diff options
| author | jsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68> | 2010-11-28 07:17:11 +0000 |
|---|---|---|
| committer | jsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68> | 2010-11-28 07:17:11 +0000 |
| commit | 14f1ada7b2bb66c6c3dae496d3963e9af3f0ab38 (patch) | |
| tree | 01d610b53ba9b2088138d057f16ed6e5122cfe36 | |
| parent | 6c67a3ca11e4bcd7715d92df2e3e41e4e3fc0dc9 (diff) | |
Use different servers for cert-based and password-based auth and use event MPMs for tunnel and proxy servers.
git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1039840 13f79535-47bb-0310-9956-ffa450edef68
32 files changed, 360 insertions, 243 deletions
diff --git a/sca-cpp/trunk/components/cache/memcached-ssl-test b/sca-cpp/trunk/components/cache/memcached-ssl-test index 7e55cfdee6..88143490f8 100755 --- a/sca-cpp/trunk/components/cache/memcached-ssl-test +++ b/sca-cpp/trunk/components/cache/memcached-ssl-test @@ -27,6 +27,7 @@ ./memcached-start 11413 ../../modules/http/httpd-conf tmp/tunnel localhost 8089 htdocs +../../modules/http/httpd-event-conf tmp/tunnel tar -C tmp/ssl -c `../../modules/http/ssl-cert-find tmp/ssl` | tar -C tmp/tunnel -x ../../modules/http/tunnel-ssl-conf tmp/tunnel 11211 localhost 8453 11411 ../../modules/http/tunnel-ssl-conf tmp/tunnel 11212 localhost 8453 11412 @@ -36,6 +37,7 @@ tar -C tmp/ssl -c `../../modules/http/ssl-cert-find tmp/ssl` | tar -C tmp/tunnel ../../modules/http/httpd-conf tmp/server localhost 8090 htdocs tar -C tmp/ssl -c `../../modules/http/ssl-cert-find tmp/ssl` | tar -C tmp/server -x ../../modules/http/httpd-ssl-conf tmp/server 8453 +../../modules/http/cert-auth-conf tmp/server ../../modules/http/httpd-start tmp/server sleep 1 diff --git a/sca-cpp/trunk/components/webservice/axis2-conf b/sca-cpp/trunk/components/webservice/axis2-conf index c11e6c50d5..af5d189b24 100755 --- a/sca-cpp/trunk/components/webservice/axis2-conf +++ b/sca-cpp/trunk/components/webservice/axis2-conf @@ -42,11 +42,17 @@ ln -f -s $here/services.xml $root/axis2c/services/tuscany/services.xml cp $here/axis2.xml $root/axis2c/axis2.xml # Configure HTTPD Axis2 module +cat >>$root/conf/modules.conf <<EOF +# Generated by: axis2-conf $* +# Support for Web Services +LoadModule axis2_module $root/axis2c/lib/libmod_axis2.so + +EOF + cat >>$root/conf/httpd.conf <<EOF # Generated by: axis2-conf $* # Support for Web Services SCASetEnv AXIS2C_HOME $root/axis2c -LoadModule axis2_module $root/axis2c/lib/libmod_axis2.so Axis2RepoPath $root/axis2c Axis2LogFile $root/axis2c/logs/mod_axis2.log Axis2LogLevel debug @@ -55,3 +61,4 @@ Axis2LogLevel debug </Location> EOF + diff --git a/sca-cpp/trunk/modules/http/Makefile.am b/sca-cpp/trunk/modules/http/Makefile.am index 08d7e1b49a..af8ab4d1c3 100644 --- a/sca-cpp/trunk/modules/http/Makefile.am +++ b/sca-cpp/trunk/modules/http/Makefile.am @@ -20,7 +20,7 @@ INCLUDES = -I${HTTPD_INCLUDE} incl_HEADERS = *.hpp incldir = $(prefix)/include/modules/http -dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf form-auth-conf open-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf +dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf cert-auth-conf form-auth-conf open-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf httpd-worker-conf httpd-event-conf moddir=$(prefix)/modules/http curl_test_SOURCES = curl-test.cpp diff --git a/sca-cpp/trunk/modules/http/cert-auth-conf b/sca-cpp/trunk/modules/http/cert-auth-conf new file mode 100755 index 0000000000..00494d99f2 --- /dev/null +++ b/sca-cpp/trunk/modules/http/cert-auth-conf @@ -0,0 +1,56 @@ +#!/bin/sh + +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +# Generate a minimal HTTPD certificate-based authentication configuration +here=`readlink -f $0`; here=`dirname $here` +mkdir -p $1 +root=`readlink -f $1` + +conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"` +host=`echo $conf | awk '{ print $6 }'` + +httpd_prefix=`cat $here/httpd.prefix` + +# Generate authentication configuration +cat >>$root/conf/auth.conf <<EOF +# Generated by: cert-auth-conf $* +# Require clients to present a valid client certificate +SSLVerifyClient require +SSLVerifyDepth 1 + +<Location /> +AuthType Basic +AuthName "$host" +AuthBasicProvider file +AuthUserFile "$root/conf/httpd.passwd" +Require valid-user +</Location> + +EOF + +# Create certificate-based users +touch $root/conf/httpd.passwd +cat >>$root/conf/httpd.passwd <<EOF +/C=US/ST=CA/L=San Francisco/O=$host/OU=server/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/ +/C=US/ST=CA/L=San Francisco/O=$host/OU=proxy/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/ +/C=US/ST=CA/L=San Francisco/O=$host/OU=tunnel/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/ +/C=US/ST=CA/L=San Francisco/O=localhost/OU=server/CN=localhost:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/ +/C=US/ST=CA/L=San Francisco/O=localhost/OU=tunnel/CN=localhost:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/ +EOF + diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf index 79a85c0961..a77141af5f 100755 --- a/sca-cpp/trunk/modules/http/httpd-conf +++ b/sca-cpp/trunk/modules/http/httpd-conf @@ -47,54 +47,11 @@ cat >$root/conf/httpd.conf <<EOF ServerName http://$host:$pport PidFile $root/logs/httpd.pid -# Load a minimal set of modules, the load order is important -# (e.g. load mod_headers before mod_rewrite, so its hooks execute -# after mod_rewrite's hooks) -LoadModule alias_module ${modules_prefix}/modules/mod_alias.so -LoadModule authn_file_module ${modules_prefix}/modules/mod_authn_file.so -LoadModule authn_core_module ${modules_prefix}/modules/mod_authn_core.so -LoadModule authz_host_module ${modules_prefix}/modules/mod_authz_host.so -LoadModule authz_groupfile_module ${modules_prefix}/modules/mod_authz_groupfile.so -LoadModule authz_user_module ${modules_prefix}/modules/mod_authz_user.so -LoadModule authz_core_module ${modules_prefix}/modules/mod_authz_core.so -LoadModule auth_basic_module ${modules_prefix}/modules/mod_auth_basic.so -LoadModule auth_digest_module ${modules_prefix}/modules/mod_auth_digest.so -LoadModule auth_form_module ${modules_prefix}/modules/mod_auth_form.so -LoadModule request_module ${modules_prefix}/modules/mod_request.so -LoadModule deflate_module ${modules_prefix}/modules/mod_deflate.so -LoadModule filter_module ${modules_prefix}/modules/mod_filter.so -LoadModule proxy_module ${modules_prefix}/modules/mod_proxy.so -LoadModule proxy_connect_module ${modules_prefix}/modules/mod_proxy_connect.so -LoadModule proxy_http_module ${modules_prefix}/modules/mod_proxy_http.so -LoadModule proxy_balancer_module ${modules_prefix}/modules/mod_proxy_balancer.so -LoadModule lbmethod_byrequests_module ${modules_prefix}/modules/mod_lbmethod_byrequests.so -LoadModule headers_module ${modules_prefix}/modules/mod_headers.so -LoadModule ssl_module ${modules_prefix}/modules/mod_ssl.so -LoadModule socache_shmcb_module ${modules_prefix}/modules/mod_socache_shmcb.so -LoadModule rewrite_module ${modules_prefix}/modules/mod_rewrite.so -LoadModule mime_module ${modules_prefix}/modules/mod_mime.so -LoadModule status_module ${modules_prefix}/modules/mod_status.so -LoadModule asis_module ${modules_prefix}/modules/mod_asis.so -LoadModule negotiation_module ${modules_prefix}/modules/mod_negotiation.so -LoadModule dir_module ${modules_prefix}/modules/mod_dir.so -LoadModule setenvif_module ${modules_prefix}/modules/mod_setenvif.so -<IfModule !log_config_module> -LoadModule log_config_module ${modules_prefix}/modules/mod_log_config.so -</IfModule> -LoadModule logio_module ${modules_prefix}/modules/mod_logio.so -LoadModule usertrack_module ${modules_prefix}/modules/mod_usertrack.so -LoadModule vhost_alias_module ${modules_prefix}/modules/mod_vhost_alias.so -LoadModule cgi_module ${modules_prefix}/modules/mod_cgi.so -LoadModule unixd_module ${modules_prefix}/modules/mod_unixd.so -LoadModule session_module ${modules_prefix}/modules/mod_session.so -#LoadModule session_crypto_module ${modules_prefix}/modules/mod_session_crypto.so -LoadModule session_cookie_module ${modules_prefix}/modules/mod_session_cookie.so -LoadModule slotmem_shm_module ${modules_prefix}/modules/mod_slotmem_shm.so -LoadModule ratelimit_module ${modules_prefix}/modules/mod_ratelimit.so -LoadModule reqtimeout_module ${modules_prefix}/modules/mod_reqtimeout.so +# Load configured MPM +Include conf/mpm.conf -LoadModule mod_tuscany_ssltunnel $here/libmod_tuscany_ssltunnel.so -LoadModule mod_tuscany_openauth $here/libmod_tuscany_openauth.so +# Load required modules +Include conf/modules.conf # Basic security precautions User $user @@ -179,22 +136,98 @@ RewriteCond %{HTTP_HOST} !^$host [NC] RewriteRule .* http://$host:$pport%{REQUEST_URI} [R,L] Include conf/svhost.conf + +# Allow access to document root +<Directory "$htdocs"> +Options FollowSymLinks +AuthType None +Require all granted +</Directory> + +# Allow access to root location +<Location /> +Options FollowSymLinks +AuthType None +Require all granted +</Location> + </VirtualHost> EOF +# Run with the prefork MPM +cat >$root/conf/mpm.conf <<EOF +# Generated by: httpd-conf $* +LoadModule mpm_prefork_module ${modules_prefix}/modules/mod_mpm_prefork.so + +EOF + +# Generate modules list +cat >$root/conf/modules.conf <<EOF +# Generated by: httpd-conf $* +# Load a minimal set of modules, the load order is important +# (e.g. load mod_headers before mod_rewrite, so its hooks execute +# after mod_rewrite's hooks) +LoadModule alias_module ${modules_prefix}/modules/mod_alias.so +LoadModule authn_file_module ${modules_prefix}/modules/mod_authn_file.so +LoadModule authn_core_module ${modules_prefix}/modules/mod_authn_core.so +LoadModule authz_host_module ${modules_prefix}/modules/mod_authz_host.so +LoadModule authz_groupfile_module ${modules_prefix}/modules/mod_authz_groupfile.so +LoadModule authz_user_module ${modules_prefix}/modules/mod_authz_user.so +LoadModule authz_core_module ${modules_prefix}/modules/mod_authz_core.so +LoadModule auth_basic_module ${modules_prefix}/modules/mod_auth_basic.so +LoadModule auth_digest_module ${modules_prefix}/modules/mod_auth_digest.so +LoadModule auth_form_module ${modules_prefix}/modules/mod_auth_form.so +LoadModule request_module ${modules_prefix}/modules/mod_request.so +LoadModule deflate_module ${modules_prefix}/modules/mod_deflate.so +LoadModule filter_module ${modules_prefix}/modules/mod_filter.so +LoadModule proxy_module ${modules_prefix}/modules/mod_proxy.so +LoadModule proxy_connect_module ${modules_prefix}/modules/mod_proxy_connect.so +LoadModule proxy_http_module ${modules_prefix}/modules/mod_proxy_http.so +LoadModule proxy_balancer_module ${modules_prefix}/modules/mod_proxy_balancer.so +LoadModule lbmethod_byrequests_module ${modules_prefix}/modules/mod_lbmethod_byrequests.so +LoadModule headers_module ${modules_prefix}/modules/mod_headers.so +LoadModule ssl_module ${modules_prefix}/modules/mod_ssl.so +LoadModule socache_shmcb_module ${modules_prefix}/modules/mod_socache_shmcb.so +LoadModule rewrite_module ${modules_prefix}/modules/mod_rewrite.so +LoadModule mime_module ${modules_prefix}/modules/mod_mime.so +LoadModule status_module ${modules_prefix}/modules/mod_status.so +LoadModule asis_module ${modules_prefix}/modules/mod_asis.so +LoadModule negotiation_module ${modules_prefix}/modules/mod_negotiation.so +LoadModule dir_module ${modules_prefix}/modules/mod_dir.so +LoadModule setenvif_module ${modules_prefix}/modules/mod_setenvif.so +<IfModule !log_config_module> +LoadModule log_config_module ${modules_prefix}/modules/mod_log_config.so +</IfModule> +LoadModule logio_module ${modules_prefix}/modules/mod_logio.so +LoadModule usertrack_module ${modules_prefix}/modules/mod_usertrack.so +LoadModule vhost_alias_module ${modules_prefix}/modules/mod_vhost_alias.so +LoadModule cgi_module ${modules_prefix}/modules/mod_cgi.so +LoadModule unixd_module ${modules_prefix}/modules/mod_unixd.so +LoadModule session_module ${modules_prefix}/modules/mod_session.so +#LoadModule session_crypto_module ${modules_prefix}/modules/mod_session_crypto.so +LoadModule session_cookie_module ${modules_prefix}/modules/mod_session_cookie.so +LoadModule slotmem_shm_module ${modules_prefix}/modules/mod_slotmem_shm.so +LoadModule ratelimit_module ${modules_prefix}/modules/mod_ratelimit.so +LoadModule reqtimeout_module ${modules_prefix}/modules/mod_reqtimeout.so + +LoadModule mod_tuscany_ssltunnel $here/libmod_tuscany_ssltunnel.so +LoadModule mod_tuscany_openauth $here/libmod_tuscany_openauth.so + +EOF + # Generate auth configuration cat >$root/conf/auth.conf <<EOF # Generated by: httpd-conf $* # Authentication configuration -# Allow access to document root +# Allow authorized access to document root <Directory "$htdocs"> Options FollowSymLinks Require all granted </Directory> -# Allow access to root location +# Allow authorized access to root location <Location /> Options FollowSymLinks Require all granted diff --git a/sca-cpp/trunk/samples/store-python/redirect b/sca-cpp/trunk/modules/http/httpd-event-conf index f73b342bf8..58923d9dd9 100755 --- a/sca-cpp/trunk/samples/store-python/redirect +++ b/sca-cpp/trunk/modules/http/httpd-event-conf @@ -17,7 +17,19 @@ # specific language governing permissions and limitations # under the License. -# Redirect ports 80 and 443 -../../ubuntu/ip-redirect-all 80 8090 -../../ubuntu/ip-redirect-all 443 8453 +# Configure HTTPD to run with the event MPM +here=`readlink -f $0`; here=`dirname $here` +mkdir -p $1 +root=`readlink -f $1` + +modules_prefix=`cat $here/httpd-modules.prefix` + +mkdir -p $root +mkdir -p $root/conf +cat >$root/conf/mpm.conf <<EOF +# Generated by: httpd-event-conf $* +# Use HTTPD event MPM +LoadModule mpm_event_module ${modules_prefix}/modules/mod_mpm_event.so + +EOF diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf index 94352ca344..0a73809fa5 100755 --- a/sca-cpp/trunk/modules/http/httpd-ssl-conf +++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf @@ -29,7 +29,7 @@ port=`$here/httpd-addr port $gport` pport=`$here/httpd-addr pport $gport` sslpport=`$here/httpd-addr pport $2` -ssllisten=`$here/httpd-addr listen $2` +sslport=`$here/httpd-addr listen $2` sslvhost=`$here/httpd-addr vhost $2` htdocs=`echo $conf | awk '{ print $8 }'` @@ -56,7 +56,7 @@ SSLRandomSeed startup builtin SSLRandomSeed connect builtin # Listen on HTTPS port -Listen $ssllisten +Listen $sslport # HTTPS virtual host <VirtualHost $sslvhost> @@ -73,9 +73,6 @@ Require user admin </VirtualHost> -# Report extended server status -ExtendedStatus On - EOF # Generate HTTP vhost configuration @@ -115,17 +112,11 @@ SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth -# Verify client certificates -SSLVerifyClient optional -SSLVerifyDepth 1 - -# Enable SSL proxy engine -SSLProxyEngine on -SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL - -# Verify server certificates -SSLProxyVerify require -SSLProxyVerifyDepth 1 +# Require clients to use SSL and authenticate +<Location /> +SSLRequireSSL +SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 +</Location> # Log SSL requests # [timestamp] [sslaccess] remote-host remote-ident remote-user SSL-protocol @@ -137,81 +128,6 @@ CustomLog $root/logs/ssl_access_log sslcombined EOF -# Generate HTTPS authentication requirement -cat >>$root/conf/vhost-ssl.conf <<EOF -<Location /> -# Require clients to use SSL and authenticate -SSLRequireSSL -SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 - -EOF - -proxyconf=`cat $root/conf/vhost.conf | grep "# Generated by: proxy-conf"` -if [ "$proxyconf" != "" ]; then - cat >>$root/conf/vhost-ssl.conf <<EOF -# Forward received SSL client certificate info in proxied requests -RewriteEngine on -RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}] -RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}] -RewriteCond %{SSL:SSL_CLIENT_I_DN} !="" -RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}] -RewriteCond %{SSL:SSL_CLIENT_S_DN} !="" -RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}] -RewriteCond %{SSL:SSL_CLIENT_I_DN_O} !="" -RewriteRule .* - [E=SSL_I_DN_O:%{SSL:SSL_CLIENT_I_DN_O}] -RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} !="" -RewriteRule .* - [E=SSL_S_DN_OU:%{SSL:SSL_CLIENT_S_DN_OU}] -RequestHeader unset X-Forwarded-SSL-Protocol -RequestHeader unset X-Forwarded-SSL-Cipher -RequestHeader unset X-Forwarded-SSL-Issuer-DN -RequestHeader unset X-Forwarded-SSL-Client-DN -RequestHeader unset X-Forwarded-SSL-Issuer-DN-O -RequestHeader unset X-Forwarded-SSL-Client-DN-OU -RequestHeader set X-Forwarded-SSL-Protocol %{SSL_PROTOCOL}e env=SSL_PROTOCOL -RequestHeader set X-Forwarded-SSL-Cipher %{SSL_CIPHER}e env=SSL_CIPHER -RequestHeader set X-Forwarded-SSL-Issuer-DN %{SSL_I_DN}e env=SSL_I_DN -RequestHeader set X-Forwarded-SSL-Client-DN %{SSL_S_DN}e env=SSL_S_DN -RequestHeader set X-Forwarded-SSL-Issuer-DN-O %{SSL_I_DN_O}e env=SSL_I_DN_O -RequestHeader set X-Forwarded-SSL-Client-DN-OU %{SSL_S_DN_OU}e env=SSL_S_DN_OU - -EOF -else - cat >>$root/conf/vhost-ssl.conf <<EOF - -# Record received SSL client certificate info in environment vars -RewriteEngine on -RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}] -RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}] -RewriteCond %{SSL:SSL_CLIENT_I_DN} !="" -RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}] -RewriteCond %{SSL:SSL_CLIENT_S_DN} !="" -RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}] - -# Store the client certificate DN in the SSL_REMOTE_USER var, -# that's similar to the SSLUserName directive but more flexible as -# it can pick a client certificate DN forwarded by a proxy -RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org" -RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "server" -RewriteRule .