author | jsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68> | 2010-08-02 01:42:59 +0000 |
---|---|---|
committer | jsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68> | 2010-08-02 01:42:59 +0000 |
commit | 91bee1de5ab7b97cc32c8ba1c9942823757b86a6 (patch) | |
tree | 87610c1667e6768af15d21299d168d130e590f98 /sca-cpp/trunk/modules/http | |
parent | b85cc12a996022a40e1a3cec0caf6cd432a49f1e (diff) |
Fix HTTPS config scripts to enable SSL certificates, HTTP basic auth, and OpenID to coexist. Add OpenID support to sample.
git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@981352 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to '')
-rw-r--r-- | sca-cpp/trunk/modules/http/Makefile.am | 2 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/httpd-auth-conf | 46 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/httpd-conf | 18 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/httpd-ssl-conf | 134 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/proxy-conf | 3 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/proxy-ssl-conf | 27 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/proxy-ssl-member-conf | 2 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/ssl-ca-conf | 6 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/ssl-cert-conf | 6 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/vhost-conf | 2 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/vhost-ssl-conf | 4 |
11 files changed, 183 insertions, 67 deletions
diff --git a/sca-cpp/trunk/modules/http/Makefile.am b/sca-cpp/trunk/modules/http/Makefile.am index 17fd8ac3c7..03f5c234f5 100644 --- a/sca-cpp/trunk/modules/http/Makefile.am +++ b/sca-cpp/trunk/modules/http/Makefile.am @@ -20,7 +20,7 @@ INCLUDES = -I${HTTPD_INCLUDE} incl_HEADERS = *.hpp incldir = $(prefix)/include/modules/http -dist_mod_SCRIPTS = httpd-conf httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf httpd-ssl-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf +dist_mod_SCRIPTS = httpd-conf httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf httpd-ssl-conf httpd-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf moddir=$(prefix)/modules/http curl_test_SOURCES = curl-test.cpp diff --git a/sca-cpp/trunk/modules/http/httpd-auth-conf b/sca-cpp/trunk/modules/http/httpd-auth-conf new file mode 100755 index 0000000000..cfe81f778a --- /dev/null +++ b/sca-cpp/trunk/modules/http/httpd-auth-conf 
@@ -0,0 +1,46 @@ +#!/bin/sh + +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +# Generate a minimal HTTPD SSL configuration +here=`readlink -f $0`; here=`dirname $here` +root=`readlink -f $1` +conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"` +host=`echo $conf | awk '{ print $6 }'` +httpd_prefix=`cat $here/httpd.prefix` + +# Generate basic authentication configuration +cat >>$root/conf/vhost-ssl.conf <<EOF +# Generated by: httpd-auth-conf $* +# Require clients to present a userid + password for HTTP +# basic authentication +<Location /> +AuthType Basic +AuthName "$host" +AuthUserFile "$root/conf/httpd.passwd" +Require valid-user +</Location> + +EOF + +# Create test users +$httpd_prefix/bin/htpasswd -bc $root/conf/httpd.passwd test test 2>/dev/null +$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd admin admin 2>/dev/null +$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd foo foo 2>/dev/null +$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd bar bar 2>/dev/null + diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf index 149bc56c4d..2cbf5120e9 100755 --- a/sca-cpp/trunk/modules/http/httpd-conf +++ b/sca-cpp/trunk/modules/http/httpd-conf 
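Review bot: The "Create test users" block at the end of the new script always writes `httpd.passwd` with four accounts whose password equals the user name, including `admin`, the user that `Require user admin` names for `/server-status` in httpd-ssl-conf; because the script is installed through `dist_mod_SCRIPTS`, every setup that runs it gets those credentials. At minimum add a comment such as `# Test-only accounts (password = user name); replace httpd.passwd before exposing this server`, or create the accounts only on an explicit opt-in argument. The `2>/dev/null` on each `htpasswd` call also hides a failure that would leave `AuthUserFile` pointing at a missing file. The header comment `# Generate a minimal HTTPD SSL configuration` looks copied from httpd-ssl-conf and could read `# Generate an HTTP basic authentication configuration`.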
@@ -44,7 +44,9 @@ cat >$root/conf/httpd.conf <<EOF ServerName http://$host:$pport PidFile $root/logs/httpd.pid -# Minimal set of modules +# Load a minimal set of modules, the load order is important +# (e.g. load mod_headers before mod_rewrite, so its hooks execute +# after mod_rewrite's hooks) LoadModule alias_module ${modules_prefix}/modules/mod_alias.so LoadModule authn_file_module ${modules_prefix}/modules/mod_authn_file.so LoadModule authn_default_module ${modules_prefix}/modules/mod_authn_default.so @@ -58,13 +60,14 @@ LoadModule proxy_module ${modules_prefix}/modules/mod_proxy.so LoadModule proxy_connect_module ${modules_prefix}/modules/mod_proxy_connect.so LoadModule proxy_http_module ${modules_prefix}/modules/mod_proxy_http.so LoadModule proxy_balancer_module ${modules_prefix}/modules/mod_proxy_balancer.so +LoadModule headers_module ${modules_prefix}/modules/mod_headers.so LoadModule ssl_module ${modules_prefix}/modules/mod_ssl.so +LoadModule rewrite_module ${modules_prefix}/modules/mod_rewrite.so LoadModule mime_module ${modules_prefix}/modules/mod_mime.so LoadModule status_module ${modules_prefix}/modules/mod_status.so LoadModule asis_module ${modules_prefix}/modules/mod_asis.so LoadModule negotiation_module ${modules_prefix}/modules/mod_negotiation.so LoadModule dir_module ${modules_prefix}/modules/mod_dir.so -LoadModule rewrite_module ${modules_prefix}/modules/mod_rewrite.so LoadModule setenvif_module ${modules_prefix}/modules/mod_setenvif.so <IfModule !log_config_module> LoadModule log_config_module ${modules_prefix}/modules/mod_log_config.so 
@@ -80,17 +83,17 @@ Timeout 45 LimitRequestBody 1048576 HostNameLookups Off -# Logging +# Log HTTP requests +LogLevel info ErrorLog $root/logs/error_log LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined CustomLog $root/logs/access_log combined -LogLevel warn # Configure Mime types DefaultType text/plain TypesConfig $here/conf/mime.types -# Set document root +# Set default document root DocumentRoot $htdocs DirectoryIndex index.html @@ -113,16 +116,17 @@ Options FollowSymLinks Allow from all </Directory> -# Allow access to service components +# Allow access to root location <Location /> Options FollowSymLinks Order deny,allow Allow from all </Location> -# Setup HTTP virtual host +# Listen on HTTP port Listen $port +# Setup HTTP virtual host <VirtualHost *:$port> ServerName http://$host:$pport diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf index f2f8b01614..f36da55b12 100755 --- a/sca-cpp/trunk/modules/http/httpd-ssl-conf +++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf @@ -45,7 +45,7 @@ RewriteCond %{SERVER_PORT} !^$sslpport$ RewriteRule .* https://%{SERVER_NAME}:$sslpport%{REQUEST_URI} [R,L] </Location> -# Setup SSL support +# Configure SSL support AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLPassPhraseDialog builtin @@ -55,19 +55,19 @@ SSLMutex "file:$root/logs/ssl_mutex" SSLRandomSeed startup builtin SSLRandomSeed connect builtin -# Setup HTTPS virtual host +# Listen on HTTPS port Listen $sslport +# HTTPS virtual host <VirtualHost *:$sslport> ServerName https://$host:$sslpport -Include conf/ssl-svhost.conf +Include conf/svhost-ssl.conf # Allow the server admin to view the server status <Location /server-status> SetHandler server-status HostnameLookups on -Deny from All Allow from all Require user admin </Location> 
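Review bot: In `<Location /server-status>` of httpd-ssl-conf, the remaining `Allow from all` sits next to `Require user admin`, while the `<Location />` block this commit generates into vhost-ssl.conf sets `Satisfy Any`; if that setting is inherited here (both end up in the same virtual host through the `Include`), a request that passes the host and SSL access checks would be served without the `admin` login being consulted. If the status page is meant to be admin-only, consider adding `Satisfy All` inside this location, or replacing `Allow from all` with `Deny from all` so that the `Require` line decides. The `/balancer-manager` location in proxy-ssl-conf shows the same `Allow from all` / `Require user admin` pair as context lines. This is inferred from the directives visible in the diff and should be confirmed against a generated configuration.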
@@ -80,7 +80,7 @@ ExtendedStatus On EOF # Generate HTTPS vhost configuration -cat >$root/conf/ssl-vhost.conf <<EOF +cat >$root/conf/vhost-ssl.conf <<EOF # Generated by: httpd-ssl-conf $* # Virtual host configuration UseCanonicalName Off 
@@ -89,39 +89,113 @@ UseCanonicalName Off SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 +SSLOptions -StrictRequire +OptRenegotiate -# Logging -CustomLog "$root/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" -LogFormat "%h %l %u %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" sslcombined +# Verify client certificates +SSLVerifyClient optional +SSLVerifyDepth 1 + +# Log SSL requests +#CustomLog "$root/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" +LogFormat "%h %l %u %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" \"%{SSL_CLIENT_I_DN}x\" \"%{SSL_CLIENT_S_DN}x\"" sslcombined CustomLog $root/logs/ssl_access_log sslcombined -LogLevel warn -# Require clients to present either: -# a certificate signed with our certification authority certificate -# or a userid + password for HTTP basic authentication +EOF + +# Generate HTTPS authentication requirement +cat >>$root/conf/vhost-ssl.conf <<EOF <Location /> +# Require clients to use SSL and authenticate +SSLRequireSSL + +# Also accept other forms of authentication (e.g. 
HTTP basic +# authentication, or OpenID authentication) Satisfy Any -SSLVerifyClient optional -SSLVerifyDepth 1 -SSLOptions +FakeBasicAuth -SSLRequireSSL -SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 and %{SSL_CLIENT_I_DN_O} == "$org" +EOF -AuthType Basic -AuthName "$host" -AuthUserFile "$root/conf/httpd.passwd" -Require valid-user +proxyconf=`cat $root/conf/vhost.conf | grep "# Generated by: proxy-conf"` +if [ "$proxyconf" != "" ]; then + cat >>$root/conf/vhost-ssl.conf <<EOF +# In an proxy, only require a 128+ cipher key +SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 + +# Forward received SSL client certificate info in proxied requests +RewriteEngine on +RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}] +RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}] +RewriteCond %{SSL:SSL_CLIENT_I_DN} !="" +RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}] +RewriteCond %{SSL:SSL_CLIENT_S_DN} !="" +RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}] +RewriteCond %{SSL:SSL_CLIENT_I_DN_O} !="" +RewriteRule .* - [E=SSL_I_DN_O:%{SSL:SSL_CLIENT_I_DN_O}] +RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} !="" +RewriteRule .* - [E=SSL_S_DN_OU:%{SSL:SSL_CLIENT_S_DN_OU}] +RequestHeader unset X-Forwarded-SSL-Protocol +RequestHeader unset X-Forwarded-SSL-Cipher +RequestHeader unset X-Forwarded-SSL-Issuer-DN +RequestHeader unset X-Forwarded-SSL-Client-DN +RequestHeader unset X-Forwarded-SSL-Issuer-DN-O +RequestHeader unset X-Forwarded-SSL-Client-DN-OU +RequestHeader set X-Forwarded-SSL-Protocol %{SSL_PROTOCOL}e env=SSL_PROTOCOL +RequestHeader set X-Forwarded-SSL-Cipher %{SSL_CIPHER}e env=SSL_CIPHER +RequestHeader set X-Forwarded-SSL-Issuer-DN %{SSL_I_DN}e env=SSL_I_DN +RequestHeader set X-Forwarded-SSL-Client-DN %{SSL_S_DN}e env=SSL_S_DN +RequestHeader set X-Forwarded-SSL-Issuer-DN-O %{SSL_I_DN_O}e env=SSL_I_DN_O +RequestHeader set X-Forwarded-SSL-Client-DN-OU %{SSL_S_DN_OU}e env=SSL_S_DN_OU + +EOF +else + cat >>$root/conf/vhost-ssl.conf <<EOF +# In a server, require a 128+ cipher key and one of 
the following +# - another server's certificate issued by our certificate authority +# - a proxy certificate + forwarded info on the client request certificate, +# both signed by our certificate authority +# - OpenID authentication (set by mod_auth_openid in the auth_type) +# - another valid form of authentication as per the Satisfy directive +SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 and ( \ +( %{SSL_CLIENT_I_DN_O} == "$org" and %{SSL_CLIENT_S_DN_OU} == "server" ) or \ +( %{SSL_CLIENT_I_DN_O} == "$org" and %{SSL_CLIENT_S_DN_OU} == "proxy" and \ + %{HTTP:X-Forwarded-SSL-Issuer-DN-O} == "$org" and %{HTTP:X-Forwarded-SSL-Client-DN-OU} == "server" ) or \ +%{REQUEST_URI} =~ m/^.(login|logout|openid|unprotected).*$/ ) + +# Record received SSL client certificate info in environment vars +RewriteEngine on +RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}] +RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}] +RewriteCond %{SSL:SSL_CLIENT_I_DN} !="" +RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}] +RewriteCond %{SSL:SSL_CLIENT_S_DN} !="" +RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}] + +# Store the client certificate DN in the SSL_REMOTE_USER var, +# that's similar to the SSLUserName directive but more flexible as +# it can pick a client certificate DN forwarded by a proxy +RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org" +RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "server" +RewriteRule .* - [E=SSL_REMOTE_USER:%{SSL:SSL_CLIENT_S_DN}] + +RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org" +RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "proxy" +RewriteCond %{HTTP:X-Forwarded-SSL-Issuer-DN-O} "$org" +RewriteCond %{HTTP:X-Forwarded-SSL-Client-DN-OU} "server" +RewriteRule .* - [E=SSL_REMOTE_USER:%{HTTP:X-Forwarded-SSL-Client-DN}] + +EOF +fi + +cat >>$root/conf/vhost-ssl.conf <<EOF </Location> EOF -cat >$root/conf/ssl-svhost.conf <<EOF +cat >$root/conf/svhost-ssl.conf <<EOF # Generated by: httpd-ssl-conf $* # Static virtual host configuration -Include conf/ssl-vhost.conf +Include 
conf/vhost-ssl.conf -# Configure SSL certificates +# Declare SSL certificates used in this virtual host SSLCACertificateFile "$root/conf/ca.crt" SSLCertificateChainFile "$root/conf/ca.crt" SSLCertificateFile "$root/conf/server.crt" @@ -129,12 +203,12 @@ SSLCertificateKeyFile "$root/conf/server.key" EOF -cat >$root/conf/ssl-dvhost.conf <<EOF +cat >$root/conf/dvhost-ssl.conf <<EOF # Mass dynamic virtual host configuration # Generated by: httpd-ssl-conf $* -Include conf/ssl-vhost.conf +Include conf/vhost-ssl.conf -# Configure SSL certificates +# Declare wildcard SSL certificates used in this virtual host SSLCACertificateFile "$root/conf/ca.crt" SSLCertificateChainFile "$root/conf/ca.crt" SSLCertificateFile "$root/conf/vhost.crt" @@ -142,9 +216,3 @@ SSLCertificateKeyFile "$root/conf/vhost.key" EOF -# Create test users for HTTP basic authentication -$httpd_prefix/bin/htpasswd -bc $root/conf/httpd.passwd test test 2>/dev/null -$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd admin admin 2>/dev/null -$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd foo foo 2>/dev/null -$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd bar bar 2>/dev/null - diff --git a/sca-cpp/trunk/modules/http/proxy-conf b/sca-cpp/trunk/modules/http/proxy-conf index 4970950623..dd6f344fa6 100755 --- a/sca-cpp/trunk/modules/http/proxy-conf +++ b/sca-cpp/trunk/modules/http/proxy-conf @@ -23,11 +23,12 @@ root=`readlink -f $1` cat >>$root/conf/vhost.conf <<EOF # Generated by: proxy-conf $* -# Configure HTTP proxy and balancer +# Enable HTTP reverse proxy ProxyRequests Off ProxyPreserveHost On ProxyStatus On +# Enable load balancing ProxyPass / balancer://cluster/ <Proxy balancer://cluster> diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-conf b/sca-cpp/trunk/modules/http/proxy-ssl-conf index bc1b63fc7d..fe7e6a5be6 100755 --- a/sca-cpp/trunk/modules/http/proxy-ssl-conf +++ b/sca-cpp/trunk/modules/http/proxy-ssl-conf 
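Review bot: The URI exemption in the server branch's `SSLRequire`, `%{REQUEST_URI} =~ m/^.(login|logout|openid|unprotected).*$/`, is a prefix match with no path boundary, so any path whose first segment merely begins with one of those words (a resource named `/unprotected-reports`, say) appears to satisfy the expression without a client certificate. Ending the alternation at a segment boundary, i.e. the name followed by `/` or the end of the string, would limit the exemption to the four intended paths. The same branch sets `SSL_REMOTE_USER` from `X-Forwarded-SSL-Client-DN` when the peer certificate has OU `proxy`, which holds only as long as every holder of a `proxy` certificate strips inbound `X-Forwarded-SSL-*` headers the way the proxy branch's `RequestHeader unset` lines do. A comment next to those `RewriteCond` lines, such as `# Trusts X-Forwarded-SSL-* only from peers with an OU=proxy certificate; proxies must unset these headers on input`, would record that dependency.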
@@ -21,17 +21,14 @@ here=`readlink -f $0`; here=`dirname $here` root=`readlink -f $1` -cat >>$root/conf/ssl-vhost.conf <<EOF +cat >>$root/conf/vhost-ssl.conf <<EOF # Generated by: proxy-ssl-conf $* -# Enable SSL proxy -SSLProxyEngine on -SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL - -# Configure proxy and balancer +# Enable HTTPS proxy ProxyRequests Off ProxyPreserveHost On ProxyStatus On +# Enable load balancing ProxyPass /balancer-manager ! ProxyPass / balancer://sslcluster/ @@ -50,21 +47,21 @@ Allow from all Require user admin </Location> -EOF +# Enable SSL proxy engine +SSLProxyEngine on +SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL -cat >>$root/conf/ssl-svhost.conf <<EOF -# Generated by: proxy-ssl-conf $* -# Setup SSL proxy certificates -SSLProxyCACertificateFile "$root/conf/ca.crt" -SSLProxyMachineCertificateFile "$root/conf/server.pem" +# Verify server certificates +SSLProxyVerify require +SSLProxyVerifyDepth 1 EOF -cat >>$root/conf/ssl-dvhost.conf <<EOF +cat >>$root/conf/vhost-ssl.conf <<EOF # Generated by: proxy-ssl-conf $* -# Setup SSL proxy certificates +# Declare the proxy SSL client certificates SSLProxyCACertificateFile "$root/conf/ca.crt" -SSLProxyMachineCertificateFile "$root/conf/server.pem" +SSLProxyMachineCertificateFile "$root/conf/proxy.pem" EOF diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf index 9f20933e35..55930b7ef2 100755 --- a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf +++ b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf @@ -23,7 +23,7 @@ root=`readlink -f $1` host=$2 sslport=`echo $3 | awk -F "/" '{ print $1 }'` -cat >>$root/conf/ssl-vhost.conf <<EOF +cat >>$root/conf/vhost-ssl.conf <<EOF # Generated by: proxy-ssl-member-conf $* # Add proxy balancer member BalancerMember balancer://sslcluster https://$host:$sslport 
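Review bot: `SSLProxyCipherSuite` in the relocated "Enable SSL proxy engine" block of proxy-ssl-conf still ends with `+LOW:+SSLv2:+EXP:+eNULL`, so the proxy-to-member connection can negotiate export-grade or unencrypted suites even though this hunk now adds `SSLProxyVerify require`. Certificate verification authenticates the member, but it does not keep the forwarded `X-Forwarded-SSL-*` identity headers confidential if a NULL cipher is chosen. Consider `SSLProxyCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!SSLv2`. The front-end `SSLCipherSuite` in httpd-ssl-conf carries the same string as a context line and would need the same change.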
diff --git a/sca-cpp/trunk/modules/http/ssl-ca-conf b/sca-cpp/trunk/modules/http/ssl-ca-conf index b3c6dbbfa0..bd24ca8c21 100755 --- a/sca-cpp/trunk/modules/http/ssl-ca-conf +++ b/sca-cpp/trunk/modules/http/ssl-ca-conf @@ -43,10 +43,10 @@ x509_extensions = v3_ca C = US ST = CA L = San Francisco -O = Test Authority Organization -OU = Test Authority Unit +O = $host +OU = authority CN = $host -emailAddress = root@$host +emailAddress = admin@$host [ v3_ca ] subjectKeyIdentifier = hash diff --git a/sca-cpp/trunk/modules/http/ssl-cert-conf b/sca-cpp/trunk/modules/http/ssl-cert-conf index 959b5059e1..8b6208a449 100755 --- a/sca-cpp/trunk/modules/http/ssl-cert-conf +++ b/sca-cpp/trunk/modules/http/ssl-cert-conf @@ -47,10 +47,10 @@ distinguished_name = req_distinguished_name C = US ST = CA L = San Francisco -O = Test Organization -OU = Test Unit +O = $host +OU = $certname CN = $host -emailAddress = root@$host +emailAddress = admin@$host EOF # Generate a certificate request diff --git a/sca-cpp/trunk/modules/http/vhost-conf b/sca-cpp/trunk/modules/http/vhost-conf index e49a1cd415..4f563b673e 100755 --- a/sca-cpp/trunk/modules/http/vhost-conf +++ b/sca-cpp/trunk/modules/http/vhost-conf @@ -32,7 +32,7 @@ htdocs=`readlink -f $htdocs` cat >>$root/conf/httpd.conf <<EOF # Generated by: vhost-conf $* -# Setup mass dynamic virtual hosting +# Enable mass dynamic virtual hosting NameVirtualHost *:$port <VirtualHost *:$port> diff --git a/sca-cpp/trunk/modules/http/vhost-ssl-conf b/sca-cpp/trunk/modules/http/vhost-ssl-conf index 8a660278a3..e6801248c4 100755 --- a/sca-cpp/trunk/modules/http/vhost-ssl-conf +++ b/sca-cpp/trunk/modules/http/vhost-ssl-conf @@ -33,7 +33,7 @@ htdocs=`readlink -f $htdocs` cat >>$root/conf/httpd.conf <<EOF # Generated by: vhost-ssl-conf $* -# Setup mass dynamic virtual hosting +# Enable mass dynamic virtual hosting over HTTPS NameVirtualHost *:$sslport SSLStrictSNIVHostCheck Off 
@@ -42,7 +42,7 @@ ServerName https://vhost.$host:$sslpport ServerAlias *.$host VirtualDocumentRoot $htdocs/domains/%1/ -Include conf/ssl-dvhost.conf +Include conf/dvhost-ssl.conf </VirtualHost> EOF |