Add ability to configure an HTTPS proxy with load balancing over a set of HTTP backend servers and get OAuth authentication working with that topology.

git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1220526 13f79535-47bb-0310-9956-ffa450edef68

16 files changed, 231 insertions, 127 deletions

diff --git a/sca-cpp/trunk/modules/http/Makefile.am b/sca-cpp/trunk/modules/http/Makefile.am
index 89b285ea35..846c8ac6cc 100644
--- a/sca-cpp/trunk/modules/http/Makefile.am
+++ b/sca-cpp/trunk/modules/http/Makefile.am
@@ -20,7 +20,7 @@ INCLUDES = -I${HTTPD_INCLUDE}
 incl_HEADERS = *.hpp
 incldir = $(prefix)/include/modules/http
 
-dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf cert-auth-conf form-auth-conf open-auth-conf passwd-auth-conf group-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf httpd-worker-conf httpd-event-conf minify-html minify-js minify-css
+dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf cert-auth-conf form-auth-conf open-auth-conf passwd-auth-conf group-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf proxy-ssl-nossl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf httpd-worker-conf httpd-event-conf minify-html minify-js minify-css
 moddir = $(prefix)/modules/http
 
 curl_test_SOURCES = curl-test.cpp
diff --git a/sca-cpp/trunk/modules/http/basic-auth-conf b/sca-cpp/trunk/modules/http/basic-auth-conf
index d8c013d853..f376124da7 100755
--- a/sca-cpp/trunk/modules/http/basic-auth-conf
+++ b/sca-cpp/trunk/modules/http/basic-auth-conf
@@ -25,6 +25,13 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
 conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
 host=`echo $conf | awk '{ print $6 }'`
 
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: basic-auth-conf $*
+# Disallow public access to server resources
+
+EOF
+
 # Generate basic authentication configuration
 cat >>$root/conf/auth.conf <<EOF
 # Generated by: basic-auth-conf $*
diff --git a/sca-cpp/trunk/modules/http/cert-auth-conf b/sca-cpp/trunk/modules/http/cert-auth-conf
index 788a6f6d9f..4959fab14a 100755
--- a/sca-cpp/trunk/modules/http/cert-auth-conf
+++ b/sca-cpp/trunk/modules/http/cert-auth-conf
@@ -25,6 +25,13 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
 conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
 host=`echo $conf | awk '{ print $6 }'`
 
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: cert-auth-conf $*
+# Disallow public access to server resources
+
+EOF
+
 # Generate authentication configuration
 cat >>$root/conf/auth.conf <<EOF
 # Generated by: cert-auth-conf $*
diff --git a/sca-cpp/trunk/modules/http/form-auth-conf b/sca-cpp/trunk/modules/http/form-auth-conf
index 910f906078..defa1bf8b1 100755
--- a/sca-cpp/trunk/modules/http/form-auth-conf
+++ b/sca-cpp/trunk/modules/http/form-auth-conf
@@ -27,6 +27,13 @@ host=`echo $conf | awk '{ print $6 }'`
 
 pw=`cat $root/cert/ca.key | head -2 | tail -1`
 
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: form-auth-conf $*
+# Disallow public access to server resources
+
+EOF
+
 # Generate form authentication configuration
 cat >>$root/conf/auth.conf <<EOF
 # Generated by: form-auth-conf $*
diff --git a/sca-cpp/trunk/modules/http/group-auth-conf b/sca-cpp/trunk/modules/http/group-auth-conf
index c9cd7f6e2e..726c55982d 100755
--- a/sca-cpp/trunk/modules/http/group-auth-conf
+++ b/sca-cpp/trunk/modules/http/group-auth-conf
@@ -23,6 +23,13 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
 user=$2
 group="members"
 
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: group-auth-conf $*
+# Disallow public access to server resources
+
+EOF
+
 # Add user to group
 cat $root/conf/httpd.groups | awk " BEGIN { found = 0 } /$group: / { printf \"%s %s\n\", \$0, \"$user\"; found = 1 } !/$group: / { printf \"%s\n\", \$0 } END { if (found == 0) printf \"%s: %s\n\", \"$group\", \"$user\" } " >$root/conf/.httpd.groups.tmp 2>/dev/null
 cp $root/conf/.httpd.groups.tmp $root/conf/httpd.groups
@@ -35,7 +42,6 @@ if [ "$conf" = "" ]; then
 # Generated by: group-auth-conf $1
 # Allow group member access to root location
 <Location />
-AuthGroupFile "$root/conf/httpd.groups"
 Require group members
 </Location>
 
diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf
index 5d4e9f5485..e7f191ba48 100755
--- a/sca-cpp/trunk/modules/http/httpd-conf
+++ b/sca-cpp/trunk/modules/http/httpd-conf
@@ -114,29 +114,9 @@ Require all denied
 </Directory>
 
 # Configure authentication
+Include conf/noauth.conf
 Include conf/auth.conf
-
-# Allow access to public locations
-<Location /login>
-AuthType None
-Require all granted
-</Location>
-<Location /logout>
-AuthType None
-Require all granted
-</Location>
-<Location /public>
-AuthType None
-Require all granted
-</Location>
-<Location /favicon.ico>
-AuthType None
-Require all granted
-</Location>
-<Location /robots.txt>
-AuthType None
-Require all granted
-</Location>
+Include conf/pubauth.conf
 
