From 4edb611792cbf0a3335631a181c15095e81e8afa Mon Sep 17 00:00:00 2001
From: jsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68>
Date: Thu, 3 Jan 2013 07:42:01 +0000
Subject: Minor changes to server config scripts to get auth and session
 management to behave the same with or without a proxy.

git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1428194 13f79535-47bb-0310-9956-ffa450edef68
---
 sca-cpp/trunk/modules/http/basic-auth-conf     |  2 +-
 sca-cpp/trunk/modules/http/cert-auth-conf      |  2 +-
 sca-cpp/trunk/modules/http/form-auth-conf      | 28 +++++++++++++++++++++---
 sca-cpp/trunk/modules/http/httpd-conf          | 23 ++++++++++++--------
 sca-cpp/trunk/modules/http/httpd-ssl-conf      | 11 ++++++++--
 sca-cpp/trunk/modules/http/open-auth-conf      | 30 ++++++++++++++++++++------
 sca-cpp/trunk/modules/http/ssl-ca-conf         |  5 +++++
 sca-cpp/trunk/modules/js/js-conf               |  4 ++++
 sca-cpp/trunk/modules/oauth/oauth-conf         |  2 +-
 sca-cpp/trunk/modules/oauth/oauth12-conf       |  2 +-
 sca-cpp/trunk/modules/openid/openid-conf       |  3 ++-
 sca-cpp/trunk/modules/openid/openid-step2-conf |  1 +
 sca-cpp/trunk/modules/server/server-conf       |  2 +-
 13 files changed, 89 insertions(+), 26 deletions(-)

(limited to 'sca-cpp')

diff --git a/sca-cpp/trunk/modules/http/basic-auth-conf b/sca-cpp/trunk/modules/http/basic-auth-conf
index 8710d1fdf7..3fe41e25d7 100755
--- a/sca-cpp/trunk/modules/http/basic-auth-conf
+++ b/sca-cpp/trunk/modules/http/basic-auth-conf
@@ -28,7 +28,7 @@ host=`echo $conf | awk '{ print $6 }'`
 if [ "$2" = "" ]; then
     providers="file"
 else
-    providers="$2 file"
+    providers="file $2"
 fi
 
 if [ "$3" = "" ]; then
diff --git a/sca-cpp/trunk/modules/http/cert-auth-conf b/sca-cpp/trunk/modules/http/cert-auth-conf
index a30fdfff8c..56ff9e6dfd 100755
--- a/sca-cpp/trunk/modules/http/cert-auth-conf
+++ b/sca-cpp/trunk/modules/http/cert-auth-conf
@@ -35,7 +35,7 @@ fi
 if [ "$2" = "" ]; then
     providers="file"
 else
-    providers="$2 file"
+    providers="file $2"
 fi
 
 # Disallow public access to server resources
diff --git a/sca-cpp/trunk/modules/http/form-auth-conf b/sca-cpp/trunk/modules/http/form-auth-conf
index fbe943f3d9..ba2f99dbf1 100755
--- a/sca-cpp/trunk/modules/http/form-auth-conf
+++ b/sca-cpp/trunk/modules/http/form-auth-conf
@@ -28,7 +28,7 @@ host=`echo $conf | awk '{ print $6 }'`
 if [ "$2" = "" ]; then
     providers="file"
 else
-    providers="$2 file"
+    providers="file $2"
 fi
 
 if [ "$3" = "" ]; then
@@ -63,19 +63,41 @@ AuthFormProvider socache $providers
 AuthnCacheProvideFor $providers
 AuthnCacheContext /
 AuthFormLoginRequiredLocation /login/
-AuthFormLogoutLocation /
 Session On
-SessionCookieName TuscanyFormAuth domain=.$host; path=/
+SessionCookieName TuscanyFormAuth domain=.$host; path=/; secure; httponly
 SessionCryptoPassphrase $pw
 Require valid-user
 </Location>
 