* - [E=SSL_REMOTE_USER:%{SSL:SSL_CLIENT_S_DN}] - -RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org" -RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "tunnel" -RewriteRule .* - [E=SSL_REMOTE_USER:%{SSL:SSL_CLIENT_S_DN}] - -RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org" -RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "proxy" -RewriteCond %{HTTP:X-Forwarded-SSL-Issuer-DN-O} "$org" -RewriteCond %{HTTP:X-Forwarded-SSL-Client-DN-OU} "server" -RewriteRule .* - [E=SSL_REMOTE_USER:%{HTTP:X-Forwarded-SSL-Client-DN}] - -EOF -fi - -cat >>$root/conf/vhost-ssl.conf <<EOF -</Location> - -EOF - proxycert="server" if [ "$proxyconf" != "" ]; then proxycert="proxy" @@ -228,10 +144,6 @@ SSLCertificateChainFile "$root/cert/ca.crt" SSLCertificateFile "$root/cert/server.crt" SSLCertificateKeyFile "$root/cert/server.key" -# Declare proxy SSL client certificates -SSLProxyCACertificateFile "$root/cert/ca.crt" -SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem" - EOF cat >$root/conf/dvhost-ssl.conf <<EOF @@ -251,8 +163,3 @@ SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem" EOF -# Configure user for HTTP fake basic auth -cat >$root/conf/httpd.passwd <<EOF -/C=US/ST=CA/L=San Francisco/O=$host/OU=server/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/ -EOF - diff --git a/sca-cpp/trunk/modules/http/httpd-worker-conf b/sca-cpp/trunk/modules/http/httpd-worker-conf new file mode 100755 index 0000000000..bb6bca4562 --- /dev/null +++ b/sca-cpp/trunk/modules/http/httpd-worker-conf @@ -0,0 +1,35 @@ +#!/bin/sh + +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +# Configure HTTPD to run with the worker MPM +here=`readlink -f $0`; here=`dirname $here` +mkdir -p $1 +root=`readlink -f $1` + +modules_prefix=`cat $here/httpd-modules.prefix` + +mkdir -p $root +mkdir -p $root/conf +cat >$root/conf/mpm.conf <<EOF +# Generated by: httpd-worker-conf $* +# Use HTTPD worker MPM +LoadModule mpm_worker_module ${modules_prefix}/modules/mod_mpm_worker.so + +EOF + diff --git a/sca-cpp/trunk/modules/http/mod-ssltunnel.cpp b/sca-cpp/trunk/modules/http/mod-ssltunnel.cpp index f5539ce785..d2c53b462e 100644 --- a/sca-cpp/trunk/modules/http/mod-ssltunnel.cpp +++ b/sca-cpp/trunk/modules/http/mod-ssltunnel.cpp @@ -111,55 +111,55 @@ int postConfig(apr_pool_t* p, unused apr_pool_t* plog, unused apr_pool_t* ptemp, /** * Close a connection. */ -extern "C" { - AP_DECLARE(void) ap_lingering_close(conn_rec *c); -} - -const int close(conn_rec* conn) { +const int close(conn_rec* conn, apr_socket_t* csock) { debug("modssltunnel::close"); - ap_lingering_close(conn); + apr_socket_close(csock); + conn->aborted = 1; return OK; } /** * Abort a connection. */ -const int abort(unused conn_rec* conn, const string& reason) { +const int abort(conn_rec* conn, apr_socket_t* csock, const string& reason) { debug("modssltunnel::abort"); + apr_socket_close(csock); + conn->aborted = 1; return httpd::reportStatus(mkfailure<int>(reason)); } /** * Tunnel traffic from a client connection to a target URL. */ -int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const string& preamble, const gc_pool& p, unused ap_filter_t* ifilter, ap_filter_t* ofilter) { +int tunnel(conn_rec* conn, const string& ca, const string& cert, const string& key, const string& url, const string& preamble, const gc_pool& p, unused ap_filter_t* ifilter, ap_filter_t* ofilter) { + + // Create input/output bucket brigades + apr_bucket_brigade* ib = apr_brigade_create(pool(p), conn->bucket_alloc); + apr_bucket_brigade* ob = apr_brigade_create(pool(p), conn->bucket_alloc); // Get client connection socket apr_socket_t* csock = (apr_socket_t*)ap_get_module_config(conn->conn_config, &core_module); // Open connection to target + http::CURLSession cs(ca, cert, key); const failable<bool> crc = http::connect(url, cs); if (!hasContent(crc)) - return abort(conn, reason(crc)); + return abort(conn, csock, reason(crc)); apr_socket_t* tsock = http::sock(cs); - // Send preamble string + // Send preamble if (length(preamble) != 0) { - debug(preamble, "modssltunnel::tunnel::sendToTarget"); + debug(preamble, "modssltunnel::tunnel::sendPreambleToTarget"); const failable<bool> src = http::send(c_str(preamble), length(preamble), cs); if (!hasContent(src)) - return abort(conn, string("Couldn't send to target: ") + reason(src)); + return abort(conn, csock, string("Couldn't send to target: ") + reason(src)); } - // Create input/output bucket brigades - apr_bucket_brigade* ib = apr_brigade_create(pool(p), conn->bucket_alloc); - apr_bucket_brigade* ob = apr_brigade_create(pool(p), conn->bucket_alloc); - // Create a pollset for the client and target sockets apr_pollset_t* pollset; apr_status_t cprc = apr_pollset_create(&pollset, 2, pool(p), 0); if (cprc != APR_SUCCESS) - return abort(conn, http::apreason(cprc)); + return abort(conn, csock, http::apreason(cprc)); const apr_pollfd_t* cpollfd = http::pollfd(csock, APR_POLLIN, p); apr_pollset_add(pollset, cpollfd); const apr_pollfd_t* tpollfd = http::pollfd(tsock, APR_POLLIN, p); @@ -176,7 +176,7 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin // Receive buckets from client const apr_status_t getrc = ap_get_brigade(conn->input_filters, ib, AP_MODE_READBYTES, APR_BLOCK_READ, HUGE_STRING_LEN); if (getrc != APR_SUCCESS) - return OK; + return abort(conn, csock, string("Couldn't receive from client")); for (apr_bucket* bucket = APR_BRIGADE_FIRST(ib); bucket != APR_BRIGADE_SENTINEL(ib); bucket = APR_BUCKET_NEXT(bucket)) { if (APR_BUCKET_IS_FLUSH(bucket)) @@ -184,7 +184,7 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin // Client connection closed if (APR_BUCKET_IS_EOS(bucket)) - return close(conn); + return