.hpp" + extern "C" { extern module AP_MODULE_DECLARE_DATA mod_tuscany_openauth; } @@ -64,6 +65,20 @@ public: }; /** + * Authentication provider configuration. + */ +class AuthnProviderConf { +public: + AuthnProviderConf() : name(), provider(NULL) { + } + AuthnProviderConf(const string name, const authn_provider* provider) : name(name), provider(provider) { + } + + string name; + const authn_provider* provider; +}; + +/** * Directory configuration. */ class DirConf { @@ -75,6 +90,7 @@ public: const char* dir; bool enabled; string login; + list<AuthnProviderConf> apcs; }; #ifdef WANT_MAINTAINER_LOG @@ -101,10 +117,39 @@ const bool debugSession(request_rec* r, session_rec* z) { #endif /** + * Run the authnz hooks to authenticate a request. + */ +const failable<int> checkAuthnzProviders(const string& user, const string& pw, request_rec* r, const list<AuthnProviderConf>& apcs) { + if (isNil(apcs)) + return mkfailure<int>("Authentication failure for: " + user); + const AuthnProviderConf apc = car<AuthnProviderConf>(apcs); + if (apc.provider == NULL || !apc.provider->check_password) + return checkAuthnzProviders(user, pw, r, cdr(apcs)); + + apr_table_setn(r->notes, AUTHN_PROVIDER_NAME_NOTE, c_str(apc.name)); + const authn_status auth_result = apc.provider->check_password(r, c_str(user), c_str(pw)); + apr_table_unset(r->notes, AUTHN_PROVIDER_NAME_NOTE); + if (auth_result != AUTH_GRANTED) + return checkAuthnzProviders(user, pw, r, cdr(apcs)); + return OK; +} + +const failable<int> checkAuthnz(const string& user, const string& pw, request_rec* r, const DirConf& dc) { + if (substr(user, 0, 1) == "/" && pw == "password") + return mkfailure<int>(string("Encountered FakeBasicAuth spoof: ") + user, HTTP_UNAUTHORIZED); + + if (isNil(dc.apcs)) { + const authn_provider* provider = (const authn_provider*)ap_lookup_provider(AUTHN_PROVIDER_GROUP, AUTHN_DEFAULT_PROVIDER, AUTHN_PROVIDER_VERSION); + return checkAuthnzProviders(user, pw, r, mklist<AuthnProviderConf>(AuthnProviderConf(AUTHN_DEFAULT_PROVIDER, provider))); + } + return checkAuthnzProviders(user, pw, r, dc.apcs); +} + +/** * Return the user info from a form auth encrypted session cookie. */ static int (*ap_session_load_fn) (request_rec * r, session_rec ** z) = NULL; -static void (*ap_session_get_fn) (request_rec * r, session_rec * z, const char *key, const char **value) = NULL; +static int (*ap_session_get_fn) (request_rec * r, session_rec * z, const char *key, const char **value) = NULL; const failable<value> userInfoFromSession(const string& realm, request_rec* r) { debug("modopenauth::userInfoFromSession"); @@ -186,36 +231,23 @@ const failable<int> authenticated(const list<list<value> >& info, request_rec* r } /** - * Run the authnz hooks to try to authenticate a request. - */ -const failable<int> checkAuthnz(const string& user, const string& pw, request_rec* r) { - const authn_provider* provider = (const authn_provider*)ap_lookup_provider(AUTHN_PROVIDER_GROUP, AUTHN_DEFAULT_PROVIDER, AUTHN_PROVIDER_VERSION); - if (!provider || !provider->check_password) - return mkfailure<int>("No Authn provider configured"); - apr_table_setn(r->notes, AUTHN_PROVIDER_NAME_NOTE, AUTHN_DEFAULT_PROVIDER); - const authn_status auth_result = provider->check_password(r, c_str(user), c_str(pw)); - apr_table_unset(r->notes, AUTHN_PROVIDER_NAME_NOTE); - if (auth_result != AUTH_GRANTED) - return mkfailure<int>("Authentication failure for: " + user); - return OK; -} - -/** * Check user authentication. */ static int checkAuthn(request_rec *r) { + gc_scoped_pool pool(r->pool); + // Decline if we're not enabled or AuthType is not set to Open const DirConf& dc = httpd::dirConf<DirConf>(r, &mod_tuscany_openauth); if (!dc.enabled) return DECLINED; const char* atype = ap_auth_type(r); - debug(atype, "modopenauth::checkAuthn::auth_type"); if (atype == NULL || strcasecmp(atype, "Open")) return DECLINED; - - // Create a scoped memory pool - gc_scoped_pool