From 8fdc6a6dc4b2b23b923d8cbfba5190933155e95d Mon Sep 17 00:00:00 2001 From: jsdelfino Date: Mon, 20 Feb 2012 07:20:15 +0000 Subject: Refactor auth configuration to allow HTTP and HTTPS virtual hosts to use different auth mechanisms, and refactor log configuration to make it easier to use. git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1291133 13f79535-47bb-0310-9956-ffa450edef68 --- sca-cpp/trunk/modules/http/basic-auth-conf | 11 ++++++-- sca-cpp/trunk/modules/http/cert-auth-conf | 11 ++++++-- sca-cpp/trunk/modules/http/form-auth-conf | 11 ++++++-- sca-cpp/trunk/modules/http/group-auth-conf | 13 +++++++-- sca-cpp/trunk/modules/http/htdocs/login/index.html | 1 + .../trunk/modules/http/htdocs/logout/index.html | 1 + sca-cpp/trunk/modules/http/httpd-conf | 20 ++++++++++---- sca-cpp/trunk/modules/http/httpd-loglevel-conf | 32 ++++++++++++++++++++++ sca-cpp/trunk/modules/http/httpd-ssl-conf | 30 ++++++++++++++++++++ sca-cpp/trunk/modules/http/open-auth-conf | 11 ++++++-- sca-cpp/trunk/modules/http/vhost-conf | 10 ++++++- sca-cpp/trunk/modules/http/vhost-ssl-conf | 10 ++++++- sca-cpp/trunk/modules/oauth/oauth-conf | 14 ++++++++-- sca-cpp/trunk/modules/oauth/oauth-memcached-conf | 7 +++++ sca-cpp/trunk/modules/openid/openid-conf | 26 ++++++++++++------ sca-cpp/trunk/modules/openid/openid-step2-conf | 11 ++++++-- sca-cpp/trunk/patches/modsecurity-crs_2.2.2.patch | 6 ++++ .../domains/jane/htdocs/login/index.html | 1 + .../domains/jane/htdocs/logout/index.html | 1 + .../domains/joe/htdocs/login/index.html | 1 + .../domains/joe/htdocs/logout/index.html | 1 + .../samples/store-cluster/htdocs/login/index.html | 1 + .../samples/store-cluster/htdocs/logout/index.html | 1 + .../samples/store-python/htdocs/login/index.html | 1 + .../samples/store-python/htdocs/logout/index.html | 1 + 25 files changed, 201 insertions(+), 32 deletions(-) create mode 100755 sca-cpp/trunk/modules/http/httpd-loglevel-conf (limited to 'sca-cpp') 
diff --git a/sca-cpp/trunk/modules/http/basic-auth-conf b/sca-cpp/trunk/modules/http/basic-auth-conf index f376124da7..77ca054f1c 100755 --- a/sca-cpp/trunk/modules/http/basic-auth-conf +++ b/sca-cpp/trunk/modules/http/basic-auth-conf @@ -25,15 +25,22 @@ root=`echo "import os; print os.path.realpath('$1')" | python` conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"` host=`echo $conf | awk '{ print $6 }'` +sslconf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-ssl-conf"` +if [ "$sslconf" = "" ]; then + sslsuffix="" +else + sslsuffix="-ssl" +fi + # Disallow public access to server resources -cat >$root/conf/noauth.conf <$root/conf/noauth$sslsuffix.conf <>$root/conf/auth.conf <>$root/conf/locauth$sslsuffix.conf <$root/conf/noauth.conf <$root/conf/noauth$sslsuffix.conf <>$root/conf/auth.conf <>$root/conf/locauth$sslsuffix.conf <$root/conf/noauth.conf <$root/conf/noauth$sslsuffix.conf <>$root/conf/auth.conf <>$root/conf/locauth$sslsuffix.conf <$root/conf/noauth.conf <$root/conf/noauth$sslsuffix.conf <>$root/conf/auth.conf <>$root/conf/locauth$sslsuffix.conf < diff --git a/sca-cpp/trunk/modules/http/htdocs/login/index.html b/sca-cpp/trunk/modules/http/htdocs/login/index.html index 8b0ad48bd6..99aeb31d1b 100644 --- a/sca-cpp/trunk/modules/http/htdocs/login/index.html +++ b/sca-cpp/trunk/modules/http/htdocs/login/index.html @@ -23,6 +23,7 @@ + Sign in diff --git a/sca-cpp/trunk/modules/http/htdocs/logout/index.html b/sca-cpp/trunk/modules/http/htdocs/logout/index.html index 0365af36a1..4e7df1bcf3 100644 --- a/sca-cpp/trunk/modules/http/htdocs/logout/index.html +++ b/sca-cpp/trunk/modules/http/htdocs/logout/index.html @@ -24,6 +24,7 @@ + Sign out
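Review bot: The `sslsuffix` detection added at the top of basic-auth-conf treats an empty `grep` result as "no SSL", so a missing or unreadable `$root/conf/httpd.conf` silently selects the plain-HTTP files, and `$root` is expanded unquoted. Because the script then writes only to `noauth$sslsuffix.conf` and `locauth$sslsuffix.conf`, running it after httpd-ssl-conf appears to leave the HTTP virtual host on whatever defaults httpd-conf generated; a comment should say so, e.g. `# Auth rules go to the HTTPS vhost once httpd-ssl-conf has run; the HTTP vhost keeps the httpd-conf defaults`. I would also fail early with `[ -r "$root/conf/httpd.conf" ] || exit 1` before the `grep`. The same block is repeated in oauth-conf and openid-step2-conf (and, judging by the diffstat, the other auth scripts), and the script body continues outside the hunk.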

Sign out

diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf index 5bcde9f633..e5e7f27287 100755 --- a/sca-cpp/trunk/modules/http/httpd-conf +++ b/sca-cpp/trunk/modules/http/httpd-conf @@ -101,6 +101,9 @@ Header onsuccess set Cache-Control "max-age=604800" env=!must-revalidate Header set Cache-Control "must-revalidate, max-age=0" env=must-revalidate Header set Expires "Tue, 01 Jan 1980 00:00:00 GMT" env=must-revalidate +# Configuration auth modules +Include conf/auth.conf + # Set default document root DocumentRoot $htdocs DirectoryIndex index-min.html index.html @@ -112,11 +115,6 @@ AllowOverride None Require all denied -# Configure authentication -Include conf/noauth.conf -Include conf/auth.conf -Include conf/pubauth.conf - # Configure output filters to enable compression and rate limiting SetOutputFilter RATE_LIMIT;DEFLATE @@ -144,6 +142,12 @@ RewriteRule .* http://$host$pportsuffix%{REQUEST_URI} [R] Include conf/svhost.conf + +# Configure authentication +Include conf/noauth.conf +Include conf/locauth.conf +Include conf/pubauth.conf + EOF @@ -151,7 +155,6 @@ EOF # Configure logging cat >$root/conf/log.conf <$root/conf/auth.conf <$root/conf/locauth.conf <>$root/conf/log.conf < Include conf/svhost-ssl.conf + +# Configure authentication +Include conf/noauth-ssl.conf +Include conf/locauth-ssl.conf +Include conf/pubauth-ssl.conf + EOF +# Generate auth configuration +cat >$root/conf/locauth-ssl.conf <$root/conf/pubauth-ssl.conf <$root/conf/noauth-ssl.conf <>$root/conf/svhost.conf <>$root/conf/dvhost.conf <$root/conf/noauth.conf <$root/conf/noauth$sslsuffix.conf <>$root/conf/auth.conf <>$root/conf/locauth$sslsuffix.conf < diff --git a/sca-cpp/trunk/modules/http/vhost-conf b/sca-cpp/trunk/modules/http/vhost-conf index 2bcc158f48..554a1638cd 100755 --- a/sca-cpp/trunk/modules/http/vhost-conf +++ b/sca-cpp/trunk/modules/http/vhost-conf 
@@ -44,9 +44,17 @@ NameVirtualHost $vhost ServerName http://vhost.$host:$pport ServerAlias *.$host -VirtualDocumentRoot $vroot/%1/$vhtdocs/ + +# Map /v// to vroot//vhtdocs/ +AliasMatch /v/([^/]+)(.*)$ $vroot/\$1/$vhtdocs/\$2 Include conf/dvhost.conf + +# Configure authentication +Include conf/noauth.conf +Include conf/auth.conf +Include conf/pubauth.conf + EOF diff --git a/sca-cpp/trunk/modules/http/vhost-ssl-conf b/sca-cpp/trunk/modules/http/vhost-ssl-conf index 28e9eefe76..8445a20325 100755 --- a/sca-cpp/trunk/modules/http/vhost-ssl-conf +++ b/sca-cpp/trunk/modules/http/vhost-ssl-conf @@ -49,8 +49,16 @@ NameVirtualHost $sslvhost ServerName https://vhost.$host:$sslpport ServerAlias *.$host -VirtualDocumentRoot $vroot/%1/$vhtdocs/ + +# Map /v// to vroot//vhtdocs/ +AliasMatch /v/([^/]+)(.*)$ $vroot/\$1/$vhtdocs/\$2 Include conf/dvhost-ssl.conf + +# Configure authentication +Include conf/noauth-ssl.conf +Include conf/auth-ssl.conf +Include conf/pubauth-ssl.conf + diff --git a/sca-cpp/trunk/modules/oauth/oauth-conf b/sca-cpp/trunk/modules/oauth/oauth-conf index 23ec52b35f..0b8f14b636 100755 --- a/sca-cpp/trunk/modules/oauth/oauth-conf +++ b/sca-cpp/trunk/modules/oauth/oauth-conf @@ -32,6 +32,13 @@ fi conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"` host=`echo $conf | awk '{ print $6 }'` +sslconf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-ssl-conf"` +if [ "$sslconf" = "" ]; then + sslsuffix="" +else + sslsuffix="-ssl" +fi + # Configure HTTPD mod_tuscany_oauth module cat >>$root/conf/modules.conf <$root/conf/noauth.conf <$root/conf/noauth$sslsuffix.conf <>$root/conf/auth.conf <>$root/conf/locauth$sslsuffix.conf < @@ -74,6 +81,9 @@ AddAuthOAuth1ScopeAttr FIRSTNAME first-name AddAuthOAuth1ScopeAttr LASTNAME last-name +EOF + +cat >>$root/conf/auth.conf <>$root/conf/auth.conf <$root/conf/noauth.conf <>$root/conf/modules.conf <>$root/conf/auth.conf <$root/conf/noauth$sslsuffix.conf <>$root/conf/locauth$sslsuffix.conf < 
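Review bot: The `AliasMatch` pattern added to vhost-conf in place of `VirtualDocumentRoot` has no leading `^`, so it matches `/v/<name>` at any depth of the request path rather than only at the root, and every such URL is mapped into `$vroot/<name>/$vhtdocs/`. Anchoring it, `AliasMatch ^/v/([^/]+)(.*)$ $vroot/\$1/$vhtdocs/\$2`, keeps the mapping to the intended prefix. The identical line is added in vhost-ssl-conf. Since `<name>` comes straight from the URL and selects a directory under `$vroot`, whatever access rules cover `$vroot` (outside this hunk) are the only limit on which directories can be served.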
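Review bot: `Include conf/auth-ssl.conf` in the authentication block added to vhost-ssl-conf names a file that nothing visible in this commit generates: httpd-ssl-conf writes `locauth-ssl.conf`, `pubauth-ssl.conf` and `noauth-ssl.conf`, and the auth scripts now append their location rules to `locauth$sslsuffix.conf`. A plain `Include` of a missing file makes httpd refuse to start, and even if the file exists the mass virtual host would not pick up the per-location auth rules. It looks like the line should be `Include conf/locauth-ssl.conf`, matching the block added in httpd-ssl-conf. vhost-conf has the same mismatch: it includes `conf/auth.conf` (now also included at server level by httpd-conf) where httpd-conf's own virtual host uses `conf/locauth.conf`.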
@@ -62,7 +70,7 @@ AuthOpenIDAXAdd LASTNAME http://axschema.org/namePerson/last EOF -cat >>$root/conf/pubauth.conf <>$root/conf/pubauth$sslsuffix.conf < diff --git a/sca-cpp/trunk/modules/openid/openid-step2-conf b/sca-cpp/trunk/modules/openid/openid-step2-conf index e9144b873a..f6ac968bfc 100755 --- a/sca-cpp/trunk/modules/openid/openid-step2-conf +++ b/sca-cpp/trunk/modules/openid/openid-step2-conf @@ -25,8 +25,15 @@ root=`echo "import os; print os.path.realpath('$1')" | python` conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"` host=`echo $conf | awk '{ print $6 }'` +sslconf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-ssl-conf"` +if [ "$sslconf" = "" ]; then + sslsuffix="" +else + sslsuffix="-ssl" +fi + # Configure HTTPD to serve OpenID XRDS and LRDD documents -cat >>$root/conf/auth.conf <>$root/conf/locauth$sslsuffix.conf <>$root/conf/pubauth.conf <>$root/conf/pubauth$sslsuffix.conf < diff --git a/sca-cpp/trunk/patches/modsecurity-crs_2.2.2.patch b/sca-cpp/trunk/patches/modsecurity-crs_2.2.2.patch index 2ff56de749..a0935b5bc2 100644 --- a/sca-cpp/trunk/patches/modsecurity-crs_2.2.2.patch +++ b/sca-cpp/trunk/patches/modsecurity-crs_2.2.2.patch 
@@ -6,3 +6,9 @@ --- > #SecRule ARGS "(?:ft|htt)ps?.*\?+$" \ > # "phase:2,rev:'2.2.2',t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,status:501,msg:'Remote File Inclusion Attack',id:'950119',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.rfi_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}" +--- base_rules/modsecurity_crs_50_outbound.conf ++++ base_rules/modsecurity_crs_50_outbound.conf +39c39 +< SecRule RESPONSE_BODY "\<\%" "phase:4,rev:'2.2.2',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'ASP/JSP source code leakage',id:'970903',tag:'LEAKAGE/SOURCE_CODE_ASP_JSP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'" +--- +> #SecRule RESPONSE_BODY "\<\%" "phase:4,rev:'2.2.2',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'ASP/JSP source code leakage',id:'970903',tag:'LEAKAGE/SOURCE_CODE_ASP_JSP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'" diff --git a/sca-cpp/trunk/samples/store-cluster/domains/jane/htdocs/login/index.html b/sca-cpp/trunk/samples/store-cluster/domains/jane/htdocs/login/index.html index 346e3fcea8..5bdd1132be 100644 --- a/sca-cpp/trunk/samples/store-cluster/domains/jane/htdocs/login/index.html +++ b/sca-cpp/trunk/samples/store-cluster/domains/jane/htdocs/login/index.html @@ -23,6 +23,7 @@ + Sign in diff --git a/sca-cpp/trunk/samples/store-cluster/domains/jane/htdocs/logout/index.html b/sca-cpp/trunk/samples/store-cluster/domains/jane/htdocs/logout/index.html index 7780e9dec3..56dfa71962 100644 --- a/sca-cpp/trunk/samples/store-cluster/domains/jane/htdocs/logout/index.html +++ b/sca-cpp/trunk/samples/store-cluster/domains/jane/htdocs/logout/index.html @@ -23,6 +23,7 @@ + Sign out 
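Review bot: The rule commented out here, id 970903, carries the `chain` action, so the `SecRule` that follows it in modsecurity_crs_50_outbound.conf is its chain continuation, while the added `39c39` edit touches only the first line. If that next line stays active it is no longer attached to a chain starter and will either be parsed as a standalone rule or break the configuration load, so the patch should comment out the whole chain. Disabling the ASP/JSP source-leak check for every response is also broad; if only specific responses trip it, removing it by id for those paths, e.g. `SecRuleRemoveById 970903` inside the relevant `<Location>`, keeps the detection everywhere else. The continuation line is not visible in this hunk, so this needs checking against the CRS file.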
diff --git a/sca-cpp/trunk/samples/store-cluster/domains/joe/htdocs/login/index.html b/sca-cpp/trunk/samples/store-cluster/domains/joe/htdocs/login/index.html index 346e3fcea8..5bdd1132be 100644 --- a/sca-cpp/trunk/samples/store-cluster/domains/joe/htdocs/login/index.html +++ b/sca-cpp/trunk/samples/store-cluster/domains/joe/htdocs/login/index.html @@ -23,6 +23,7 @@ + Sign in diff --git a/sca-cpp/trunk/samples/store-cluster/domains/joe/htdocs/logout/index.html b/sca-cpp/trunk/samples/store-cluster/domains/joe/htdocs/logout/index.html index e16183015f..5f7880d626 100644 --- a/sca-cpp/trunk/samples/store-cluster/domains/joe/htdocs/logout/index.html +++ b/sca-cpp/trunk/samples/store-cluster/domains/joe/htdocs/logout/index.html @@ -23,6 +23,7 @@ + Sign out diff --git a/sca-cpp/trunk/samples/store-cluster/htdocs/login/index.html b/sca-cpp/trunk/samples/store-cluster/htdocs/login/index.html index 346e3fcea8..5bdd1132be 100644 --- a/sca-cpp/trunk/samples/store-cluster/htdocs/login/index.html +++ b/sca-cpp/trunk/samples/store-cluster/htdocs/login/index.html @@ -23,6 +23,7 @@ + Sign in diff --git a/sca-cpp/trunk/samples/store-cluster/htdocs/logout/index.html b/sca-cpp/trunk/samples/store-cluster/htdocs/logout/index.html index 7780e9dec3..56dfa71962 100644 --- a/sca-cpp/trunk/samples/store-cluster/htdocs/logout/index.html +++ b/sca-cpp/trunk/samples/store-cluster/htdocs/logout/index.html @@ -23,6 +23,7 @@ + Sign out diff --git a/sca-cpp/trunk/samples/store-python/htdocs/login/index.html b/sca-cpp/trunk/samples/store-python/htdocs/login/index.html index 8b0ad48bd6..99aeb31d1b 100644 --- a/sca-cpp/trunk/samples/store-python/htdocs/login/index.html +++ b/sca-cpp/trunk/samples/store-python/htdocs/login/index.html @@ -23,6 +23,7 @@ + Sign in diff --git a/sca-cpp/trunk/samples/store-python/htdocs/logout/index.html b/sca-cpp/trunk/samples/store-python/htdocs/logout/index.html index e16183015f..5f7880d626 100644 --- a/sca-cpp/trunk/samples/store-python/htdocs/logout/index.html 
+++ b/sca-cpp/trunk/samples/store-python/htdocs/logout/index.html @@ -23,6 +23,7 @@ + Sign out -- cgit v1.2.3