close(conn, csock); const char *data; apr_size_t rl; @@ -195,7 +195,7 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin // Send to target const failable<bool> src = http::send(data, rl, cs); if (!hasContent(src)) - return abort(conn, string("Couldn't send to target: ") + reason(src)); + return abort(conn, csock, string("Couldn't send to target: ") + reason(src)); } } apr_brigade_cleanup(ib); @@ -205,18 +205,19 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin char data[8192]; const failable<size_t> frl = http::recv(data, sizeof(data), cs); if (!hasContent(frl)) - return abort(conn, string("Couldn't receive from target") + reason(frl)); + return abort(conn, csock, string("Couldn't receive from target") + reason(frl)); const size_t rl = content(frl); // Target connection closed if (rl == 0) - return close(conn); + return close(conn, csock); // Send bucket to client + debug(string(data, rl), "modssltunnel::tunnel::sendToClient"); APR_BRIGADE_INSERT_TAIL(ob, apr_bucket_transient_create(data, rl, conn->bucket_alloc)); APR_BRIGADE_INSERT_TAIL(ob, apr_bucket_flush_create(conn->bucket_alloc)); if (ap_pass_brigade(ofilter, ob) != APR_SUCCESS) - return abort(conn, "Couldn't send data bucket to client"); + return abort(conn, csock, "Couldn't send data bucket to client"); apr_brigade_cleanup(ob); } } @@ -224,9 +225,9 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin // Error if (pollfds->rtnevents & (APR_POLLERR | APR_POLLHUP | APR_POLLNVAL)) { if (pollfds->desc.s == csock) - return abort(conn, "Couldn't receive from client"); + return abort(conn, csock, "Couldn't receive from client"); else - return abort(conn, "Couldn't receive from target"); + return abort(conn, csock, "Couldn't receive from target"); } } @@ -234,12 +235,12 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin debug("modssltunnel::tunnel::poll"); apr_status_t pollrc = apr_pollset_poll(pollset, -1, &pollcount, &pollfds); if (pollrc != APR_SUCCESS) - return abort(conn, "Couldn't poll sockets"); + return abort(conn, csock, "Couldn't poll sockets"); debug(pollcount, "modssltunnel::tunnel::pollfds"); } // Close client connection - return close(conn); + return close(conn, csock); } /** @@ -269,13 +270,10 @@ int processConnection(conn_rec *conn) { return DECLINED; debug(sc.pass, "modssltunnel::processConnection::pass"); - // Create the target connection - http::CURLSession cs(sc.ca, sc.cert, sc.key); - // Run the tunnel const string preamble = string("SSLTUNNEL ") + sc.path + string(" HTTP/1.1\r\nHost: ") + sc.host + string("\r\n\r\n"); debug(preamble, "modssltunnel::processConnection::preamble"); - return tunnel(conn, cs, sc.pass, preamble, gc_pool(conn->pool), connectionFilter(conn->input_filters), connectionFilter(conn->output_filters)); + return tunnel(conn, sc.ca, sc.cert, sc.key, sc.pass, preamble, gc_pool(conn->pool), connectionFilter(conn->input_filters), connectionFilter(conn->output_filters)); } /** @@ -295,11 +293,8 @@ int handler(request_rec* r) { const string url = string(cadr(path)) + ":" + caddr(path); debug(url, "modssltunnel::handler::target"); - // Create the target connection - http::CURLSession cs("", "", ""); - // Run the tunnel - return tunnel(r->connection, cs, url, "", gc_pool(r->pool), connectionFilter(r->proto_input_filters), connectionFilter(r->proto_output_filters)); + return tunnel(r->connection, "", "", "", url, "", gc_pool(r->pool), connectionFilter(r->proto_input_filters), connectionFilter(r->proto_output_filters)); } /** diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-conf b/sca-cpp/trunk/modules/http/proxy-ssl-conf index 12340f9921..f5e2bfc4a4 100755 --- a/sca-cpp/trunk/modules/http/proxy-ssl-conf +++ b/sca-cpp/trunk/modules/http/proxy-ssl-conf @@ -24,10 +24,16 @@ root=`readlink -f $1` cat >>$root/conf/vhost-ssl.conf <<EOF # Generated by: proxy-ssl-conf $* -# Enable HTTPS proxy +# Enable HTTPS reverse proxy ProxyRequests Off ProxyPreserveHost On ProxyStatus On +SSLProxyEngine on +SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL + +# Verify server certificates +SSLProxyVerify require +SSLProxyVerifyDepth 1 # Enable load balancing ProxyPass /balancer-manager ! @@ -47,3 +53,20 @@ Require user admin EOF +cat >>$root/conf/svhost-ssl.conf <<EOF +# Generated by: proxy-ssl-conf $* +# Declare proxy SSL client certificates +SSLProxyCACertificateFile "$root/cert/ca.crt" +SSLProxyMachineCertificateFile "$root/cert/proxy.pem" + +EOF + +cat >>$root/conf/dvhost-ssl.conf <<EOF +# Generated by: proxy-ssl-conf $* + +# Declare proxy SSL client certificates +SSLProxyCACertificateFile "$root/cert/ca.crt" +SSLProxyMachineCertificateFile "$root/cert/proxy.pem" + +EOF + diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf index 3cc231a0a1..b6bf055ad8 100755 --- a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf +++ b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf @@ -25,7 +25,15 @@ root=`readlink -f $1` host=$2 sslport=`$here/httpd-addr port $3` -cat >>$root/conf/vhost-ssl.conf <<EOF +cat >>$root/conf/svhost-ssl.conf <<EOF +# Generated by: proxy-ssl-member-conf $* +# Add proxy balancer member +BalancerMember balancer://sslcluster https://$host:$sslport +ProxyPassReverse / https://$host:$sslport/ + +EOF + +cat >>$root/conf/dvhost-ssl.conf <<EOF # Generated by: proxy-ssl-member-conf $* # Add proxy balancer member BalancerMember balancer://sslcluster https://$host:$sslport diff --git a/sca-cpp/trunk/modules/http/vhost-conf b/sca-cpp/trunk/modules/http/vhost-conf index a6d54fa32a..f45d448906 100755 --- a/sca-cpp/trunk/modules/http/vhost-conf +++ b/sca-cpp/trunk/modules/http/vhost-conf @@ -44,6 +44,21 @@ ServerAlias *.