authorjsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68>2010-11-28 07:17:11 +0000
committerjsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68>2010-11-28 07:17:11 +0000
commit14f1ada7b2bb66c6c3dae496d3963e9af3f0ab38 (patch)
tree01d610b53ba9b2088138d057f16ed6e5122cfe36
parent6c67a3ca11e4bcd7715d92df2e3e41e4e3fc0dc9 (diff)
Use different servers for cert-based and password-based auth and use event MPMs for tunnel and proxy servers.
git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1039840 13f79535-47bb-0310-9956-ffa450edef68
-rwxr-xr-xsca-cpp/trunk/components/cache/memcached-ssl-test2
-rwxr-xr-xsca-cpp/trunk/components/webservice/axis2-conf9
-rw-r--r--sca-cpp/trunk/modules/http/Makefile.am2
-rwxr-xr-xsca-cpp/trunk/modules/http/cert-auth-conf56
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-conf131
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-event-conf (renamed from sca-cpp/trunk/samples/store-python/redirect)18
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-ssl-conf107
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-worker-conf35
-rw-r--r--sca-cpp/trunk/modules/http/mod-ssltunnel.cpp65
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-ssl-conf25
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-ssl-member-conf10
-rwxr-xr-xsca-cpp/trunk/modules/http/vhost-conf15
-rwxr-xr-xsca-cpp/trunk/modules/http/vhost-ssl-conf6
-rwxr-xr-xsca-cpp/trunk/modules/java/java-conf2
-rwxr-xr-xsca-cpp/trunk/modules/oauth/oauth-conf6
-rwxr-xr-xsca-cpp/trunk/modules/openid/openid-conf6
-rwxr-xr-xsca-cpp/trunk/modules/python/python-conf2
-rwxr-xr-xsca-cpp/trunk/modules/server/cpp-conf2
-rwxr-xr-xsca-cpp/trunk/modules/server/scheme-conf2
-rwxr-xr-xsca-cpp/trunk/modules/server/server-conf6
-rwxr-xr-xsca-cpp/trunk/samples/store-cluster/proxy-conf1
-rwxr-xr-xsca-cpp/trunk/samples/store-cluster/proxy-ssl-conf5
-rwxr-xr-xsca-cpp/trunk/samples/store-cluster/server-ssl-conf6
-rwxr-xr-xsca-cpp/trunk/samples/store-cluster/server-test7
-rwxr-xr-xsca-cpp/trunk/samples/store-cluster/ssl-start42
-rwxr-xr-xsca-cpp/trunk/samples/store-cluster/start12
-rwxr-xr-xsca-cpp/trunk/samples/store-cluster/tunnel-ssl-conf6
-rwxr-xr-xsca-cpp/trunk/samples/store-python/uec2-start2
-rwxr-xr-xsca-cpp/trunk/samples/store-vhost/uec2-start2
-rwxr-xr-xsca-cpp/trunk/ubuntu/ip-redirect6
-rwxr-xr-xsca-cpp/trunk/ubuntu/ip-redirect-all5
-rwxr-xr-xsca-cpp/trunk/ubuntu/ubuntu-install-all2
32 files changed, 360 insertions, 243 deletions
diff --git a/sca-cpp/trunk/components/cache/memcached-ssl-test b/sca-cpp/trunk/components/cache/memcached-ssl-test
index 7e55cfdee6..88143490f8 100755
--- a/sca-cpp/trunk/components/cache/memcached-ssl-test
+++ b/sca-cpp/trunk/components/cache/memcached-ssl-test
@@ -27,6 +27,7 @@
./memcached-start 11413
../../modules/http/httpd-conf tmp/tunnel localhost 8089 htdocs
+../../modules/http/httpd-event-conf tmp/tunnel
tar -C tmp/ssl -c `../../modules/http/ssl-cert-find tmp/ssl` | tar -C tmp/tunnel -x
../../modules/http/tunnel-ssl-conf tmp/tunnel 11211 localhost 8453 11411
../../modules/http/tunnel-ssl-conf tmp/tunnel 11212 localhost 8453 11412
@@ -36,6 +37,7 @@ tar -C tmp/ssl -c `../../modules/http/ssl-cert-find tmp/ssl` | tar -C tmp/tunnel
../../modules/http/httpd-conf tmp/server localhost 8090 htdocs
tar -C tmp/ssl -c `../../modules/http/ssl-cert-find tmp/ssl` | tar -C tmp/server -x
../../modules/http/httpd-ssl-conf tmp/server 8453
+../../modules/http/cert-auth-conf tmp/server
../../modules/http/httpd-start tmp/server
sleep 1
diff --git a/sca-cpp/trunk/components/webservice/axis2-conf b/sca-cpp/trunk/components/webservice/axis2-conf
index c11e6c50d5..af5d189b24 100755
--- a/sca-cpp/trunk/components/webservice/axis2-conf
+++ b/sca-cpp/trunk/components/webservice/axis2-conf
@@ -42,11 +42,17 @@ ln -f -s $here/services.xml $root/axis2c/services/tuscany/services.xml
cp $here/axis2.xml $root/axis2c/axis2.xml
# Configure HTTPD Axis2 module
+cat >>$root/conf/modules.conf <<EOF
+# Generated by: axis2-conf $*
+# Support for Web Services
+LoadModule axis2_module $root/axis2c/lib/libmod_axis2.so
+
+EOF
+
cat >>$root/conf/httpd.conf <<EOF
# Generated by: axis2-conf $*
# Support for Web Services
SCASetEnv AXIS2C_HOME $root/axis2c
-LoadModule axis2_module $root/axis2c/lib/libmod_axis2.so
Axis2RepoPath $root/axis2c
Axis2LogFile $root/axis2c/logs/mod_axis2.log
Axis2LogLevel debug
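Review bot: `cat >>$root/conf/modules.conf` appends to a file that httpd-conf creates with `>` (visible further down in this diff), so the axis2 LoadModule only survives if this script runs after httpd-conf, and nothing in the hunk checks that the file exists or records that ordering. A comment above the append, `# Appends to conf/modules.conf generated by httpd-conf; must run after it`, or a guard such as `test -f $root/conf/modules.conf || exit 1`, would make the dependency explicit instead of relying on the caller's invocation order.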
@@ -55,3 +61,4 @@ Axis2LogLevel debug
</Location>
EOF
+
diff --git a/sca-cpp/trunk/modules/http/Makefile.am b/sca-cpp/trunk/modules/http/Makefile.am
index 08d7e1b49a..af8ab4d1c3 100644
--- a/sca-cpp/trunk/modules/http/Makefile.am
+++ b/sca-cpp/trunk/modules/http/Makefile.am
@@ -20,7 +20,7 @@ INCLUDES = -I${HTTPD_INCLUDE}
incl_HEADERS = *.hpp
incldir = $(prefix)/include/modules/http
-dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf form-auth-conf open-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf
+dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf cert-auth-conf form-auth-conf open-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf httpd-worker-conf httpd-event-conf
moddir=$(prefix)/modules/http
curl_test_SOURCES = curl-test.cpp
diff --git a/sca-cpp/trunk/modules/http/cert-auth-conf b/sca-cpp/trunk/modules/http/cert-auth-conf
new file mode 100755
index 0000000000..00494d99f2
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/cert-auth-conf
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Generate a minimal HTTPD certificate-based authentication configuration
+here=`readlink -f $0`; here=`dirname $here`
+mkdir -p $1
+root=`readlink -f $1`
+
+conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
+host=`echo $conf | awk '{ print $6 }'`
+
+httpd_prefix=`cat $here/httpd.prefix`
+
+# Generate authentication configuration
+cat >>$root/conf/auth.conf <<EOF
+# Generated by: cert-auth-conf $*
+# Require clients to present a valid client certificate
+SSLVerifyClient require
+SSLVerifyDepth 1
+
+<Location />
+AuthType Basic
+AuthName "$host"
+AuthBasicProvider file
+AuthUserFile "$root/conf/httpd.passwd"
+Require valid-user
+</Location>
+
+EOF
+
+# Create certificate-based users
+touch $root/conf/httpd.passwd
+cat >>$root/conf/httpd.passwd <<EOF
+/C=US/ST=CA/L=San Francisco/O=$host/OU=server/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
+/C=US/ST=CA/L=San Francisco/O=$host/OU=proxy/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
+/C=US/ST=CA/L=San Francisco/O=$host/OU=tunnel/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
+/C=US/ST=CA/L=San Francisco/O=localhost/OU=server/CN=localhost:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
+/C=US/ST=CA/L=San Francisco/O=localhost/OU=tunnel/CN=localhost:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
+EOF
+
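Review bot: `httpd_prefix=` is assigned from `$here/httpd.prefix` and never used in the script, and the `touch $root/conf/httpd.passwd` before `cat >>` is redundant because `>>` creates the file; both lines can go. The generated auth block only works together with the `SSLOptions ... +FakeBasicAuth` that httpd-ssl-conf emits (the client certificate subject DN becomes the Basic user name, checked against the fixed password hash mod_ssl documents for this mode), and that cross-script dependency is worth stating in the generated file, e.g. `# Relies on +FakeBasicAuth from httpd-ssl-conf: the client cert DN is the Basic user, so only DNs listed in httpd.passwd are authorized`. Because every listed DN is accepted by the same `Require valid-user`, the server/proxy/tunnel OU distinction that the removed httpd-ssl-conf rewrite rules used to express is no longer an authorization boundary; if that is intended say so, otherwise per-OU `Require user` lines or an `SSLRequire` on `%{SSL_CLIENT_S_DN_OU}` would restore it. Re-running the script appends a second copy of both the `<Location />` block and the passwd entries, as the other `>>` scripts here do.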
diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf
index 79a85c0961..a77141af5f 100755
--- a/sca-cpp/trunk/modules/http/httpd-conf
+++ b/sca-cpp/trunk/modules/http/httpd-conf
@@ -47,54 +47,11 @@ cat >$root/conf/httpd.conf <<EOF
ServerName http://$host:$pport
PidFile $root/logs/httpd.pid
-# Load a minimal set of modules, the load order is important
-# (e.g. load mod_headers before mod_rewrite, so its hooks execute
-# after mod_rewrite's hooks)
-LoadModule alias_module ${modules_prefix}/modules/mod_alias.so
-LoadModule authn_file_module ${modules_prefix}/modules/mod_authn_file.so
-LoadModule authn_core_module ${modules_prefix}/modules/mod_authn_core.so
-LoadModule authz_host_module ${modules_prefix}/modules/mod_authz_host.so
-LoadModule authz_groupfile_module ${modules_prefix}/modules/mod_authz_groupfile.so
-LoadModule authz_user_module ${modules_prefix}/modules/mod_authz_user.so
-LoadModule authz_core_module ${modules_prefix}/modules/mod_authz_core.so
-LoadModule auth_basic_module ${modules_prefix}/modules/mod_auth_basic.so
-LoadModule auth_digest_module ${modules_prefix}/modules/mod_auth_digest.so
-LoadModule auth_form_module ${modules_prefix}/modules/mod_auth_form.so
-LoadModule request_module ${modules_prefix}/modules/mod_request.so
-LoadModule deflate_module ${modules_prefix}/modules/mod_deflate.so
-LoadModule filter_module ${modules_prefix}/modules/mod_filter.so
-LoadModule proxy_module ${modules_prefix}/modules/mod_proxy.so
-LoadModule proxy_connect_module ${modules_prefix}/modules/mod_proxy_connect.so
-LoadModule proxy_http_module ${modules_prefix}/modules/mod_proxy_http.so
-LoadModule proxy_balancer_module ${modules_prefix}/modules/mod_proxy_balancer.so
-LoadModule lbmethod_byrequests_module ${modules_prefix}/modules/mod_lbmethod_byrequests.so
-LoadModule headers_module ${modules_prefix}/modules/mod_headers.so
-LoadModule ssl_module ${modules_prefix}/modules/mod_ssl.so
-LoadModule socache_shmcb_module ${modules_prefix}/modules/mod_socache_shmcb.so
-LoadModule rewrite_module ${modules_prefix}/modules/mod_rewrite.so
-LoadModule mime_module ${modules_prefix}/modules/mod_mime.so
-LoadModule status_module ${modules_prefix}/modules/mod_status.so
-LoadModule asis_module ${modules_prefix}/modules/mod_asis.so
-LoadModule negotiation_module ${modules_prefix}/modules/mod_negotiation.so
-LoadModule dir_module ${modules_prefix}/modules/mod_dir.so
-LoadModule setenvif_module ${modules_prefix}/modules/mod_setenvif.so
-<IfModule !log_config_module>
-LoadModule log_config_module ${modules_prefix}/modules/mod_log_config.so
-</IfModule>
-LoadModule logio_module ${modules_prefix}/modules/mod_logio.so
-LoadModule usertrack_module ${modules_prefix}/modules/mod_usertrack.so
-LoadModule vhost_alias_module ${modules_prefix}/modules/mod_vhost_alias.so
-LoadModule cgi_module ${modules_prefix}/modules/mod_cgi.so
-LoadModule unixd_module ${modules_prefix}/modules/mod_unixd.so
-LoadModule session_module ${modules_prefix}/modules/mod_session.so
-#LoadModule session_crypto_module ${modules_prefix}/modules/mod_session_crypto.so
-LoadModule session_cookie_module ${modules_prefix}/modules/mod_session_cookie.so
-LoadModule slotmem_shm_module ${modules_prefix}/modules/mod_slotmem_shm.so
-LoadModule ratelimit_module ${modules_prefix}/modules/mod_ratelimit.so
-LoadModule reqtimeout_module ${modules_prefix}/modules/mod_reqtimeout.so
+# Load configured MPM
+Include conf/mpm.conf
-LoadModule mod_tuscany_ssltunnel $here/libmod_tuscany_ssltunnel.so
-LoadModule mod_tuscany_openauth $here/libmod_tuscany_openauth.so
+# Load required modules
+Include conf/modules.conf
# Basic security precautions
User $user
@@ -179,22 +136,98 @@ RewriteCond %{HTTP_HOST} !^$host [NC]
RewriteRule .* http://$host:$pport%{REQUEST_URI} [R,L]
Include conf/svhost.conf
+
+# Allow access to document root
+<Directory "$htdocs">
+Options FollowSymLinks
+AuthType None
+Require all granted
+</Directory>
+
+# Allow access to root location
+<Location />
+Options FollowSymLinks
+AuthType None
+Require all granted
+</Location>
+
</VirtualHost>
EOF
+# Run with the prefork MPM
+cat >$root/conf/mpm.conf <<EOF
+# Generated by: httpd-conf $*
+LoadModule mpm_prefork_module ${modules_prefix}/modules/mod_mpm_prefork.so
+
+EOF
+
+# Generate modules list
+cat >$root/conf/modules.conf <<EOF
+# Generated by: httpd-conf $*
+# Load a minimal set of modules, the load order is important
+# (e.g. load mod_headers before mod_rewrite, so its hooks execute
+# after mod_rewrite's hooks)
+LoadModule alias_module ${modules_prefix}/modules/mod_alias.so
+LoadModule authn_file_module ${modules_prefix}/modules/mod_authn_file.so
+LoadModule authn_core_module ${modules_prefix}/modules/mod_authn_core.so
+LoadModule authz_host_module ${modules_prefix}/modules/mod_authz_host.so
+LoadModule authz_groupfile_module ${modules_prefix}/modules/mod_authz_groupfile.so
+LoadModule authz_user_module ${modules_prefix}/modules/mod_authz_user.so
+LoadModule authz_core_module ${modules_prefix}/modules/mod_authz_core.so
+LoadModule auth_basic_module ${modules_prefix}/modules/mod_auth_basic.so
+LoadModule auth_digest_module ${modules_prefix}/modules/mod_auth_digest.so
+LoadModule auth_form_module ${modules_prefix}/modules/mod_auth_form.so
+LoadModule request_module ${modules_prefix}/modules/mod_request.so
+LoadModule deflate_module ${modules_prefix}/modules/mod_deflate.so
+LoadModule filter_module ${modules_prefix}/modules/mod_filter.so
+LoadModule proxy_module ${modules_prefix}/modules/mod_proxy.so
+LoadModule proxy_connect_module ${modules_prefix}/modules/mod_proxy_connect.so
+LoadModule proxy_http_module ${modules_prefix}/modules/mod_proxy_http.so
+LoadModule proxy_balancer_module ${modules_prefix}/modules/mod_proxy_balancer.so
+LoadModule lbmethod_byrequests_module ${modules_prefix}/modules/mod_lbmethod_byrequests.so
+LoadModule headers_module ${modules_prefix}/modules/mod_headers.so
+LoadModule ssl_module ${modules_prefix}/modules/mod_ssl.so
+LoadModule socache_shmcb_module ${modules_prefix}/modules/mod_socache_shmcb.so
+LoadModule rewrite_module ${modules_prefix}/modules/mod_rewrite.so
+LoadModule mime_module ${modules_prefix}/modules/mod_mime.so
+LoadModule status_module ${modules_prefix}/modules/mod_status.so
+LoadModule asis_module ${modules_prefix}/modules/mod_asis.so
+LoadModule negotiation_module ${modules_prefix}/modules/mod_negotiation.so
+LoadModule dir_module ${modules_prefix}/modules/mod_dir.so
+LoadModule setenvif_module ${modules_prefix}/modules/mod_setenvif.so
+<IfModule !log_config_module>
+LoadModule log_config_module ${modules_prefix}/modules/mod_log_config.so
+</IfModule>
+LoadModule logio_module ${modules_prefix}/modules/mod_logio.so
+LoadModule usertrack_module ${modules_prefix}/modules/mod_usertrack.so
+LoadModule vhost_alias_module ${modules_prefix}/modules/mod_vhost_alias.so
+LoadModule cgi_module ${modules_prefix}/modules/mod_cgi.so
+LoadModule unixd_module ${modules_prefix}/modules/mod_unixd.so
+LoadModule session_module ${modules_prefix}/modules/mod_session.so
+#LoadModule session_crypto_module ${modules_prefix}/modules/mod_session_crypto.so
+LoadModule session_cookie_module ${modules_prefix}/modules/mod_session_cookie.so
+LoadModule slotmem_shm_module ${modules_prefix}/modules/mod_slotmem_shm.so
+LoadModule ratelimit_module ${modules_prefix}/modules/mod_ratelimit.so
+LoadModule reqtimeout_module ${modules_prefix}/modules/mod_reqtimeout.so
+
+LoadModule mod_tuscany_ssltunnel $here/libmod_tuscany_ssltunnel.so
+LoadModule mod_tuscany_openauth $here/libmod_tuscany_openauth.so
+
+EOF
+
# Generate auth configuration
cat >$root/conf/auth.conf <<EOF
# Generated by: httpd-conf $*
# Authentication configuration
-# Allow access to document root
+# Allow authorized access to document root
<Directory "$htdocs">
Options FollowSymLinks
Require all granted
</Directory>
-# Allow access to root location
+# Allow authorized access to root location
<Location />
Options FollowSymLinks
Require all granted
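Review bot: The new `<Directory "$htdocs">`/`<Location />` blocks with `AuthType None` and `Require all granted` are placed after `Include conf/svhost.conf`, and httpd merges same-type sections in configuration order, so they override any `<Location />` policy a later-run script contributes to svhost.conf for this HTTP vhost; the same applies to the identical blocks vhost-conf adds after `Include conf/dvhost.conf`. If the intent is that authentication is only ever enforced on the HTTPS vhost, a comment saying so (`# Plain HTTP vhost is open; authentication is enforced on the HTTPS vhost only`) would keep the next maintainer from adding a Require to svhost.conf that silently never applies; otherwise move the Include below these blocks. The auth.conf comments were reworded to `# Allow authorized access ...` but the directives under them are still `Require all granted`, so the wording no longer matches what is granted.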
diff --git a/sca-cpp/trunk/samples/store-python/redirect b/sca-cpp/trunk/modules/http/httpd-event-conf
index f73b342bf8..58923d9dd9 100755
--- a/sca-cpp/trunk/samples/store-python/redirect
+++ b/sca-cpp/trunk/modules/http/httpd-event-conf
@@ -17,7 +17,19 @@
# specific language governing permissions and limitations
# under the License.
-# Redirect ports 80 and 443
-../../ubuntu/ip-redirect-all 80 8090
-../../ubuntu/ip-redirect-all 443 8453
+# Configure HTTPD to run with the event MPM
+here=`readlink -f $0`; here=`dirname $here`
+mkdir -p $1
+root=`readlink -f $1`
+
+modules_prefix=`cat $here/httpd-modules.prefix`
+
+mkdir -p $root
+mkdir -p $root/conf
+cat >$root/conf/mpm.conf <<EOF
+# Generated by: httpd-event-conf $*
+# Use HTTPD event MPM
+LoadModule mpm_event_module ${modules_prefix}/modules/mod_mpm_event.so
+
+EOF
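Review bot: `mkdir -p $root` repeats the `mkdir -p $1` three lines above (same directory, since `root` is the resolved `$1`), and `mkdir -p $root/conf` creates the parent anyway; the same duplicate appears in httpd-worker-conf. Because this script truncates `conf/mpm.conf` with `>` and httpd-conf also writes that file with `>`, it only has an effect when run after httpd-conf, which the memcached-ssl-test change does; a one-line comment `# Run after httpd-conf, which resets conf/mpm.conf to the prefork MPM` would record that. Git recorded this file as a rename of samples/store-python/redirect, so the removal of that sample's port 80/443 redirect is not otherwise visible in the diff; worth confirming it was intentional.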
diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf
index 94352ca344..0a73809fa5 100755
--- a/sca-cpp/trunk/modules/http/httpd-ssl-conf
+++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf
@@ -29,7 +29,7 @@ port=`$here/httpd-addr port $gport`
pport=`$here/httpd-addr pport $gport`
sslpport=`$here/httpd-addr pport $2`
-ssllisten=`$here/httpd-addr listen $2`
+sslport=`$here/httpd-addr listen $2`
sslvhost=`$here/httpd-addr vhost $2`
htdocs=`echo $conf | awk '{ print $8 }'`
@@ -56,7 +56,7 @@ SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
# Listen on HTTPS port
-Listen $ssllisten
+Listen $sslport
# HTTPS virtual host
<VirtualHost $sslvhost>
@@ -73,9 +73,6 @@ Require user admin
</VirtualHost>
-# Report extended server status
-ExtendedStatus On
-
EOF
# Generate HTTP vhost configuration
@@ -115,17 +112,11 @@ SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth
-# Verify client certificates
-SSLVerifyClient optional
-SSLVerifyDepth 1
-
-# Enable SSL proxy engine
-SSLProxyEngine on
-SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-
-# Verify server certificates
-SSLProxyVerify require
-SSLProxyVerifyDepth 1
+# Require clients to use SSL and authenticate
+<Location />
+SSLRequireSSL
+SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
+</Location>
# Log SSL requests
# [timestamp] [sslaccess] remote-host remote-ident remote-user SSL-protocol
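Review bot: The new `<Location />` block makes `SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128` the only thing rejecting weak sessions now that client verification has moved to cert-auth-conf, while the `SSLCipherSuite` shown as context still offers `+LOW:+SSLv2:+EXP:+eNULL`; `SSLRequire` is evaluated per request after the handshake, so those suites are still negotiated and then refused with a 403. Trimming the suite to what the check accepts, for example `SSLCipherSuite HIGH:MEDIUM:!ADH:!EXP:!LOW:!eNULL:!SSLv2`, would reject them at handshake time; the cipher line is not part of this hunk's change, so this can be a follow-up.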
@@ -137,81 +128,6 @@ CustomLog $root/logs/ssl_access_log sslcombined
EOF
-# Generate HTTPS authentication requirement
-cat >>$root/conf/vhost-ssl.conf <<EOF
-<Location />
-# Require clients to use SSL and authenticate
-SSLRequireSSL
-SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
-
-EOF
-
-proxyconf=`cat $root/conf/vhost.conf | grep "# Generated by: proxy-conf"`
-if [ "$proxyconf" != "" ]; then
- cat >>$root/conf/vhost-ssl.conf <<EOF
-# Forward received SSL client certificate info in proxied requests
-RewriteEngine on
-RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}]
-RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}]
-RewriteCond %{SSL:SSL_CLIENT_I_DN} !=""
-RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}]
-RewriteCond %{SSL:SSL_CLIENT_S_DN} !=""
-RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}]
-RewriteCond %{SSL:SSL_CLIENT_I_DN_O} !=""
-RewriteRule .* - [E=SSL_I_DN_O:%{SSL:SSL_CLIENT_I_DN_O}]
-RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} !=""
-RewriteRule .* - [E=SSL_S_DN_OU:%{SSL:SSL_CLIENT_S_DN_OU}]
-RequestHeader unset X-Forwarded-SSL-Protocol
-RequestHeader unset X-Forwarded-SSL-Cipher
-RequestHeader unset X-Forwarded-SSL-Issuer-DN
-RequestHeader unset X-Forwarded-SSL-Client-DN
-RequestHeader unset X-Forwarded-SSL-Issuer-DN-O
-RequestHeader unset X-Forwarded-SSL-Client-DN-OU
-RequestHeader set X-Forwarded-SSL-Protocol %{SSL_PROTOCOL}e env=SSL_PROTOCOL
-RequestHeader set X-Forwarded-SSL-Cipher %{SSL_CIPHER}e env=SSL_CIPHER
-RequestHeader set X-Forwarded-SSL-Issuer-DN %{SSL_I_DN}e env=SSL_I_DN
-RequestHeader set X-Forwarded-SSL-Client-DN %{SSL_S_DN}e env=SSL_S_DN
-RequestHeader set X-Forwarded-SSL-Issuer-DN-O %{SSL_I_DN_O}e env=SSL_I_DN_O
-RequestHeader set X-Forwarded-SSL-Client-DN-OU %{SSL_S_DN_OU}e env=SSL_S_DN_OU
-
-EOF
-else
- cat >>$root/conf/vhost-ssl.conf <<EOF
-
-# Record received SSL client certificate info in environment vars
-RewriteEngine on
-RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}]
-RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}]
-RewriteCond %{SSL:SSL_CLIENT_I_DN} !=""
-RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}]
-RewriteCond %{SSL:SSL_CLIENT_S_DN} !=""
-RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}]
-
-# Store the client certificate DN in the SSL_REMOTE_USER var,
-# that's similar to the SSLUserName directive but more flexible as
-# it can pick a client certificate DN forwarded by a proxy
-RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org"
-RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "server"
-RewriteRule .* - [E=SSL_REMOTE_USER:%{SSL:SSL_CLIENT_S_DN}]
-
-RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org"
-RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "tunnel"
-RewriteRule .* - [E=SSL_REMOTE_USER:%{SSL:SSL_CLIENT_S_DN}]
-
-RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org"
-RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "proxy"
-RewriteCond %{HTTP:X-Forwarded-SSL-Issuer-DN-O} "$org"
-RewriteCond %{HTTP:X-Forwarded-SSL-Client-DN-OU} "server"
-RewriteRule .* - [E=SSL_REMOTE_USER:%{HTTP:X-Forwarded-SSL-Client-DN}]
-
-EOF
-fi
-
-cat >>$root/conf/vhost-ssl.conf <<EOF
-</Location>
-
-EOF
-
proxycert="server"
if [ "$proxyconf" != "" ]; then
proxycert="proxy"
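Review bot: `proxyconf` is now referenced without ever being set: the hunk removes the `proxyconf=` assignment (the line that greps vhost.conf for `# Generated by: proxy-conf`) but keeps `if [ "$proxyconf" != "" ]; then proxycert="proxy"` on the retained lines, so `proxycert` is always `server`. With the `SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem"` line also removed in the next hunk, the `proxycert` block appears to have no remaining consumer (the rest of the dvhost-ssl.conf heredoc is outside the hunk, so confirm there); either delete the `proxycert="server"`/`if`/`fi` lines or restore the `proxyconf` assignment.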
@@ -228,10 +144,6 @@ SSLCertificateChainFile "$root/cert/ca.crt"
SSLCertificateFile "$root/cert/server.crt"
SSLCertificateKeyFile "$root/cert/server.key"
-# Declare proxy SSL client certificates
-SSLProxyCACertificateFile "$root/cert/ca.crt"
-SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem"
-
EOF
cat >$root/conf/dvhost-ssl.conf <<EOF
@@ -251,8 +163,3 @@ SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem"
EOF
-# Configure user for HTTP fake basic auth
-cat >$root/conf/httpd.passwd <<EOF
-/C=US/ST=CA/L=San Francisco/O=$host/OU=server/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
-EOF
-
diff --git a/sca-cpp/trunk/modules/http/httpd-worker-conf b/sca-cpp/trunk/modules/http/httpd-worker-conf
new file mode 100755
index 0000000000..bb6bca4562
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/httpd-worker-conf
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Configure HTTPD to run with the worker MPM
+here=`readlink -f $0`; here=`dirname $here`
+mkdir -p $1
+root=`readlink -f $1`
+
+modules_prefix=`cat $here/httpd-modules.prefix`
+
+mkdir -p $root
+mkdir -p $root/conf
+cat >$root/conf/mpm.conf <<EOF
+# Generated by: httpd-worker-conf $*
+# Use HTTPD worker MPM
+LoadModule mpm_worker_module ${modules_prefix}/modules/mod_mpm_worker.so
+
+EOF
+
diff --git a/sca-cpp/trunk/modules/http/mod-ssltunnel.cpp b/sca-cpp/trunk/modules/http/mod-ssltunnel.cpp
index f5539ce785..d2c53b462e 100644
--- a/sca-cpp/trunk/modules/http/mod-ssltunnel.cpp
+++ b/sca-cpp/trunk/modules/http/mod-ssltunnel.cpp
@@ -111,55 +111,55 @@ int postConfig(apr_pool_t* p, unused apr_pool_t* plog, unused apr_pool_t* ptemp,
/**
* Close a connection.
*/
-extern "C" {
- AP_DECLARE(void) ap_lingering_close(conn_rec *c);
-}
-
-const int close(conn_rec* conn) {
+const int close(conn_rec* conn, apr_socket_t* csock) {
debug("modssltunnel::close");
- ap_lingering_close(conn);
+ apr_socket_close(csock);
+ conn->aborted = 1;
return OK;
}
/**
* Abort a connection.
*/
-const int abort(unused conn_rec* conn, const string& reason) {
+const int abort(conn_rec* conn, apr_socket_t* csock, const string& reason) {
debug("modssltunnel::abort");
+ apr_socket_close(csock);
+ conn->aborted = 1;
return httpd::reportStatus(mkfailure<int>(reason));
}
/**
* Tunnel traffic from a client connection to a target URL.
*/
-int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const string& preamble, const gc_pool& p, unused ap_filter_t* ifilter, ap_filter_t* ofilter) {
+int tunnel(conn_rec* conn, const string& ca, const string& cert, const string& key, const string& url, const string& preamble, const gc_pool& p, unused ap_filter_t* ifilter, ap_filter_t* ofilter) {
+
+ // Create input/output bucket brigades
+ apr_bucket_brigade* ib = apr_brigade_create(pool(p), conn->bucket_alloc);
+ apr_bucket_brigade* ob = apr_brigade_create(pool(p), conn->bucket_alloc);
// Get client connection socket
apr_socket_t* csock = (apr_socket_t*)ap_get_module_config(conn->conn_config, &core_module);
// Open connection to target
+ http::CURLSession cs(ca, cert, key);
const failable<bool> crc = http::connect(url, cs);
if (!hasContent(crc))
- return abort(conn, reason(crc));
+ return abort(conn, csock, reason(crc));
apr_socket_t* tsock = http::sock(cs);
- // Send preamble string
+ // Send preamble
if (length(preamble) != 0) {
- debug(preamble, "modssltunnel::tunnel::sendToTarget");
+ debug(preamble, "modssltunnel::tunnel::sendPreambleToTarget");
const failable<bool> src = http::send(c_str(preamble), length(preamble), cs);
if (!hasContent(src))
- return abort(conn, string("Couldn't send to target: ") + reason(src));
+ return abort(conn, csock, string("Couldn't send to target: ") + reason(src));
}
- // Create input/output bucket brigades
- apr_bucket_brigade* ib = apr_brigade_create(pool(p), conn->bucket_alloc);
- apr_bucket_brigade* ob = apr_brigade_create(pool(p), conn->bucket_alloc);
-
// Create a pollset for the client and target sockets
apr_pollset_t* pollset;
apr_status_t cprc = apr_pollset_create(&pollset, 2, pool(p), 0);
if (cprc != APR_SUCCESS)
- return abort(conn, http::apreason(cprc));
+ return abort(conn, csock, http::apreason(cprc));
const apr_pollfd_t* cpollfd = http::pollfd(csock, APR_POLLIN, p);
apr_pollset_add(pollset, cpollfd);
const apr_pollfd_t* tpollfd = http::pollfd(tsock, APR_POLLIN, p);
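Review bot: The doc comments on `close` and `abort` still say only "Close a connection." / "Abort a connection.", but both now close the core-owned client socket with `apr_socket_close(csock)` and set `conn->aborted = 1`, which tells httpd to skip its own lingering close on that connection; that contract, and why `ap_lingering_close` was dropped (presumably because the `extern "C"` declaration reached into a private core symbol, the hunk does not say), belongs in the comment, e.g. `/** Close the client socket and mark the connection aborted so httpd does not run lingering close on it. */`. With `cs` now a local of `tunnel`, the target connection is presumably torn down by its destructor on every return path, which is worth a short comment next to `http::CURLSession cs(ca, cert, key);`. `abort(conn, csock, string("Couldn't receive from client"))` wraps a literal in `string()` while the sibling calls pass the literal directly; pick one form. The rest of tunnel's body continues in the following hunks.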
@@ -176,7 +176,7 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin
// Receive buckets from client
const apr_status_t getrc = ap_get_brigade(conn->input_filters, ib, AP_MODE_READBYTES, APR_BLOCK_READ, HUGE_STRING_LEN);
if (getrc != APR_SUCCESS)
- return OK;
+ return abort(conn, csock, string("Couldn't receive from client"));
for (apr_bucket* bucket = APR_BRIGADE_FIRST(ib); bucket != APR_BRIGADE_SENTINEL(ib); bucket = APR_BUCKET_NEXT(bucket)) {
if (APR_BUCKET_IS_FLUSH(bucket))
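Review bot: Returning `abort(conn, csock, string("Couldn't receive from client"))` when `ap_get_brigade` fails turns an ordinary client disconnect (the read typically fails with an EOF or reset status once the peer goes away) into a reported failure where the old code returned OK, so every client-initiated tunnel teardown will now surface as an error if that status is logged or counted. Consider routing `APR_STATUS_IS_EOF(getrc)` and `APR_STATUS_IS_ECONNRESET(getrc)` to `close(conn, csock)` and aborting only on other statuses. The enclosing loop starts before this hunk.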
@@ -184,7 +184,7 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin
// Client connection closed
if (APR_BUCKET_IS_EOS(bucket))
- return close(conn);
+ return close(conn, csock);
const char *data;
apr_size_t rl;
@@ -195,7 +195,7 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin
// Send to target
const failable<bool> src = http::send(data, rl, cs);
if (!hasContent(src))
- return abort(conn, string("Couldn't send to target: ") + reason(src));
+ return abort(conn, csock, string("Couldn't send to target: ") + reason(src));
}
}
apr_brigade_cleanup(ib);
@@ -205,18 +205,19 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin
char data[8192];
const failable<size_t> frl = http::recv(data, sizeof(data), cs);
if (!hasContent(frl))
- return abort(conn, string("Couldn't receive from target") + reason(frl));
+ return abort(conn, csock, string("Couldn't receive from target") + reason(frl));
const size_t rl = content(frl);
// Target connection closed
if (rl == 0)
- return close(conn);
+ return close(conn, csock);
// Send bucket to client
+ debug(string(data, rl), "modssltunnel::tunnel::sendToClient");
APR_BRIGADE_INSERT_TAIL(ob, apr_bucket_transient_create(data, rl, conn->bucket_alloc));
APR_BRIGADE_INSERT_TAIL(ob, apr_bucket_flush_create(conn->bucket_alloc));
if (ap_pass_brigade(ofilter, ob) != APR_SUCCESS)
- return abort(conn, "Couldn't send data bucket to client");
+ return abort(conn, csock, "Couldn't send data bucket to client");
apr_brigade_cleanup(ob);
}
}
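Review bot: `debug(string(data, rl), "modssltunnel::tunnel::sendToClient")` writes the raw bytes received from the target into the log, and for this tunnel that is the decrypted application payload (memcached traffic in the tests, possibly credentials in other deployments). If `debug` is compiled into production builds (not visible here), log the length instead, `debug(rl, "modssltunnel::tunnel::sendToClient");`, and keep the content dump behind a maintainer-only build.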
@@ -224,9 +225,9 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin
// Error
if (pollfds->rtnevents & (APR_POLLERR | APR_POLLHUP | APR_POLLNVAL)) {
if (pollfds->desc.s == csock)
- return abort(conn, "Couldn't receive from client");
+ return abort(conn, csock, "Couldn't receive from client");
else
- return abort(conn, "Couldn't receive from target");
+ return abort(conn, csock, "Couldn't receive from target");
}
}
@@ -234,12 +235,12 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin
debug("modssltunnel::tunnel::poll");
apr_status_t pollrc = apr_pollset_poll(pollset, -1, &pollcount, &pollfds);
if (pollrc != APR_SUCCESS)
- return abort(conn, "Couldn't poll sockets");
+ return abort(conn, csock, "Couldn't poll sockets");
debug(pollcount, "modssltunnel::tunnel::pollfds");
}
// Close client connection
- return close(conn);
+ return close(conn, csock);
}
/**
@@ -269,13 +270,10 @@ int processConnection(conn_rec *conn) {
return DECLINED;
debug(sc.pass, "modssltunnel::processConnection::pass");
- // Create the target connection
- http::CURLSession cs(sc.ca, sc.cert, sc.key);
-
// Run the tunnel
const string preamble = string("SSLTUNNEL ") + sc.path + string(" HTTP/1.1\r\nHost: ") + sc.host + string("\r\n\r\n");
debug(preamble, "modssltunnel::processConnection::preamble");
- return tunnel(conn, cs, sc.pass, preamble, gc_pool(conn->pool), connectionFilter(conn->input_filters), connectionFilter(conn->output_filters));
+ return tunnel(conn, sc.ca, sc.cert, sc.key, sc.pass, preamble, gc_pool(conn->pool), connectionFilter(conn->input_filters), connectionFilter(conn->output_filters));
}
/**
@@ -295,11 +293,8 @@ int handler(request_rec* r) {
const string url = string(cadr(path)) + ":" + caddr(path);
debug(url, "modssltunnel::handler::target");
- // Create the target connection
- http::CURLSession cs("", "", "");
-
// Run the tunnel
- return tunnel(r->connection, cs, url, "", gc_pool(r->pool), connectionFilter(r->proto_input_filters), connectionFilter(r->proto_output_filters));
+ return tunnel(r->connection, "", "", "", url, "", gc_pool(r->pool), connectionFilter(r->proto_input_filters), connectionFilter(r->proto_output_filters));
}
/**
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-conf b/sca-cpp/trunk/modules/http/proxy-ssl-conf
index 12340f9921..f5e2bfc4a4 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-conf
@@ -24,10 +24,16 @@ root=`readlink -f $1`
cat >>$root/conf/vhost-ssl.conf <<EOF
# Generated by: proxy-ssl-conf $*
-# Enable HTTPS proxy
+# Enable HTTPS reverse proxy
ProxyRequests Off
ProxyPreserveHost On
ProxyStatus On
+SSLProxyEngine on
+SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+
+# Verify server certificates
+SSLProxyVerify require
+SSLProxyVerifyDepth 1
# Enable load balancing
ProxyPass /balancer-manager !
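Review bot: The proxy-to-backend `SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` moved here from httpd-ssl-conf still permits LOW, EXPORT, SSLv2 and NULL-encryption suites, and unlike the client-facing side there is no `SSLRequire %{SSL_CIPHER_USEKEYSIZE}` check on the outbound leg; both ends of this hop are servers generated by these scripts, so there is no compatibility reason to offer them. `SSLProxyCipherSuite HIGH:MEDIUM:!ADH:!EXP:!LOW:!eNULL:!SSLv2` would keep `SSLProxyVerify require` from being paired with a weak or null cipher. `SSLProxyVerify require`/`SSLProxyVerifyDepth 1` are emitted into vhost-ssl.conf while the CA file they verify against is written to svhost-ssl.conf/dvhost-ssl.conf in the next hunk; confirm those end up in the same VirtualHost context, otherwise verification has no CA to use.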
@@ -47,3 +53,20 @@ Require user admin
EOF
+cat >>$root/conf/svhost-ssl.conf <<EOF
+# Generated by: proxy-ssl-conf $*
+# Declare proxy SSL client certificates
+SSLProxyCACertificateFile "$root/cert/ca.crt"
+SSLProxyMachineCertificateFile "$root/cert/proxy.pem"
+
+EOF
+
+cat >>$root/conf/dvhost-ssl.conf <<EOF
+# Generated by: proxy-ssl-conf $*
+
+# Declare proxy SSL client certificates
+SSLProxyCACertificateFile "$root/cert/ca.crt"
+SSLProxyMachineCertificateFile "$root/cert/proxy.pem"
+
+EOF
+
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
index 3cc231a0a1..b6bf055ad8 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
@@ -25,7 +25,15 @@ root=`readlink -f $1`
host=$2
sslport=`$here/httpd-addr port $3`
-cat >>$root/conf/vhost-ssl.conf <<EOF
+cat >>$root/conf/svhost-ssl.conf <<EOF
+# Generated by: proxy-ssl-member-conf $*
+# Add proxy balancer member
+BalancerMember balancer://sslcluster https://$host:$sslport
+ProxyPassReverse / https://$host:$sslport/
+
+EOF
+
+cat >>$root/conf/dvhost-ssl.conf <<EOF
# Generated by: proxy-ssl-member-conf $*
# Add proxy balancer member
BalancerMember balancer://sslcluster https://$host:$sslport
diff --git a/sca-cpp/trunk/modules/http/vhost-conf b/sca-cpp/trunk/modules/http/vhost-conf
index a6d54fa32a..f45d448906 100755
--- a/sca-cpp/trunk/modules/http/vhost-conf
+++ b/sca-cpp/trunk/modules/http/vhost-conf
@@ -44,6 +44,21 @@ ServerAlias *.$host
VirtualDocumentRoot $htdocs/domains/%1/
Include conf/dvhost.conf
+
+# Allow access to document root
+<Directory "$htdocs">
+Options FollowSymLinks
+AuthType None
+Require all granted
+</Directory>
+
+# Allow access to root location
+<Location />
+Options FollowSymLinks
+AuthType None
+Require all granted
+</Location>
+
</VirtualHost>
EOF
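Review bot: The new `<Location />` block grants anonymous access (`AuthType None` / `Require all granted`) to the whole dynamic vhost, and whether the `<Location />` sections that oauth-conf and openid-conf append to auth.conf in this commit override it depends on the order in which httpd.conf includes dvhost.conf and auth.conf, which is not visible here — a comment stating the intent, e.g. `# Default is open access; <Location /> auth sections included later take precedence`, would keep a later include reorder from silently reopening an authenticated host. Separately, `Options FollowSymLinks` at line 767 has no effect inside `<Location>` (httpd ignores that option there; it only applies in `<Directory>`) and can be dropped. In the `<Directory "$htdocs">` block, FollowSymLinks lets a symlink inside any domain's docroot resolve outside `$htdocs`; `SymLinksIfOwnerMatch` is the usual tighter choice if that is not intended.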
diff --git a/sca-cpp/trunk/modules/http/vhost-ssl-conf b/sca-cpp/trunk/modules/http/vhost-ssl-conf
index 17434b9782..36b2a15412 100755
--- a/sca-cpp/trunk/modules/http/vhost-ssl-conf
+++ b/sca-cpp/trunk/modules/http/vhost-ssl-conf
@@ -38,16 +38,16 @@ htdocs=`readlink -f $htdocs`
cat >>$root/conf/httpd.conf <<EOF
# Generated by: vhost-ssl-conf $*
# Enable mass dynamic virtual hosting over HTTPS
-NameVirtualHost $sslvhost
SSLStrictSNIVHostCheck Off
+# HTTPS dynamic virtual host
+NameVirtualHost $sslvhost
<VirtualHost $sslvhost>
ServerName https://vhost.$host:$sslpport
ServerAlias *.$host
VirtualDocumentRoot $htdocs/domains/%1/
Include conf/dvhost-ssl.conf
-</VirtualHost>
-EOF
+</VirtualHost>
diff --git a/sca-cpp/trunk/modules/java/java-conf b/sca-cpp/trunk/modules/java/java-conf
index 0290c864e5..cf5faddb84 100755
--- a/sca-cpp/trunk/modules/java/java-conf
+++ b/sca-cpp/trunk/modules/java/java-conf
@@ -22,7 +22,7 @@ here=`readlink -f $0`; here=`dirname $here`
mkdir -p $1
root=`readlink -f $1`
-cat >>$root/conf/httpd.conf <<EOF
+cat >>$root/conf/modules.conf <<EOF
# Generated by: java-conf $*
# Support for Java SCA components
LoadModule mod_tuscany_eval $here/libmod_tuscany_java.so
diff --git a/sca-cpp/trunk/modules/oauth/oauth-conf b/sca-cpp/trunk/modules/oauth/oauth-conf
index 4ac231a55b..dc3a6ebc9d 100755
--- a/sca-cpp/trunk/modules/oauth/oauth-conf
+++ b/sca-cpp/trunk/modules/oauth/oauth-conf
@@ -26,12 +26,16 @@ conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
host=`echo $conf | awk '{ print $6 }'`
# Configure HTTPD mod_tuscany_oauth module
-cat >>$root/conf/auth.conf <<EOF
+cat >>$root/conf/modules.conf <<EOF
# Generated by: oauth-conf $*
# Load support for OAuth authentication
LoadModule mod_tuscany_oauth1 $here/libmod_tuscany_oauth1.so
LoadModule mod_tuscany_oauth2 $here/libmod_tuscany_oauth2.so
+EOF
+
+cat >>$root/conf/auth.conf <<EOF
+# Generated by: oauth-conf $*
# Enable OAuth authentication
<Location />
AuthType Open
diff --git a/sca-cpp/trunk/modules/openid/openid-conf b/sca-cpp/trunk/modules/openid/openid-conf
index 1d208784de..1a5739b5aa 100755
--- a/sca-cpp/trunk/modules/openid/openid-conf
+++ b/sca-cpp/trunk/modules/openid/openid-conf
@@ -27,11 +27,15 @@ host=`echo $conf | awk '{ print $6 }'`
openid_prefix=`cat $here/openid.prefix`
# Configure OpenID authentication
-cat >>$root/conf/auth.conf <<EOF
+cat >>$root/conf/modules.conf <<EOF
# Generated by: openid-conf $*
# Load support for OpenID authentication
LoadModule authopenid_module $openid_prefix/modules/mod_auth_openid.so
+EOF
+
+cat >>$root/conf/auth.conf <<EOF
+# Generated by: openid-conf $*
# Enable OpenID authentication
<Location />
AuthType Open
diff --git a/sca-cpp/trunk/modules/python/python-conf b/sca-cpp/trunk/modules/python/python-conf
index 4c0cf8b4ca..a5b45357fc 100755
--- a/sca-cpp/trunk/modules/python/python-conf
+++ b/sca-cpp/trunk/modules/python/python-conf
@@ -22,7 +22,7 @@ here=`readlink -f $0`; here=`dirname $here`
mkdir -p $1
root=`readlink -f $1`
-cat >>$root/conf/httpd.conf <<EOF
+cat >>$root/conf/modules.conf <<EOF
# Generated by: python-conf $*
# Support for Python SCA components
LoadModule mod_tuscany_eval $here/libmod_tuscany_python.so
diff --git a/sca-cpp/trunk/modules/server/cpp-conf b/sca-cpp/trunk/modules/server/cpp-conf
index 62339bd4bc..086bb49d38 100755
--- a/sca-cpp/trunk/modules/server/cpp-conf
+++ b/sca-cpp/trunk/modules/server/cpp-conf
@@ -22,7 +22,7 @@ here=`readlink -f $0`; here=`dirname $here`
mkdir -p $1
root=`readlink -f $1`
-cat >>$root/conf/httpd.conf <<EOF
+cat >>$root/conf/modules.conf <<EOF
# Generated by: cpp-conf $*
# Support for C++ SCA components
LoadModule mod_tuscany_eval $here/libmod_tuscany_eval.so
diff --git a/sca-cpp/trunk/modules/server/scheme-conf b/sca-cpp/trunk/modules/server/scheme-conf
index 454cab424b..cd3c82b280 100755
--- a/sca-cpp/trunk/modules/server/scheme-conf
+++ b/sca-cpp/trunk/modules/server/scheme-conf
@@ -22,7 +22,7 @@ here=`readlink -f $0`; here=`dirname $here`
mkdir -p $1
root=`readlink -f $1`
-cat >>$root/conf/httpd.conf <<EOF
+cat >>$root/conf/modules.conf <<EOF
# Generated by: scheme-conf $*
# Support for Scheme SCA components
LoadModule mod_tuscany_eval $here/libmod_tuscany_eval.so
diff --git a/sca-cpp/trunk/modules/server/server-conf b/sca-cpp/trunk/modules/server/server-conf
index e790a147e0..5a77125463 100755
--- a/sca-cpp/trunk/modules/server/server-conf
+++ b/sca-cpp/trunk/modules/server/server-conf
@@ -41,11 +41,15 @@ if [ "$sslconf" != "" ]; then
servername="https://$host:$sslpport"
fi
-cat >>$root/conf/httpd.conf <<EOF
+cat >>$root/conf/modules.conf <<EOF
# Generated by: server-conf $*
# Support for SCA component wiring
LoadModule mod_tuscany_wiring $here/libmod_tuscany_wiring.so
+EOF
+
+cat >>$root/conf/httpd.conf <<EOF
+# Generated by: server-conf $*
# Route all wiring through the configured server name
SCAWiringServerName $servername
diff --git a/sca-cpp/trunk/samples/store-cluster/proxy-conf b/sca-cpp/trunk/samples/store-cluster/proxy-conf
index 5a61f13399..b60e7ba7f9 100755
--- a/sca-cpp/trunk/samples/store-cluster/proxy-conf
+++ b/sca-cpp/trunk/samples/store-cluster/proxy-conf
@@ -26,6 +26,7 @@ set -x
../../modules/http/httpd-conf $root sca-store.com $port/80 $root/htdocs
../../modules/http/vhost-conf $root
../../modules/http/proxy-conf $root
+../../modules/http/httpd-event-conf $root
# Aggregate proxy balancer logs
category=`basename $root`
diff --git a/sca-cpp/trunk/samples/store-cluster/proxy-ssl-conf b/sca-cpp/trunk/samples/store-cluster/proxy-ssl-conf
index 3379a3c789..fc329f0d18 100755
--- a/sca-cpp/trunk/samples/store-cluster/proxy-ssl-conf
+++ b/sca-cpp/trunk/samples/store-cluster/proxy-ssl-conf
@@ -24,11 +24,12 @@ sslport=$3
set -x
# Configure an SSL-enabled proxy balancer
-../../modules/http/httpd-conf $root sca-store.com $port/80 $root/htdocs
+../../modules/http/httpd-conf $root sca-store.com $port $root/htdocs
../../modules/http/vhost-conf $root
../../modules/http/proxy-conf $root
+../../modules/http/httpd-event-conf $root
tar -C tmp/ssl -c `../../modules/http/ssl-cert-find tmp/ssl` | tar -C $root -x
-../../modules/http/httpd-ssl-conf $root $sslport/443
+../../modules/http/httpd-ssl-conf $root $sslport
../../modules/http/vhost-ssl-conf $root
../../modules/http/proxy-ssl-conf $root
diff --git a/sca-cpp/trunk/samples/store-cluster/server-ssl-conf b/sca-cpp/trunk/samples/store-cluster/server-ssl-conf
index 8799fbdf6d..70662daab2 100755
--- a/sca-cpp/trunk/samples/store-cluster/server-ssl-conf
+++ b/sca-cpp/trunk/samples/store-cluster/server-ssl-conf
@@ -24,14 +24,13 @@ sslport=$3
set -x
# Configure an SSL-enabled app server
-../../modules/http/httpd-conf $root sca-store.com $port/80 htdocs
+../../modules/http/httpd-conf $root sca-store.com $port htdocs
../../modules/http/vhost-conf $root
tar -C tmp/ssl -c `../../modules/http/ssl-cert-find tmp/ssl` | tar -C $root -x
-../../modules/http/httpd-ssl-conf $root $sslport/443
+../../modules/http/httpd-ssl-conf $root $sslport
../../modules/http/vhost-ssl-conf $root
-#../../modules/http/basic-auth-conf $root
../../modules/oauth/oauth-conf $root
../../modules/oauth/oauth-memcached-conf $root localhost 11211
../../modules/oauth/oauth-memcached-conf $root localhost 11212
@@ -41,6 +40,7 @@ tar -C tmp/ssl -c `../../modules/http/ssl-cert-find tmp/ssl` | tar -C $root -x
../../modules/openid/openid-memcached-conf $root localhost 11211
../../modules/openid/openid-memcached-conf $root localhost 11212
../../modules/openid/openid-memcached-conf $root localhost 11213
+../../modules/http/open-auth-conf $root
../../modules/server/server-conf $root
../../modules/python/python-conf $root
diff --git a/sca-cpp/trunk/samples/store-cluster/server-test b/sca-cpp/trunk/samples/store-cluster/server-test
index 7f6ff4ead6..68856f530e 100755
--- a/sca-cpp/trunk/samples/store-cluster/server-test
+++ b/sca-cpp/trunk/samples/store-cluster/server-test
@@ -17,6 +17,9 @@
# specific language governing permissions and limitations
# under the License.
+# For this test to work, add the test domain to your etc/hosts as follows:
+# 127.0.0.1 sca-store.com joe.sca-store.com joe.sca-store.com
+
echo "Testing..."
here=`readlink -f $0`; here=`dirname $here`
curl_prefix=`cat $here/../../modules/http/curl.prefix`
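Review bot: The moved hosts comment `# 127.0.0.1 sca-store.com joe.sca-store.com joe.sca-store.com` lists joe.sca-store.com twice; if a second test host was intended it should be named, otherwise the duplicate should go. The dropped `ip-redirect-all 80 8091` instruction appears to be replaced by the redirects now done in start and ssl-start, which the comment could point to so testers know the port redirect is no longer a manual step.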
@@ -25,10 +28,6 @@ curl_prefix=`cat $here/../../modules/http/curl.prefix`
./start
sleep 2
-# For this test to work, add the test domain to your etc/hosts as follows:
-# 127.0.0.1 sca-store.com joe.sca-store.com joe.sca-store.com
-# then run ../../ubuntu/ip-redirect-all 80 8091
-
# Test HTTP GET
$curl_prefix/bin/curl http://joe.sca-store.com/ 2>/dev/null >tmp/index.html
diff tmp/index.html htdocs/domains/joe/index.html
diff --git a/sca-cpp/trunk/samples/store-cluster/ssl-start b/sca-cpp/trunk/samples/store-cluster/ssl-start
index 13a462bd49..f80bb075d6 100755
--- a/sca-cpp/trunk/samples/store-cluster/ssl-start
+++ b/sca-cpp/trunk/samples/store-cluster/ssl-start
@@ -19,15 +19,29 @@
set -x
+# Redirect traffic from ports 80, 443 and 444 to proxy1
+sudo ../../ubuntu/ip-redirect-all 80 8090
+sudo ../../ubuntu/ip-redirect-all 443 8091
+sudo ../../ubuntu/ip-redirect-all 444 8092
+
+# Redirect traffic from ports 80, 443 and 444 to proxy2
+#sudo ../../ubuntu/ip-redirect-all 80 8093
+#sudo ../../ubuntu/ip-redirect-all 443 8094
+#sudo ../../ubuntu/ip-redirect-all 444 8095
+
+# Redirect traffic from ports 119 and 563 to tunnel
+sudo ../../ubuntu/ip-redirect-all 119 8119
+sudo ../../ubuntu/ip-redirect-all 563 8563
+
# Generate SSL certificates
../../modules/http/ssl-ca-conf tmp/ssl sca-store.com
-../../modules/http/ssl-cert-conf tmp/ssl sca-store.com server
+../../modules/http/ssl-cert-conf tmp/ssl localhost server
../../modules/http/ssl-cert-conf tmp/ssl *.sca-store.com vhost
../../modules/http/ssl-cert-conf tmp/ssl sca-store.com proxy
-../../modules/http/ssl-cert-conf tmp/ssl sca-store.com tunnel
+../../modules/http/ssl-cert-conf tmp/ssl localhost tunnel
# Start an SSL tunnel
-./tunnel-ssl-conf tmp/tunnel 8119 8563
+./tunnel-ssl-conf tmp/tunnel 8119/119 8563/563
../../modules/http/httpd-start tmp/tunnel
sleep 1
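Review bot: The `sudo ../../ubuntu/ip-redirect-all` lines added at the top of ssl-start rewrite the host's nat PREROUTING and OUTPUT chains as a side effect of starting the sample, and nothing in this hunk undoes them; the first hunk of `start` does the same for port 80. If the corresponding stop script does not delete these rules they persist after the cluster is down and keep redirecting 80/443/444/119/563 to ports nothing listens on. A comment naming where they are removed, e.g. `# NAT redirects persist until the stop script (or a reboot) clears them`, would document that.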
@@ -74,20 +88,20 @@ sleep 1
../../modules/http/httpd-start tmp/sqldb3
# Start three app servers
-./server-ssl-conf tmp/server1 8101 8441
+./server-ssl-conf tmp/server1 8101/80 8441/443
../../modules/http/httpd-start tmp/server1
sleep 1
-./server-ssl-conf tmp/server2 8102 8442
+./server-ssl-conf tmp/server2 8102/80 8442/443
../../modules/http/httpd-start tmp/server2
sleep 1
-./server-ssl-conf tmp/server3 8103 8443
+./server-ssl-conf tmp/server3 8103/80 8443/443
../../modules/http/httpd-start tmp/server3
sleep 1
# Start two proxy balancers
-./proxy-ssl-conf tmp/proxy1 8091 8093
+./proxy-ssl-conf tmp/proxy1 8090/80 8091/443
../../modules/http/proxy-member-conf tmp/proxy1 localhost 8101
../../modules/http/proxy-ssl-member-conf tmp/proxy1 localhost 8441
../../modules/http/proxy-member-conf tmp/proxy1 localhost 8102
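Review bot: The redirect comments in the first hunk send port 444 to 8092 (proxy1) and 8095 (proxy2), but `./proxy-ssl-conf tmp/proxy1 8090/80 8091/443` here, and the proxy2 call in the next hunk, pass only two ports, so where the 444 listener comes from is not visible in this chunk — presumably httpd-ssl-conf derives the cert-auth port from the sslport argument. A comment on the proxy-ssl-conf line, e.g. `# 8090/80 HTTP, 8091/443 HTTPS (password auth); cert-auth listener 8092/444 — confirm where it is configured`, would make the port plan checkable against the redirects.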
@@ -96,7 +110,7 @@ sleep 1
../../modules/http/proxy-ssl-member-conf tmp/proxy1 localhost 8443
../../modules/http/httpd-start tmp/proxy1
-./proxy-ssl-conf tmp/proxy2 8092 8094
+./proxy-ssl-conf tmp/proxy2 8093/80 8094/443
../../modules/http/proxy-member-conf tmp/proxy2 localhost 8101
../../modules/http/proxy-ssl-member-conf tmp/proxy2 localhost 8441
../../modules/http/proxy-member-conf tmp/proxy2 localhost 8102
@@ -105,15 +119,3 @@ sleep 1
../../modules/http/proxy-ssl-member-conf tmp/proxy2 localhost 8443
../../modules/http/httpd-start tmp/proxy2
-# Redirect traffic from ports 80 and 443 to proxy1
-#sudo ../../ubuntu/ip-redirect-all 80 8091
-#sudo ../../ubuntu/ip-redirect-all 443 8093
-
-# Redirect traffic from ports 80 and 443 to proxy2
-#sudo ../../ubuntu/ip-redirect-all 80 8092
-#sudo ../../ubuntu/ip-redirect-all 443 8094
-
-# Redirect traffic from ports 119 and 563 to tunnel
-#sudo ../../ubuntu/ip-redirect-all 119 8119
-#sudo ../../ubuntu/ip-redirect-all 563 8563
-
diff --git a/sca-cpp/trunk/samples/store-cluster/start b/sca-cpp/trunk/samples/store-cluster/start
index 98293d3f98..67434d6a0e 100755
--- a/sca-cpp/trunk/samples/store-cluster/start
+++ b/sca-cpp/trunk/samples/store-cluster/start
@@ -19,6 +19,12 @@
set -x
+# Redirect traffic from port 80 to proxy1
+sudo ../../ubuntu/ip-redirect-all 80 8090
+
+# Redirect traffic from port 80 to proxy2
+#sudo ../../ubuntu/ip-redirect-all 80 8091
+
# Start scribe logging
../../components/log/scribed-central-conf tmp/monitor
../../components/log/scribed-client-conf tmp/monitor localhost
@@ -71,9 +77,3 @@ sleep 1
../../modules/http/proxy-member-conf tmp/proxy2 localhost 8103
../../modules/http/httpd-start tmp/proxy2
-# Redirect traffic from port 80 to proxy1
-#sudo ../../ubuntu/ip-redirect-all 80 8090
-
-# Redirect traffic from port 80 to proxy2
-#sudo ../../ubuntu/ip-redirect-all 80 8091
-
diff --git a/sca-cpp/trunk/samples/store-cluster/tunnel-ssl-conf b/sca-cpp/trunk/samples/store-cluster/tunnel-ssl-conf
index ef3074691a..7a9a8ad305 100755
--- a/sca-cpp/trunk/samples/store-cluster/tunnel-ssl-conf
+++ b/sca-cpp/trunk/samples/store-cluster/tunnel-ssl-conf
@@ -24,7 +24,9 @@ sslport=$3
set -x
# Configure an SSL-enabled tunnel server
-../../modules/http/httpd-conf $root sca-store.com $port/119 $root/htdocs
+../../modules/http/httpd-conf $root sca-store.com $port $root/htdocs
+../../modules/http/httpd-event-conf $root
tar -C tmp/ssl -c `../../modules/http/ssl-cert-find tmp/ssl` | tar -C $root -x
-../../modules/http/httpd-ssl-conf $root $sslport/563
+../../modules/http/httpd-ssl-conf $root $sslport
+../../modules/http/cert-auth-conf $root
diff --git a/sca-cpp/trunk/samples/store-python/uec2-start b/sca-cpp/trunk/samples/store-python/uec2-start
index af98e1ac7f..84c170e596 100755
--- a/sca-cpp/trunk/samples/store-python/uec2-start
+++ b/sca-cpp/trunk/samples/store-python/uec2-start
@@ -24,7 +24,7 @@ else
host="localhost"
fi
-# Ports 80, 443, 8090, 8453 need to be open
+# Ports 80, 443, 444, 8090, 8453, 8454 need to be open
sudo ../../ubuntu/ip-redirect-all 80 8090
sudo ../../ubuntu/ip-redirect-all 443 8453
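Review bot: The updated comment now lists ports 444 and 8454 as needing to be open, but the hunk adds no redirect for 444, so either a line analogous to the 443 one is missing (by analogy with `443 8453` it would presumably be `sudo ../../ubuntu/ip-redirect-all 444 8454` — a constructed mapping, confirm against the server's cert-auth port) or the comment should say that 444/8454 are handled elsewhere. store-vhost/uec2-start's hunk has the same comment-only change.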
diff --git a/sca-cpp/trunk/samples/store-vhost/uec2-start b/sca-cpp/trunk/samples/store-vhost/uec2-start
index c4720cafd5..b8a267d617 100755
--- a/sca-cpp/trunk/samples/store-vhost/uec2-start
+++ b/sca-cpp/trunk/samples/store-vhost/uec2-start
@@ -25,7 +25,7 @@ else
host="sca-store.com"
fi
-# Ports 80, 443, 8090, 8453 need to be open
+# Ports 80, 443, 444, 8090, 8453, 8454 need to be open
sudo ../../ubuntu/ip-redirect-all 80 8090
sudo ../../ubuntu/ip-redirect-all 443 8453
diff --git a/sca-cpp/trunk/ubuntu/ip-redirect b/sca-cpp/trunk/ubuntu/ip-redirect
index 93c60ccfb7..e78c63935b 100755
--- a/sca-cpp/trunk/ubuntu/ip-redirect
+++ b/sca-cpp/trunk/ubuntu/ip-redirect
@@ -26,8 +26,10 @@ tport=$2
dest=$3
# Redirect external incoming traffic
-sudo /sbin/iptables -t nat -A PREROUTING --destination $dest -p tcp --dport $sport -j REDIRECT --to-port $tport
+sudo /sbin/iptables -t nat -S PREROUTING | grep "\-d $dest/" | grep "\-p tcp" | grep "\-\-dport $sport" | grep "\-j REDIRECT" | sed "s/^-A/-D/" | awk -F "\t" '{ printf "sudo /sbin/iptables -t nat %s\n", $1 }' | /bin/sh
+sudo /sbin/iptables -t nat -A PREROUTING --destination $dest -p tcp --dport $sport -j REDIRECT --to-ports $tport
# Redirect local traffic as well
-sudo /sbin/iptables -t nat -A OUTPUT --destination $dest -p tcp --dport $sport -j REDIRECT --to-port $tport
+sudo /sbin/iptables -t nat -S OUTPUT | grep "\-d $dest/" | grep "\-p tcp" | grep "\-\-dport $sport" | grep "\-j REDIRECT" | sed "s/^-A/-D/" | awk -F "\t" '{ printf "sudo /sbin/iptables -t nat %s\n", $1 }' | /bin/sh
+sudo /sbin/iptables -t nat -A OUTPUT --destination $dest -p tcp --dport $sport -j REDIRECT --to-ports $tport
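Review bot: The two new cleanup lines turn `iptables -S` output into shell commands with grep/sed/awk and pipe them to `/bin/sh` as root, and `$dest` (an unquoted `$3`) goes into the grep pattern unescaped, so its dots match any character. Deleting by rule specification avoids executing generated text entirely: repeat `iptables -D` with the same arguments until it fails, then add the rule once. Note this removes only rules whose target port equals `$tport`, whereas the `-S` filter also removes redirects to other target ports — if that broader cleanup is intended, a comment should say so. The same pattern appears in ip-redirect-all's hunk.
```shell
# Redirect external incoming traffic: drop stale copies of this exact rule, then add it once
while sudo /sbin/iptables -t nat -D PREROUTING --destination "$dest" -p tcp --dport "$sport" -j REDIRECT --to-ports "$tport" 2>/dev/null; do :; done
sudo /sbin/iptables -t nat -A PREROUTING --destination "$dest" -p tcp --dport "$sport" -j REDIRECT --to-ports "$tport"
# Redirect local traffic as well
while sudo /sbin/iptables -t nat -D OUTPUT --destination "$dest" -p tcp --dport "$sport" -j REDIRECT --to-ports "$tport" 2>/dev/null; do :; done
sudo /sbin/iptables -t nat -A OUTPUT --destination "$dest" -p tcp --dport "$sport" -j REDIRECT --to-ports "$tport"
```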
diff --git a/sca-cpp/trunk/ubuntu/ip-redirect-all b/sca-cpp/trunk/ubuntu/ip-redirect-all
index aba5bc15ae..f796b0589e 100755
--- a/sca-cpp/trunk/ubuntu/ip-redirect-all
+++ b/sca-cpp/trunk/ubuntu/ip-redirect-all
@@ -22,5 +22,10 @@ here=`readlink -f $0`; here=`dirname $here`
sport=$1
tport=$2
+# Cleanup existing rules
+sudo /sbin/iptables -t nat -S PREROUTING | grep "\-p tcp" | grep "\-\-dport $sport" | grep "\-j REDIRECT" | sed "s/^-A/-D/" | awk -F "\t" '{ printf "sudo /sbin/iptables -t nat %s\n", $1 }' | /bin/sh
+sudo /sbin/iptables -t nat -S OUTPUT | grep "\-p tcp" | grep "\-\-dport $sport" | grep "\-j REDIRECT" | sed "s/^-A/-D/" | awk -F "\t" '{ printf "sudo /sbin/iptables -t nat %s\n", $1 }' | /bin/sh
+
+# Redirect traffic
/sbin/ifconfig | grep "inet addr:" | awk -F ":" '{ print $2 }' | awk '{ print $1 }' | xargs -i $here/ip-redirect $sport $tport {}
diff --git a/sca-cpp/trunk/ubuntu/ubuntu-install-all b/sca-cpp/trunk/ubuntu/ubuntu-install-all
index ab9244b30e..3cc582bc89 100755
--- a/sca-cpp/trunk/ubuntu/ubuntu-install-all
+++ b/sca-cpp/trunk/ubuntu/ubuntu-install-all
@@ -54,7 +54,7 @@ tar xzf httpd-2.3.8.tar.gz
wget http://archive.apache.org/dist/httpd/httpd-2.3.8-deps.tar.gz
tar xzf httpd-2.3.8-deps.tar.gz
cd httpd-2.3.8
-./configure --enable-ssl --enable-proxy --enable-usertrack --enable-mods-shared=most --with-included-apr --with-expat=$build/expat-2.0.1-bin --with-mpm=prefork --prefix=$build/httpd-2.3.8-bin
+./configure --enable-ssl --enable-proxy --enable-usertrack --enable-mods-shared=most --enable-mpms-shared="prefork worker event" --with-included-apr --with-expat=$build/expat-2.0.1-bin --with-mpm=prefork --prefix=$build/httpd-2.3.8-bin
make
make install
if [ "$?" != "0" ]; then