diff options
| author | jsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68> | 2010-11-28 07:17:11 +0000 |
|---|---|---|
| committer | jsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68> | 2010-11-28 07:17:11 +0000 |
| commit | 14f1ada7b2bb66c6c3dae496d3963e9af3f0ab38 (patch) | |
| tree | 01d610b53ba9b2088138d057f16ed6e5122cfe36 /sca-cpp/trunk/modules/http/httpd-ssl-conf | |
| parent | 6c67a3ca11e4bcd7715d92df2e3e41e4e3fc0dc9 (diff) | |
Use different servers for cert-based and password-based auth and use event MPMs for tunnel and proxy servers.
git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1039840 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'sca-cpp/trunk/modules/http/httpd-ssl-conf')
| -rwxr-xr-x | sca-cpp/trunk/modules/http/httpd-ssl-conf | 107 |
1 files changed, 7 insertions, 100 deletions
diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf index 94352ca344..0a73809fa5 100755 --- a/sca-cpp/trunk/modules/http/httpd-ssl-conf +++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf @@ -29,7 +29,7 @@ port=`$here/httpd-addr port $gport` pport=`$here/httpd-addr pport $gport` sslpport=`$here/httpd-addr pport $2` -ssllisten=`$here/httpd-addr listen $2` +sslport=`$here/httpd-addr listen $2` sslvhost=`$here/httpd-addr vhost $2` htdocs=`echo $conf | awk '{ print $8 }'` @@ -56,7 +56,7 @@ SSLRandomSeed startup builtin SSLRandomSeed connect builtin # Listen on HTTPS port -Listen $ssllisten +Listen $sslport # HTTPS virtual host <VirtualHost $sslvhost> @@ -73,9 +73,6 @@ Require user admin </VirtualHost> -# Report extended server status -ExtendedStatus On - EOF # Generate HTTP vhost configuration @@ -115,17 +112,11 @@ SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth -# Verify client certificates -SSLVerifyClient optional -SSLVerifyDepth 1 - -# Enable SSL proxy engine -SSLProxyEngine on -SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL - -# Verify server certificates -SSLProxyVerify require -SSLProxyVerifyDepth 1 +# Require clients to use SSL and authenticate +<Location /> +SSLRequireSSL +SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 +</Location> # Log SSL requests # [timestamp] [sslaccess] remote-host remote-ident remote-user SSL-protocol @@ -137,81 +128,6 @@ CustomLog $root/logs/ssl_access_log sslcombined EOF -# Generate HTTPS authentication requirement -cat >>$root/conf/vhost-ssl.conf <<EOF -<Location /> -# Require clients to use SSL and authenticate -SSLRequireSSL -SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 - -EOF - -proxyconf=`cat $root/conf/vhost.conf | grep "# Generated by: proxy-conf"` -if [ "$proxyconf" != "" ]; then - cat >>$root/conf/vhost-ssl.conf <<EOF -# Forward received SSL client certificate info in proxied requests -RewriteEngine on -RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}] -RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}] -RewriteCond %{SSL:SSL_CLIENT_I_DN} !="" -RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}] -RewriteCond %{SSL:SSL_CLIENT_S_DN} !="" -RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}] -RewriteCond %{SSL:SSL_CLIENT_I_DN_O} !="" -RewriteRule .* - [E=SSL_I_DN_O:%{SSL:SSL_CLIENT_I_DN_O}] -RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} !="" -RewriteRule .* - [E=SSL_S_DN_OU:%{SSL:SSL_CLIENT_S_DN_OU}] -RequestHeader unset X-Forwarded-SSL-Protocol -RequestHeader unset X-Forwarded-SSL-Cipher -RequestHeader unset X-Forwarded-SSL-Issuer-DN -RequestHeader unset X-Forwarded-SSL-Client-DN -RequestHeader unset X-Forwarded-SSL-Issuer-DN-O -RequestHeader unset X-Forwarded-SSL-Client-DN-OU -RequestHeader set X-Forwarded-SSL-Protocol %{SSL_PROTOCOL}e env=SSL_PROTOCOL -RequestHeader set X-Forwarded-SSL-Cipher %{SSL_CIPHER}e env=SSL_CIPHER -RequestHeader set X-Forwarded-SSL-Issuer-DN %{SSL_I_DN}e env=SSL_I_DN -RequestHeader set X-Forwarded-SSL-Client-DN %{SSL_S_DN}e env=SSL_S_DN -RequestHeader set X-Forwarded-SSL-Issuer-DN-O %{SSL_I_DN_O}e env=SSL_I_DN_O -RequestHeader set X-Forwarded-SSL-Client-DN-OU %{SSL_S_DN_OU}e env=SSL_S_DN_OU - -EOF -else - cat >>$root/conf/vhost-ssl.conf <<EOF - -# Record received SSL client certificate info in environment vars -RewriteEngine on -RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}] -RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}] -RewriteCond %{SSL:SSL_CLIENT_I_DN} !="" -RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}] -RewriteCond %{SSL:SSL_CLIENT_S_DN} !="" -RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}] - -# Store the client certificate DN in the SSL_REMOTE_USER var, -# that's similar to the SSLUserName directive but more flexible as -# it can pick a client certificate DN forwarded by a proxy -RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org" -RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "server" -RewriteRule .* - [E=SSL_REMOTE_USER:%{SSL:SSL_CLIENT_S_DN}] - -RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org" -RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "tunnel" -RewriteRule .* - [E=SSL_REMOTE_USER:%{SSL:SSL_CLIENT_S_DN}] - -RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org" -RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "proxy" -RewriteCond %{HTTP:X-Forwarded-SSL-Issuer-DN-O} "$org" -RewriteCond %{HTTP:X-Forwarded-SSL-Client-DN-OU} "server" -RewriteRule .* - [E=SSL_REMOTE_USER:%{HTTP:X-Forwarded-SSL-Client-DN}] - -EOF -fi - -cat >>$root/conf/vhost-ssl.conf <<EOF -</Location> - -EOF - proxycert="server" if [ "$proxyconf" != "" ]; then proxycert="proxy" @@ -228,10 +144,6 @@ SSLCertificateChainFile "$root/cert/ca.crt" SSLCertificateFile "$root/cert/server.crt" SSLCertificateKeyFile "$root/cert/server.key" -# Declare proxy SSL client certificates -SSLProxyCACertificateFile "$root/cert/ca.crt" -SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem" - EOF cat >$root/conf/dvhost-ssl.conf <<EOF @@ -251,8 +163,3 @@ SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem" EOF -# Configure user for HTTP fake basic auth -cat >$root/conf/httpd.passwd <<EOF -/C=US/ST=CA/L=San Francisco/O=$host/OU=server/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/ -EOF - |