authorjsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68>2010-08-02 01:42:59 +0000
committerjsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68>2010-08-02 01:42:59 +0000
commit91bee1de5ab7b97cc32c8ba1c9942823757b86a6 (patch)
tree87610c1667e6768af15d21299d168d130e590f98 /sca-cpp/trunk/modules/http/httpd-ssl-conf
parentb85cc12a996022a40e1a3cec0caf6cd432a49f1e (diff)
Fix HTTPS config scripts to enable SSL certificates, HTTP basic auth, and OpenID to coexist. Add OpenID support to sample.
git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@981352 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'sca-cpp/trunk/modules/http/httpd-ssl-conf')
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-ssl-conf134
1 files changed, 101 insertions, 33 deletions
diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf
index f2f8b01614..f36da55b12 100755
--- a/sca-cpp/trunk/modules/http/httpd-ssl-conf
+++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf
@@ -45,7 +45,7 @@ RewriteCond %{SERVER_PORT} !^$sslpport$
RewriteRule .* https://%{SERVER_NAME}:$sslpport%{REQUEST_URI} [R,L]
</Location>
-# Setup SSL support
+# Configure SSL support
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
@@ -55,19 +55,19 @@ SSLMutex "file:$root/logs/ssl_mutex"
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
-# Setup HTTPS virtual host
+# Listen on HTTPS port
Listen $sslport
+# HTTPS virtual host
<VirtualHost *:$sslport>
ServerName https://$host:$sslpport
-Include conf/ssl-svhost.conf
+Include conf/svhost-ssl.conf
# Allow the server admin to view the server status
<Location /server-status>
SetHandler server-status
HostnameLookups on
-Deny from All
Allow from all
Require user admin
</Location>
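Review bot: `Allow from all` kept directly above `Require user admin` makes the user requirement ineffective if this `<Location /server-status>` inherits the `Satisfy Any` that the included vhost-ssl.conf sets in `<Location />`: the host-based check passes on its own, so the authentication stage is never reached for any client the SSL rules admit. If /server-status is meant to be admin-only, add `Satisfy All` inside this Location so both the host rule and the user requirement must hold. The hunk also shows no `AuthType`/`AuthUserFile` for this Location, so `Require user admin` presumably relies on authentication configured elsewhere in the vhost; worth confirming that it is.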
@@ -80,7 +80,7 @@ ExtendedStatus On
EOF
# Generate HTTPS vhost configuration
-cat >$root/conf/ssl-vhost.conf <<EOF
+cat >$root/conf/vhost-ssl.conf <<EOF
# Generated by: httpd-ssl-conf $*
# Virtual host configuration
UseCanonicalName Off
@@ -89,39 +89,113 @@ UseCanonicalName Off
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
+SSLOptions -StrictRequire +OptRenegotiate
-# Logging
-CustomLog "$root/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-LogFormat "%h %l %u %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" sslcombined
+# Verify client certificates
+SSLVerifyClient optional
+SSLVerifyDepth 1
+
+# Log SSL requests
+#CustomLog "$root/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+LogFormat "%h %l %u %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" \"%{SSL_CLIENT_I_DN}x\" \"%{SSL_CLIENT_S_DN}x\"" sslcombined
CustomLog $root/logs/ssl_access_log sslcombined
-LogLevel warn
-# Require clients to present either:
-# a certificate signed with our certification authority certificate
-# or a userid + password for HTTP basic authentication
+EOF
+
+# Generate HTTPS authentication requirement
+cat >>$root/conf/vhost-ssl.conf <<EOF
<Location />
+# Require clients to use SSL and authenticate
+SSLRequireSSL
+
+# Also accept other forms of authentication (e.g. HTTP basic
+# authentication, or OpenID authentication)
Satisfy Any
-SSLVerifyClient optional
-SSLVerifyDepth 1
-SSLOptions +FakeBasicAuth
-SSLRequireSSL
-SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 and %{SSL_CLIENT_I_DN_O} == "$org"
+EOF
-AuthType Basic
-AuthName "$host"
-AuthUserFile "$root/conf/httpd.passwd"
-Require valid-user
+proxyconf=`cat $root/conf/vhost.conf | grep "# Generated by: proxy-conf"`
+if [ "$proxyconf" != "" ]; then
+ cat >>$root/conf/vhost-ssl.conf <<EOF
+# In an proxy, only require a 128+ cipher key
+SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
+
+# Forward received SSL client certificate info in proxied requests
+RewriteEngine on
+RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}]
+RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}]
+RewriteCond %{SSL:SSL_CLIENT_I_DN} !=""
+RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}]
+RewriteCond %{SSL:SSL_CLIENT_S_DN} !=""
+RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}]
+RewriteCond %{SSL:SSL_CLIENT_I_DN_O} !=""
+RewriteRule .* - [E=SSL_I_DN_O:%{SSL:SSL_CLIENT_I_DN_O}]
+RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} !=""
+RewriteRule .* - [E=SSL_S_DN_OU:%{SSL:SSL_CLIENT_S_DN_OU}]
+RequestHeader unset X-Forwarded-SSL-Protocol
+RequestHeader unset X-Forwarded-SSL-Cipher
+RequestHeader unset X-Forwarded-SSL-Issuer-DN
+RequestHeader unset X-Forwarded-SSL-Client-DN
+RequestHeader unset X-Forwarded-SSL-Issuer-DN-O
+RequestHeader unset X-Forwarded-SSL-Client-DN-OU
+RequestHeader set X-Forwarded-SSL-Protocol %{SSL_PROTOCOL}e env=SSL_PROTOCOL
+RequestHeader set X-Forwarded-SSL-Cipher %{SSL_CIPHER}e env=SSL_CIPHER
+RequestHeader set X-Forwarded-SSL-Issuer-DN %{SSL_I_DN}e env=SSL_I_DN
+RequestHeader set X-Forwarded-SSL-Client-DN %{SSL_S_DN}e env=SSL_S_DN
+RequestHeader set X-Forwarded-SSL-Issuer-DN-O %{SSL_I_DN_O}e env=SSL_I_DN_O
+RequestHeader set X-Forwarded-SSL-Client-DN-OU %{SSL_S_DN_OU}e env=SSL_S_DN_OU
+
+EOF
+else
+ cat >>$root/conf/vhost-ssl.conf <<EOF
+# In a server, require a 128+ cipher key and one of the following
+# - another server's certificate issued by our certificate authority
+# - a proxy certificate + forwarded info on the client request certificate,
+# both signed by our certificate authority
+# - OpenID authentication (set by mod_auth_openid in the auth_type)
+# - another valid form of authentication as per the Satisfy directive
+SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 and ( \
+( %{SSL_CLIENT_I_DN_O} == "$org" and %{SSL_CLIENT_S_DN_OU} == "server" ) or \
+( %{SSL_CLIENT_I_DN_O} == "$org" and %{SSL_CLIENT_S_DN_OU} == "proxy" and \
+ %{HTTP:X-Forwarded-SSL-Issuer-DN-O} == "$org" and %{HTTP:X-Forwarded-SSL-Client-DN-OU} == "server" ) or \
+%{REQUEST_URI} =~ m/^.(login|logout|openid|unprotected).*$/ )
+
+# Record received SSL client certificate info in environment vars
+RewriteEngine on
+RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}]
+RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}]
+RewriteCond %{SSL:SSL_CLIENT_I_DN} !=""
+RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}]
+RewriteCond %{SSL:SSL_CLIENT_S_DN} !=""
+RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}]
+
+# Store the client certificate DN in the SSL_REMOTE_USER var,
+# that's similar to the SSLUserName directive but more flexible as
+# it can pick a client certificate DN forwarded by a proxy
+RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org"
+RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "server"
+RewriteRule .* - [E=SSL_REMOTE_USER:%{SSL:SSL_CLIENT_S_DN}]
+
+RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org"
+RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "proxy"
+RewriteCond %{HTTP:X-Forwarded-SSL-Issuer-DN-O} "$org"
+RewriteCond %{HTTP:X-Forwarded-SSL-Client-DN-OU} "server"
+RewriteRule .* - [E=SSL_REMOTE_USER:%{HTTP:X-Forwarded-SSL-Client-DN}]
+
+EOF
+fi
+
+cat >>$root/conf/vhost-ssl.conf <<EOF
</Location>
EOF
-cat >$root/conf/ssl-svhost.conf <<EOF
+cat >$root/conf/svhost-ssl.conf <<EOF
# Generated by: httpd-ssl-conf $*
# Static virtual host configuration
-Include conf/ssl-vhost.conf
+Include conf/vhost-ssl.conf
-# Configure SSL certificates
+# Declare SSL certificates used in this virtual host
SSLCACertificateFile "$root/conf/ca.crt"
SSLCertificateChainFile "$root/conf/ca.crt"
SSLCertificateFile "$root/conf/server.crt"
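Review bot: The `%{SSL_CIPHER_USEKEYSIZE} >= 128` clause in the appended `SSLRequire` lines (both the proxy and the server branch) is the only thing excluding the weak ciphers that the unchanged `SSLCipherSuite ALL:...+LOW:+SSLv2:+EXP:+eNULL` line still enables, and with the new `SSLOptions -StrictRequire` plus `Satisfy Any` in `<Location />` an `SSLRequire` denial is overridden whenever another authentication method succeeds, so a basic-auth or OpenID login can complete over a LOW/EXP/eNULL cipher. Express the minimum strength in the cipher list instead, e.g. `SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!SSLv2`, which `Satisfy` cannot bypass, and keep `SSLRequire` for the certificate attributes. The exemption `%{REQUEST_URI} =~ m/^.(login|logout|openid|unprotected).*$/` is a prefix match (and `.` after `^` is any character, not a literal `/`), so every path starting with one of those names skips the certificate check; if only those resources are meant, anchor the pattern on a path-segment boundary. The heredoc this hunk starts in is opened in the previous hunk.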
@@ -129,12 +203,12 @@ SSLCertificateKeyFile "$root/conf/server.key"
EOF
-cat >$root/conf/ssl-dvhost.conf <<EOF
+cat >$root/conf/dvhost-ssl.conf <<EOF
# Mass dynamic virtual host configuration
# Generated by: httpd-ssl-conf $*
-Include conf/ssl-vhost.conf
+Include conf/vhost-ssl.conf
-# Configure SSL certificates
+# Declare wildcard SSL certificates used in this virtual host
SSLCACertificateFile "$root/conf/ca.crt"
SSLCertificateChainFile "$root/conf/ca.crt"
SSLCertificateFile "$root/conf/vhost.crt"
@@ -142,9 +216,3 @@ SSLCertificateKeyFile "$root/conf/vhost.key"
EOF
-# Create test users for HTTP basic authentication
-$httpd_prefix/bin/htpasswd -bc $root/conf/httpd.passwd test test 2>/dev/null
-$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd admin admin 2>/dev/null
-$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd foo foo 2>/dev/null
-$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd bar bar 2>/dev/null
-