pool(r->pool); debug_httpdRequest(r, "modopenauth::checkAuthn::input"); + debug(atype, "modopenauth::checkAuthn::auth_type"); + + // Get the request args + const list<list<value> > args = httpd::queryArgs(r); // Get session id from the request const maybe<string> sid = sessionID(r, "TuscanyOpenAuth"); @@ -231,17 +263,17 @@ static int checkAuthn(request_rec *r) { return httpd::reportStatus(mkfailure<int>("Missing AuthName")); // Extract user info from the session id - const failable<value> info = userInfoFromCookie(content(sid), aname, r); - if (hasContent(info)) { + const failable<value> userinfo = userInfoFromCookie(content(sid), aname, r); + if (hasContent(userinfo)) { // Try to authenticate the request - const value uinfo = content(info); - const failable<int> authz = checkAuthnz(cadr(assoc<value>("id", uinfo)), cadr(assoc<value>("password", uinfo)), r); + const value uinfo = content(userinfo); + const failable<int> authz = checkAuthnz(cadr(assoc<value>("id", uinfo)), cadr(assoc<value>("password", uinfo)), r, dc); if (!hasContent(authz)) { // Authentication failed, redirect to login page r->ap_auth_type = const_cast<char*>(atype); - return httpd::reportStatus(login(dc.login, r)); + return httpd::reportStatus(login(dc.login, value(), 1, r)); } // Successfully authenticated, store the user info in the request @@ -265,12 +297,12 @@ static int checkAuthn(request_rec *r) { // Try to authenticate the request const value uinfo = content(info); - const failable<int> authz = checkAuthnz(cadr(assoc<value>("id", uinfo)), cadr(assoc<value>("password", uinfo)), r); + const failable<int> authz = checkAuthnz(cadr(assoc<value>("id", uinfo)), cadr(assoc<value>("password", uinfo)), r, dc); if (!hasContent(authz)) { // Authentication failed, redirect to login page r->ap_auth_type = const_cast<char*>(atype); - return httpd::reportStatus(login(dc.login, r)); + return httpd::reportStatus(login(dc.login, value(), 1, r)); } // Successfully authenticated, store the user info in the request @@ -279,9 +311,6 @@ static int checkAuthn(request_rec *r) { } } - // Get the request args - const list<list<value> > args = httpd::queryArgs(r); - // Decline if the request is for another authentication provider if (!isNil(assoc<value>("openid_identifier", args))) return DECLINED; @@ -291,57 +320,59 @@ static int checkAuthn(request_rec *r) { hasContent(sessionID(r, "TuscanyOAuth1")) || hasContent(sessionID(r, "TuscanyOAuth2"))) return DECLINED; + r->ap_auth_type = const_cast<char*>(atype); - return httpd::reportStatus(login(dc.login, r)); + return httpd::reportStatus(login(dc.login, value(), value(), r)); } /** - * Fixup cache control. + * Save the auth session cookie in the response. */ -bool filterCacheControl(const string& tok) { - return tok != "no-cache"; +static int sessionCookieSave(request_rec* r, session_rec* z) { + gc_scoped_pool pool(r->pool); + + const DirConf& dc = httpd::dirConf<DirConf>(r, &mod_tuscany_openauth); + if (!dc.enabled) + return DECLINED; + + debug(c_str(cookie("TuscanyOpenAuth", z->encoded, httpd::hostName(r))), "modopenauth::setcookie"); + apr_table_set(r->err_headers_out, "Set-Cookie", c_str(cookie("TuscanyOpenAuth", z->encoded, httpd::hostName(r)))); + return OK; } -static apr_status_t outputFilter(ap_filter_t * f, apr_bucket_brigade * in) { - request_rec *r = f->r->main; - if (!r) - r = f->r; - for (; r != NULL; r = r->next) { - if (r->status != HTTP_OK && r->status != HTTP_NOT_MODIFIED) { - - // Don't cache errors and redirects - debug("no-cache", "modopenauth::outputFilter::nokCacheControl"); - apr_table_set(r->headers_out, "Cache-Control", "no-cache"); - continue; - } +/** + * Load the auth session cookie from the request. Similar + */ +static int sessionCookieLoad(request_rec* r, session_rec** z) { + gc_scoped_pool pool(r->pool); - // Cache OK content - const char* cc = apr_table_get(r->headers_out, "Cache-Control"); - if (cc == NULL) { - debug("modopenauth::outputFilter::noCacheControl"); - continue; - } - debug(cc, "modopenauth::outputFilter::cacheControl"); - const string ncc = join(", ", filter<string>(filterCacheControl, tokenize(", ", cc))); - if (length(ncc) == 0) { - debug("modopenauth::outputFilter::noCacheControl"); - apr_table_unset(r->headers_out, "Cache-Control"); - continue; - } + const DirConf& dc = httpd::dirConf<DirConf>(r, &mod_tuscany_openauth); + if (!dc.enabled) + return DECLINED; - debug(ncc, "modopenauth::outputFilter::okCacheControl"); - apr_table_set(r->headers_out, "Cache-Control", c_str(ncc)); + // First look in the notes + const char* note = apr_pstrcat(r->pool, "mod_openauth", "TuscanyOpenAuth", NULL); + session_rec* zz = (session_rec*)(void*)apr_table_get(r->notes, note); + if (zz != NULL) { + *z = zz; + return OK; } - ap_remove_output_filter(f); - return ap_pass_brigade(f->next, in); -} + // Parse the cookie + const maybe<string> sid = openauth::sessionID(r, "TuscanyOpenAuth"); -/** - * Insert our cache control output filter. - */ -static void insertOutputFilter(request_rec * r) { - ap_add_output_filter("mod_openauth", NULL, r, r->connection); + // Create a new session + zz = (session_rec*)apr_pcalloc(r->pool, sizeof(session_rec)); + zz->pool = r->pool; + zz->entries = apr_table_make(r->pool, 10); + zz->encoded = hasContent(sid)? c_str(content(sid)) : NULL; + zz->uuid = (apr_uuid_t *) apr_pcalloc(r->pool, sizeof(apr_uuid_t)); + *z = zz; + + // Store it in the notes + apr_table_setn(r->notes, note, (char*)zz); + + return OK; } /** @@ -357,6 +388,7 @@ int postConfigMerge(ServerConf& mainsc, server_rec* s) { int postConfig(apr_pool_t* p, unused apr_pool_t* plog, unused apr_pool_t* ptemp, server_rec* s) { gc_scoped_pool pool(p); + ServerConf& sc = httpd::serverConf<ServerConf>(s, &mod_tuscany_openauth); debug(httpd::serverName(s), "modopenauth::postConfig::serverName"); @@ -369,6 +401,7 @@ int postConfig(apr_pool_t* p, unused apr_pool_t* plog, unused apr_pool_t* ptemp, */ void childInit(apr_pool_t* p, server_rec* s) { gc_scoped_pool pool(p); + ServerConf* psc = (ServerConf*)ap_get_module_config(s->module_config, &mod_tuscany_openauth); if(psc == NULL) { cfailure << "[Tuscany] Due to one or more errors mod_tuscany_openauth loading failed. Causing apache to stop loading." << endl; @@ -395,11 +428,25 @@ const char* confLogin(cmd_parms *cmd, void *c, const char* arg) { dc.login = arg; return NULL; } +const char* confAuthnProvider(cmd_parms *cmd, void *c, const char* arg) { + gc_scoped_pool pool(cmd->pool); + DirConf& dc = httpd::dirConf<DirConf>(c); + + // Lookup and cache the Authn provider + const authn_provider* provider = (authn_provider*)ap_lookup_provider(AUTHN_PROVIDER_GROUP, arg, AUTHN_PROVIDER_VERSION); + if (provider == NULL) + return apr_psprintf(cmd->pool, "Unknown Authn provider: %s", arg); + if (!provider->check_password) + return apr_psprintf(cmd->pool, "The '%s' Authn provider doesn't support password authentication", arg); + dc.apcs = append<AuthnProviderConf>(dc.apcs, mklist<AuthnProviderConf>(AuthnProviderConf(arg, provider))); + return NULL; +} /** * HTTP server module declaration. */ const command_rec commands[] = { + AP_INIT_ITERATE("AuthOpenAuthProvider", (const char*(*)())confAuthnProvider, NULL, OR_AUTHCFG, "Auth providers for a directory or location"), AP_INIT_FLAG("AuthOpenAuth", (const char*(*)())confEnabled, NULL, OR_AUTHCFG, "Tuscany Open Auth authentication On | Off"), AP_INIT_TAKE1("AuthOpenAuthLoginPage", (const char*(*)())confLogin, NULL, OR_AUTHCFG, "Tuscany Open Auth login page"), {NULL, NULL, NULL, 0, NO_ARGS, NULL} @@ -409,8 +456,8 @@ void registerHooks(unused apr_pool_t *p) { ap_hook_post_config(postConfig, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_child_init(childInit, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_check_authn(checkAuthn, NULL, NULL, APR_HOOK_MIDDLE, AP_AUTH_INTERNAL_PER_CONF); - ap_register_output_filter("mod_openauth", outputFilter, NULL, AP_FTYPE_CONTENT_SET); - ap_hook_insert_filter(insertOutputFilter, NULL, NULL, APR_HOOK_LAST); + ap_hook_session_load(sessionCookieLoad, NULL, NULL, APR_HOOK_MIDDLE); + ap_hook_session_save(sessionCookieSave, NULL, NULL, APR_HOOK_MIDDLE); } } diff --git a/sca-cpp/trunk/modules/http/mod-security-conf b/sca-cpp/trunk/modules/http/mod-security-conf index 4d978a01cb..5d03fc5cfb 100755 --- a/sca-cpp/trunk/modules/http/mod-security-conf +++ b/sca-cpp/trunk/modules/http/mod-security-conf @@ -51,8 +51,8 @@ SecDefaultAction "phase:2,pass,nolog,auditlog" #SecDebugLog $root/logs//modsec_debug_log #SecDebugLogLevel 3 -# Allow mod-security to access request bodies -SecRequestBodyAccess On +# Process request bodies +SecRequestBodyAccess Off SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" SecRule REQUEST_HEADERS:Content-Type "application/xml" "phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" SecRequestBodyLimit 13107200 @@ -90,8 +90,8 @@ SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, setvar:ip.slow_ SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop, msg:'Client Connection Dropped due to high # of slow DoS alerts'" SecWriteStateLimit 50 -# Allow mod-security to access response bodies -SecResponseBodyAccess On +# Process response bodies +SecResponseBodyAccess Off SecResponseBodyMimeType text/plain text/html text/xml application/xml SecResponseBodyLimit 524288 SecResponseBodyLimitAction ProcessPartial @@ -157,28 +157,28 @@ SecRule &TX:REAL_IP "@eq 0" "phase:1,id:'981218',t:none,pass,nolog,initcol:glob # Include all base mod-security CRS rules Include ${modsecurity_prefix}/base_rules/modsecurity_crs_20_protocol_violations.conf -Include ${modsecurity_prefix}/base_rules/modsecurity_crs_41_xss_attacks.conf -Include ${modsecurity_prefix}/base_rules/modsecurity_crs_50_outbound.conf +#Include ${modsecurity_prefix}/base_rules/modsecurity_crs_41_xss_attacks.conf +#Include ${modsecurity_prefix}/base_rules/modsecurity_crs_50_outbound.conf Include ${modsecurity_prefix}/base_rules/modsecurity_crs_35_bad_robots.conf Include ${modsecurity_prefix}/base_rules/modsecurity_crs_47_common_exceptions.conf Include ${modsecurity_prefix}/base_rules/modsecurity_crs_60_correlation.conf -Include ${modsecurity_prefix}/base_rules/modsecurity_crs_40_generic_attacks.conf +#Include ${modsecurity_prefix}/base_rules/modsecurity_crs_40_generic_attacks.conf Include ${modsecurity_prefix}/base_rules/modsecurity_crs_21_protocol_anomalies.conf Include ${modsecurity_prefix}/base_rules/modsecurity_crs_30_http_policy.conf Include ${modsecurity_prefix}/base_rules/modsecurity_crs_49_inbound_blocking.conf Include ${modsecurity_prefix}/base_rules/modsecurity_crs_41_sql_injection_attacks.conf -Include ${modsecurity_prefix}/base_rules/modsecurity_crs_45_trojans.conf +#Include ${modsecurity_prefix}/base_rules/modsecurity_crs_45_trojans.conf Include ${modsecurity_prefix}/base_rules/modsecurity_crs_59_outbound_blocking.conf Include ${modsecurity_prefix}/base_rules/modsecurity_crs_23_request_limits.conf Include ${modsecurity_prefix}/base_rules/modsecurity_crs_42_tight_security.conf # Include some optional mod-security CRS rules -Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_10_ignore_static.conf -Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_13_xml_enabler.conf -Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_25_cc_known.conf -Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_42_comment_spam.conf -Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf -Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_55_application_defects.conf +#Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_10_ignore_static.conf +#Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_13_xml_enabler.conf +#Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_25_cc_known.conf +#Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_42_comment_spam.conf +#Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf +#Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_55_application_defects.conf EOF diff --git a/sca-cpp/trunk/modules/http/open-auth-conf b/sca-cpp/trunk/modules/http/open-auth-conf index 5226622058..f4715b3a1c 100755 --- a/sca-cpp/trunk/modules/http/open-auth-conf +++ b/sca-cpp/trunk/modules/http/open-auth-conf @@ -40,14 +40,20 @@ else fi if [ "$2" = "" ]; then + providers="file" +else + providers="$2 file" +fi + +if [ "$3" = "" ]; then pw=`cat $root/cert/ca.key | head -2 | tail -1` else - pw="$2" + pw="$3" fi # Configure HTTPD mod_tuscany_openauth module cat >>$root/conf/modules.conf <<EOF -# Generated by: openauth-conf $* +# Generated by: open-auth-conf $* # Load support for Open authentication LoadModule mod_tuscany_openauth $here/libmod_tuscany_openauth$libsuffix @@ -67,11 +73,13 @@ cat >>$root/conf/locauth$sslsuffix.conf <<EOF <Location /> AuthType Open AuthName "$host" +AuthOpenAuthProvider socache $providers +AuthnCacheProvideFor $providers +AuthnCacheContext / Session On -SessionCookieName TuscanyOpenAuth domain=.$host; path=/ SessionCryptoPassphrase $pw AuthOpenAuth On -AuthOpenAuthLoginPage /login +AuthOpenAuthLoginPage /login/ Require valid-user </Location> @@ -79,8 +87,10 @@ Require valid-user <Location /login/dologin> AuthType Form AuthName "$host" -AuthFormProvider file -AuthFormLoginRequiredLocation /login +AuthFormProvider socache $providers +AuthnCacheProvideFor $providers +AuthnCacheContext / +AuthFormLoginRequiredLocation /login/?openauth_attempt=1 AuthFormLogoutLocation / Require valid-user SetHandler form-login-handler diff --git a/sca-cpp/trunk/modules/http/openauth.hpp b/sca-cpp/trunk/modules/http/openauth.hpp index 5d887885aa..3ffa88d362 100644 --- a/sca-cpp/trunk/modules/http/openauth.hpp +++ b/sca-cpp/trunk/modules/http/openauth.hpp @@ -77,7 +77,7 @@ const string cookie(const string& key, const string& sid, const string& domain) const time_t t = time(NULL) + 86400; char exp[32]; strftime(exp, 32, "%a, %d-%b-%Y %H:%M:%S GMT", gmtime(&t)); - const string c = key + string("=") + sid + "; expires=" + string(exp) + "; domain=." + domain + "; path=/"; + const string c = key + string("=") + sid + "; expires=" + string(exp) + "; domain=." + httpd::realm(domain) + "; path=/"; debug(c, "openauth::cookie"); return c; } @@ -85,9 +85,11 @@ const string cookie(const string& key, const string& sid, const string& domain) /** * Redirect to the configured login page. */ -const failable<int> login(const string& page, request_rec* r) { - const list<list<value> > largs = mklist<list<value> >(mklist<value>("openauth_referrer", httpd::escape(httpd::url(r->uri, r)))); - const string loc = httpd::url(page, r) + string("?") + http::queryString(largs); +const failable<int> login(const string& page, const value& ref, const value& attempt, request_rec* r) { + const list<list<value> > rarg = ref == string("/")? list<list<value> >() : mklist<list<value> >(mklist<value>("openauth_referrer", httpd::escape(httpd::url(isNil(ref)? r->uri : ref, r)))); + const list<list<value> > aarg = isNil(attempt)? list<list<value> >() : mklist<list<value> >(mklist<value>("openauth_attempt", attempt)); + const list<list<value> > largs = append<list<value> >(rarg, aarg); + const string loc = isNil(largs)? httpd::url(page, r) : httpd::url(page, r) + string("?") + http::queryString(largs); debug(loc, "openauth::login::uri"); return httpd::externalRedirect(loc, r); } diff --git a/sca-cpp/trunk/modules/http/passwd-auth-conf b/sca-cpp/trunk/modules/http/passwd-auth-conf index 119b0fbb3b..718b96de0a 100755 --- a/sca-cpp/trunk/modules/http/passwd-auth-conf +++ b/sca-cpp/trunk/modules/http/passwd-auth-conf @@ -27,5 +27,5 @@ httpd_prefix=`cat $here/httpd.prefix` # Create password file touch $root/conf/httpd.passwd -$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd $user $pass 2>/dev/null +$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd "$user" "$pass" 2>/dev/null |