From 3ac8ca7868ade978a3d0fc74113f3276e5c183ec Mon Sep 17 00:00:00 2001 
From: jsdelfino Date: Sun, 18 Dec 2011 20:19:11 +0000 Subject: Add ability to configure an HTTPS proxy with load balancing over a set of HTTP backend servers and get OAuth authentication working with that topology. git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1220526 13f79535-47bb-0310-9956-ffa450edef68 --- sca-cpp/trunk/modules/http/Makefile.am | 2 +- sca-cpp/trunk/modules/http/basic-auth-conf | 7 ++ sca-cpp/trunk/modules/http/cert-auth-conf | 7 ++ sca-cpp/trunk/modules/http/form-auth-conf | 7 ++ sca-cpp/trunk/modules/http/group-auth-conf | 8 +- sca-cpp/trunk/modules/http/httpd-conf | 103 ++++++++++++-------- sca-cpp/trunk/modules/http/httpd-ssl-conf | 15 +-- sca-cpp/trunk/modules/http/httpd.hpp | 108 +++++++++++++-------- sca-cpp/trunk/modules/http/open-auth-conf | 7 ++ sca-cpp/trunk/modules/http/proxy-conf | 5 + sca-cpp/trunk/modules/http/proxy-member-conf | 9 +- sca-cpp/trunk/modules/http/proxy-ssl-conf | 5 + sca-cpp/trunk/modules/http/proxy-ssl-member-conf | 19 ++-- .../trunk/modules/http/proxy-ssl-nossl-member-conf | 40 ++++++++ sca-cpp/trunk/modules/http/vhost-conf | 8 -- sca-cpp/trunk/modules/http/vhost-ssl-conf | 8 -- sca-cpp/trunk/modules/oauth/mod-oauth1.cpp | 4 +- sca-cpp/trunk/modules/oauth/mod-oauth2.cpp | 4 +- sca-cpp/trunk/modules/oauth/oauth-conf | 15 ++- sca-cpp/trunk/modules/openid/openid-conf | 11 ++- sca-cpp/trunk/modules/openid/openid-step2-conf | 4 +- sca-cpp/trunk/modules/server/mod-eval.hpp | 22 ++++- sca-cpp/trunk/modules/server/mod-wiring.cpp | 23 ++++- sca-cpp/trunk/modules/server/server-conf | 4 + sca-cpp/trunk/samples/store-cluster/server-conf | 1 + .../trunk/samples/store-cluster/server-ssl-conf | 1 + sca-cpp/trunk/samples/store-vhost/ssl-start | 1 + sca-cpp/trunk/samples/store-vhost/start | 1 + sca-cpp/trunk/samples/store-vhost/uec2-start | 1 + 29 files changed, 306 insertions(+), 144 deletions(-) create mode 100755 sca-cpp/trunk/modules/http/proxy-ssl-nossl-member-conf (limited to 'sca-cpp') 
diff --git a/sca-cpp/trunk/modules/http/Makefile.am b/sca-cpp/trunk/modules/http/Makefile.am index 89b285ea35..846c8ac6cc 100644 --- a/sca-cpp/trunk/modules/http/Makefile.am +++ b/sca-cpp/trunk/modules/http/Makefile.am @@ -20,7 +20,7 @@ INCLUDES = -I${HTTPD_INCLUDE} incl_HEADERS = *.hpp incldir = $(prefix)/include/modules/http -dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf cert-auth-conf form-auth-conf open-auth-conf passwd-auth-conf group-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf httpd-worker-conf httpd-event-conf minify-html minify-js minify-css +dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf cert-auth-conf form-auth-conf open-auth-conf passwd-auth-conf group-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf proxy-ssl-nossl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf httpd-worker-conf httpd-event-conf minify-html minify-js minify-css moddir = $(prefix)/modules/http curl_test_SOURCES = curl-test.cpp diff --git a/sca-cpp/trunk/modules/http/basic-auth-conf b/sca-cpp/trunk/modules/http/basic-auth-conf index d8c013d853..f376124da7 100755 --- a/sca-cpp/trunk/modules/http/basic-auth-conf +++ b/sca-cpp/trunk/modules/http/basic-auth-conf @@ -25,6 +25,13 @@ root=`echo "import os; print os.path.realpath('$1')" | python` conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"` host=`echo $conf | awk '{ print $6 }'` +# Disallow public access to server resources +cat >$root/conf/noauth.conf <>$root/conf/auth.conf <$root/conf/noauth.conf <>$root/conf/auth.conf <$root/conf/noauth.conf <>$root/conf/auth.conf <$root/conf/noauth.conf <$root/conf/.httpd.groups.tmp 2>/dev/null cp $root/conf/.httpd.groups.tmp $root/conf/httpd.groups 
@@ -35,7 +42,6 @@ if [ "$conf" = "" ]; then # Generated by: group-auth-conf $1 # Allow group member access to root location -AuthGroupFile "$root/conf/httpd.groups" Require group members diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf index 5d4e9f5485..e7f191ba48 100755 --- a/sca-cpp/trunk/modules/http/httpd-conf +++ b/sca-cpp/trunk/modules/http/httpd-conf @@ -114,29 +114,9 @@ Require all denied # Configure authentication +Include conf/noauth.conf Include conf/auth.conf - -# Allow access to public locations - -AuthType None -Require all granted - - -AuthType None -Require all granted - - -AuthType None -Require all granted - - -AuthType None -Require all granted - - -AuthType None -Require all granted - +Include conf/pubauth.conf # Configure output filters to enable compression and rate limiting @@ -165,21 +145,6 @@ RewriteRule .* http://$host$pportsuffix%{REQUEST_URI} [R] Include conf/svhost.conf - -# Allow access to document root - -Options FollowSymLinks -AuthType None -Require all granted - - -# Allow access to root location - -Options FollowSymLinks -AuthType None -Require all granted - - EOF @@ -245,6 +210,7 @@ LoadModule logio_module ${modules_prefix}/modules/mod_logio.so LoadModule usertrack_module ${modules_prefix}/modules/mod_usertrack.so LoadModule vhost_alias_module ${modules_prefix}/modules/mod_vhost_alias.so LoadModule cgi_module ${modules_prefix}/modules/mod_cgi.so +LoadModule actions_module ${modules_prefix}/modules/mod_actions.so LoadModule unixd_module ${modules_prefix}/modules/mod_unixd.so LoadModule session_module ${modules_prefix}/modules/mod_session.so LoadModule session_crypto_module ${modules_prefix}/modules/mod_session_crypto.so @@ -261,7 +227,7 @@ EOF # Generate auth configuration cat >$root/conf/auth.conf < 
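Review bot: The `Include conf/noauth.conf`, `Include conf/auth.conf`, `Include conf/pubauth.conf` sequence added to httpd-conf has no comment saying that its order is load-bearing. Each section appears to rely on later ones overriding earlier ones, and every `*-auth-conf` script rewrites `noauth.conf` with `>`, so reordering the includes or running the scripts in a different order changes who can reach what. I would add a comment above the three lines such as `# Order matters: noauth.conf sets the default policy, auth.conf adds authentication, pubauth.conf re-opens the public locations`. The section tags are not visible in this rendering, so confirm the merge behaviour against the generated files.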
@@ -273,13 +239,50 @@ Require all granted Options FollowSymLinks AuthUserFile "$root/conf/httpd.passwd" +AuthGroupFile "$root/conf/httpd.groups" Require all granted -# Mark login page with a header +EOF + +cat >$root/conf/pubauth.conf < +AuthType None +Require all granted +# Mark login page with a header Header set X-Login open-auth + +AuthType None +Require all granted + + +AuthType None +Require all granted + + +AuthType None +Require all granted + + +AuthType None +Require all granted + + +# Allow the server admin to view the server status and info + +SetHandler server-status +HostnameLookups on +Require user admin + + + +SetHandler server-info +HostnameLookups on +Require user admin + EOF @@ -292,6 +295,26 @@ cat >$root/conf/httpd.groups <$root/conf/noauth.conf < +AuthType None +Require all granted + + +# Allow everyone to access root location + +AuthType None +Require all granted + + +EOF + # Generate vhost configuration cat >$root/conf/vhost.conf < Include conf/svhost-ssl.conf - -# Allow the server admin to view the server status - -SetHandler server-status -HostnameLookups on -Require user admin - - - -SetHandler server-info -HostnameLookups on -Require user admin - EOF @@ -142,7 +129,7 @@ Include conf/log-ssl.conf # Enable HTTPS reverse proxy ProxyRequests Off -ProxyPreserveHost Off +ProxyPreserveHost On ProxyStatus On SSLProxyEngine on SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL diff --git a/sca-cpp/trunk/modules/http/httpd.hpp b/sca-cpp/trunk/modules/http/httpd.hpp index 5f8b867c9b..06d53e28c2 100644 --- a/sca-cpp/trunk/modules/http/httpd.hpp +++ b/sca-cpp/trunk/modules/http/httpd.hpp @@ -79,6 +79,7 @@ #include "list.hpp" #include "value.hpp" #include "monad.hpp" +#include "http.hpp" namespace tuscany { 
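Review bot: Moving the `server-status` and `server-info` handlers out of httpd-ssl-conf and into `pubauth.conf` means the `Require user admin` sections are now generated for the plain-HTTP server too, not only for the SSL one. Depending on which auth-conf script is active, the admin's credentials or session cookie could then travel unencrypted. Consider keeping these two sections in the SSL-only configuration or otherwise restricting them to HTTPS. The enclosing section tags are stripped in this rendering, so check the generated `pubauth.conf` before relying on this reading.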
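Review bot: In the httpd-ssl-conf hunk, the `SSLProxyCipherSuite` context line just below the changed `ProxyPreserveHost On` still enables `+eNULL`, `+EXP`, `+LOW` and `+SSLv2`. The proxy-to-backend TLS leg that this commit builds on can therefore negotiate unencrypted or export-grade suites. The line is untouched here, but since the commit is about the HTTPS proxy topology it is worth tightening in the same change, for example `SSLProxyCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5`. With `ProxyPreserveHost On` the backends also receive the client-supplied Host value, so they should validate it rather than assume the proxy normalised it.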
@@ -118,31 +119,6 @@ template C& dirConf(const void* c) { return *(C*)c; } -/** - * Return the name of a server. - */ -const string serverName(const server_rec* s, const string& def = "localhost") { - ostringstream n; - n << (s->server_scheme != NULL? s->server_scheme : "http") << "://" - << (s->server_hostname != NULL? s->server_hostname : def) << ":" - << (s->port != 0? s->port : 80) - << (s->path != NULL? string(s->path, s->pathlen) : ""); - return str(n); -} - -/** - * Determine the name of a server from an HTTP request. - */ -const string serverName(request_rec* r, const string& def = "localhost") { - ostringstream n; - const char* hn = ap_get_server_name(r); - n << (r->server->server_scheme != NULL? r->server->server_scheme : "http") << "://" - << (hn != NULL? hn : (r->server->server_hostname != NULL? r->server->server_hostname : def)) << ":" - << (r->server->port != 0? r->server->port : 80) - << (r->server->path != NULL? string(r->server->path, r->server->pathlen) : ""); - return str(n); -} - /** * Return the host name for a server. */ @@ -154,15 +130,11 @@ const string hostName(const server_rec* s, const string& def = "localhost") { * Return the host name from an HTTP request. */ const string hostName(request_rec* r, const string& def = "localhost") { - const char* hn = ap_get_server_name(r); - return hn != NULL? hn : (r->server->server_hostname != NULL? r->server->server_hostname : def); -} - -/** - * Return true if a request is targeting a virtual host. - */ -const bool isVirtualHostRequest(const server_rec* s, request_rec* r) { - return hostName(r) != hostName(s); + const char* fh = apr_table_get(r->headers_in, "X-Forwarded-Server"); + if (fh != NULL) + return fh; + const char* h = ap_get_server_name(r); + return h != NULL? h : (r->server->server_hostname != NULL? r->server->server_hostname : def); } /** 
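Review bot: `hostName(request_rec*)` now returns the `X-Forwarded-Server` request header verbatim whenever it is present, with no check that the request actually came from the configured proxy, so on any backend that is reachable directly the client chooses the host name. The same pattern is in the `scheme()` hunk (`X-Forwarded-HTTPS`) and the `port()` hunk (`X-Forwarded-Port`), and the results feed `serverName()`, `url()`, the OAuth cookie domain and the virtual-host lookup. Consider honouring these headers only when the peer is a known proxy or when a configuration switch enables them, e.g. a guard such as `if (fh != NULL && fromTrustedProxy(r)) return fh;` (helper name is illustrative), and falling back to `ap_get_server_name(r)` otherwise. If I recall correctly, mod_proxy merges its value into an existing `X-Forwarded-Server` rather than replacing it, so the header may arrive as a comma-separated list that this code would use whole; worth confirming and, if so, taking only the last element.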
@@ -176,6 +148,9 @@ const string scheme(const server_rec* s, const string& def = "http") { * Return the protocol scheme from an HTTP request. */ const string scheme(request_rec* r, const string& def = "http") { + const char* fs = apr_table_get(r->headers_in, "X-Forwarded-HTTPS"); + if (fs != NULL) + return !strcmp(fs, "on")? "https" : "http"; return r->server->server_scheme != NULL? r->server->server_scheme : def; } 
@@ -190,7 +165,49 @@ const int port(const server_rec* s, const int def = 80) { * Return the port number from an HTTP request. */ const int port(request_rec* r, const int def = 80) { - return r->server->port != 0? r->server->port : def; + const char* fp = apr_table_get(r->headers_in, "X-Forwarded-Port"); + if (fp != NULL) + return atoi(fp); + const int p = ap_get_server_port(r); + return p != 0? p : def; +} + +/** + * Return the name of a server. + */ +const string serverName(const server_rec* s, const string& def = "localhost") { + ostringstream n; + const string sc = scheme(s); + const string h = hostName(s, def); + const int p = port(s, sc == "https"? 443 : 80); + n << sc << "://" << h; + if (!((sc == "http" && p == 80) || (sc == "https" && p == 443))) + n << ":" << p; + n << (s->path != NULL? string(s->path, s->pathlen) : ""); + return str(n); +} + +/** + * Determine the name of a server from an HTTP request. + */ +const string serverName(request_rec* r, const string& def = "localhost") { + ostringstream n; + const string s = scheme(r); + const string h = hostName(r, def); + const int p = port(r, s == "https"? 443 : 80); + n << s << "://" << h; + if (!((s == "http" && p == 80) || (s == "https" && p == 443))) + n << ":" << p; + n << (r->server->path != NULL? string(r->server->path, r->server->pathlen) : ""); + return str(n); +} + +/** + * Return true if a request is targeting a virtual host. + */ +const bool isVirtualHostRequest(const server_rec* s, const string& d, request_rec* r) { + const string rh = hostName(r); + return rh != hostName(s) && http::topDomain(rh) == d; } /** 
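Review bot: `return atoi(fp);` in `port(request_rec*)` accepts whatever text is in `X-Forwarded-Port`: non-numeric input yields 0 and bypasses the `def` fallback, and negative or out-of-range values flow straight into the URLs built by `serverName()` and `url()`. Parsing with `strtol`, requiring the whole string to be consumed and the value to lie in 1–65535, and otherwise falling through to the existing `ap_get_server_port(r)` path keeps a malformed header from producing a malformed or misleading URL. The rest of the hunk (the `serverName()` overloads and `isVirtualHostRequest()`) is unaffected by this suggestion.

```cpp
const int port(request_rec* r, const int def = 80) {
    const char* fp = apr_table_get(r->headers_in, "X-Forwarded-Port");
    if (fp != NULL) {
        // Accept only a complete decimal number in the valid TCP port range
        char* end = NULL;
        const long fpn = strtol(fp, &end, 10);
        if (end != fp && *end == '\0' && fpn >= 1 && fpn <= 65535)
            return (int)fpn;
    }
    // … unchanged: ap_get_server_port() fallback, serverName() overloads, isVirtualHostRequest() …
```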
@@ -223,18 +240,25 @@ const list pathInfo(const list& uri, const list& path) { } /** - * Convert a URI and a path to an absolute URL. + * Convert a URI to an absolute URL. */ -const string url(const string& uri, const list& p, request_rec* r) { - const string u = uri + path(p); - return ap_construct_url(r->pool, c_str(u), r); +const string url(const string& uri, request_rec* r) { + ostringstream n; + const string s = scheme(r); + const string h = hostName(r, "localhost"); + const int p = port(r, s == "https"? 443 : 80); + n << s << "://" << h; + if (!((s == "http" && p == 80) || (s == "https" && p == 443))) + n << ":" << p; + n << uri; + return str(n); } /** - * Convert a URI to an absolute URL. + * Convert a URI and a path to an absolute URL. */ -const string url(const string& uri, request_rec* r) { - return ap_construct_url(r->pool, c_str(uri), r); +const string url(const string& uri, const list& p, request_rec* r) { + return url(uri + path(p), r); } /** diff --git a/sca-cpp/trunk/modules/http/open-auth-conf b/sca-cpp/trunk/modules/http/open-auth-conf index 66d36242e2..cb702596ef 100755 --- a/sca-cpp/trunk/modules/http/open-auth-conf +++ b/sca-cpp/trunk/modules/http/open-auth-conf @@ -27,6 +27,13 @@ host=`echo $conf | awk '{ print $6 }'` pw=`cat $root/cert/ca.key | head -2 | tail -1` +# Disallow public access to server resources +cat >$root/conf/noauth.conf <>$root/conf/auth.conf < + +RequestHeader set X-Forwarded-HTTPS %{HTTPS}s +RequestHeader set X-Forwarded-Port %{SERVER_PORT}s + + EOF diff --git a/sca-cpp/trunk/modules/http/proxy-member-conf b/sca-cpp/trunk/modules/http/proxy-member-conf index 2e279e87c7..83c43df49f 100755 --- a/sca-cpp/trunk/modules/http/proxy-member-conf +++ b/sca-cpp/trunk/modules/http/proxy-member-conf 
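Review bot: The scheme/host/port assembly in the new `url(const string& uri, request_rec* r)` in httpd.hpp is a third copy of the block already written in both `serverName()` overloads, including the default-port elision test `(s == "http" && p == 80) || (s == "https" && p == 443)`. Because these strings end up in redirects and cookies, any later hardening of one copy has to be repeated in the others. I would factor the common part into one small helper that returns `scheme://host[:port]` for a request and have `serverName(request_rec*)` and `url()` append the server path or `uri` to it. The helper should carry a comment stating that its inputs may originate from forwarded headers.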
@@ -24,12 +24,17 @@ root=`echo "import os; print os.path.realpath('$1')" | python` host=$2 port=`$here/httpd-addr port $3` +if [ "$port" = "80" ]; then + portsuffix="" +else + portsuffix=":$port" +fi cat >>$root/conf/vhost.conf < + +RequestHeader set X-Forwarded-HTTPS %{HTTPS}s +RequestHeader set X-Forwarded-Port %{SERVER_PORT}s + + EOF cat >>$root/conf/svhost-ssl.conf <>$root/conf/svhost-ssl.conf <>$root/conf/vhost-ssl.conf <>$root/conf/dvhost-ssl.conf <>$root/conf/vhost-ssl.conf < -Options FollowSymLinks -AuthType None -Require all granted - - EOF diff --git a/sca-cpp/trunk/modules/http/vhost-ssl-conf b/sca-cpp/trunk/modules/http/vhost-ssl-conf index 7ddbee08e0..28e9eefe76 100755 --- a/sca-cpp/trunk/modules/http/vhost-ssl-conf +++ b/sca-cpp/trunk/modules/http/vhost-ssl-conf @@ -52,13 +52,5 @@ ServerAlias *.$host VirtualDocumentRoot $vroot/%1/$vhtdocs/ Include conf/dvhost-ssl.conf - -# Allow access to document root - -Options FollowSymLinks -AuthType None -Require all granted - - diff --git a/sca-cpp/trunk/modules/oauth/mod-oauth1.cpp b/sca-cpp/trunk/modules/oauth/mod-oauth1.cpp index 2381b16810..94e9698d70 100644 --- a/sca-cpp/trunk/modules/oauth/mod-oauth1.cpp +++ b/sca-cpp/trunk/modules/oauth/mod-oauth1.cpp @@ -376,8 +376,8 @@ const failable access_token(const list >& args, request_rec* r, return mkfailure(reason(prc)); // Send session ID to the client in a cookie - debug(c_str(openauth::cookie(sid, httpd::hostName(sc.server))), "modoauth1::access_token::setcookie"); - apr_table_set(r->err_headers_out, "Set-Cookie", c_str(openauth::cookie(sid, httpd::hostName(sc.server)))); + debug(c_str(openauth::cookie(sid, httpd::hostName(r))), "modoauth1::access_token::setcookie"); + apr_table_set(r->err_headers_out, "Set-Cookie", c_str(openauth::cookie(sid, httpd::hostName(r)))); return httpd::externalRedirect(httpd::url(r->uri, r), r); } diff --git a/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp b/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp index 3d567040ac..0c49be879e 100644 
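Review bot: In the mod-oauth1.cpp hunk, the session cookie's domain in `access_token` now comes from `httpd::hostName(r)`, which after this commit prefers the `X-Forwarded-Server` request header, so the cookie scope is only as trustworthy as that header. The mod-oauth2.cpp hunk makes the same change. Separately, the `debug(...)` line just above `apr_table_set` writes the complete cookie string, session ID included, to the debug output. Logging only the host, e.g. `debug(c_str(httpd::hostName(r)), "modoauth1::access_token::setcookie");`, keeps the trace useful without putting a live session identifier in logs. `access_token` begins outside the hunk, so any earlier validation of the host is not visible here.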
--- a/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp +++ b/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp @@ -231,8 +231,8 @@ const failable access_token(const list >& args, request_rec* r, return mkfailure(reason(prc)); // Send session ID to the client in a cookie - debug(c_str(openauth::cookie(sid, httpd::hostName(sc.server))), "modoauth2::access_token::setcookie"); - apr_table_set(r->err_headers_out, "Set-Cookie", c_str(openauth::cookie(sid, httpd::hostName(sc.server)))); + debug(c_str(openauth::cookie(sid, httpd::hostName(r))), "modoauth2::access_token::setcookie"); + apr_table_set(r->err_headers_out, "Set-Cookie", c_str(openauth::cookie(sid, httpd::hostName(r)))); return httpd::externalRedirect(httpd::url(r->uri, r), r); } diff --git a/sca-cpp/trunk/modules/oauth/oauth-conf b/sca-cpp/trunk/modules/oauth/oauth-conf index 21fc51cac8..23ec52b35f 100755 --- a/sca-cpp/trunk/modules/oauth/oauth-conf +++ b/sca-cpp/trunk/modules/oauth/oauth-conf @@ -41,12 +41,14 @@ LoadModule mod_tuscany_oauth2 $here/libmod_tuscany_oauth2$libsuffix EOF -cat >$root/cert/oauth-keys.conf <$root/conf/noauth.conf <>$root/conf/auth.conf <$root/cert/oauth-keys.conf <>$root/conf/auth.conf <$root/conf/noauth.conf <>$root/conf/modules.conf <>$root/conf/httpd.conf <>$root/conf/pubauth.conf < AuthType None Require all granted diff --git a/sca-cpp/trunk/modules/openid/openid-step2-conf b/sca-cpp/trunk/modules/openid/openid-step2-conf index 9a32da498e..e9144b873a 100755 --- a/sca-cpp/trunk/modules/openid/openid-step2-conf +++ b/sca-cpp/trunk/modules/openid/openid-step2-conf @@ -42,8 +42,8 @@ ForceType text/plain EOF -cat >>$root/conf/httpd.conf <>$root/conf/pubauth.conf < AuthType None diff --git a/sca-cpp/trunk/modules/server/mod-eval.hpp b/sca-cpp/trunk/modules/server/mod-eval.hpp index 4c305fccbf..31e850d18c 100644 --- a/sca-cpp/trunk/modules/server/mod-eval.hpp +++ b/sca-cpp/trunk/modules/server/mod-eval.hpp 
@@ -56,10 +56,10 @@ namespace modeval { */ class ServerConf { public: - ServerConf(apr_pool_t* p, server_rec* s) : p(p), server(s), contributionPath(""), compositeName(""), virtualHostContributionPath(""), virtualHostCompositeName(""), ca(""), cert(""), key("") { + ServerConf(apr_pool_t* p, server_rec* s) : p(p), server(s), contributionPath(""), compositeName(""), virtualHostDomain(""), virtualHostContributionPath(""), virtualHostCompositeName(""), ca(""), cert(""), key("") { } - ServerConf(apr_pool_t* p, const ServerConf& ssc, const string& name) : p(p), server(ssc.server), lifecycle(ssc.lifecycle), contributionPath(ssc.virtualHostContributionPath + name + "/"), compositeName(ssc.virtualHostCompositeName), virtualHostContributionPath(""), virtualHostCompositeName(""), ca(ssc.ca), cert(ssc.cert), key(ssc.key) { + ServerConf(apr_pool_t* p, const ServerConf& ssc, const string& name) : p(p), server(ssc.server), lifecycle(ssc.lifecycle), contributionPath(ssc.virtualHostContributionPath + name + "/"), compositeName(ssc.virtualHostCompositeName), virtualHostDomain(""), virtualHostContributionPath(""), virtualHostCompositeName(""), ca(ssc.ca), cert(ssc.cert), key(ssc.key) { } const gc_pool p; @@ -67,6 +67,7 @@ public: lambda&)> lifecycle; string contributionPath; string compositeName; + string virtualHostDomain; string virtualHostContributionPath; string virtualHostCompositeName; string ca; @@ -83,6 +84,13 @@ const bool hasCompositeConf(const ServerConf& sc) { return sc.contributionPath != "" && sc.compositeName != ""; } +/** + * Return true if a server contains a virtual host domain configuration. + */ +const bool hasVirtualDomainConf(const ServerConf& sc) { + return sc.virtualHostDomain != ""; +} + /** * Return true if a server contains a virtual host composite configuration. */ 
@@ -812,7 +820,7 @@ const int handleRequest(const ServerConf& sc, const list& rpath, request_ // Handle a request targeting a virtual host or virtual app if (hasVirtualCompositeConf(sc)) { - if (httpd::isVirtualHostRequest(sc.server, r)) { + if (hasVirtualDomainConf(sc) && httpd::isVirtualHostRequest(sc.server, sc.virtualHostDomain, r)) { ServerConf vsc(r->pool, sc, http::subDomain(httpd::hostName(r))); if (!hasContent(virtualHostConfig(vsc, sc, r))) return HTTP_INTERNAL_SERVER_ERROR; @@ -916,6 +924,7 @@ const int postConfigMerge(const ServerConf& mainsc, server_rec* s) { sc.lifecycle = mainsc.lifecycle; sc.contributionPath = mainsc.contributionPath; sc.compositeName = mainsc.compositeName; + sc.virtualHostDomain = mainsc.virtualHostDomain; sc.virtualHostContributionPath = mainsc.virtualHostContributionPath; sc.virtualHostCompositeName = mainsc.virtualHostCompositeName; if (sc.ca == "") sc.ca = mainsc.ca; @@ -1026,6 +1035,12 @@ const char* confComposite(cmd_parms *cmd, unused void *c, const char *arg) { sc.compositeName = arg; return NULL; } +const char* confVirtualDomain(cmd_parms *cmd, unused void *c, const char *arg) { + gc_scoped_pool pool(cmd->pool); + ServerConf& sc = httpd::serverConf(cmd, &mod_tuscany_eval); + sc.virtualHostDomain = arg; + return NULL; +} const char* confVirtualContribution(cmd_parms *cmd, unused void *c, const char *arg) { gc_scoped_pool pool(cmd->pool); ServerConf& sc = httpd::serverConf(cmd, &mod_tuscany_eval); 
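Review bot: In `handleRequest` (mod-eval.hpp), `http::subDomain(httpd::hostName(r))` is concatenated into `contributionPath` by the `ServerConf` copy constructor, and after this commit `hostName(r)` can come from a request header rather than from Apache's parsed Host. The new `http::topDomain(rh) == d` test constrains the suffix, but as far as the hunk shows nothing checks that the sub-domain is a plain DNS label (letters, digits, hyphen) before it becomes a directory name. I would validate the label and return an error for anything else, such as a value containing `/` or `..`, before constructing `vsc`. The `translateRequest` hunk in mod-wiring.cpp makes the same call and needs the same check. `http::subDomain` is not visible on this page, so confirm it does not already enforce this.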
@@ -1068,6 +1083,7 @@ const char* confEnv(unused cmd_parms *cmd, unused void *c, const char *name, con const command_rec commands[] = { AP_INIT_TAKE1("SCAContribution", (const char*(*)())confContribution, NULL, RSRC_CONF, "SCA contribution location"), AP_INIT_TAKE1("SCAComposite", (const char*(*)())confComposite, NULL, RSRC_CONF, "SCA composite location"), + AP_INIT_TAKE1("SCAVirtualDomain", (const char*(*)())confVirtualDomain, NULL, RSRC_CONF, "SCA virtual host domain"), AP_INIT_TAKE1("SCAVirtualContribution", (const char*(*)())confVirtualContribution, NULL, RSRC_CONF, "SCA virtual host contribution location"), AP_INIT_TAKE1("SCAVirtualComposite", (const char*(*)())confVirtualComposite, NULL, RSRC_CONF, "SCA virtual composite location"), AP_INIT_TAKE12("SCASetEnv", (const char*(*)())confEnv, NULL, OR_FILEINFO, "Environment variable name and optional value"), diff --git a/sca-cpp/trunk/modules/server/mod-wiring.cpp b/sca-cpp/trunk/modules/server/mod-wiring.cpp index 39e43c0420..c61e90a6a1 100644 --- a/sca-cpp/trunk/modules/server/mod-wiring.cpp +++ b/sca-cpp/trunk/modules/server/mod-wiring.cpp 
@@ -54,16 +54,17 @@ const bool useModProxy = true; */ class ServerConf { public: - ServerConf(apr_pool_t* p, server_rec* s) : p(p), server(s), contributionPath(""), compositeName(""), virtualHostContributionPath(""), virtualHostCompositeName("") { + ServerConf(apr_pool_t* p, server_rec* s) : p(p), server(s), contributionPath(""), compositeName(""), virtualHostDomain(""), virtualHostContributionPath(""), virtualHostCompositeName("") { } - ServerConf(apr_pool_t* p, const ServerConf& ssc, const string& name) : p(p), server(ssc.server), contributionPath(ssc.virtualHostContributionPath + name + "/"), compositeName(ssc.virtualHostCompositeName), virtualHostContributionPath(""), virtualHostCompositeName("") { + ServerConf(apr_pool_t* p, const ServerConf& ssc, const string& name) : p(p), server(ssc.server), contributionPath(ssc.virtualHostContributionPath + name + "/"), compositeName(ssc.virtualHostCompositeName), virtualHostDomain(""), virtualHostContributionPath(""), virtualHostCompositeName("") { } const gc_pool p; server_rec* server; string contributionPath; string compositeName; + string virtualHostDomain; string virtualHostContributionPath; string virtualHostCompositeName; list references; @@ -77,6 +78,13 @@ const bool hasCompositeConf(const ServerConf& sc) { return sc.contributionPath != "" && sc.compositeName != ""; } +/** + * Return true if a server contains a virtual host domain configuration. + */ +const bool hasVirtualDomainConf(const ServerConf& sc) { + return sc.virtualHostDomain != ""; +} + /** * Return true if a server contains a virtual host composite configuration. */ @@ -304,8 +312,9 @@ const int translateRequest(const ServerConf& sc, request_rec *r, const listpool, sc, http::subDomain(httpd::hostName(r))); if (!hasContent(virtualHostConfig(vsc, sc, r))) return HTTP_INTERNAL_SERVER_ERROR; 
@@ -409,6 +418,7 @@ const int postConfigMerge(const ServerConf& mainsc, server_rec* s) { ServerConf& sc = httpd::serverConf(s, &mod_tuscany_wiring); sc.contributionPath = mainsc.contributionPath; sc.compositeName = mainsc.compositeName; + sc.virtualHostDomain = mainsc.virtualHostDomain; sc.virtualHostContributionPath = mainsc.virtualHostContributionPath; sc.virtualHostCompositeName = mainsc.virtualHostCompositeName; sc.references = mainsc.references; @@ -462,6 +472,12 @@ const char *confComposite(cmd_parms *cmd, unused void *c, const char *arg) { sc.compositeName = arg; return NULL; } +const char *confVirtualDomain(cmd_parms *cmd, unused void *c, const char *arg) { + gc_scoped_pool pool(cmd->pool); + ServerConf& sc = httpd::serverConf(cmd, &mod_tuscany_wiring); + sc.virtualHostDomain = arg; + return NULL; +} const char *confVirtualContribution(cmd_parms *cmd, unused void *c, const char *arg) { gc_scoped_pool pool(cmd->pool); ServerConf& sc = httpd::serverConf(cmd, &mod_tuscany_wiring); @@ -481,6 +497,7 @@ const char *confVirtualComposite(cmd_parms *cmd, unused void *c, const char *arg const command_rec commands[] = { AP_INIT_TAKE1("SCAContribution", (const char*(*)())confContribution, NULL, RSRC_CONF, "SCA contribution location"), AP_INIT_TAKE1("SCAComposite", (const char*(*)())confComposite, NULL, RSRC_CONF, "SCA composite location"), + AP_INIT_TAKE1("SCAVirtualDomain", (const char*(*)())confVirtualDomain, NULL, RSRC_CONF, "SCA virtual host domain"), AP_INIT_TAKE1("SCAVirtualContribution", (const char*(*)())confVirtualContribution, NULL, RSRC_CONF, "SCA virtual host contribution location"), AP_INIT_TAKE1("SCAVirtualComposite", (const char*(*)())confVirtualComposite, NULL, RSRC_CONF, "SCA virtual host composite location"), {NULL, NULL, NULL, 0, NO_ARGS, NULL} diff --git a/sca-cpp/trunk/modules/server/server-conf b/sca-cpp/trunk/modules/server/server-conf index 5b3024abbc..47934f973e 100755 --- a/sca-cpp/trunk/modules/server/server-conf 
+++ b/sca-cpp/trunk/modules/server/server-conf @@ -54,6 +54,10 @@ Alias /scdl.js $jsprefix/htdocs/scdl.js Alias /all.js $jsprefix/htdocs/all.js Alias /all-min.js $jsprefix/htdocs/all-min.js +EOF + +cat >>$root/conf/pubauth.conf < AuthType None Require all granted diff --git a/sca-cpp/trunk/samples/store-cluster/server-conf b/sca-cpp/trunk/samples/store-cluster/server-conf index f65ba37d3a..5113bc36f4 100755 --- a/sca-cpp/trunk/samples/store-cluster/server-conf +++ b/sca-cpp/trunk/samples/store-cluster/server-conf @@ -34,6 +34,7 @@ SCAContribution `pwd`/shared/ SCAComposite shared.composite # Configure SCA Composite for mass dynamic virtual hosting +SCAVirtualDomain sca-store.com SCAVirtualContribution `pwd`/domains/ SCAVirtualComposite store.composite diff --git a/sca-cpp/trunk/samples/store-cluster/server-ssl-conf b/sca-cpp/trunk/samples/store-cluster/server-ssl-conf index 83628bbacd..a7813b2a01 100755 --- a/sca-cpp/trunk/samples/store-cluster/server-ssl-conf +++ b/sca-cpp/trunk/samples/store-cluster/server-ssl-conf @@ -52,6 +52,7 @@ SCAContribution `pwd`/shared/ SCAComposite shared.composite # Configure SCA Composite for mass dynamic virtual hosting +SCAVirtualDomain sca-store.com SCAVirtualContribution `pwd`/domains/ SCAVirtualComposite store.composite diff --git a/sca-cpp/trunk/samples/store-vhost/ssl-start b/sca-cpp/trunk/samples/store-vhost/ssl-start index 3a6bb82bd8..a556d48dfc 100755 --- a/sca-cpp/trunk/samples/store-vhost/ssl-start +++ b/sca-cpp/trunk/samples/store-vhost/ssl-start @@ -38,6 +38,7 @@ SCAContribution `pwd`/shared/ SCAComposite shared.composite # Configure SCA Composite for mass dynamic virtual Hosting +SCAVirtualDomain sca-store.com SCAVirtualContribution `pwd`/domains/ SCAVirtualComposite store.composite diff --git a/sca-cpp/trunk/samples/store-vhost/start b/sca-cpp/trunk/samples/store-vhost/start index 38661e711c..ee6f613bad 100755 --- a/sca-cpp/trunk/samples/store-vhost/start +++ b/sca-cpp/trunk/samples/store-vhost/start 
@@ -28,6 +28,7 @@ SCAContribution `pwd`/shared/ SCAComposite shared.composite # Configure SCA Composite for mass dynamic virtual hosting +SCAVirtualDomain sca-store.com SCAVirtualContribution `pwd`/domains/ SCAVirtualComposite store.composite diff --git a/sca-cpp/trunk/samples/store-vhost/uec2-start b/sca-cpp/trunk/samples/store-vhost/uec2-start index f7208b7403..70de35efa1 100755 --- a/sca-cpp/trunk/samples/store-vhost/uec2-start +++ b/sca-cpp/trunk/samples/store-vhost/uec2-start @@ -41,6 +41,7 @@ sudo ../../ubuntu/ip-redirect-all 443 8453 ../../modules/python/python-conf tmp cat >>tmp/conf/httpd.conf <