 <Location /login/dologin>
 SetHandler form-login-handler
+AuthType Form
+AuthName "$host"
+AuthFormProvider socache $providers
+AuthFormLoginRequiredLocation /login/?openauth_attempt=1
+Session On
+Require valid-user
 </Location>
 
 <Location /logout/dologout>
 SetHandler form-logout-handler
+AuthType Form
+AuthName "$host"
+AuthFormLogoutLocation /
+Session On
+Require valid-user
+</Location>
+
+EOF
+
+cat >>$root/conf/pubauth$sslsuffix.conf <<EOF
+# Generated by: open-auth-conf $*
+# Enable Tuscany open authentication
+<Location /login/dologin>
+Session On
+</Location>
+<Location /logout/dologout>
+Session On
 </Location>
 
 EOF
diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf
index 730775fa89..3f96304ae8 100755
--- a/sca-cpp/trunk/modules/http/httpd-conf
+++ b/sca-cpp/trunk/modules/http/httpd-conf
@@ -174,15 +174,6 @@ LoadModule mpm_prefork_module ${modules_prefix}/modules/mod_mpm_prefork.so
 
 EOF
 
-if [ $uname = "Darwin" ]; then
-    cat >>$root/conf/mpm.conf <<EOF
-# Generated by: httpd-conf $*
-# Set thread stack size
-ThreadStackSize 2097152
-
-EOF
-fi
-
 # Generate modules list
 cat >$root/conf/modules.conf <<EOF
 # Generated by: httpd-conf $*
@@ -269,28 +260,40 @@ cat >$root/conf/pubauth.conf <<EOF
 # Allow everyone to access public locations
 <Location /login>
 AuthType None
+Session Off
 Require all granted
 # Mark login page with a header
 Header set X-Login open-auth
 </Location>
+<Location /login/dologin>
+Session Off
+</Location>
 <Location /logout>
 AuthType None
+Session Off
 Require all granted
 </Location>
+<Location /logout/dologout>
+Session Off
+</Location>
 <Location /public>
 AuthType None
+Session Off
 Require all granted
 </Location>
 <Location /proxy/public>
 AuthType None
+Session Off
 Require all granted
 </Location>
 <Location /favicon.ico>
 AuthType None
+Session Off
 Require all granted
 </Location>
 <Location /robots.txt>
 AuthType None
+Session Off
 Require all granted
 </Location>
 
@@ -322,12 +325,14 @@ cat >$root/conf/noauth.conf <<EOF
 # Allow access to document root
 <Directory "$htdocs">
 AuthType None
+Session Off
 Require all granted
 </Directory>
 
 # Allow everyone to access root location
 <Location />
 AuthType None
+Session Off
 Require all granted
 </Location>
 
diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf
index f99a10071c..3bd1dd63dc 100755
--- a/sca-cpp/trunk/modules/http/httpd-ssl-conf
+++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf
@@ -68,6 +68,7 @@ SSLSessionCacheTimeout 300
 Mutex "file:$root/logs" ssl-cache
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
+SSLCompression Off
 
 # Listen on HTTPS port
 Listen $sslport
@@ -165,7 +166,10 @@ UseCanonicalName Off
 
 # Enable SSL
 SSLEngine on
-SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+SSLProtocol ALL -SSLv2
+SSLHonorCipherOrder On
+#SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4-SHA:AES128-SHA:HIGH:!MD5:!DHE:!3DES:!EXP:!ADH:!EDH:!aNULL:!eNULL:!NULL
+SSLCipherSuite ECDHE-RSA-RC4-SHA:RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:ECDHE-RSA-AES256-SHA:AES256-SHA:!DHE:!3DES:!EXP:!ADH:!EDH:!aNULL:!eNULL:!NULL
 BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth
 
