author | jsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68> | 2013-01-03 07:42:01 +0000 |
committer | jsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68> | 2013-01-03 07:42:01 +0000 |
commit | 4edb611792cbf0a3335631a181c15095e81e8afa (patch) | |
tree | 111cbec79d7b2861396fe886004f3be58635e99d | |
parent | d7069b5a2e7859ab14c5a909d5e5fc6bc84b80cb (diff) |
Minor changes to server config scripts to get auth and session management to behave the same with or without a proxy.
git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1428194 13f79535-47bb-0310-9956-ffa450edef68
-rwxr-xr-x | sca-cpp/trunk/modules/http/basic-auth-conf | 2 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/cert-auth-conf | 2 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/form-auth-conf | 28 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/httpd-conf | 23 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/httpd-ssl-conf | 11 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/open-auth-conf | 30 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/ssl-ca-conf | 5 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/js/js-conf | 4 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/oauth/oauth-conf | 2 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/oauth/oauth12-conf | 2 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/openid/openid-conf | 3 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/openid/openid-step2-conf | 1 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/server/server-conf | 2 |
13 files changed, 89 insertions, 26 deletions
diff --git a/sca-cpp/trunk/modules/http/basic-auth-conf b/sca-cpp/trunk/modules/http/basic-auth-conf
index 8710d1fdf7..3fe41e25d7 100755
--- a/sca-cpp/trunk/modules/http/basic-auth-conf
+++ b/sca-cpp/trunk/modules/http/basic-auth-conf
@@ -28,7 +28,7 @@ host=`echo $conf | awk '{ print $6 }'`
if [ "$2" = "" ]; then
providers="file"
else
- providers="$2 file"
+ providers="file $2"
fi
if [ "$3" = "" ]; then
diff --git a/sca-cpp/trunk/modules/http/cert-auth-conf b/sca-cpp/trunk/modules/http/cert-auth-conf
index a30fdfff8c..56ff9e6dfd 100755
--- a/sca-cpp/trunk/modules/http/cert-auth-conf
+++ b/sca-cpp/trunk/modules/http/cert-auth-conf
@@ -35,7 +35,7 @@ fi
if [ "$2" = "" ]; then
providers="file"
else
- providers="$2 file"
+ providers="file $2"
fi
# Disallow public access to server resources
diff --git a/sca-cpp/trunk/modules/http/form-auth-conf b/sca-cpp/trunk/modules/http/form-auth-conf
index fbe943f3d9..ba2f99dbf1 100755
--- a/sca-cpp/trunk/modules/http/form-auth-conf
+++ b/sca-cpp/trunk/modules/http/form-auth-conf
@@ -28,7 +28,7 @@ host=`echo $conf | awk '{ print $6 }'`
if [ "$2" = "" ]; then
providers="file"
else
- providers="$2 file"
+ providers="file $2"
fi
if [ "$3" = "" ]; then
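Review bot: The provider list now puts `file` first in basic-auth-conf, cert-auth-conf, form-auth-conf, open-auth-conf, oauth-conf and oauth12-conf, but neither the scripts nor the commit message record why the order matters, so the next edit is likely to swap it back; a comment above the assignment such as `# file provider listed first so httpd consults it before any caller-supplied providers` would pin the intent. The matching hunk in openid-conf is not just a reorder — it used to set `providers="$2"` and now always prepends `file`, which adds an authentication provider to every openid deployment that passes an explicit provider list, and that deserves a comment there or a sentence in the description. The enclosing script continues outside the hunk in each file.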
@@ -63,19 +63,41 @@ AuthFormProvider socache $providers
AuthnCacheProvideFor $providers
AuthnCacheContext /
AuthFormLoginRequiredLocation /login/
-AuthFormLogoutLocation /
Session On
-SessionCookieName TuscanyFormAuth domain=.$host; path=/
+SessionCookieName TuscanyFormAuth domain=.$host; path=/; secure; httponly
SessionCryptoPassphrase $pw
Require valid-user
</Location>
<Location /login/dologin>
SetHandler form-login-handler
+AuthType Form
+AuthName "$host"
+AuthFormProvider socache $providers
+AuthFormLoginRequiredLocation /login/?openauth_attempt=1
+Session On
+Require valid-user
</Location>
<Location /logout/dologout>
SetHandler form-logout-handler
+AuthType Form
+AuthName "$host"
+AuthFormLogoutLocation /
+Session On
+Require valid-user
+</Location>
+
+EOF
+
+cat >>$root/conf/pubauth$sslsuffix.conf <<EOF
+# Generated by: open-auth-conf $*
+# Enable Tuscany open authentication
+<Location /login/dologin>
+Session On
+</Location>
+<Location /logout/dologout>
+Session On
</Location>
EOF
diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf
index 730775fa89..3f96304ae8 100755
--- a/sca-cpp/trunk/modules/http/httpd-conf
+++ b/sca-cpp/trunk/modules/http/httpd-conf
@@ -174,15 +174,6 @@ LoadModule mpm_prefork_module ${modules_prefix}/modules/mod_mpm_prefork.so
EOF
-if [ $uname = "Darwin" ]; then
- cat >>$root/conf/mpm.conf <<EOF
-# Generated by: httpd-conf $*
-# Set thread stack size
-ThreadStackSize 2097152
- EOF
-fi
-
# Generate modules list
cat >$root/conf/modules.conf <<EOF
# Generated by: httpd-conf $*
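Review bot: The block appended to `pubauth$sslsuffix.conf` is stamped `# Generated by: open-auth-conf $*` and `# Enable Tuscany open authentication`, but this file is form-auth-conf, so the generated config misattributes its own origin; change the two lines to `# Generated by: form-auth-conf $*` and `# Enable Tuscany form authentication`. The new `secure` attribute on `SessionCookieName` is the right default for an HTTPS server, but if form-auth-conf can also be applied to a server generated without httpd-ssl-conf, browsers will never return the cookie over plain HTTP and every request will bounce back to `/login/`; if that combination is supported, the attribute should depend on the SSL suffix. It is also worth confirming that `$sslsuffix` is assigned earlier in this script, since the hunk is the only place it is visibly used. The enclosing heredoc starts before the hunk.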
@@ -269,28 +260,40 @@ cat >$root/conf/pubauth.conf <<EOF
# Allow everyone to access public locations
<Location /login>
AuthType None
+Session Off
Require all granted
# Mark login page with a header
Header set X-Login open-auth
</Location>
+<Location /login/dologin>
+Session Off
+</Location>
<Location /logout>
AuthType None
+Session Off
Require all granted
</Location>
+<Location /logout/dologout>
+Session Off
+</Location>
<Location /public>
AuthType None
+Session Off
Require all granted
</Location>
<Location /proxy/public>
AuthType None
+Session Off
Require all granted
</Location>
<Location /favicon.ico>
AuthType None
+Session Off
Require all granted
</Location>
<Location /robots.txt>
AuthType None
+Session Off
Require all granted
</Location>
@@ -322,12 +325,14 @@ cat >$root/conf/noauth.conf <<EOF
# Allow access to document root
<Directory "$htdocs">
AuthType None
+Session Off
Require all granted
</Directory>
# Allow everyone to access root location
<Location />
AuthType None
+Session Off
Require all granted
</Location>
diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf
index f99a10071c..3bd1dd63dc 100755
--- a/sca-cpp/trunk/modules/http/httpd-ssl-conf
+++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf
@@ -68,6 +68,7 @@ SSLSessionCacheTimeout 300
Mutex "file:$root/logs" ssl-cache
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
+SSLCompression Off
# Listen on HTTPS port
Listen $sslport
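Review bot: `Session Off` is added to the public locations here and in the `@@ -322` hunk, js-conf, openid-conf and openid-step2-conf, while form-auth-conf and open-auth-conf later append `Session On` blocks for `/login/dologin` and `/logout/dologout` to `pubauth$sslsuffix.conf`; the effective setting for those two paths therefore depends on the auth script's block landing after this one in the file, and nothing here says so. A comment above the new `/login/dologin` block, e.g. `# Sessions are off for public locations; the auth conf scripts re-enable them for the login/logout handlers`, would record the override order for whoever next reorders the generation steps. The pubauth.conf heredoc continues outside the hunk.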
@@ -165,7 +166,10 @@ UseCanonicalName Off
# Enable SSL
SSLEngine on
-SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+SSLProtocol ALL -SSLv2
+SSLHonorCipherOrder On
+#SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4-SHA:AES128-SHA:HIGH:!MD5:!DHE:!3DES:!EXP:!ADH:!EDH:!aNULL:!eNULL:!NULL
+SSLCipherSuite ECDHE-RSA-RC4-SHA:RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:ECDHE-RSA-AES256-SHA:AES256-SHA:!DHE:!3DES:!EXP:!ADH:!EDH:!aNULL:!eNULL:!NULL
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth
@@ -188,9 +192,12 @@ ProxyRequests Off
ProxyPreserveHost On
ProxyStatus On
SSLProxyEngine on
-SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+SSLProxyProtocol ALL -SSLv2
+#SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4-SHA:AES128-SHA:HIGH:!MD5:!DHE:!3DES:!EXP:!ADH:!EDH:!aNULL:!eNULL:!NULL
+SSLProxyCipherSuite ECDHE-RSA-RC4-SHA:RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:ECDHE-RSA-AES256-SHA:AES256-SHA:!DHE:!3DES:!EXP:!ADH:!EDH:!aNULL:!eNULL:!NULL
# Verify server certificates
+SSLProxyCACertificateFile "$root/cert/cacert.pem"
SSLProxyVerify require
SSLProxyVerifyDepth 1
SSLProxyCheckPeerCN Off
diff --git a/sca-cpp/trunk/modules/http/open-auth-conf b/sca-cpp/trunk/modules/http/open-auth-conf
index f4715b3a1c..5a8db92972 100755
--- a/sca-cpp/trunk/modules/http/open-auth-conf
+++ b/sca-cpp/trunk/modules/http/open-auth-conf
@@ -42,7 +42,7 @@ fi
if [ "$2" = "" ]; then
providers="file"
else
- providers="$2 file"
+ providers="file $2"
fi
if [ "$3" = "" ]; then
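Review bot: With `SSLHonorCipherOrder On` the new `SSLCipherSuite` lists `ECDHE-RSA-RC4-SHA` and `RC4-SHA` ahead of the AES suites, so RC4 becomes the negotiated cipher for every client that offers it, `SSLProtocol ALL -SSLv2` still permits SSLv3, and `!DHE`/`!EDH` leave ECDHE as the only forward-secret option. Moving the AES suites first and dropping RC4, e.g. `SSLProtocol ALL -SSLv2 -SSLv3` and `SSLCipherSuite ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:!RC4:!3DES:!EXP:!ADH:!EDH:!aNULL:!eNULL:!NULL`, gives a safer preference at little compatibility cost; the same ordering applies to `SSLProxyCipherSuite` in the next hunk. The commented-out `#SSLCipherSuite` line in both hunks is dead configuration and is better removed than left beside the live directive.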
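Review bot: `SSLProxyCACertificateFile` now points at `cacert.pem`, which ssl-ca-conf builds by appending the local `ca.crt` to curl's public CA bundle, so backend certificates chaining to any public CA are now accepted for proxied connections rather than only those issued by the local CA, and the retained context line `SSLProxyCheckPeerCN Off` means no name check narrows that trust. If the intent is only to reach proxies presenting locally issued certificates, point this at `ca.crt` or a bundle without the public roots, or set `SSLProxyCheckPeerCN On`; if trusting public CAs is deliberate, a comment saying so above the directive would stop the next reader from treating it as an oversight. The same widening applies to `SCAWiringSSLCACertificateFile` in server-conf, whose hunk is cut off at the end of the page.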
@@ -76,24 +76,42 @@ AuthName "$host"
AuthOpenAuthProvider socache $providers
AuthnCacheProvideFor $providers
AuthnCacheContext /
+AuthOpenAuthLoginPage /login/
Session On
SessionCryptoPassphrase $pw
AuthOpenAuth On
-AuthOpenAuthLoginPage /login/
Require valid-user
</Location>
# Use HTTPD form-based authentication
<Location /login/dologin>
+SetHandler form-login-handler
AuthType Form
AuthName "$host"
AuthFormProvider socache $providers
-AuthnCacheProvideFor $providers
-AuthnCacheContext /
AuthFormLoginRequiredLocation /login/?openauth_attempt=1
-AuthFormLogoutLocation /
+Session On
Require valid-user
-SetHandler form-login-handler
+</Location>
+
+<Location /logout/dologout>
+SetHandler mod_tuscany_openauth_logout
+AuthType Open
+AuthName "$host"
+Session On
+Require valid-user
+</Location>
+
+EOF
+
+cat >>$root/conf/pubauth$sslsuffix.conf <<EOF
+# Generated by: open-auth-conf $*
+# Enable Tuscany open authentication
+<Location /login/dologin>
+Session On
+</Location>
+<Location /logout/dologout>
+Session On
</Location>
EOF
diff --git a/sca-cpp/trunk/modules/http/ssl-ca-conf b/sca-cpp/trunk/modules/http/ssl-ca-conf
index bceca8f300..beadc4d3a8 100755
--- a/sca-cpp/trunk/modules/http/ssl-ca-conf
+++ b/sca-cpp/trunk/modules/http/ssl-ca-conf
@@ -94,3 +94,8 @@ mkdir -p $root/cert/hash
cp $root/cert/ca.crt $root/cert/hash
perl /usr/bin/c_rehash $root/cert/hash
+# Build CA certificate bundle
+curl_prefix=`cat $here/../http/curl.prefix`
+cp $curl_prefix/lib/cacert.pem $root/cert/cacert.pem
+cat $root/cert/ca.crt >> $root/cert/cacert.pem
+
diff --git a/sca-cpp/trunk/modules/js/js-conf b/sca-cpp/trunk/modules/js/js-conf
index aa29920619..72b5a60120 100755
--- a/sca-cpp/trunk/modules/js/js-conf
+++ b/sca-cpp/trunk/modules/js/js-conf
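Review bot: The `Session On` blocks appended to `pubauth$sslsuffix.conf` for `/login/dologin` and `/logout/dologout` exist to override the `Session Off` that httpd-conf now writes for the same two locations, and that only works because this heredoc is appended after httpd-conf's; a comment such as `# Re-enable sessions for the login/logout handlers, overriding the Session Off set by httpd-conf` above the first `<Location>` would record the dependency. form-auth-conf appends an identical pair of blocks, so if both scripts are applied to one server the override is emitted twice — harmless to httpd, but a sign the snippet belongs in one place. Unlike form-auth-conf, this hunk leaves the session cookie attributes untouched; if open-auth-conf sets its own `SessionCookieName` outside the hunk it should carry the same `secure; httponly` attributes. The enclosing heredoc starts before the hunk.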
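Review bot: The bundle build has no error handling: if `curl.prefix` is missing or `$curl_prefix/lib/cacert.pem` does not exist, `cp` fails, the following `cat` then creates `cacert.pem` holding only the local `ca.crt`, and nothing stops the script, so the trust store consumed by httpd-ssl-conf and server-conf silently differs between hosts depending on how curl was installed. Abort on the copy and quote the paths, which may hold spaces: `cp "$curl_prefix/lib/cacert.pem" "$root/cert/cacert.pem" || exit 1` and `cat "$root/cert/ca.crt" >> "$root/cert/cacert.pem"`. Extending the `# Build CA certificate bundle` comment to say that the bundle deliberately trusts every public CA shipped with curl plus the local CA would make the widened trust scope visible to readers of the files that reference it.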
@@ -36,18 +36,22 @@ cat >>$root/conf/pubauth.conf <<EOF
# Generated by: js-conf $*
<Location /ui-min.css>
AuthType None
+Session Off
Require all granted
</Location>
<Location /all-min.js>
AuthType None
+Session Off
Require all granted
</Location>
<Location /proxy/ui-min.css>
AuthType None
+Session Off
Require all granted
</Location>
<Location /proxy/all-min.js>
AuthType None
+Session Off
Require all granted
</Location>
diff --git a/sca-cpp/trunk/modules/oauth/oauth-conf b/sca-cpp/trunk/modules/oauth/oauth-conf
index 26e654036b..8ec6582af7 100755
--- a/sca-cpp/trunk/modules/oauth/oauth-conf
+++ b/sca-cpp/trunk/modules/oauth/oauth-conf
@@ -42,7 +42,7 @@ fi
if [ "$2" = "" ]; then
providers="file"
else
- providers="$2 file"
+ providers="file $2"
fi
# Configure HTTPD mod_tuscany_oauth module
diff --git a/sca-cpp/trunk/modules/oauth/oauth12-conf b/sca-cpp/trunk/modules/oauth/oauth12-conf
index 43c879faee..d6f6abe653 100755
--- a/sca-cpp/trunk/modules/oauth/oauth12-conf
+++ b/sca-cpp/trunk/modules/oauth/oauth12-conf
@@ -42,7 +42,7 @@ fi
if [ "$2" = "" ]; then
providers="file"
else
- providers="$2 file"
+ providers="file $2"
fi
# Configure HTTPD mod_tuscany_oauth module
diff --git a/sca-cpp/trunk/modules/openid/openid-conf b/sca-cpp/trunk/modules/openid/openid-conf
index 7f986fc8d7..6479a13b09 100755
--- a/sca-cpp/trunk/modules/openid/openid-conf
+++ b/sca-cpp/trunk/modules/openid/openid-conf
@@ -36,7 +36,7 @@ fi
if [ "$2" = "" ]; then
providers="file"
else
- providers="$2"
+ providers="file $2"
fi
# Configure HTTPD mod_auth_openid module
@@ -84,6 +84,7 @@ cat >>$root/conf/pubauth$sslsuffix.conf <<EOF
# Allow public access to /openid location
<Location /openid>
AuthType None
+Session Off
Require all granted
</Location>
diff --git a/sca-cpp/trunk/modules/openid/openid-step2-conf b/sca-cpp/trunk/modules/openid/openid-step2-conf
index f6ac968bfc..87f3e54925 100755
--- a/sca-cpp/trunk/modules/openid/openid-step2-conf
+++ b/sca-cpp/trunk/modules/openid/openid-step2-conf
@@ -54,6 +54,7 @@ cat >>$root/conf/pubauth$sslsuffix.conf <<EOF
# Allow access to /.well-known/host-meta location
<Location /.well-known/host-meta>
AuthType None
+Session Off
Require all granted
</Location>
diff --git a/sca-cpp/trunk/modules/server/server-conf b/sca-cpp/trunk/modules/server/server-conf
index 2674cd9ac5..01b6b21e72 100755
--- a/sca-cpp/trunk/modules/server/server-conf
+++ b/sca-cpp/trunk/modules/server/server-conf
@@ -42,7 +42,7 @@ ssl=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-ssl-conf"`
if [ "$ssl" != "" ]; then
cat >>$root/conf/httpd.conf <<EOF
# Configure SSL certificates
-SCAWiringSSLCACertificateFile "$root/cert/ca.crt"
+SCAWiringSSLCACertificateFile "$root/cert/cacert.pem"
SCAWiringSSLCertificateFile "$root/cert/server.crt"
SCAWiringSSLCertificateKeyFile "$root/cert/server.key" |