author | jsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68> | 2010-08-02 01:42:59 +0000 |
---|---|---|
committer | jsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68> | 2010-08-02 01:42:59 +0000 |
commit | 91bee1de5ab7b97cc32c8ba1c9942823757b86a6 (patch) | |
tree | 87610c1667e6768af15d21299d168d130e590f98 /sca-cpp/trunk/modules/http/httpd-ssl-conf | |
parent | b85cc12a996022a40e1a3cec0caf6cd432a49f1e (diff) |
Fix HTTPS config scripts to enable SSL certificates, HTTP basic auth, and OpenID to coexist. Add OpenID support to sample.
git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@981352 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to '')
-rwxr-xr-x | sca-cpp/trunk/modules/http/httpd-ssl-conf | 134 |
1 files changed, 101 insertions, 33 deletions
diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf index f2f8b01614..f36da55b12 100755 --- a/sca-cpp/trunk/modules/http/httpd-ssl-conf +++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf @@ -45,7 +45,7 @@ RewriteCond %{SERVER_PORT} !^$sslpport$ RewriteRule .* https://%{SERVER_NAME}:$sslpport%{REQUEST_URI} [R,L] </Location> -# Setup SSL support +# Configure SSL support AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLPassPhraseDialog builtin @@ -55,19 +55,19 @@ SSLMutex "file:$root/logs/ssl_mutex" SSLRandomSeed startup builtin SSLRandomSeed connect builtin -# Setup HTTPS virtual host +# Listen on HTTPS port Listen $sslport +# HTTPS virtual host <VirtualHost *:$sslport> ServerName https://$host:$sslpport -Include conf/ssl-svhost.conf +Include conf/svhost-ssl.conf # Allow the server admin to view the server status <Location /server-status> SetHandler server-status HostnameLookups on -Deny from All Allow from all Require user admin </Location> @@ -80,7 +80,7 @@ ExtendedStatus On EOF # Generate HTTPS vhost configuration -cat >$root/conf/ssl-vhost.conf <<EOF +cat >$root/conf/vhost-ssl.conf <<EOF # Generated by: httpd-ssl-conf $* # Virtual host configuration UseCanonicalName Off 
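Review bot: In the `<Location /server-status>` block, dropping `Deny from All` and keeping `Allow from all` leaves `Require user admin` without any real effect, because the location inherits `Satisfy Any` from the `<Location />` block this commit generates into vhost-ssl.conf (pulled in through `Include conf/svhost-ssl.conf` just above), so once the vhost-level `SSLRequire` is met host access alone grants the request and any holder of an org-issued server certificate can read the status page. In the other direction, this commit also removes the `AuthType Basic`/`AuthUserFile` lines and the `htpasswd` `admin` account that `Require user admin` depended on, so a request that fails `SSLRequire` and falls through to user auth will most likely be answered with a 500 ("AuthType not set") rather than a challenge, unless the sample configures an AuthType elsewhere. If the page is meant to be admin-only, add `Satisfy All` inside the location and restore an `AuthType`/`AuthUserFile` (or an OpenID requirement); if it is meant to be reachable by any authenticated peer, drop `Require user admin` so the intent is explicit. The `cat <<EOF` heredoc that generates this vhost starts before the hunk.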
@@ -89,39 +89,113 @@ UseCanonicalName Off SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 +SSLOptions -StrictRequire +OptRenegotiate -# Logging -CustomLog "$root/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" -LogFormat "%h %l %u %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" sslcombined +# Verify client certificates +SSLVerifyClient optional +SSLVerifyDepth 1 + +# Log SSL requests +#CustomLog "$root/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" +LogFormat "%h %l %u %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" \"%{SSL_CLIENT_I_DN}x\" \"%{SSL_CLIENT_S_DN}x\"" sslcombined CustomLog $root/logs/ssl_access_log sslcombined -LogLevel warn -# Require clients to present either: -# a certificate signed with our certification authority certificate -# or a userid + password for HTTP basic authentication +EOF + +# Generate HTTPS authentication requirement +cat >>$root/conf/vhost-ssl.conf <<EOF <Location /> +# Require clients to use SSL and authenticate +SSLRequireSSL + +# Also accept other forms of authentication (e.g. 
HTTP basic +# authentication, or OpenID authentication) Satisfy Any -SSLVerifyClient optional -SSLVerifyDepth 1 -SSLOptions +FakeBasicAuth -SSLRequireSSL -SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 and %{SSL_CLIENT_I_DN_O} == "$org" +EOF -AuthType Basic -AuthName "$host" -AuthUserFile "$root/conf/httpd.passwd" -Require valid-user +proxyconf=`cat $root/conf/vhost.conf | grep "# Generated by: proxy-conf"` +if [ "$proxyconf" != "" ]; then + cat >>$root/conf/vhost-ssl.conf <<EOF +# In an proxy, only require a 128+ cipher key +SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 + +# Forward received SSL client certificate info in proxied requests +RewriteEngine on +RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}] +RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}] +RewriteCond %{SSL:SSL_CLIENT_I_DN} !="" +RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}] +RewriteCond %{SSL:SSL_CLIENT_S_DN} !="" +RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}] +RewriteCond %{SSL:SSL_CLIENT_I_DN_O} !="" +RewriteRule .* - [E=SSL_I_DN_O:%{SSL:SSL_CLIENT_I_DN_O}] +RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} !="" +RewriteRule .* - [E=SSL_S_DN_OU:%{SSL:SSL_CLIENT_S_DN_OU}] +RequestHeader unset X-Forwarded-SSL-Protocol +RequestHeader unset X-Forwarded-SSL-Cipher +RequestHeader unset X-Forwarded-SSL-Issuer-DN +RequestHeader unset X-Forwarded-SSL-Client-DN +RequestHeader unset X-Forwarded-SSL-Issuer-DN-O +RequestHeader unset X-Forwarded-SSL-Client-DN-OU +RequestHeader set X-Forwarded-SSL-Protocol %{SSL_PROTOCOL}e env=SSL_PROTOCOL +RequestHeader set X-Forwarded-SSL-Cipher %{SSL_CIPHER}e env=SSL_CIPHER +RequestHeader set X-Forwarded-SSL-Issuer-DN %{SSL_I_DN}e env=SSL_I_DN +RequestHeader set X-Forwarded-SSL-Client-DN %{SSL_S_DN}e env=SSL_S_DN +RequestHeader set X-Forwarded-SSL-Issuer-DN-O %{SSL_I_DN_O}e env=SSL_I_DN_O +RequestHeader set X-Forwarded-SSL-Client-DN-OU %{SSL_S_DN_OU}e env=SSL_S_DN_OU + +EOF +else + cat >>$root/conf/vhost-ssl.conf <<EOF +# In a server, require a 128+ cipher key and one of 
the following +# - another server's certificate issued by our certificate authority +# - a proxy certificate + forwarded info on the client request certificate, +# both signed by our certificate authority +# - OpenID authentication (set by mod_auth_openid in the auth_type) +# - another valid form of authentication as per the Satisfy directive +SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 and ( \ +( %{SSL_CLIENT_I_DN_O} == "$org" and %{SSL_CLIENT_S_DN_OU} == "server" ) or \ +( %{SSL_CLIENT_I_DN_O} == "$org" and %{SSL_CLIENT_S_DN_OU} == "proxy" and \ + %{HTTP:X-Forwarded-SSL-Issuer-DN-O} == "$org" and %{HTTP:X-Forwarded-SSL-Client-DN-OU} == "server" ) or \ +%{REQUEST_URI} =~ m/^.(login|logout|openid|unprotected).*$/ ) + +# Record received SSL client certificate info in environment vars +RewriteEngine on +RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}] +RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}] +RewriteCond %{SSL:SSL_CLIENT_I_DN} !="" +RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}] +RewriteCond %{SSL:SSL_CLIENT_S_DN} !="" +RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}] + +# Store the client certificate DN in the SSL_REMOTE_USER var, +# that's similar to the SSLUserName directive but more flexible as +# it can pick a client certificate DN forwarded by a proxy +RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org" +RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "server" +RewriteRule .* - [E=SSL_REMOTE_USER:%{SSL:SSL_CLIENT_S_DN}] + +RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org" +RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "proxy" +RewriteCond %{HTTP:X-Forwarded-SSL-Issuer-DN-O} "$org" +RewriteCond %{HTTP:X-Forwarded-SSL-Client-DN-OU} "server" +RewriteRule .* - [E=SSL_REMOTE_USER:%{HTTP:X-Forwarded-SSL-Client-DN}] + +EOF +fi + +cat >>$root/conf/vhost-ssl.conf <<EOF </Location> EOF -cat >$root/conf/ssl-svhost.conf <<EOF +cat >$root/conf/svhost-ssl.conf <<EOF # Generated by: httpd-ssl-conf $* # Static virtual host configuration -Include conf/ssl-vhost.conf +Include 
conf/vhost-ssl.conf -# Configure SSL certificates +# Declare SSL certificates used in this virtual host SSLCACertificateFile "$root/conf/ca.crt" SSLCertificateChainFile "$root/conf/ca.crt" SSLCertificateFile "$root/conf/server.crt" @@ -129,12 +203,12 @@ SSLCertificateKeyFile "$root/conf/server.key" EOF -cat >$root/conf/ssl-dvhost.conf <<EOF +cat >$root/conf/dvhost-ssl.conf <<EOF # Mass dynamic virtual host configuration # Generated by: httpd-ssl-conf $* -Include conf/ssl-vhost.conf +Include conf/vhost-ssl.conf -# Configure SSL certificates +# Declare wildcard SSL certificates used in this virtual host SSLCACertificateFile "$root/conf/ca.crt" SSLCertificateChainFile "$root/conf/ca.crt" SSLCertificateFile "$root/conf/vhost.crt" @@ -142,9 +216,3 @@ SSLCertificateKeyFile "$root/conf/vhost.key" EOF -# Create test users for HTTP basic authentication -$httpd_prefix/bin/htpasswd -bc $root/conf/httpd.passwd test test 2>/dev/null -$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd admin admin 2>/dev/null -$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd foo foo 2>/dev/null -$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd bar bar 2>/dev/null - |
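Review bot: The certificate exemption in the server-branch `SSLRequire`, `%{REQUEST_URI} =~ m/^.(login|logout|openid|unprotected).*$/`, is a bare prefix match: `^.` accepts any first character rather than `/`, and nothing requires a segment boundary after the keyword, so every path beginning with `/login`, `/logout`, `/openid` or `/unprotected` (for example `/openid-admin/` or `/unprotected_data`) satisfies the access check and, with `Satisfy Any`, is served with no client certificate and no OpenID session. Anchor it to a path segment, `%{REQUEST_URI} =~ m#^/(login|logout|openid|unprotected)(/|$)#` — I believe mod_ssl takes the character following `m` as the regex delimiter, so `#` avoids a literal slash inside the pattern; if your httpd only accepts `/`, spell the slashes as `\x2f` instead. Two nits in the same hunk: `` proxyconf=`cat $root/conf/vhost.conf | grep "# Generated by: proxy-conf"` `` followed by a string test reads more simply as `if grep -q "# Generated by: proxy-conf" "$root/conf/vhost.conf"; then`, and the comment `# In an proxy, only require a 128+ cipher key` should read `# In a proxy, ...`. The heredocs this hunk edits are opened and closed within it; the generating script continues past the hunk.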