authorjsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68>2011-12-18 20:19:11 +0000
committerjsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68>2011-12-18 20:19:11 +0000
commit3ac8ca7868ade978a3d0fc74113f3276e5c183ec (patch)
treebcec824aaee082426af297c1ebc331b98c25824f /sca-cpp/trunk/modules/http
parent0498e9dd768e270b74045acd96075306c29a9b4a (diff)
Add ability to configure an HTTPS proxy with load balancing over a set of HTTP backend servers and get OAuth authentication working with that topology.
git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1220526 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'sca-cpp/trunk/modules/http')
-rw-r--r--sca-cpp/trunk/modules/http/Makefile.am2
-rwxr-xr-xsca-cpp/trunk/modules/http/basic-auth-conf7
-rwxr-xr-xsca-cpp/trunk/modules/http/cert-auth-conf7
-rwxr-xr-xsca-cpp/trunk/modules/http/form-auth-conf7
-rwxr-xr-xsca-cpp/trunk/modules/http/group-auth-conf8
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-conf103
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-ssl-conf15
-rw-r--r--sca-cpp/trunk/modules/http/httpd.hpp108
-rwxr-xr-xsca-cpp/trunk/modules/http/open-auth-conf7
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-conf5
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-member-conf9
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-ssl-conf5
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-ssl-member-conf19
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-ssl-nossl-member-conf40
-rwxr-xr-xsca-cpp/trunk/modules/http/vhost-conf8
-rwxr-xr-xsca-cpp/trunk/modules/http/vhost-ssl-conf8
16 files changed, 231 insertions, 127 deletions
diff --git a/sca-cpp/trunk/modules/http/Makefile.am b/sca-cpp/trunk/modules/http/Makefile.am
index 89b285ea35..846c8ac6cc 100644
--- a/sca-cpp/trunk/modules/http/Makefile.am
+++ b/sca-cpp/trunk/modules/http/Makefile.am
@@ -20,7 +20,7 @@ INCLUDES = -I${HTTPD_INCLUDE}
incl_HEADERS = *.hpp
incldir = $(prefix)/include/modules/http
-dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf cert-auth-conf form-auth-conf open-auth-conf passwd-auth-conf group-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf httpd-worker-conf httpd-event-conf minify-html minify-js minify-css
+dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf cert-auth-conf form-auth-conf open-auth-conf passwd-auth-conf group-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf proxy-ssl-nossl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf httpd-worker-conf httpd-event-conf minify-html minify-js minify-css
moddir = $(prefix)/modules/http
curl_test_SOURCES = curl-test.cpp
diff --git a/sca-cpp/trunk/modules/http/basic-auth-conf b/sca-cpp/trunk/modules/http/basic-auth-conf
index d8c013d853..f376124da7 100755
--- a/sca-cpp/trunk/modules/http/basic-auth-conf
+++ b/sca-cpp/trunk/modules/http/basic-auth-conf
@@ -25,6 +25,13 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
host=`echo $conf | awk '{ print $6 }'`
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: basic-auth-conf $*
+# Disallow public access to server resources
+
+EOF
+
# Generate basic authentication configuration
cat >>$root/conf/auth.conf <<EOF
# Generated by: basic-auth-conf $*
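Review bot: The comment `# Disallow public access to server resources` does not say how access is disallowed, since the block beneath it only writes a header into noauth.conf. A clearer comment would be `# Truncate noauth.conf so the "Require all granted" blocks written by httpd-conf no longer apply`. The result of the `cat >$root/conf/noauth.conf` write is not checked in the visible lines, so if it fails the public grants would stay in place while auth.conf is still appended; a `|| exit 1` on that command would make the failure visible. The same block is added in the cert-auth-conf, form-auth-conf, group-auth-conf and open-auth-conf hunks.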
diff --git a/sca-cpp/trunk/modules/http/cert-auth-conf b/sca-cpp/trunk/modules/http/cert-auth-conf
index 788a6f6d9f..4959fab14a 100755
--- a/sca-cpp/trunk/modules/http/cert-auth-conf
+++ b/sca-cpp/trunk/modules/http/cert-auth-conf
@@ -25,6 +25,13 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
host=`echo $conf | awk '{ print $6 }'`
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: cert-auth-conf $*
+# Disallow public access to server resources
+
+EOF
+
# Generate authentication configuration
cat >>$root/conf/auth.conf <<EOF
# Generated by: cert-auth-conf $*
diff --git a/sca-cpp/trunk/modules/http/form-auth-conf b/sca-cpp/trunk/modules/http/form-auth-conf
index 910f906078..defa1bf8b1 100755
--- a/sca-cpp/trunk/modules/http/form-auth-conf
+++ b/sca-cpp/trunk/modules/http/form-auth-conf
@@ -27,6 +27,13 @@ host=`echo $conf | awk '{ print $6 }'`
pw=`cat $root/cert/ca.key | head -2 | tail -1`
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: form-auth-conf $*
+# Disallow public access to server resources
+
+EOF
+
# Generate form authentication configuration
cat >>$root/conf/auth.conf <<EOF
# Generated by: form-auth-conf $*
diff --git a/sca-cpp/trunk/modules/http/group-auth-conf b/sca-cpp/trunk/modules/http/group-auth-conf
index c9cd7f6e2e..726c55982d 100755
--- a/sca-cpp/trunk/modules/http/group-auth-conf
+++ b/sca-cpp/trunk/modules/http/group-auth-conf
@@ -23,6 +23,13 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
user=$2
group="members"
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: group-auth-conf $*
+# Disallow public access to server resources
+
+EOF
+
# Add user to group
cat $root/conf/httpd.groups | awk " BEGIN { found = 0 } /$group: / { printf \"%s %s\n\", \$0, \"$user\"; found = 1 } !/$group: / { printf \"%s\n\", \$0 } END { if (found == 0) printf \"%s: %s\n\", \"$group\", \"$user\" } " >$root/conf/.httpd.groups.tmp 2>/dev/null
cp $root/conf/.httpd.groups.tmp $root/conf/httpd.groups
@@ -35,7 +42,6 @@ if [ "$conf" = "" ]; then
# Generated by: group-auth-conf $1
# Allow group member access to root location
<Location />
-AuthGroupFile "$root/conf/httpd.groups"
Require group members
</Location>
diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf
index 5d4e9f5485..e7f191ba48 100755
--- a/sca-cpp/trunk/modules/http/httpd-conf
+++ b/sca-cpp/trunk/modules/http/httpd-conf
@@ -114,29 +114,9 @@ Require all denied
</Directory>
# Configure authentication
+Include conf/noauth.conf
Include conf/auth.conf
-
-# Allow access to public locations
-<Location /login>
-AuthType None
-Require all granted
-</Location>
-<Location /logout>
-AuthType None
-Require all granted
-</Location>
-<Location /public>
-AuthType None
-Require all granted
-</Location>
-<Location /favicon.ico>
-AuthType None
-Require all granted
-</Location>
-<Location /robots.txt>
-AuthType None
-Require all granted
-</Location>
+Include conf/pubauth.conf
# Configure output filters to enable compression and rate limiting
<Location />
@@ -165,21 +145,6 @@ RewriteRule .* http://$host$pportsuffix%{REQUEST_URI} [R]
</Location>
Include conf/svhost.conf
-
-# Allow access to document root
-<Directory "$htdocs">
-Options FollowSymLinks
-AuthType None
-Require all granted
-</Directory>
-
-# Allow access to root location
-<Location />
-Options FollowSymLinks
-AuthType None
-Require all granted
-</Location>
-
</VirtualHost>
EOF
@@ -245,6 +210,7 @@ LoadModule logio_module ${modules_prefix}/modules/mod_logio.so
LoadModule usertrack_module ${modules_prefix}/modules/mod_usertrack.so
LoadModule vhost_alias_module ${modules_prefix}/modules/mod_vhost_alias.so
LoadModule cgi_module ${modules_prefix}/modules/mod_cgi.so
+LoadModule actions_module ${modules_prefix}/modules/mod_actions.so
LoadModule unixd_module ${modules_prefix}/modules/mod_unixd.so
LoadModule session_module ${modules_prefix}/modules/mod_session.so
LoadModule session_crypto_module ${modules_prefix}/modules/mod_session_crypto.so
@@ -261,7 +227,7 @@ EOF
# Generate auth configuration
cat >$root/conf/auth.conf <<EOF
# Generated by: httpd-conf $*
-# Authentication configuration
+# Authentication and authorization configuration
# Allow authorized access to document root
<Directory "$htdocs">
@@ -273,13 +239,50 @@ Require all granted
<Location />
Options FollowSymLinks
AuthUserFile "$root/conf/httpd.passwd"
+AuthGroupFile "$root/conf/httpd.groups"
Require all granted
</Location>
-# Mark login page with a header
+EOF
+
+cat >$root/conf/pubauth.conf <<EOF
+# Generated by: httpd-conf $*
+# Allow everyone to access public locations
<Location /login>
+AuthType None
+Require all granted
+# Mark login page with a header
Header set X-Login open-auth
</Location>
+<Location /logout>
+AuthType None
+Require all granted
+</Location>
+<Location /public>
+AuthType None
+Require all granted
+</Location>
+<Location /favicon.ico>
+AuthType None
+Require all granted
+</Location>
+<Location /robots.txt>
+AuthType None
+Require all granted
+</Location>
+
+# Allow the server admin to view the server status and info
+<Location /server-status>
+SetHandler server-status
+HostnameLookups on
+Require user admin
+</Location>
+
+<Location /server-info>
+SetHandler server-info
+HostnameLookups on
+Require user admin
+</Location>
EOF
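Review bot: The `/server-status` and `/server-info` blocks now go into pubauth.conf, which this commit includes from the base configuration in the first httpd-conf hunk, whereas httpd-ssl-conf used to keep them inside the SSL virtual host. If that include also applies to plain-HTTP requests (the rest of the generated file is not visible here), credentials for `Require user admin` could travel unencrypted. The blocks also carry no `AuthType` of their own and depend on whatever auth.conf sets for `<Location />`. I would keep the two blocks in a file included only from the SSL virtual host, or add `SSLRequireSSL` inside each where mod_ssl is loaded. A comment such as `# Admin-only; relies on the AuthType configured in auth.conf` would help, since the file header says "Allow everyone to access public locations".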
@@ -292,6 +295,26 @@ cat >$root/conf/httpd.groups <<EOF
# Generated by: httpd-conf $*
EOF
+
+# Allow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: httpd-conf $*
+# Allow public access to server resources
+
+# Allow access to document root
+<Directory "$htdocs">
+AuthType None
+Require all granted
+</Directory>
+
+# Allow everyone to access root location
+<Location />
+AuthType None
+Require all granted
+</Location>
+
+EOF
+
# Generate vhost configuration
cat >$root/conf/vhost.conf <<EOF
# Generated by: httpd-conf $*
@@ -300,7 +323,7 @@ UseCanonicalName Off
# Enable HTTP reverse proxy
ProxyRequests Off
-ProxyPreserveHost Off
+ProxyPreserveHost On
ProxyStatus On
EOF
diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf
index dc3b71bcac..f397c2f7de 100755
--- a/sca-cpp/trunk/modules/http/httpd-ssl-conf
+++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf
@@ -72,19 +72,6 @@ RewriteRule .* https://$host$sslpportsuffix%{REQUEST_URI} [R]
</Location>
Include conf/svhost-ssl.conf
-
-# Allow the server admin to view the server status
-<Location /server-status>
-SetHandler server-status
-HostnameLookups on
-Require user admin
-</Location>
-
-<Location /server-info>
-SetHandler server-info
-HostnameLookups on
-Require user admin
-</Location>
</VirtualHost>
EOF
@@ -142,7 +129,7 @@ Include conf/log-ssl.conf
# Enable HTTPS reverse proxy
ProxyRequests Off
-ProxyPreserveHost Off
+ProxyPreserveHost On
ProxyStatus On
SSLProxyEngine on
SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
diff --git a/sca-cpp/trunk/modules/http/httpd.hpp b/sca-cpp/trunk/modules/http/httpd.hpp
index 5f8b867c9b..06d53e28c2 100644
--- a/sca-cpp/trunk/modules/http/httpd.hpp
+++ b/sca-cpp/trunk/modules/http/httpd.hpp
@@ -79,6 +79,7 @@
#include "list.hpp"
#include "value.hpp"
#include "monad.hpp"
+#include "http.hpp"
namespace tuscany {
@@ -119,31 +120,6 @@ template<typename C> C& dirConf(const void* c) {
}
/**
- * Return the name of a server.
- */
-const string serverName(const server_rec* s, const string& def = "localhost") {
- ostringstream n;
- n << (s->server_scheme != NULL? s->server_scheme : "http") << "://"
- << (s->server_hostname != NULL? s->server_hostname : def) << ":"
- << (s->port != 0? s->port : 80)
- << (s->path != NULL? string(s->path, s->pathlen) : "");
- return str(n);
-}
-
-/**
- * Determine the name of a server from an HTTP request.
- */
-const string serverName(request_rec* r, const string& def = "localhost") {
- ostringstream n;
- const char* hn = ap_get_server_name(r);
- n << (r->server->server_scheme != NULL? r->server->server_scheme : "http") << "://"
- << (hn != NULL? hn : (r->server->server_hostname != NULL? r->server->server_hostname : def)) << ":"
- << (r->server->port != 0? r->server->port : 80)
- << (r->server->path != NULL? string(r->server->path, r->server->pathlen) : "");
- return str(n);
-}
-
-/**
* Return the host name for a server.
*/
const string hostName(const server_rec* s, const string& def = "localhost") {
@@ -154,15 +130,11 @@ const string hostName(const server_rec* s, const string& def = "localhost") {
* Return the host name from an HTTP request.
*/
const string hostName(request_rec* r, const string& def = "localhost") {
- const char* hn = ap_get_server_name(r);
- return hn != NULL? hn : (r->server->server_hostname != NULL? r->server->server_hostname : def);
-}
-
-/**
- * Return true if a request is targeting a virtual host.
- */
-const bool isVirtualHostRequest(const server_rec* s, request_rec* r) {
- return hostName(r) != hostName(s);
+ const char* fh = apr_table_get(r->headers_in, "X-Forwarded-Server");
+ if (fh != NULL)
+ return fh;
+ const char* h = ap_get_server_name(r);
+ return h != NULL? h : (r->server->server_hostname != NULL? r->server->server_hostname : def);
}
/**
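Review bot: `hostName(request_rec*)` returns the `X-Forwarded-Server` header verbatim whenever it is present, with no check that the request came through the trusted proxy. That value now feeds `isVirtualHostRequest()` and the hand-built `url()` later in this file, so a server that is reachable directly would derive virtual-host selection and absolute URLs from a request header. I would honour the header only when the peer address is a configured proxy, and reject values holding anything other than a single host name. At minimum the function should carry a comment such as `// X-Forwarded-* headers are trusted; this server must only be reachable via the proxy`. The same unconditional trust applies to `X-Forwarded-HTTPS` in the `scheme()` hunk and `X-Forwarded-Port` in the `port()` hunk below.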
@@ -176,6 +148,9 @@ const string scheme(const server_rec* s, const string& def = "http") {
* Return the protocol scheme from an HTTP request.
*/
const string scheme(request_rec* r, const string& def = "http") {
+ const char* fs = apr_table_get(r->headers_in, "X-Forwarded-HTTPS");
+ if (fs != NULL)
+ return !strcmp(fs, "on")? "https" : "http";
return r->server->server_scheme != NULL? r->server->server_scheme : def;
}
@@ -190,7 +165,49 @@ const int port(const server_rec* s, const int def = 80) {
* Return the port number from an HTTP request.
*/
const int port(request_rec* r, const int def = 80) {
- return r->server->port != 0? r->server->port : def;
+ const char* fp = apr_table_get(r->headers_in, "X-Forwarded-Port");
+ if (fp != NULL)
+ return atoi(fp);
+ const int p = ap_get_server_port(r);
+ return p != 0? p : def;
+}
+
+/**
+ * Return the name of a server.
+ */
+const string serverName(const server_rec* s, const string& def = "localhost") {
+ ostringstream n;
+ const string sc = scheme(s);
+ const string h = hostName(s, def);
+ const int p = port(s, sc == "https"? 443 : 80);
+ n << sc << "://" << h;
+ if (!((sc == "http" && p == 80) || (sc == "https" && p == 443)))
+ n << ":" << p;
+ n << (s->path != NULL? string(s->path, s->pathlen) : "");
+ return str(n);
+}
+
+/**
+ * Determine the name of a server from an HTTP request.
+ */
+const string serverName(request_rec* r, const string& def = "localhost") {
+ ostringstream n;
+ const string s = scheme(r);
+ const string h = hostName(r, def);
+ const int p = port(r, s == "https"? 443 : 80);
+ n << s << "://" << h;
+ if (!((s == "http" && p == 80) || (s == "https" && p == 443)))
+ n << ":" << p;
+ n << (r->server->path != NULL? string(r->server->path, r->server->pathlen) : "");
+ return str(n);
+}
+
+/**
+ * Return true if a request is targeting a virtual host.
+ */
+const bool isVirtualHostRequest(const server_rec* s, const string& d, request_rec* r) {
+ const string rh = hostName(r);
+ return rh != hostName(s) && http::topDomain(rh) == d;
}
/**
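Review bot: `port(request_rec*)` converts `X-Forwarded-Port` with `atoi(fp)` and returns the result unchecked. A non-numeric header yields 0, and negative or out-of-range numbers flow into `serverName()` and `url()` as the port. Parsing with `strtol`, accepting only a complete number between 1 and 65535, and otherwise falling through to `ap_get_server_port(r)` keeps a malformed header from shaping generated URLs.

```cpp
const int port(request_rec* r, const int def = 80) {
    const char* fp = apr_table_get(r->headers_in, "X-Forwarded-Port");
    if (fp != NULL) {
        char* end = NULL;
        const long v = strtol(fp, &end, 10);
        // Accept only a complete decimal number in the valid TCP port range
        if (end != fp && *end == '\0' && v > 0 && v <= 65535)
            return (int)v;
    }
    // … unchanged: ap_get_server_port(r) fallback and default …
```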
@@ -223,18 +240,25 @@ const list<value> pathInfo(const list<value>& uri, const list<value>& path) {
}
/**
- * Convert a URI and a path to an absolute URL.
+ * Convert a URI to an absolute URL.
*/
-const string url(const string& uri, const list<value>& p, request_rec* r) {
- const string u = uri + path(p);
- return ap_construct_url(r->pool, c_str(u), r);
+const string url(const string& uri, request_rec* r) {
+ ostringstream n;
+ const string s = scheme(r);
+ const string h = hostName(r, "localhost");
+ const int p = port(r, s == "https"? 443 : 80);
+ n << s << "://" << h;
+ if (!((s == "http" && p == 80) || (s == "https" && p == 443)))
+ n << ":" << p;
+ n << uri;
+ return str(n);
}
/**
- * Convert a URI to an absolute URL.
+ * Convert a URI and a path to an absolute URL.
*/
-const string url(const string& uri, request_rec* r) {
- return ap_construct_url(r->pool, c_str(uri), r);
+const string url(const string& uri, const list<value>& p, request_rec* r) {
+ return url(uri + path(p), r);
}
/**
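Review bot: The new `url(const string&, request_rec*)` repeats the scheme/host/default-port assembly that this commit also writes in both `serverName()` overloads, so the `:80`/`:443` elision rule now lives in three places. A small helper taking scheme, host and port, called from all three, would keep them from drifting apart. Replacing `ap_construct_url` also means the host part comes from `hostName(r)`, which may be a forwarded header. That deserves a line in the doc comment, for example `* The host, scheme and port may come from X-Forwarded-* request headers.`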
diff --git a/sca-cpp/trunk/modules/http/open-auth-conf b/sca-cpp/trunk/modules/http/open-auth-conf
index 66d36242e2..cb702596ef 100755
--- a/sca-cpp/trunk/modules/http/open-auth-conf
+++ b/sca-cpp/trunk/modules/http/open-auth-conf
@@ -27,6 +27,13 @@ host=`echo $conf | awk '{ print $6 }'`
pw=`cat $root/cert/ca.key | head -2 | tail -1`
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: open-auth-conf $*
+# Disallow public access to server resources
+
+EOF
+
# Generate form authentication configuration
cat >>$root/conf/auth.conf <<EOF
# Generated by: open-auth-conf $*
diff --git a/sca-cpp/trunk/modules/http/proxy-conf b/sca-cpp/trunk/modules/http/proxy-conf
index 9094996b4b..76e5b2f3dd 100755
--- a/sca-cpp/trunk/modules/http/proxy-conf
+++ b/sca-cpp/trunk/modules/http/proxy-conf
@@ -32,5 +32,10 @@ Require all granted
ProxySet lbmethod=byrequests
</Proxy>
+<Location />
+RequestHeader set X-Forwarded-HTTPS %{HTTPS}s
+RequestHeader set X-Forwarded-Port %{SERVER_PORT}s
+</Location>
+
EOF
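Review bot: The new `<Location />` block overwrites `X-Forwarded-HTTPS` and `X-Forwarded-Port` with `RequestHeader set`, but nothing clears an incoming `X-Forwarded-Server`, which the `hostName()` change in httpd.hpp reads. As far as I know mod_proxy appends its own server name to an existing value of that header rather than replacing it, so the backend may receive a client-supplied entry ahead of the proxy's. Adding `RequestHeader unset X-Forwarded-Server` to the block would leave only the proxy's value; the identical block in the proxy-ssl-conf hunk needs the same line. In this non-SSL file `%{HTTPS}s` is, I believe, only populated when mod_ssl is loaded, which is worth a comment next to the directive.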
diff --git a/sca-cpp/trunk/modules/http/proxy-member-conf b/sca-cpp/trunk/modules/http/proxy-member-conf
index 2e279e87c7..83c43df49f 100755
--- a/sca-cpp/trunk/modules/http/proxy-member-conf
+++ b/sca-cpp/trunk/modules/http/proxy-member-conf
@@ -24,12 +24,17 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
host=$2
port=`$here/httpd-addr port $3`
+if [ "$port" = "80" ]; then
+ portsuffix=""
+else
+ portsuffix=":$port"
+fi
cat >>$root/conf/vhost.conf <<EOF
# Generated by: proxy-member-conf $*
# Add proxy balancer member
-BalancerMember balancer://cluster http://$host:$port
-ProxyPassReverse / http://$host:$port/
+BalancerMember balancer://cluster http://$host$portsuffix
+ProxyPassReverse / http://$host$portsuffix/
EOF
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-conf b/sca-cpp/trunk/modules/http/proxy-ssl-conf
index 6897a0ff47..7e8003d283 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-conf
@@ -40,6 +40,11 @@ HostnameLookups on
Require user admin
</Location>
+<Location />
+RequestHeader set X-Forwarded-HTTPS %{HTTPS}s
+RequestHeader set X-Forwarded-Port %{SERVER_PORT}s
+</Location>
+
EOF
cat >>$root/conf/svhost-ssl.conf <<EOF
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
index 0ae98af482..cb42a1e9db 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
@@ -24,20 +24,17 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
host=$2
sslport=`$here/httpd-addr port $3`
+if [ "$sslport" = "443" ]; then
+ sslportsuffix=""
+else
+ sslportsuffix=":$sslport"
+fi
-cat >>$root/conf/svhost-ssl.conf <<EOF
+cat >>$root/conf/vhost-ssl.conf <<EOF
# Generated by: proxy-ssl-member-conf $*
# Add proxy balancer member
-BalancerMember balancer://sslcluster https://$host:$sslport
-ProxyPassReverse / https://$host:$sslport/
-
-EOF
-
-cat >>$root/conf/dvhost-ssl.conf <<EOF
-# Generated by: proxy-ssl-member-conf $*
-# Add proxy balancer member
-BalancerMember balancer://sslcluster https://$host:$sslport
-ProxyPassReverse / https://$host:$sslport/
+BalancerMember balancer://sslcluster https://$host$sslportsuffix
+ProxyPassReverse / https://$host$sslportsuffix/
EOF
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-nossl-member-conf b/sca-cpp/trunk/modules/http/proxy-ssl-nossl-member-conf
new file mode 100755
index 0000000000..17b766d986
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-nossl-member-conf
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Add a proxy balancer member
+here=`echo "import os; print os.path.realpath('$0')" | python`; here=`dirname $here`
+mkdir -p $1
+root=`echo "import os; print os.path.realpath('$1')" | python`
+
+host=$2
+port=`$here/httpd-addr port $3`
+if [ "$port" = "80" ]; then
+ portsuffix=""
+else
+ portsuffix=":$port"
+fi
+
+cat >>$root/conf/vhost-ssl.conf <<EOF
+# Generated by: proxy-ssl-nossl-member-conf $*
+# Add proxy balancer member
+BalancerMember balancer://sslcluster http://$host$portsuffix
+ProxyPassReverse / http://$host$portsuffix/
+
+EOF
+
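Review bot: The two `realpath` lines paste `$0` and `$1` into Python source between single quotes, so a path containing a quote character is parsed as code rather than as a path. Passing the value as an argument avoids that, for example `python -c "import os, sys; print os.path.realpath(sys.argv[1])" "$1"`. `mkdir -p $1` and the `>>$root/conf/vhost-ssl.conf` redirect are also unquoted and break on paths with spaces; `mkdir -p "$1"` fixes the first. Because this script registers `http://` members behind the SSL balancer, the forwarded headers reach the backend in clear text. A header comment stating that members must accept connections only from the proxy would document that assumption.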
diff --git a/sca-cpp/trunk/modules/http/vhost-conf b/sca-cpp/trunk/modules/http/vhost-conf
index 150d57f115..2bcc158f48 100755
--- a/sca-cpp/trunk/modules/http/vhost-conf
+++ b/sca-cpp/trunk/modules/http/vhost-conf
@@ -47,14 +47,6 @@ ServerAlias *.$host
VirtualDocumentRoot $vroot/%1/$vhtdocs/
Include conf/dvhost.conf
-
-# Allow access to document root
-<Directory "$vroot">
-Options FollowSymLinks
-AuthType None
-Require all granted
-</Directory>
-
</VirtualHost>
EOF
diff --git a/sca-cpp/trunk/modules/http/vhost-ssl-conf b/sca-cpp/trunk/modules/http/vhost-ssl-conf
index 7ddbee08e0..28e9eefe76 100755
--- a/sca-cpp/trunk/modules/http/vhost-ssl-conf
+++ b/sca-cpp/trunk/modules/http/vhost-ssl-conf
@@ -52,13 +52,5 @@ ServerAlias *.$host
VirtualDocumentRoot $vroot/%1/$vhtdocs/
Include conf/dvhost-ssl.conf
-
-# Allow access to document root
-<Directory "$vroot">
-Options FollowSymLinks
-AuthType None
-Require all granted
-</Directory>
-
</VirtualHost>