authorjsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68>2010-08-02 01:42:59 +0000
committerjsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68>2010-08-02 01:42:59 +0000
commit91bee1de5ab7b97cc32c8ba1c9942823757b86a6 (patch)
tree87610c1667e6768af15d21299d168d130e590f98
parentb85cc12a996022a40e1a3cec0caf6cd432a49f1e (diff)
Fix HTTPS config scripts to enable SSL certificates, HTTP basic auth, and OpenID to coexist. Add OpenID support to sample.
git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@981352 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--sca-cpp/trunk/modules/http/Makefile.am2
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-auth-conf46
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-conf18
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-ssl-conf134
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-conf3
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-ssl-conf27
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-ssl-member-conf2
-rwxr-xr-xsca-cpp/trunk/modules/http/ssl-ca-conf6
-rwxr-xr-xsca-cpp/trunk/modules/http/ssl-cert-conf6
-rwxr-xr-xsca-cpp/trunk/modules/http/vhost-conf2
-rwxr-xr-xsca-cpp/trunk/modules/http/vhost-ssl-conf4
-rw-r--r--sca-cpp/trunk/modules/openid/Makefile.am2
-rwxr-xr-xsca-cpp/trunk/modules/openid/openid-conf28
-rwxr-xr-xsca-cpp/trunk/modules/openid/start-test3
-rw-r--r--sca-cpp/trunk/modules/server/mod-eval.hpp5
-rw-r--r--sca-cpp/trunk/samples/store-cluster/htdocs/domains/jane/login/index.html97
-rw-r--r--sca-cpp/trunk/samples/store-cluster/htdocs/domains/jane/logout/index.html33
-rw-r--r--sca-cpp/trunk/samples/store-cluster/htdocs/domains/joe/login/index.html97
-rw-r--r--sca-cpp/trunk/samples/store-cluster/htdocs/domains/joe/logout/index.html33
-rw-r--r--sca-cpp/trunk/samples/store-cluster/htdocs/login/index.html97
-rw-r--r--sca-cpp/trunk/samples/store-cluster/htdocs/logout/index.html33
-rwxr-xr-xsca-cpp/trunk/samples/store-cluster/ssl-start7
-rwxr-xr-xsca-cpp/trunk/samples/store-python/ssl-start1
23 files changed, 609 insertions, 77 deletions
diff --git a/sca-cpp/trunk/modules/http/Makefile.am b/sca-cpp/trunk/modules/http/Makefile.am
index 17fd8ac3c7..03f5c234f5 100644
--- a/sca-cpp/trunk/modules/http/Makefile.am
+++ b/sca-cpp/trunk/modules/http/Makefile.am
@@ -20,7 +20,7 @@ INCLUDES = -I${HTTPD_INCLUDE}
incl_HEADERS = *.hpp
incldir = $(prefix)/include/modules/http
-dist_mod_SCRIPTS = httpd-conf httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf httpd-ssl-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf
+dist_mod_SCRIPTS = httpd-conf httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf httpd-ssl-conf httpd-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf
moddir=$(prefix)/modules/http
curl_test_SOURCES = curl-test.cpp
diff --git a/sca-cpp/trunk/modules/http/httpd-auth-conf b/sca-cpp/trunk/modules/http/httpd-auth-conf
new file mode 100755
index 0000000000..cfe81f778a
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/httpd-auth-conf
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Generate a minimal HTTPD SSL configuration
+here=`readlink -f $0`; here=`dirname $here`
+root=`readlink -f $1`
+conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
+host=`echo $conf | awk '{ print $6 }'`
+httpd_prefix=`cat $here/httpd.prefix`
+
+# Generate basic authentication configuration
+cat >>$root/conf/vhost-ssl.conf <<EOF
+# Generated by: httpd-auth-conf $*
+# Require clients to present a userid + password for HTTP
+# basic authentication
+<Location />
+AuthType Basic
+AuthName "$host"
+AuthUserFile "$root/conf/httpd.passwd"
+Require valid-user
+</Location>
+
+EOF
+
+# Create test users
+$httpd_prefix/bin/htpasswd -bc $root/conf/httpd.passwd test test 2>/dev/null
+$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd admin admin 2>/dev/null
+$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd foo foo 2>/dev/null
+$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd bar bar 2>/dev/null
+
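Review bot: The four `htpasswd -b` lines at the end create accounts whose password equals the user name, including `admin`, and `Require user admin` is what guards `/server-status` in httpd-ssl-conf and the balancer location in proxy-ssl-conf, so a deployment that runs this installed script unchanged has a guessable admin login. If these are test fixtures only, say so in the header and keep them out of the distributed script, or take the user name as an argument and let `htpasswd -c "$root/conf/httpd.passwd" "$user"` prompt for the password, since `-b` also exposes it in the process list. The leading comment still reads `# Generate a minimal HTTPD SSL configuration`; `# Generate an HTTP basic authentication configuration` would match what the script does. `2>/dev/null` hides a failed htpasswd run, which would leave `AuthUserFile` pointing at a missing or stale file.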
diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf
index 149bc56c4d..2cbf5120e9 100755
--- a/sca-cpp/trunk/modules/http/httpd-conf
+++ b/sca-cpp/trunk/modules/http/httpd-conf
@@ -44,7 +44,9 @@ cat >$root/conf/httpd.conf <<EOF
ServerName http://$host:$pport
PidFile $root/logs/httpd.pid
-# Minimal set of modules
+# Load a minimal set of modules, the load order is important
+# (e.g. load mod_headers before mod_rewrite, so its hooks execute
+# after mod_rewrite's hooks)
LoadModule alias_module ${modules_prefix}/modules/mod_alias.so
LoadModule authn_file_module ${modules_prefix}/modules/mod_authn_file.so
LoadModule authn_default_module ${modules_prefix}/modules/mod_authn_default.so
@@ -58,13 +60,14 @@ LoadModule proxy_module ${modules_prefix}/modules/mod_proxy.so
LoadModule proxy_connect_module ${modules_prefix}/modules/mod_proxy_connect.so
LoadModule proxy_http_module ${modules_prefix}/modules/mod_proxy_http.so
LoadModule proxy_balancer_module ${modules_prefix}/modules/mod_proxy_balancer.so
+LoadModule headers_module ${modules_prefix}/modules/mod_headers.so
LoadModule ssl_module ${modules_prefix}/modules/mod_ssl.so
+LoadModule rewrite_module ${modules_prefix}/modules/mod_rewrite.so
LoadModule mime_module ${modules_prefix}/modules/mod_mime.so
LoadModule status_module ${modules_prefix}/modules/mod_status.so
LoadModule asis_module ${modules_prefix}/modules/mod_asis.so
LoadModule negotiation_module ${modules_prefix}/modules/mod_negotiation.so
LoadModule dir_module ${modules_prefix}/modules/mod_dir.so
-LoadModule rewrite_module ${modules_prefix}/modules/mod_rewrite.so
LoadModule setenvif_module ${modules_prefix}/modules/mod_setenvif.so
<IfModule !log_config_module>
LoadModule log_config_module ${modules_prefix}/modules/mod_log_config.so
@@ -80,17 +83,17 @@ Timeout 45
LimitRequestBody 1048576
HostNameLookups Off
-# Logging
+# Log HTTP requests
+LogLevel info
ErrorLog $root/logs/error_log
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog $root/logs/access_log combined
-LogLevel warn
# Configure Mime types
DefaultType text/plain
TypesConfig $here/conf/mime.types
-# Set document root
+# Set default document root
DocumentRoot $htdocs
DirectoryIndex index.html
@@ -113,16 +116,17 @@ Options FollowSymLinks
Allow from all
</Directory>
-# Allow access to service components
+# Allow access to root location
<Location />
Options FollowSymLinks
Order deny,allow
Allow from all
</Location>
-# Setup HTTP virtual host
+# Listen on HTTP port
Listen $port
+# Setup HTTP virtual host
<VirtualHost *:$port>
ServerName http://$host:$pport
diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf
index f2f8b01614..f36da55b12 100755
--- a/sca-cpp/trunk/modules/http/httpd-ssl-conf
+++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf
@@ -45,7 +45,7 @@ RewriteCond %{SERVER_PORT} !^$sslpport$
RewriteRule .* https://%{SERVER_NAME}:$sslpport%{REQUEST_URI} [R,L]
</Location>
-# Setup SSL support
+# Configure SSL support
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
@@ -55,19 +55,19 @@ SSLMutex "file:$root/logs/ssl_mutex"
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
-# Setup HTTPS virtual host
+# Listen on HTTPS port
Listen $sslport
+# HTTPS virtual host
<VirtualHost *:$sslport>
ServerName https://$host:$sslpport
-Include conf/ssl-svhost.conf
+Include conf/svhost-ssl.conf
# Allow the server admin to view the server status
<Location /server-status>
SetHandler server-status
HostnameLookups on
-Deny from All
Allow from all
Require user admin
</Location>
@@ -80,7 +80,7 @@ ExtendedStatus On
EOF
# Generate HTTPS vhost configuration
-cat >$root/conf/ssl-vhost.conf <<EOF
+cat >$root/conf/vhost-ssl.conf <<EOF
# Generated by: httpd-ssl-conf $*
# Virtual host configuration
UseCanonicalName Off
@@ -89,39 +89,113 @@ UseCanonicalName Off
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
+SSLOptions -StrictRequire +OptRenegotiate
-# Logging
-CustomLog "$root/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-LogFormat "%h %l %u %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" sslcombined
+# Verify client certificates
+SSLVerifyClient optional
+SSLVerifyDepth 1
+
+# Log SSL requests
+#CustomLog "$root/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+LogFormat "%h %l %u %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" \"%{SSL_CLIENT_I_DN}x\" \"%{SSL_CLIENT_S_DN}x\"" sslcombined
CustomLog $root/logs/ssl_access_log sslcombined
-LogLevel warn
-# Require clients to present either:
-# a certificate signed with our certification authority certificate
-# or a userid + password for HTTP basic authentication
+EOF
+
+# Generate HTTPS authentication requirement
+cat >>$root/conf/vhost-ssl.conf <<EOF
<Location />
+# Require clients to use SSL and authenticate
+SSLRequireSSL
+
+# Also accept other forms of authentication (e.g. HTTP basic
+# authentication, or OpenID authentication)
Satisfy Any
-SSLVerifyClient optional
-SSLVerifyDepth 1
-SSLOptions +FakeBasicAuth
-SSLRequireSSL
-SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 and %{SSL_CLIENT_I_DN_O} == "$org"
+EOF
-AuthType Basic
-AuthName "$host"
-AuthUserFile "$root/conf/httpd.passwd"
-Require valid-user
+proxyconf=`cat $root/conf/vhost.conf | grep "# Generated by: proxy-conf"`
+if [ "$proxyconf" != "" ]; then
+ cat >>$root/conf/vhost-ssl.conf <<EOF
+# In an proxy, only require a 128+ cipher key
+SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
+
+# Forward received SSL client certificate info in proxied requests
+RewriteEngine on
+RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}]
+RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}]
+RewriteCond %{SSL:SSL_CLIENT_I_DN} !=""
+RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}]
+RewriteCond %{SSL:SSL_CLIENT_S_DN} !=""
+RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}]
+RewriteCond %{SSL:SSL_CLIENT_I_DN_O} !=""
+RewriteRule .* - [E=SSL_I_DN_O:%{SSL:SSL_CLIENT_I_DN_O}]
+RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} !=""
+RewriteRule .* - [E=SSL_S_DN_OU:%{SSL:SSL_CLIENT_S_DN_OU}]
+RequestHeader unset X-Forwarded-SSL-Protocol
+RequestHeader unset X-Forwarded-SSL-Cipher
+RequestHeader unset X-Forwarded-SSL-Issuer-DN
+RequestHeader unset X-Forwarded-SSL-Client-DN
+RequestHeader unset X-Forwarded-SSL-Issuer-DN-O
+RequestHeader unset X-Forwarded-SSL-Client-DN-OU
+RequestHeader set X-Forwarded-SSL-Protocol %{SSL_PROTOCOL}e env=SSL_PROTOCOL
+RequestHeader set X-Forwarded-SSL-Cipher %{SSL_CIPHER}e env=SSL_CIPHER
+RequestHeader set X-Forwarded-SSL-Issuer-DN %{SSL_I_DN}e env=SSL_I_DN
+RequestHeader set X-Forwarded-SSL-Client-DN %{SSL_S_DN}e env=SSL_S_DN
+RequestHeader set X-Forwarded-SSL-Issuer-DN-O %{SSL_I_DN_O}e env=SSL_I_DN_O
+RequestHeader set X-Forwarded-SSL-Client-DN-OU %{SSL_S_DN_OU}e env=SSL_S_DN_OU
+
+EOF
+else
+ cat >>$root/conf/vhost-ssl.conf <<EOF
+# In a server, require a 128+ cipher key and one of the following
+# - another server's certificate issued by our certificate authority
+# - a proxy certificate + forwarded info on the client request certificate,
+# both signed by our certificate authority
+# - OpenID authentication (set by mod_auth_openid in the auth_type)
+# - another valid form of authentication as per the Satisfy directive
+SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 and ( \
+( %{SSL_CLIENT_I_DN_O} == "$org" and %{SSL_CLIENT_S_DN_OU} == "server" ) or \
+( %{SSL_CLIENT_I_DN_O} == "$org" and %{SSL_CLIENT_S_DN_OU} == "proxy" and \
+ %{HTTP:X-Forwarded-SSL-Issuer-DN-O} == "$org" and %{HTTP:X-Forwarded-SSL-Client-DN-OU} == "server" ) or \
+%{REQUEST_URI} =~ m/^.(login|logout|openid|unprotected).*$/ )
+
+# Record received SSL client certificate info in environment vars
+RewriteEngine on
+RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}]
+RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}]
+RewriteCond %{SSL:SSL_CLIENT_I_DN} !=""
+RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}]
+RewriteCond %{SSL:SSL_CLIENT_S_DN} !=""
+RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}]
+
+# Store the client certificate DN in the SSL_REMOTE_USER var,
+# that's similar to the SSLUserName directive but more flexible as
+# it can pick a client certificate DN forwarded by a proxy
+RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org"
+RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "server"
+RewriteRule .* - [E=SSL_REMOTE_USER:%{SSL:SSL_CLIENT_S_DN}]
+
+RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org"
+RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "proxy"
+RewriteCond %{HTTP:X-Forwarded-SSL-Issuer-DN-O} "$org"
+RewriteCond %{HTTP:X-Forwarded-SSL-Client-DN-OU} "server"
+RewriteRule .* - [E=SSL_REMOTE_USER:%{HTTP:X-Forwarded-SSL-Client-DN}]
+
+EOF
+fi
+
+cat >>$root/conf/vhost-ssl.conf <<EOF
</Location>
EOF
-cat >$root/conf/ssl-svhost.conf <<EOF
+cat >$root/conf/svhost-ssl.conf <<EOF
# Generated by: httpd-ssl-conf $*
# Static virtual host configuration
-Include conf/ssl-vhost.conf
+Include conf/vhost-ssl.conf
-# Configure SSL certificates
+# Declare SSL certificates used in this virtual host
SSLCACertificateFile "$root/conf/ca.crt"
SSLCertificateChainFile "$root/conf/ca.crt"
SSLCertificateFile "$root/conf/server.crt"
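Review bot: The last alternative of the server-side `SSLRequire`, `%{REQUEST_URI} =~ m/^.(login|logout|openid|unprotected).*$/`, matches on a bare prefix, so any path that merely starts with one of those words (for example `/loginx` or `/unprotected-backup`) passes the SSL access check without a client certificate, and under `Satisfy Any` that is enough to skip authentication. The exemption should end on a path boundary, e.g. `m#^/(login|logout|openid|unprotected)(/|$)#` if the expression parser accepts a delimiter other than `/` (the current `^.` looks like a workaround for that). The `RewriteCond ... "server"` and `"proxy"` tests that set `SSL_REMOTE_USER` are unanchored regex matches, unlike the `==` comparisons in `SSLRequire`; the `=server` / `=proxy` form would make them exact. `$org` is assigned outside this hunk.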
@@ -129,12 +203,12 @@ SSLCertificateKeyFile "$root/conf/server.key"
EOF
-cat >$root/conf/ssl-dvhost.conf <<EOF
+cat >$root/conf/dvhost-ssl.conf <<EOF
# Mass dynamic virtual host configuration
# Generated by: httpd-ssl-conf $*
-Include conf/ssl-vhost.conf
+Include conf/vhost-ssl.conf
-# Configure SSL certificates
+# Declare wildcard SSL certificates used in this virtual host
SSLCACertificateFile "$root/conf/ca.crt"
SSLCertificateChainFile "$root/conf/ca.crt"
SSLCertificateFile "$root/conf/vhost.crt"
@@ -142,9 +216,3 @@ SSLCertificateKeyFile "$root/conf/vhost.key"
EOF
-# Create test users for HTTP basic authentication
-$httpd_prefix/bin/htpasswd -bc $root/conf/httpd.passwd test test 2>/dev/null
-$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd admin admin 2>/dev/null
-$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd foo foo 2>/dev/null
-$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd bar bar 2>/dev/null
-
diff --git a/sca-cpp/trunk/modules/http/proxy-conf b/sca-cpp/trunk/modules/http/proxy-conf
index 4970950623..dd6f344fa6 100755
--- a/sca-cpp/trunk/modules/http/proxy-conf
+++ b/sca-cpp/trunk/modules/http/proxy-conf
@@ -23,11 +23,12 @@ root=`readlink -f $1`
cat >>$root/conf/vhost.conf <<EOF
# Generated by: proxy-conf $*
-# Configure HTTP proxy and balancer
+# Enable HTTP reverse proxy
ProxyRequests Off
ProxyPreserveHost On
ProxyStatus On
+# Enable load balancing
ProxyPass / balancer://cluster/
<Proxy balancer://cluster>
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-conf b/sca-cpp/trunk/modules/http/proxy-ssl-conf
index bc1b63fc7d..fe7e6a5be6 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-conf
@@ -21,17 +21,14 @@
here=`readlink -f $0`; here=`dirname $here`
root=`readlink -f $1`
-cat >>$root/conf/ssl-vhost.conf <<EOF
+cat >>$root/conf/vhost-ssl.conf <<EOF
# Generated by: proxy-ssl-conf $*
-# Enable SSL proxy
-SSLProxyEngine on
-SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-
-# Configure proxy and balancer
+# Enable HTTPS proxy
ProxyRequests Off
ProxyPreserveHost On
ProxyStatus On
+# Enable load balancing
ProxyPass /balancer-manager !
ProxyPass / balancer://sslcluster/
@@ -50,21 +47,21 @@ Allow from all
Require user admin
</Location>
-EOF
+# Enable SSL proxy engine
+SSLProxyEngine on
+SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-cat >>$root/conf/ssl-svhost.conf <<EOF
-# Generated by: proxy-ssl-conf $*
-# Setup SSL proxy certificates
-SSLProxyCACertificateFile "$root/conf/ca.crt"
-SSLProxyMachineCertificateFile "$root/conf/server.pem"
+# Verify server certificates
+SSLProxyVerify require
+SSLProxyVerifyDepth 1
EOF
-cat >>$root/conf/ssl-dvhost.conf <<EOF
+cat >>$root/conf/vhost-ssl.conf <<EOF
# Generated by: proxy-ssl-conf $*
-# Setup SSL proxy certificates
+# Declare the proxy SSL client certificates
SSLProxyCACertificateFile "$root/conf/ca.crt"
-SSLProxyMachineCertificateFile "$root/conf/server.pem"
+SSLProxyMachineCertificateFile "$root/conf/proxy.pem"
EOF
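Review bot: The `SSLProxyCipherSuite` line re-added under `# Enable SSL proxy engine` keeps `LOW`, `EXP` and SSLv2 suites in the list (the `+` prefix only moves them to the end), so the proxy-to-member leg can still negotiate export-grade or single-DES encryption even though the new `SSLProxyVerify require` authenticates the member. A list limited to strong suites, such as `SSLProxyCipherSuite HIGH:!aNULL:!eNULL`, would fit the 128-bit floor that httpd-ssl-conf enforces with `SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128`. The same string is used for `SSLCipherSuite` in httpd-ssl-conf and deserves the same change.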
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
index 9f20933e35..55930b7ef2 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
@@ -23,7 +23,7 @@ root=`readlink -f $1`
host=$2
sslport=`echo $3 | awk -F "/" '{ print $1 }'`
-cat >>$root/conf/ssl-vhost.conf <<EOF
+cat >>$root/conf/vhost-ssl.conf <<EOF
# Generated by: proxy-ssl-member-conf $*
# Add proxy balancer member
BalancerMember balancer://sslcluster https://$host:$sslport
diff --git a/sca-cpp/trunk/modules/http/ssl-ca-conf b/sca-cpp/trunk/modules/http/ssl-ca-conf
index b3c6dbbfa0..bd24ca8c21 100755
--- a/sca-cpp/trunk/modules/http/ssl-ca-conf
+++ b/sca-cpp/trunk/modules/http/ssl-ca-conf
@@ -43,10 +43,10 @@ x509_extensions = v3_ca
C = US
ST = CA
L = San Francisco
-O = Test Authority Organization
-OU = Test Authority Unit
+O = $host
+OU = authority
CN = $host
-emailAddress = root@$host
+emailAddress = admin@$host
[ v3_ca ]
subjectKeyIdentifier = hash
diff --git a/sca-cpp/trunk/modules/http/ssl-cert-conf b/sca-cpp/trunk/modules/http/ssl-cert-conf
index 959b5059e1..8b6208a449 100755
--- a/sca-cpp/trunk/modules/http/ssl-cert-conf
+++ b/sca-cpp/trunk/modules/http/ssl-cert-conf
@@ -47,10 +47,10 @@ distinguished_name = req_distinguished_name
C = US
ST = CA
L = San Francisco
-O = Test Organization
-OU = Test Unit
+O = $host
+OU = $certname
CN = $host
-emailAddress = root@$host
+emailAddress = admin@$host
EOF
# Generate a certificate request
diff --git a/sca-cpp/trunk/modules/http/vhost-conf b/sca-cpp/trunk/modules/http/vhost-conf
index e49a1cd415..4f563b673e 100755
--- a/sca-cpp/trunk/modules/http/vhost-conf
+++ b/sca-cpp/trunk/modules/http/vhost-conf
@@ -32,7 +32,7 @@ htdocs=`readlink -f $htdocs`
cat >>$root/conf/httpd.conf <<EOF
# Generated by: vhost-conf $*
-# Setup mass dynamic virtual hosting
+# Enable mass dynamic virtual hosting
NameVirtualHost *:$port
<VirtualHost *:$port>
diff --git a/sca-cpp/trunk/modules/http/vhost-ssl-conf b/sca-cpp/trunk/modules/http/vhost-ssl-conf
index 8a660278a3..e6801248c4 100755
--- a/sca-cpp/trunk/modules/http/vhost-ssl-conf
+++ b/sca-cpp/trunk/modules/http/vhost-ssl-conf
@@ -33,7 +33,7 @@ htdocs=`readlink -f $htdocs`
cat >>$root/conf/httpd.conf <<EOF
# Generated by: vhost-ssl-conf $*
-# Setup mass dynamic virtual hosting
+# Enable mass dynamic virtual hosting over HTTPS
NameVirtualHost *:$sslport
SSLStrictSNIVHostCheck Off
@@ -42,7 +42,7 @@ ServerName https://vhost.$host:$sslpport
ServerAlias *.$host
VirtualDocumentRoot $htdocs/domains/%1/
-Include conf/ssl-dvhost.conf
+Include conf/dvhost-ssl.conf
</VirtualHost>
EOF
diff --git a/sca-cpp/trunk/modules/openid/Makefile.am b/sca-cpp/trunk/modules/openid/Makefile.am
index a28611dc41..158dd8902b 100644
--- a/sca-cpp/trunk/modules/openid/Makefile.am
+++ b/sca-cpp/trunk/modules/openid/Makefile.am
@@ -18,7 +18,7 @@
if WANT_OPENID
-dist_mod_SCRIPTS = openid-conf
+dist_mod_SCRIPTS = openid-conf openid-step2-conf
moddir = $(prefix)/modules/openid
mod_DATA = openid.prefix
diff --git a/sca-cpp/trunk/modules/openid/openid-conf b/sca-cpp/trunk/modules/openid/openid-conf
index 206281db38..19d7d06d99 100755
--- a/sca-cpp/trunk/modules/openid/openid-conf
+++ b/sca-cpp/trunk/modules/openid/openid-conf
@@ -20,32 +20,46 @@
# Generate an OpenID server conf
here=`readlink -f $0`; here=`dirname $here`
root=`readlink -f $1`
-openid_prefix=`cat openid.prefix`
+conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
+host=`echo $conf | awk '{ print $6 }'`
+openid_prefix=`cat $here/openid.prefix`
# Configure HTTPD mod_auth_openid module
cat >>$root/conf/httpd.conf <<EOF
# Generated by: openid-conf $*
-# Support for OpenID authentication
+# Load support for OpenID authentication
LoadModule authopenid_module $openid_prefix/modules/mod_auth_openid.so
+# Enable OpenID authentication
<Location />
+AuthType OpenID
AuthOpenIDEnabled On
AuthOpenIDCookiePath /
AuthOpenIDLoginPage /login
AuthOpenIDAXAdd EMAIL http://axschema.org/contact/email
</Location>
-<Location /unprotected>
-AuthOpenIDEnabled Off
-</Location>
-
+# Enable unauthenticated access to unprotected areas
<Location /login>
AuthOpenIDEnabled Off
</Location>
-
<Location /logout>
AuthOpenIDEnabled Off
</Location>
+<Location /unprotected>
+AuthOpenIDEnabled Off
+</Location>
+
+EOF
+
+cat >>$root/conf/vhost-ssl.conf <<EOF
+# Generated by: openid-conf $*
+# Require OpenID authentication
+<Location />
+AuthType OpenID
+AuthName "$host"
+Require valid-user
+</Location>
EOF
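Review bot: The block appended to `vhost-ssl.conf` pairs `AuthType OpenID` with `Require valid-user`, which as written admits any identity that any OpenID provider vouches for; nothing in this hunk limits providers or identities. If that is intended for the sample, the generated block should say so, e.g. `# NOTE: any OpenID identity is accepted; restrict with AuthOpenIDTrusted before real use`. The append also assumes httpd-ssl-conf has already written `$root/conf/vhost-ssl.conf` (it truncates the file with `cat >`), so a header line such as `# Run after httpd-conf and httpd-ssl-conf` would document the ordering that start-test relies on. The script begins above this hunk.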
diff --git a/sca-cpp/trunk/modules/openid/start-test b/sca-cpp/trunk/modules/openid/start-test
index b9d3191b11..67020cf701 100755
--- a/sca-cpp/trunk/modules/openid/start-test
+++ b/sca-cpp/trunk/modules/openid/start-test
@@ -18,7 +18,10 @@
# under the License.
# Setup
+../../modules/http/ssl-ca-conf tmp localhost
+../../modules/http/ssl-cert-conf tmp localhost
../../modules/http/httpd-conf tmp localhost 8090 htdocs
+../../modules/http/httpd-ssl-conf tmp 8453
./openid-conf tmp
./openid-step2-conf tmp
../../modules/server/server-conf tmp
diff --git a/sca-cpp/trunk/modules/server/mod-eval.hpp b/sca-cpp/trunk/modules/server/mod-eval.hpp
index 857fd0a1e1..0aff56f59d 100644
--- a/sca-cpp/trunk/modules/server/mod-eval.hpp
+++ b/sca-cpp/trunk/modules/server/mod-eval.hpp
@@ -612,8 +612,9 @@ const int postConfigMerge(const ServerConf& mainsc, server_rec* s) {
return OK;
ServerConf& sc = httpd::serverConf<ServerConf>(s, &mod_tuscany_eval);
debug(httpd::serverName(s), "modeval::postConfigMerge::serverName");
- if (sc.wiringServerName == "") sc.wiringServerName = httpd::serverName(s);
- debug(httpd::serverName(s), "modeval::postConfigMerge::wiringServerName");
+ if (sc.wiringServerName == "")
+ sc.wiringServerName = mainsc.wiringServerName != ""? mainsc.wiringServerName : httpd::serverName(s);
+ debug(sc.wiringServerName, "modeval::postConfigMerge::wiringServerName");
sc.contributionPath = mainsc.contributionPath;
sc.compositeName = mainsc.compositeName;
sc.virtualHostContributionPath = mainsc.virtualHostContributionPath;
diff --git a/sca-cpp/trunk/samples/store-cluster/htdocs/domains/jane/login/index.html b/sca-cpp/trunk/samples/store-cluster/htdocs/domains/jane/login/index.html
new file mode 100644
index 0000000000..14f378e968
--- /dev/null
+++ b/sca-cpp/trunk/samples/store-cluster/htdocs/domains/jane/login/index.html
@@ -0,0 +1,97 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+<html><body><h1>Sign in with an OpenID provider</h1>
+
+<script type="text/javascript">
+function queryParams() {
+ qp = new Array();
+ qs = window.location.search.substring(1).split('&');
+ for (i = 0; i < qs.length; i++) {
+ e = qs[i].indexOf('=');
+ if (e > 0)
+ qp[qs[i].substring(0, e)] = unescape(qs[i].substring(e + 1));
+ }
+ return qp;
+}
+
+function openidReferrer() {
+ r = queryParams()['modauthopenid.referrer'];
+ if (typeof(r) == 'undefined')
+ return r;
+ q = r.indexOf('?');
+ if (q > 0)
+ return r.substring(0, q);
+ return r;
+}
+
+if (typeof(openidReferrer()) == 'undefined') {
+ document.location = '/';
+}
+
+function submitSignin(w) {
+ document.signin.openid_identifier.value = w();
+ document.signin.action = openidReferrer();
+ document.signin.submit();
+}
+
+
+function withGoogle() {
+ return 'https://www.google.com/accounts/o8/id';
+}
+
+function withYahoo() {
+ return 'https://me.yahoo.com/';
+}
+
+function withMyOpenID() {
+ return 'http://www.myopenid.com/xrds';
+}
+
+function withVerisign() {
+ return 'https://pip.verisignlabs.com/';
+}
+
+function withGoogleApps() {
+ return 'https://www.google.com/accounts/o8/site-xrds?ns=2&hd=' + document.fields.domain.value;
+}
+
+function withXRDSEndpoint() {
+ return document.fields.endpoint.value;
+}
+</script>
+
+<form name="signin" action="/" method="GET">
+<input type="hidden" name="openid_identifier" value="https://www.google.com/accounts/o8/id"/>
+</form>
+
+<form name="fields">
+<p>Sign in with your Google account<br/><input type="button" onclick="submitSignin(withGoogle)" value="Sign in"/></p>
+<p>Sign in with your Yahoo account<br/><input type="button" onclick="submitSignin(withYahoo)" value="Sign in"/></p>
+<p>Sign in with your MyOpenID account<br/><input type="button" onclick="submitSignin(withMyOpenID)" value="Sign in"/></p>
+<p>Sign in with your Verisign account<br/><input type="button" onclick="submitSignin(withVerisign)" value="Sign in"/></p>
+<p>Sign in with a Google apps domain<br/>
+<input type="text" size="20" name="domain" value="example.com"/><br/>
+<input type="button" onclick="submitSignin(withGoogleApps)" value="Sign in"/></p>
+<p>Sign in with an OpenID endpoint<br/>
+<input type="text" size="50" name="endpoint" value="https://www.google.com/accounts/o8/id"/><br/>
+<input type="button" onclick="submitSignin(withXRDSEndpoint)" value="Sign in"/></p>
+</form>
+
+</body></html>
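Review bot: `submitSignin` assigns `document.signin.action = openidReferrer()`, and that value comes straight from the `modauthopenid.referrer` query parameter, so a crafted link to this login page can point the form at an arbitrary URL or scheme. `openidReferrer` should return the value only when it points back at this site, for example `if (r.indexOf(location.protocol + '//' + location.host + '/') != 0) return undefined;` before the `?` is stripped (assuming mod_auth_openid passes an absolute URL), which lets the existing `undefined` check redirect to `/`. `qp`, `qs`, `i`, `e`, `r` and `q` are assigned without `var` and become globals, and `unescape` is better replaced by `decodeURIComponent`. The identical files added under `domains/joe/login/` and `htdocs/login/` need the same change.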
diff --git a/sca-cpp/trunk/samples/store-cluster/htdocs/domains/jane/logout/index.html b/sca-cpp/trunk/samples/store-cluster/htdocs/domains/jane/logout/index.html
new file mode 100644
index 0000000000..55cbfac110
--- /dev/null
+++ b/sca-cpp/trunk/samples/store-cluster/htdocs/domains/jane/logout/index.html
@@ -0,0 +1,33 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+<html><body>
+<h1>Sign out</h1>
+
+<form name="signout" action="/login" method="GET">
+<script type="text/javascript">
+function submitSignout() {
+ document.cookie = 'open_id_session_id=;expires=' + new Date(1970,01,01).toGMTString() + ';path=/';
+ document.signout.submit();
+ return true;
+}
+</script>
+<input type="button" onclick="submitSignout()" value="Sign out"/>
+</form>
+</body></html>
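Review bot: `submitSignout` only expires the `open_id_session_id` cookie in the browser; nothing in this page asks the server to drop the session, so a copy of the cookie presumably stays valid until mod_auth_openid times it out, which is worth stating in a comment above the function. The expiry date `new Date(1970,01,01)` uses legacy octal literals and month index 1 (February); `new Date(0).toUTCString()` says the same thing without either quirk. The identical file under `domains/joe/logout/` has the same lines.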
diff --git a/sca-cpp/trunk/samples/store-cluster/htdocs/domains/joe/login/index.html b/sca-cpp/trunk/samples/store-cluster/htdocs/domains/joe/login/index.html
new file mode 100644
index 0000000000..14f378e968
--- /dev/null
+++ b/sca-cpp/trunk/samples/store-cluster/htdocs/domains/joe/login/index.html
@@ -0,0 +1,97 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+<html><body><h1>Sign in with an OpenID provider</h1>
+
+<script type="text/javascript">
+function queryParams() {
+ qp = new Array();
+ qs = window.location.search.substring(1).split('&');
+ for (i = 0; i < qs.length; i++) {
+ e = qs[i].indexOf('=');
+ if (e > 0)
+ qp[qs[i].substring(0, e)] = unescape(qs[i].substring(e + 1));
+ }
+ return qp;
+}
+
+function openidReferrer() {
+ r = queryParams()['modauthopenid.referrer'];
+ if (typeof(r) == 'undefined')
+ return r;
+ q = r.indexOf('?');
+ if (q > 0)
+ return r.substring(0, q);
+ return r;
+}
+
+if (typeof(openidReferrer()) == 'undefined') {
+ document.location = '/';
+}
+
+function submitSignin(w) {
+ document.signin.openid_identifier.value = w();
+ document.signin.action = openidReferrer();
+ document.signin.submit();
+}
+
+
+function withGoogle() {
+ return 'https://www.google.com/accounts/o8/id';
+}
+
+function withYahoo() {
+ return 'https://me.yahoo.com/';
+}
+
+function withMyOpenID() {
+ return 'http://www.myopenid.com/xrds';
+}
+
+function withVerisign() {
+ return 'https://pip.verisignlabs.com/';
+}
+
+function withGoogleApps() {
+ return 'https://www.google.com/accounts/o8/site-xrds?ns=2&hd=' + document.fields.domain.value;
+}
+
+function withXRDSEndpoint() {
+ return document.fields.endpoint.value;
+}
+</script>
+
+<form name="signin" action="/" method="GET">
+<input type="hidden" name="openid_identifier" value="https://www.google.com/accounts/o8/id"/>
+</form>
+
+<form name="fields">
+<p>Sign in with your Google account<br/><input type="button" onclick="submitSignin(withGoogle)" value="Sign in"/></p>
+<p>Sign in with your Yahoo account<br/><input type="button" onclick="submitSignin(withYahoo)" value="Sign in"/></p>
+<p>Sign in with your MyOpenID account<br/><input type="button" onclick="submitSignin(withMyOpenID)" value="Sign in"/></p>
+<p>Sign in with your Verisign account<br/><input type="button" onclick="submitSignin(withVerisign)" value="Sign in"/></p>
+<p>Sign in with a Google apps domain<br/>
+<input type="text" size="20" name="domain" value="example.com"/><br/>
+<input type="button" onclick="submitSignin(withGoogleApps)" value="Sign in"/></p>
+<p>Sign in with an OpenID endpoint<br/>
+<input type="text" size="50" name="endpoint" value="https://www.google.com/accounts/o8/id"/><br/>
+<input type="button" onclick="submitSignin(withXRDSEndpoint)" value="Sign in"/></p>
+</form>
+
+</body></html>
diff --git a/sca-cpp/trunk/samples/store-cluster/htdocs/domains/joe/logout/index.html b/sca-cpp/trunk/samples/store-cluster/htdocs/domains/joe/logout/index.html
new file mode 100644
index 0000000000..55cbfac110
--- /dev/null
+++ b/sca-cpp/trunk/samples/store-cluster/htdocs/domains/joe/logout/index.html
@@ -0,0 +1,33 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+<html><body>
+<h1>Sign out</h1>
+
+<form name="signout" action="/login" method="GET">
+<script type="text/javascript">
+function submitSignout() {
+ document.cookie = 'open_id_session_id=;expires=' + new Date(1970,01,01).toGMTString() + ';path=/';
+ document.signout.submit();
+ return true;
+}
+</script>
+<input type="button" onclick="submitSignout()" value="Sign out"/>
+</form>
+</body></html>
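Review bot: `submitSignout` only expires `open_id_session_id` in the browser; nothing in this page asks the server to drop the session, so if the server keeps its own session record (not visible in this hunk) a previously copied cookie value would stay usable until it expires there. The approach also depends on the cookie being writable from script, which means it cannot be marked `HttpOnly`. At minimum add a comment such as `// Client-side only: expires the cookie in this browser; server-side session lifetime is set by the OpenID module config`. Write the date as `new Date(0).toUTCString()`, since `new Date(1970,01,01)` is 1 February 1970 in local time and uses legacy octal-style literals. The identical file `htdocs/logout/index.html` further down has the same code.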
diff --git a/sca-cpp/trunk/samples/store-cluster/htdocs/login/index.html b/sca-cpp/trunk/samples/store-cluster/htdocs/login/index.html
new file mode 100644
index 0000000000..14f378e968
--- /dev/null
+++ b/sca-cpp/trunk/samples/store-cluster/htdocs/login/index.html
@@ -0,0 +1,97 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+<html><body><h1>Sign in with an OpenID provider</h1>
+
+<script type="text/javascript">
+function queryParams() {
+ qp = new Array();
+ qs = window.location.search.substring(1).split('&');
+ for (i = 0; i < qs.length; i++) {
+ e = qs[i].indexOf('=');
+ if (e > 0)
+ qp[qs[i].substring(0, e)] = unescape(qs[i].substring(e + 1));
+ }
+ return qp;
+}
+
+function openidReferrer() {
+ r = queryParams()['modauthopenid.referrer'];
+ if (typeof(r) == 'undefined')
+ return r;
+ q = r.indexOf('?');
+ if (q > 0)
+ return r.substring(0, q);
+ return r;
+}
+
+if (typeof(openidReferrer()) == 'undefined') {
+ document.location = '/';
+}
+
+function submitSignin(w) {
+ document.signin.openid_identifier.value = w();
+ document.signin.action = openidReferrer();
+ document.signin.submit();
+}
+
+
+function withGoogle() {
+ return 'https://www.google.com/accounts/o8/id';
+}
+
+function withYahoo() {
+ return 'https://me.yahoo.com/';
+}
+
+function withMyOpenID() {
+ return 'http://www.myopenid.com/xrds';
+}
+
+function withVerisign() {
+ return 'https://pip.verisignlabs.com/';
+}
+
+function withGoogleApps() {
+ return 'https://www.google.com/accounts/o8/site-xrds?ns=2&hd=' + document.fields.domain.value;
+}
+
+function withXRDSEndpoint() {
+ return document.fields.endpoint.value;
+}
+</script>
+
+<form name="signin" action="/" method="GET">
+<input type="hidden" name="openid_identifier" value="https://www.google.com/accounts/o8/id"/>
+</form>
+
+<form name="fields">
+<p>Sign in with your Google account<br/><input type="button" onclick="submitSignin(withGoogle)" value="Sign in"/></p>
+<p>Sign in with your Yahoo account<br/><input type="button" onclick="submitSignin(withYahoo)" value="Sign in"/></p>
+<p>Sign in with your MyOpenID account<br/><input type="button" onclick="submitSignin(withMyOpenID)" value="Sign in"/></p>
+<p>Sign in with your Verisign account<br/><input type="button" onclick="submitSignin(withVerisign)" value="Sign in"/></p>
+<p>Sign in with a Google apps domain<br/>
+<input type="text" size="20" name="domain" value="example.com"/><br/>
+<input type="button" onclick="submitSignin(withGoogleApps)" value="Sign in"/></p>
+<p>Sign in with an OpenID endpoint<br/>
+<input type="text" size="50" name="endpoint" value="https://www.google.com/accounts/o8/id"/><br/>
+<input type="button" onclick="submitSignin(withXRDSEndpoint)" value="Sign in"/></p>
+</form>
+
+</body></html>
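Review bot: `submitSignin` assigns `openidReferrer()` straight to `document.signin.action`, and that value comes from the `modauthopenid.referrer` query parameter, which is controlled by whoever builds the link to this page. The form, including the chosen `openid_identifier`, can therefore be submitted to a different origin, and a non-HTTP scheme in the parameter would be accepted as the form action too. In `openidReferrer`, return `undefined` unless the value is same-origin, e.g. `if (r.indexOf(window.location.protocol + '//' + window.location.host + '/') != 0) return undefined;`, so the existing top-level check falls back to `/` (this assumes the module passes an absolute URL; adjust if it passes a path). The same code is in the `domains/joe/login/index.html` copy above, and the file list shows a `domains/jane/login` copy as well.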
diff --git a/sca-cpp/trunk/samples/store-cluster/htdocs/logout/index.html b/sca-cpp/trunk/samples/store-cluster/htdocs/logout/index.html
new file mode 100644
index 0000000000..55cbfac110
--- /dev/null
+++ b/sca-cpp/trunk/samples/store-cluster/htdocs/logout/index.html
@@ -0,0 +1,33 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+<html><body>
+<h1>Sign out</h1>
+
+<form name="signout" action="/login" method="GET">
+<script type="text/javascript">
+function submitSignout() {
+ document.cookie = 'open_id_session_id=;expires=' + new Date(1970,01,01).toGMTString() + ';path=/';
+ document.signout.submit();
+ return true;
+}
+</script>
+<input type="button" onclick="submitSignout()" value="Sign out"/>
+</form>
+</body></html>
diff --git a/sca-cpp/trunk/samples/store-cluster/ssl-start b/sca-cpp/trunk/samples/store-cluster/ssl-start
index d9d0fec67d..da55846654 100755
--- a/sca-cpp/trunk/samples/store-cluster/ssl-start
+++ b/sca-cpp/trunk/samples/store-cluster/ssl-start
@@ -21,6 +21,7 @@
../../modules/http/ssl-ca-conf tmp/ssl sca-store.com
../../modules/http/ssl-cert-conf tmp/ssl sca-store.com server
../../modules/http/ssl-cert-conf tmp/ssl *.sca-store.com vhost
+../../modules/http/ssl-cert-conf tmp/ssl sca-store.com proxy
# Start three identical app servers
../../modules/http/httpd-conf tmp/server1 sca-store.com 8101/80 htdocs
@@ -28,6 +29,8 @@
cp `../../modules/http/ssl-ls tmp/ssl` tmp/server1/conf
../../modules/http/httpd-ssl-conf tmp/server1 8441/443
../../modules/http/vhost-ssl-conf tmp/server1
+../../modules/openid/openid-conf tmp/server1
+../../modules/openid/openid-step2-conf tmp/server1
../../modules/server/server-conf tmp/server1
../../modules/python/python-conf tmp/server1
cat >>tmp/server1/conf/httpd.conf <<EOF
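Review bot: The added `openid-step2-conf` call runs a script that is not among the files this commit changes under `modules/openid` (only `Makefile.am`, `openid-conf` and `start-test` are listed), so it is worth confirming it already exists in the tree; whether this script stops on a failed step is not visible in the hunk. The same two lines are added for `tmp/server2` and `tmp/server3` in the next two hunks. A short comment above each pair, e.g. `# Enable OpenID authentication on this server`, would also help, and it should say whether a session established on one of the three servers is expected to be honoured by the others behind the proxy.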
@@ -43,6 +46,8 @@ EOF
cp `../../modules/http/ssl-ls tmp/ssl` tmp/server2/conf
../../modules/http/httpd-ssl-conf tmp/server2 8442/443
../../modules/http/vhost-ssl-conf tmp/server2
+../../modules/openid/openid-conf tmp/server2
+../../modules/openid/openid-step2-conf tmp/server2
../../modules/server/server-conf tmp/server2
../../modules/python/python-conf tmp/server2
cat >>tmp/server2/conf/httpd.conf <<EOF
@@ -58,6 +63,8 @@ EOF
cp `../../modules/http/ssl-ls tmp/ssl` tmp/server3/conf
../../modules/http/httpd-ssl-conf tmp/server3 8443/443
../../modules/http/vhost-ssl-conf tmp/server3
+../../modules/openid/openid-conf tmp/server3
+../../modules/openid/openid-step2-conf tmp/server3
../../modules/server/server-conf tmp/server3
../../modules/python/python-conf tmp/server3
cat >>tmp/server3/conf/httpd.conf <<EOF
diff --git a/sca-cpp/trunk/samples/store-python/ssl-start b/sca-cpp/trunk/samples/store-python/ssl-start
index 8f83508578..83f7a5a271 100755
--- a/sca-cpp/trunk/samples/store-python/ssl-start
+++ b/sca-cpp/trunk/samples/store-python/ssl-start
@@ -21,6 +21,7 @@
../../modules/http/ssl-cert-conf tmp localhost
../../modules/http/httpd-conf tmp localhost 8090 htdocs
../../modules/http/httpd-ssl-conf tmp 8453
+../../modules/http/httpd-auth-conf tmp
../../modules/server/server-conf tmp
../../modules/python/python-conf tmp
cat >>tmp/conf/httpd.conf <<EOF
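Review bot: `httpd-auth-conf tmp` is applied to a server that, per the `httpd-conf tmp localhost 8090 htdocs` line above, also listens on plain HTTP. Its contents are outside this hunk, so it is not clear whether Basic authentication is confined to the 8453 SSL listener; if it also applies on 8090, the credentials would travel unencrypted. I would record the intent next to the call, e.g. `# HTTP basic auth; must apply only to the SSL listener (8453)`, and confirm that `httpd-auth-conf` enforces it.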