 # Configure output filters to enable compression and rate limiting
 <Location />
@@ -165,21 +145,6 @@ RewriteRule .* http://$host$pportsuffix%{REQUEST_URI} [R]
 </Location>
 
 Include conf/svhost.conf
-
-# Allow access to document root
-<Directory "$htdocs">
-Options FollowSymLinks
-AuthType None
-Require all granted
-</Directory>
-
-# Allow access to root location
-<Location />
-Options FollowSymLinks
-AuthType None
-Require all granted
-</Location>
-
 </VirtualHost>
 
 EOF
@@ -245,6 +210,7 @@ LoadModule logio_module ${modules_prefix}/modules/mod_logio.so
 LoadModule usertrack_module ${modules_prefix}/modules/mod_usertrack.so
 LoadModule vhost_alias_module ${modules_prefix}/modules/mod_vhost_alias.so
 LoadModule cgi_module ${modules_prefix}/modules/mod_cgi.so
+LoadModule actions_module ${modules_prefix}/modules/mod_actions.so
 LoadModule unixd_module ${modules_prefix}/modules/mod_unixd.so
 LoadModule session_module ${modules_prefix}/modules/mod_session.so
 LoadModule session_crypto_module ${modules_prefix}/modules/mod_session_crypto.so
@@ -261,7 +227,7 @@ EOF
 # Generate auth configuration
 cat >$root/conf/auth.conf <<EOF
 # Generated by: httpd-conf $*
-# Authentication configuration
+# Authentication and authorization configuration
 
 # Allow authorized access to document root
 <Directory "$htdocs">
@@ -273,13 +239,50 @@ Require all granted
 <Location />
 Options FollowSymLinks
 AuthUserFile "$root/conf/httpd.passwd"
+AuthGroupFile "$root/conf/httpd.groups"
 Require all granted
 </Location>
 
-# Mark login page with a header
+EOF
+
+cat >$root/conf/pubauth.conf <<EOF
+# Generated by: httpd-conf $*
+# Allow everyone to access public locations
 <Location /login>
+AuthType None
+Require all granted
+# Mark login page with a header
 Header set X-Login open-auth
 </Location>
+<Location /logout>
+AuthType None
+Require all granted
+</Location>
+<Location /public>
+AuthType None
+Require all granted
+</Location>
+<Location /favicon.ico>
+AuthType None
+Require all granted
+</Location>
+<Location /robots.txt>
+AuthType None
+Require all granted
+</Location>
+
+# Allow the server admin to view the server status and info
+<Location /server-status>
+SetHandler server-status
+HostnameLookups on
+Require user admin
+</Location>
+
+<Location /server-info>
+SetHandler server-info
+HostnameLookups on
+Require user admin
+</Location>
 
 EOF
 
@@ -292,6 +295,26 @@ cat >$root/conf/httpd.groups <<EOF
 # Generated by: httpd-conf $*
 EOF
 
+
+# Allow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: httpd-conf $*
+# Allow public access to server resources
+
+# Allow access to document root
+<Directory "$htdocs">
+AuthType None
+Require all granted
+</Directory>
+
+# Allow everyone to access root location
+<Location />
+AuthType None
+Require all granted
+</Location>
+
+EOF
+
 # Generate vhost configuration
 cat >$root/conf/vhost.conf <<EOF
 # Generated by: httpd-conf $*
@@ -300,7 +323,7 @@ UseCanonicalName Off
 
 # Enable HTTP reverse proxy
 ProxyRequests Off
-ProxyPreserveHost Off
+ProxyPreserveHost On
 ProxyStatus On
 
 EOF
diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf
index dc3b71bcac..f397c2f7de 100755
--- a/sca-cpp/trunk/modules/http/httpd-ssl-conf
+++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf
@@ -72,19 +72,6 @@ RewriteRule .* https://$host$sslpportsuffix%{REQUEST_URI} [R]
 </Location>
 
 Include conf/svhost-ssl.conf
-
-# Allow the server admin to view the server status
-<Location /server-status>
-SetHandler server-status
-HostnameLookups on
-Require user admin
-</Location>
-
-<Location /server-info>
-SetHandler server-info
-HostnameLookups on
-Require user admin
-</Location>
 </VirtualHost>
 
 EOF
@@ -142,7 +129,7 @@ Include conf/log-ssl.conf
 
 # Enable HTTPS reverse proxy
 ProxyRequests Off
-ProxyPreserveHost Off
+ProxyPreserveHost On
 ProxyStatus On
 SSLProxyEngine on
 SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
diff --git a/sca-cpp/trunk/modules/http/httpd.hpp b/sca-cpp/trunk/modules/http/httpd.hpp
index 5f8b867c9b..06d53e28c2 100644
--- a/sca-cpp/trunk/modules/http/httpd.hpp
+++ b/sca-cpp/trunk/modules/http/httpd.hpp
@@ -79,6 +79,7 @@
 #include "list.hpp"
 #include "value.hpp"
 #include "monad.hpp"
+#include "http.hpp"
 
 
 namespace tuscany {
@@ -119,31 +120,6 @@ template<typename C> C& dirConf(const void* c) {
 }
 