$host VirtualDocumentRoot $htdocs/domains/%1/ Include conf/dvhost.conf + +# Allow access to document root +<Directory "$htdocs"> +Options FollowSymLinks +AuthType None +Require all granted +</Directory> + +# Allow access to root location +<Location /> +Options FollowSymLinks +AuthType None +Require all granted +</Location> + </VirtualHost> EOF diff --git a/sca-cpp/trunk/modules/http/vhost-ssl-conf b/sca-cpp/trunk/modules/http/vhost-ssl-conf index 17434b9782..36b2a15412 100755 --- a/sca-cpp/trunk/modules/http/vhost-ssl-conf +++ b/sca-cpp/trunk/modules/http/vhost-ssl-conf @@ -38,16 +38,16 @@ htdocs=`readlink -f $htdocs` cat >>$root/conf/httpd.conf <<EOF # Generated by: vhost-ssl-conf $* # Enable mass dynamic virtual hosting over HTTPS -NameVirtualHost $sslvhost SSLStrictSNIVHostCheck Off +# HTTPS dynamic virtual host +NameVirtualHost $sslvhost <VirtualHost $sslvhost> ServerName https://vhost.$host:$sslpport ServerAlias *.$host VirtualDocumentRoot $htdocs/domains/%1/ Include conf/dvhost-ssl.conf -</VirtualHost> -EOF +</VirtualHost> diff --git a/sca-cpp/trunk/modules/java/java-conf b/sca-cpp/trunk/modules/java/java-conf index 0290c864e5..cf5faddb84 100755 --- a/sca-cpp/trunk/modules/java/java-conf +++ b/sca-cpp/trunk/modules/java/java-conf @@ -22,7 +22,7 @@ here=`readlink -f $0`; here=`dirname $here` mkdir -p $1 root=`readlink -f $1` -cat >>$root/conf/httpd.conf <<EOF +cat >>$root/conf/modules.conf <<EOF # Generated by: java-conf $* # Support for Java SCA components LoadModule mod_tuscany_eval $here/libmod_tuscany_java.so diff --git a/sca-cpp/trunk/modules/oauth/oauth-conf b/sca-cpp/trunk/modules/oauth/oauth-conf index 4ac231a55b..dc3a6ebc9d 100755 --- a/sca-cpp/trunk/modules/oauth/oauth-conf +++ b/sca-cpp/trunk/modules/oauth/oauth-conf @@ -26,12 +26,16 @@ conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"` host=`echo $conf | awk '{ print $6 }'` # Configure HTTPD mod_tuscany_oauth module -cat >>$root/conf/auth.conf <<EOF +cat >>$root/conf/modules.conf <<EOF # Generated by: oauth-conf $* # Load support for OAuth authentication LoadModule mod_tuscany_oauth1 $here/libmod_tuscany_oauth1.so LoadModule mod_tuscany_oauth2 $here/libmod_tuscany_oauth2.so +EOF + +cat >>$root/conf/auth.conf <<EOF +# Generated by: oauth-conf $* # Enable OAuth authentication <Location /> AuthType Open diff --git a/sca-cpp/trunk/modules/openid/openid-conf b/sca-cpp/trunk/modules/openid/openid-conf index 1d208784de..1a5739b5aa 100755 --- a/sca-cpp/trunk/modules/openid/openid-conf +++ b/sca-cpp/trunk/modules/openid/openid-conf @@ -27,11 +27,15 @@ host=`echo $conf | awk '{ print $6 }'` openid_prefix=`cat $here/openid.prefix` # Configure OpenID authentication -cat >>$root/conf/auth.conf <<EOF +cat >>$root/conf/modules.conf <<EOF # Generated by: openid-conf $* # Load support for OpenID authentication LoadModule authopenid_module $openid_prefix/modules/mod_auth_openid.so +EOF + +cat >>$root/conf/auth.conf <<EOF +# Generated by: openid-conf $* # Enable OpenID authentication <Location /> AuthType Open diff --git a/sca-cpp/trunk/modules/python/python-conf b/sca-cpp/trunk/modules/python/python-conf index 4c0cf8b4ca..a5b45357fc 100755 --- a/sca-cpp/trunk/modules/python/python-conf +++ b/sca-cpp/trunk/modules/python/python-conf @@ -22,7 +22,7 @@ here=`readlink -f $0`; here=`dirname $here` mkdir -p $1 root=`readlink -f $1` -cat >>$root/conf/httpd.conf <<EOF +cat >>$root/conf/modules.conf <<EOF # Generated by: python-conf $* # Support for Python SCA components LoadModule mod_tuscany_eval $here/libmod_tuscany_python.so diff --git a/sca-cpp/trunk/modules/server/cpp-conf b/sca-cpp/trunk/modules/server/cpp-conf index 62339bd4bc..086bb49d38 100755 --- a/sca-cpp/trunk/modules/server/cpp-conf +++ b/sca-cpp/trunk/modules/server/cpp-conf @@ -22,7 +22,7 @@ here=`readlink -f $0`; here=`dirname $here` mkdir -p $1 root=`readlink -f $1` -cat >>$root/conf/httpd.conf <<EOF +cat >>$root/conf/modules.conf <<EOF # Generated by: cpp-conf $* # Support for C++ SCA components LoadModule mod_tuscany_eval $here/libmod_tuscany_eval.so diff --git a/sca-cpp/trunk/modules/server/scheme-conf b/sca-cpp/trunk/modules/server/scheme-conf index 454cab424b..cd3c82b280 100755 --- a/sca-cpp/trunk/modules/server/scheme-conf +++ b/sca-cpp/trunk/modules/server/scheme-conf @@ -22,7 +22,7 @@ here=`readlink -f $0`; here=`dirname $here` mkdir -p $1 root=`readlink -f $1` -cat >>$root/conf/httpd.conf <<EOF +cat >>$root/conf/modules.conf <<EOF # Generated by: scheme-conf $* # Support for Scheme SCA components LoadModule mod_tuscany_eval $here/libmod_tuscany_eval.so diff --git a/sca-cpp/trunk/modules/server/server-conf b/sca-cpp/trunk/modules/server/server-conf index e790a147e0..5a77125463 100755 --- a/sca-cpp/trunk/modules/server/server-conf +++ b/sca-cpp/trunk/modules/server/server-conf @@ -41,11 +41,15 @@ if [ "$sslconf" != "" ]; then servername="https://$host:$sslpport" fi -cat >>$root/conf/httpd.conf <<EOF +cat >>$root/conf/modules.conf <<EOF # Generated by: server-conf $* # Support for SCA component wiring LoadModule mod_tuscany_wiring $here/libmod_tuscany_wiring.so +EOF + +cat >>$root/conf/httpd.conf <<EOF +# Generated by: server-conf $* # Route all wiring through the configured server name SCAWiringServerName $servername diff --git a/sca-cpp/trunk/samples/store-cluster/proxy-conf b/sca-cpp/trunk/samples/store-cluster/proxy-conf index 5a61f13399..b60e7ba7f9 100755 --- a/sca-cpp/trunk/samples/store-cluster/proxy-conf +++ b/sca-cpp/trunk/samples/store-cluster/proxy-conf @@ -26,6 +26,7 @@ set -x ../../modules/http/httpd-conf $root sca-store.com $port/80 $root/htdocs ../../modules/http/vhost-conf $root ../../modules/http/proxy-conf $root +../../modules/http/httpd-event-conf $root # Aggregate proxy balancer logs category=`basename $root` diff --git a/sca-cpp/trunk/samples/store-cluster/proxy-ssl-conf b/sca-cpp/trunk/samples/store-cluster/proxy-ssl-conf index 3379a3c789..fc329f0d18 100755 --- a/sca-cpp/trunk/samples/store-cluster/proxy-ssl-conf +++ b/sca-cpp/trunk/samples/store-cluster/proxy-ssl-conf @@ -24,11 +24,12 @@ sslport=$3 set -x # Configure an SSL-enabled proxy balancer -../../modules/http/httpd-conf $root sca-store.com $port/80 $root/htdocs +../../modules/http/httpd-conf $root sca-store.com $port $root/htdocs ../../modules/http/vhost-conf $root ../../modules/http/proxy-conf $root +../../modules/http/httpd-event-conf $root tar -C tmp/ssl -c `../../modules/http/ssl-cert-find tmp/ssl` | tar -C $root -x -../../modules/http/httpd-ssl-conf $root $sslport/443 +../../modules/http/httpd-ssl-conf $root $sslport ../../modules/http/vhost-ssl-conf $root ../../modules/http/proxy-ssl-conf $root diff --git a/sca-cpp/trunk/samples/store-cluster/server-ssl-conf b/sca-cpp/trunk/samples/store-cluster/server-ssl-conf index 8799fbdf6d..70662daab2 100755 --- a/sca-cpp/trunk/samples/store-cluster/server-ssl-conf +++ b/sca-cpp/trunk/samples/store-cluster/server-ssl-conf @@ -24,14 +24,13 @@ sslport=$3 set -x # Configure an SSL-enabled app server -../../modules/http/httpd-conf $root sca-store.com $port/80 htdocs +../../modules/http/httpd-conf $root sca-store.com $port htdocs ../../modules/http/vhost-conf $root tar -C tmp/ssl -c `../../modules/http/ssl-cert-find tmp/ssl` | tar -C $root -x -../../modules/http/httpd-ssl-conf $root $sslport/443 +../../modules/http/httpd-ssl-conf $root $sslport ../../modules/http/vhost-ssl-conf $root -#../../modules/http/basic-auth-conf $root ../../modules/oauth/oauth-conf $root ../../modules/oauth/oauth-memcached-conf $root localhost 11211 ../../modules/oauth/oauth-memcached-conf $root localhost 11212 @@ -41,6 +40,7 @@ tar -C tmp/ssl -c `../../modules/http/ssl-cert-find tmp/ssl` | tar -C $root -x ../../modules/openid/openid-memcached-conf $root localhost 11211 ../../modules/openid/openid-memcached-conf $root localhost 11212 ../../modules/openid/openid-memcached-conf $root localhost 11213 +../../modules/http/open-auth-conf $root ../../modules/server/server-conf $root ../../modules/python/python-conf $root diff --git a/sca-cpp/trunk/samples/store-cluster/server-test b/sca-cpp/trunk/samples/store-cluster/server-test index 7f6ff4ead6..68856f530e 100755 --- a/sca-cpp/trunk/samples/store-cluster/server-test +++ b/sca-cpp/trunk/samples/store-cluster/server-test @@ -17,6 +17,9 @@ # specific language governing permissions and limitations # under the License. +# For this test to work, add the test domain to your etc/hosts as follows: +# 127.0.0.1 sca-store.com joe.sca-store.com joe.sca-store.com + echo "Testing..." here=`readlink -f $0`; here=`dirname $here` curl_prefix=`cat $here/../../modules/http/curl.prefix` @@ -25,10 +28,6 @@ curl_prefix=`cat $here/../../modules/http/curl.prefix` ./start sleep 2 -# For this test to work, add the test domain to your etc/hosts as follows: -# 127.0.0.1 sca-store.com joe.sca-store.com joe.sca-store.com -# then run ../../ubuntu/ip-redirect-all 80 8091 - # Test HTTP GET $curl_prefix/bin/curl http://joe.sca-store.com/ 2>/dev/null >tmp/index.html diff tmp/index.html htdocs/domains/joe/index.html diff --git a/sca-cpp/trunk/samples/store-cluster/ssl-start b/sca-cpp/trunk/samples/store-cluster/ssl-start index 13a462bd49..f80bb075d6 100755 --- a/sca-cpp/trunk/samples/store-cluster/ssl-start +++ b/sca-cpp/trunk/samples/store-cluster/ssl-start @@ -19,15 +19,29 @@ set -x +# Redirect traffic from ports 80, 443 and 444 to proxy1 +sudo ../../ubuntu/ip-redirect-all 80 8090 +sudo ../../ubuntu/ip-redirect-all 443 8091 +sudo ../../ubuntu/ip-redirect-all 444 8092 + +# Redirect traffic from ports 80, 443 and 444 to proxy2 +#sudo ../../ubuntu/ip-redirect-all 80 8093 +#sudo ../../ubuntu/ip-redirect-all 443 8094 +#sudo ../../ubuntu/ip-redirect-all 444 8095 + +# Redirect traffic from ports 119 and 563 to tunnel +sudo ../../ubuntu/ip-redirect-all 119 8119 +sudo ../../ubuntu/ip-redirect-all 563 8563 + # Generate SSL certificates ../../modules/http/ssl-ca-conf tmp/ssl sca-store.com -../../modules/http/ssl-cert-conf tmp/ssl sca-store.com server +../../modules/http/ssl-cert-conf tmp/ssl localhost server ../../modules/http/ssl-cert-conf tmp/ssl *.sca-store.com vhost ../../modules/http/ssl-cert-conf tmp/ssl sca-store.com proxy -../../modules/http/ssl-cert-conf tmp/ssl sca-store.com tunnel +../../modules/http/ssl-cert-conf tmp/ssl localhost tunnel # Start an SSL tunnel -./tunnel-ssl-conf tmp/tunnel 8119 8563 +./tunnel-ssl-conf tmp/tunnel 8119/119 8563/563 ../../modules/http/httpd-start tmp/tunnel sleep 1 @@ -74,20 +88,20 @@ sleep 1 ../../modules/http/httpd-start tmp/sqldb3 # Start three app servers -./server-ssl-conf tmp/server1 8101 8441 +./server-ssl-conf tmp/server1 8101/80 8441/443 ../../modules/http/httpd-start tmp/server1 sleep 1 -./server-ssl-conf tmp/server2 8102 8442 +./server-ssl-conf tmp/server2 8102/80 8442/443 ../../modules/http/httpd-start tmp/server2 sleep 1 -./server-ssl-conf tmp/server3 8103 8443 +./server-ssl-conf tmp/server3 8103/80 8443/443 ../../modules/http/httpd-start tmp/server3 sleep 1 # Start two proxy balancers -./proxy-ssl-conf tmp/proxy1 8091 8093 +./proxy-ssl-conf tmp/proxy1 8090/80 8091/443 ../../modules/http/proxy-member-conf tmp/proxy1 localhost 8101 ../../modules/http/proxy-ssl-member-conf tmp/proxy1 localhost 8441 ../../modules/http/proxy-member-conf tmp/proxy1 localhost 8102 @@ -96,7 +110,7 @@ sleep 1 ../../modules/http/proxy-ssl-member-conf tmp/proxy1 localhost 8443 ../../modules/http/httpd-start tmp/proxy1 -./proxy-ssl-conf tmp/proxy2 8092 8094 +./proxy-ssl-conf tmp/proxy2 8093/80 8094/443 ../../modules/http/proxy-member-conf tmp/proxy2 localhost 8101 ../../modules/http/proxy-ssl-member-conf tmp/proxy2 localhost 8441 ../../modules/http/proxy-member-conf tmp/proxy2 localhost 8102 @@ -105,15 +119,3 @@ sleep 1 ../../modules/http/proxy-ssl-member-conf tmp/proxy2 localhost 8443 ../../modules/http/httpd-start tmp/proxy2 -# Redirect traffic from ports 80 and 443 to proxy1 -#sudo ../../ubuntu/ip-redirect-all 