@@ -188,9 +192,12 @@ ProxyRequests Off
 ProxyPreserveHost On
 ProxyStatus On
 SSLProxyEngine on
-SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+SSLProxyProtocol ALL -SSLv2
+#SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4-SHA:AES128-SHA:HIGH:!MD5:!DHE:!3DES:!EXP:!ADH:!EDH:!aNULL:!eNULL:!NULL
+SSLProxyCipherSuite ECDHE-RSA-RC4-SHA:RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:ECDHE-RSA-AES256-SHA:AES256-SHA:!DHE:!3DES:!EXP:!ADH:!EDH:!aNULL:!eNULL:!NULL
 
 # Verify server certificates
+SSLProxyCACertificateFile "$root/cert/cacert.pem"
 SSLProxyVerify require
 SSLProxyVerifyDepth 1
 SSLProxyCheckPeerCN Off
diff --git a/sca-cpp/trunk/modules/http/open-auth-conf b/sca-cpp/trunk/modules/http/open-auth-conf
index f4715b3a1c..5a8db92972 100755
--- a/sca-cpp/trunk/modules/http/open-auth-conf
+++ b/sca-cpp/trunk/modules/http/open-auth-conf
@@ -42,7 +42,7 @@ fi
 if [ "$2" = "" ]; then
     providers="file"
 else
-    providers="$2 file"
+    providers="file $2"
 fi
 
 if [ "$3" = "" ]; then
@@ -76,24 +76,42 @@ AuthName "$host"
 AuthOpenAuthProvider socache $providers
 AuthnCacheProvideFor $providers
 AuthnCacheContext /
+AuthOpenAuthLoginPage /login/
 Session On
 SessionCryptoPassphrase $pw
 AuthOpenAuth On
-AuthOpenAuthLoginPage /login/
 Require valid-user
 </Location>
 
 # Use HTTPD form-based authentication
 <Location /login/dologin>
+SetHandler form-login-handler
 AuthType Form
 AuthName "$host"
 AuthFormProvider socache $providers
-AuthnCacheProvideFor $providers
-AuthnCacheContext /
 AuthFormLoginRequiredLocation /login/?openauth_attempt=1
-AuthFormLogoutLocation /
+Session On
 Require valid-user
-SetHandler form-login-handler
+</Location>
+
+<Location /logout/dologout>
+SetHandler mod_tuscany_openauth_logout
+AuthType Open
+AuthName "$host"
+Session On
+Require valid-user
+</Location>
+
+EOF
+
+cat >>$root/conf/pubauth$sslsuffix.conf <<EOF
+# Generated by: open-auth-conf $*
+# Enable Tuscany open authentication
+<Location /login/dologin>
+Session On
+</Location>
+<Location /logout/dologout>
+Session On
 </Location>
 
 EOF
diff --git a/sca-cpp/trunk/modules/http/ssl-ca-conf b/sca-cpp/trunk/modules/http/ssl-ca-conf
index bceca8f300..beadc4d3a8 100755
--- a/sca-cpp/trunk/modules/http/ssl-ca-conf
+++ b/sca-cpp/trunk/modules/http/ssl-ca-conf
@@ -94,3 +94,8 @@ mkdir -p $root/cert/hash
 cp $root/cert/ca.crt $root/cert/hash
 perl /usr/bin/c_rehash $root/cert/hash
 
+# Build CA certificate bundle
+curl_prefix=`cat $here/../http/curl.prefix`
+cp $curl_prefix/lib/cacert.pem $root/cert/cacert.pem
+cat $root/cert/ca.crt >> $root/cert/cacert.pem
+
diff --git a/sca-cpp/trunk/modules/js/js-conf b/sca-cpp/trunk/modules/js/js-conf
index aa29920619..72b5a60120 100755
--- a/sca-cpp/trunk/modules/js/js-conf
+++ b/sca-cpp/trunk/modules/js/js-conf
@@ -36,18 +36,22 @@ cat >>$root/conf/pubauth.conf <<EOF
 # Generated by: js-conf $*
 <Location /ui-min.css>
 AuthType None
+Session Off
 Require all granted
 </Location>
 <Location /all-min.js>
 AuthType None
+Session Off
 Require all granted
 </Location>
 <Location /proxy/ui-min.css>
 AuthType None
+Session Off
 Require all granted
 </Location>
 <Location /proxy/all-min.js>
 AuthType None
+Session Off
 Require all granted
 </Location>
 