80 8091 -#sudo ../../ubuntu/ip-redirect-all 443 8093 - -# Redirect traffic from ports 80 and 443 to proxy2 -#sudo ../../ubuntu/ip-redirect-all 80 8092 -#sudo ../../ubuntu/ip-redirect-all 443 8094 - -# Redirect traffic from ports 119 and 563 to tunnel -#sudo ../../ubuntu/ip-redirect-all 119 8119 -#sudo ../../ubuntu/ip-redirect-all 563 8563 - diff --git a/sca-cpp/trunk/samples/store-cluster/start b/sca-cpp/trunk/samples/store-cluster/start index 98293d3f98..67434d6a0e 100755 --- a/sca-cpp/trunk/samples/store-cluster/start +++ b/sca-cpp/trunk/samples/store-cluster/start @@ -19,6 +19,12 @@ set -x +# Redirect traffic from port 80 to proxy1 +sudo ../../ubuntu/ip-redirect-all 80 8090 + +# Redirect traffic from port 80 to proxy2 +#sudo ../../ubuntu/ip-redirect-all 80 8091 + # Start scribe logging ../../components/log/scribed-central-conf tmp/monitor ../../components/log/scribed-client-conf tmp/monitor localhost @@ -71,9 +77,3 @@ sleep 1 ../../modules/http/proxy-member-conf tmp/proxy2 localhost 8103 ../../modules/http/httpd-start tmp/proxy2 -# Redirect traffic from port 80 to proxy1 -#sudo ../../ubuntu/ip-redirect-all 80 8090 - -# Redirect traffic from port 80 to proxy2 -#sudo ../../ubuntu/ip-redirect-all 80 8091 - diff --git a/sca-cpp/trunk/samples/store-cluster/tunnel-ssl-conf b/sca-cpp/trunk/samples/store-cluster/tunnel-ssl-conf index ef3074691a..7a9a8ad305 100755 --- a/sca-cpp/trunk/samples/store-cluster/tunnel-ssl-conf +++ b/sca-cpp/trunk/samples/store-cluster/tunnel-ssl-conf @@ -24,7 +24,9 @@ sslport=$3 set -x # Configure an SSL-enabled tunnel server -../../modules/http/httpd-conf $root sca-store.com $port/119 $root/htdocs +../../modules/http/httpd-conf $root sca-store.com $port $root/htdocs +../../modules/http/httpd-event-conf $root tar -C tmp/ssl -c `../../modules/http/ssl-cert-find tmp/ssl` | tar -C $root -x -../../modules/http/httpd-ssl-conf $root $sslport/563 +../../modules/http/httpd-ssl-conf $root $sslport +../../modules/http/cert-auth-conf $root diff --git a/sca-cpp/trunk/samples/store-python/uec2-start b/sca-cpp/trunk/samples/store-python/uec2-start index af98e1ac7f..84c170e596 100755 --- a/sca-cpp/trunk/samples/store-python/uec2-start +++ b/sca-cpp/trunk/samples/store-python/uec2-start @@ -24,7 +24,7 @@ else host="localhost" fi -# Ports 80, 443, 8090, 8453 need to be open +# Ports 80, 443, 444, 8090, 8453, 8454 need to be open sudo ../../ubuntu/ip-redirect-all 80 8090 sudo ../../ubuntu/ip-redirect-all 443 8453 diff --git a/sca-cpp/trunk/samples/store-vhost/uec2-start b/sca-cpp/trunk/samples/store-vhost/uec2-start index c4720cafd5..b8a267d617 100755 --- a/sca-cpp/trunk/samples/store-vhost/uec2-start +++ b/sca-cpp/trunk/samples/store-vhost/uec2-start @@ -25,7 +25,7 @@ else host="sca-store.com" fi -# Ports 80, 443, 8090, 8453 need to be open +# Ports 80, 443, 444, 8090, 8453, 8454 need to be open sudo ../../ubuntu/ip-redirect-all 80 8090 sudo ../../ubuntu/ip-redirect-all 443 8453 diff --git a/sca-cpp/trunk/ubuntu/ip-redirect b/sca-cpp/trunk/ubuntu/ip-redirect index 93c60ccfb7..e78c63935b 100755 --- a/sca-cpp/trunk/ubuntu/ip-redirect +++ b/sca-cpp/trunk/ubuntu/ip-redirect @@ -26,8 +26,10 @@ tport=$2 dest=$3 # Redirect external incoming traffic -sudo /sbin/iptables -t nat -A PREROUTING --destination $dest -p tcp --dport $sport -j REDIRECT --to-port $tport +sudo /sbin/iptables -t nat -S PREROUTING | grep "\-d $dest/" | grep "\-p tcp" | grep "\-\-dport $sport" | grep "\-j REDIRECT" | sed "s/^-A/-D/" | awk -F "\t" '{ printf "sudo /sbin/iptables -t nat %s\n", $1 }' | /bin/sh +sudo /sbin/iptables -t nat -A PREROUTING --destination $dest -p tcp --dport $sport -j REDIRECT --to-ports $tport # Redirect local traffic as well -sudo /sbin/iptables -t nat -A OUTPUT --destination $dest -p tcp --dport $sport -j REDIRECT --to-port $tport +sudo /sbin/iptables -t nat -S OUTPUT | grep "\-d $dest/" | grep "\-p tcp" | grep "\-\-dport $sport" | grep "\-j REDIRECT" | sed "s/^-A/-D/" | awk -F "\t" '{ printf "sudo /sbin/iptables -t nat %s\n", $1 }' | /bin/sh +sudo /sbin/iptables -t nat -A OUTPUT --destination $dest -p tcp --dport $sport -j REDIRECT --to-ports $tport diff --git a/sca-cpp/trunk/ubuntu/ip-redirect-all b/sca-cpp/trunk/ubuntu/ip-redirect-all index aba5bc15ae..f796b0589e 100755 --- a/sca-cpp/trunk/ubuntu/ip-redirect-all +++ b/sca-cpp/trunk/ubuntu/ip-redirect-all @@ -22,5 +22,10 @@ here=`readlink -f $0`; here=`dirname $here` sport=$1 tport=$2 +# Cleanup existing rules +sudo /sbin/iptables -t nat -S PREROUTING | grep "\-p tcp" | grep "\-\-dport $sport" | grep "\-j REDIRECT" | sed "s/^-A/-D/" | awk -F "\t" '{ printf "sudo /sbin/iptables -t nat %s\n", $1 }' | /bin/sh +sudo /sbin/iptables -t nat -S OUTPUT | grep "\-p tcp" | grep "\-\-dport $sport" | grep "\-j REDIRECT" | sed "s/^-A/-D/" | awk -F "\t" '{ printf "sudo /sbin/iptables -t nat %s\n", $1 }' | /bin/sh + +# Redirect traffic /sbin/ifconfig | grep "inet addr:" | awk -F ":" '{ print $2 }' | awk '{ print $1 }' | xargs -i $here/ip-redirect $sport $tport {} diff --git a/sca-cpp/trunk/ubuntu/ubuntu-install-all b/sca-cpp/trunk/ubuntu/ubuntu-install-all index ab9244b30e..3cc582bc89 100755 --- a/sca-cpp/trunk/ubuntu/ubuntu-install-all +++ b/sca-cpp/trunk/ubuntu/ubuntu-install-all @@ -54,7 +54,7 @@ tar xzf httpd-2.3.8.tar.gz wget http://archive.apache.org/dist/httpd/httpd-2.3.8-deps.tar.gz tar xzf httpd-2.3.8-deps.tar.gz cd httpd-2.3.8 -./configure --enable-ssl --enable-proxy --enable-usertrack --enable-mods-shared=most --with-included-apr --with-expat=$build/expat-2.0.1-bin --with-mpm=prefork --prefix=$build/httpd-2.3.8-bin +./configure --enable-ssl --enable-proxy --enable-usertrack --enable-mods-shared=most --enable-mpms-shared="prefork worker event" --with-included-apr --with-expat=$build/expat-2.0.1-bin --with-mpm=prefork --prefix=$build/httpd-2.3.8-bin make make install if [ "$?" != "0" ]; then |