diff --git a/sca-cpp/trunk/modules/oauth/oauth-conf b/sca-cpp/trunk/modules/oauth/oauth-conf
index 26e654036b..8ec6582af7 100755
--- a/sca-cpp/trunk/modules/oauth/oauth-conf
+++ b/sca-cpp/trunk/modules/oauth/oauth-conf
@@ -42,7 +42,7 @@ fi
 if [ "$2" = "" ]; then
     providers="file"
 else
-    providers="$2 file"
+    providers="file $2"
 fi
 
 # Configure HTTPD mod_tuscany_oauth module
diff --git a/sca-cpp/trunk/modules/oauth/oauth12-conf b/sca-cpp/trunk/modules/oauth/oauth12-conf
index 43c879faee..d6f6abe653 100755
--- a/sca-cpp/trunk/modules/oauth/oauth12-conf
+++ b/sca-cpp/trunk/modules/oauth/oauth12-conf
@@ -42,7 +42,7 @@ fi
 if [ "$2" = "" ]; then
     providers="file"
 else
-    providers="$2 file"
+    providers="file $2"
 fi
 
 # Configure HTTPD mod_tuscany_oauth module
diff --git a/sca-cpp/trunk/modules/openid/openid-conf b/sca-cpp/trunk/modules/openid/openid-conf
index 7f986fc8d7..6479a13b09 100755
--- a/sca-cpp/trunk/modules/openid/openid-conf
+++ b/sca-cpp/trunk/modules/openid/openid-conf
@@ -36,7 +36,7 @@ fi
 if [ "$2" = "" ]; then
     providers="file"
 else
-    providers="$2"
+    providers="file $2"
 fi
 
 # Configure HTTPD mod_auth_openid module
@@ -84,6 +84,7 @@ cat >>$root/conf/pubauth$sslsuffix.conf <<EOF
 # Allow public access to /openid location
 <Location /openid>
 AuthType None
+Session Off
 Require all granted
 </Location>
 
diff --git a/sca-cpp/trunk/modules/openid/openid-step2-conf b/sca-cpp/trunk/modules/openid/openid-step2-conf
index f6ac968bfc..87f3e54925 100755
--- a/sca-cpp/trunk/modules/openid/openid-step2-conf
+++ b/sca-cpp/trunk/modules/openid/openid-step2-conf
@@ -54,6 +54,7 @@ cat >>$root/conf/pubauth$sslsuffix.conf <<EOF
 # Allow access to /.well-known/host-meta location
 <Location /.well-known/host-meta>
 AuthType None
+Session Off
 Require all granted
 </Location>
 
diff --git a/sca-cpp/trunk/modules/server/server-conf b/sca-cpp/trunk/modules/server/server-conf
index 2674cd9ac5..01b6b21e72 100755
--- a/sca-cpp/trunk/modules/server/server-conf
+++ b/sca-cpp/trunk/modules/server/server-conf
@@ -42,7 +42,7 @@ ssl=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-ssl-conf"`
 if [ "$ssl" != "" ]; then
     cat >>$root/conf/httpd.conf <<EOF
 # Configure SSL certificates
-SCAWiringSSLCACertificateFile "$root/cert/ca.crt"
+SCAWiringSSLCACertificateFile "$root/cert/cacert.pem"
 SCAWiringSSLCertificateFile "$root/cert/server.crt"
 SCAWiringSSLCertificateKeyFile "$root/cert/server.key"
 
-- 
cgit v1.2.3