 /**
- * Return the name of a server.
- */
-const string serverName(const server_rec* s, const string& def = "localhost") {
-    ostringstream n;
-    n << (s->server_scheme != NULL? s->server_scheme : "http") << "://"
-        << (s->server_hostname != NULL? s->server_hostname : def) << ":"
-        << (s->port != 0? s->port : 80)
-        << (s->path != NULL? string(s->path, s->pathlen) : "");
-    return str(n);
-}
-
-/**
- * Determine the name of a server from an HTTP request.
- */
-const string serverName(request_rec* r, const string& def = "localhost") {
-    ostringstream n;
-    const char* hn = ap_get_server_name(r);
-    n << (r->server->server_scheme != NULL? r->server->server_scheme : "http") << "://"
-        << (hn != NULL? hn : (r->server->server_hostname != NULL? r->server->server_hostname : def)) << ":"
-        << (r->server->port != 0? r->server->port : 80)
-        << (r->server->path != NULL? string(r->server->path, r->server->pathlen) : "");
-    return str(n);
-}
-
-/**
  * Return the host name for a server.
  */
 const string hostName(const server_rec* s, const string& def = "localhost") {
@@ -154,15 +130,11 @@ const string hostName(const server_rec* s, const string& def = "localhost") {
  * Return the host name from an HTTP request.
  */
 const string hostName(request_rec* r, const string& def = "localhost") {
-    const char* hn = ap_get_server_name(r);
-    return hn != NULL? hn : (r->server->server_hostname != NULL? r->server->server_hostname : def);
-}
-
-/**
- * Return true if a request is targeting a virtual host.
- */
-const bool isVirtualHostRequest(const server_rec* s, request_rec* r) {
-    return hostName(r) != hostName(s);
+    const char* fh = apr_table_get(r->headers_in, "X-Forwarded-Server");
+    if (fh != NULL)
+        return fh;
+    const char* h = ap_get_server_name(r);
+    return h != NULL? h : (r->server->server_hostname != NULL? r->server->server_hostname : def);
 }
 
 /**
@@ -176,6 +148,9 @@ const string scheme(const server_rec* s, const string& def = "http") {
  * Return the protocol scheme from an HTTP request.
  */
 const string scheme(request_rec* r, const string& def = "http") {
+    const char* fs = apr_table_get(r->headers_in, "X-Forwarded-HTTPS");
+    if (fs != NULL)
+        return !strcmp(fs, "on")? "https" : "http";
     return r->server->server_scheme != NULL? r->server->server_scheme : def;
 }
 
@@ -190,7 +165,49 @@ const int port(const server_rec* s, const int def = 80) {
  * Return the port number from an HTTP request.
  */
 const int port(request_rec* r, const int def = 80) {
-    return r->server->port != 0? r->server->port : def;
+    const char* fp = apr_table_get(r->headers_in, "X-Forwarded-Port");
+    if (fp != NULL)
+        return atoi(fp);
+    const int p = ap_get_server_port(r);
+    return p != 0? p : def;
+}
+
+/**
+ * Return the name of a server.
+ */
+const string serverName(const server_rec* s, const string& def = "localhost") {
+    ostringstream n;
+    const string sc = scheme(s);
+    const string h = hostName(s, def);
+    const int p = port(s, sc == "https"? 443 : 80);
+    n << sc << "://" << h;
+    if (!((sc == "http" && p == 80) || (sc == "https" && p == 443)))
+        n << ":" << p;
+    n << (s->path != NULL? string(s->path, s->pathlen) : "");
+    return str(n);
+}
+
+/**
+ * Determine the name of a server from an HTTP request.
+ */
+const string serverName(request_rec* r, const string& def = "localhost") {
+    ostringstream n;
+    const string s = scheme(r);
+    const string h = hostName(r, def);
+    const int p = port(r, s == "https"? 443 : 80);
+    n << s << "://" << h;
+    if (!((s == "http" && p == 80) || (s == "https" && p == 443)))
+        n << ":" << p;
+    n << (r->server->path != NULL? string(r->server->path, r->server->pathlen) : "");
+    return str(n);
+}
+
+/**
+ * Return true if a request is targeting a virtual host.
+ */
+const bool isVirtualHostRequest(const server_rec* s, const string& d, request_rec* r) {
+    const string rh = hostName(r);
+    return rh != hostName(s) && http::topDomain(rh) == d;
 }
 
 /**
@@ -223,18 +240,25 @@ const list<value> pathInfo(const list<value>& uri, const list<value>& path) {
 }
 
 /**
- * Convert a URI and a path to an absolute URL.
+ * Convert a URI to an absolute URL.
  */
-const string url(const string& uri, const list<value>& p, request_rec* r) {
-    const string u = uri + path(p);
-    return ap_construct_url(r->pool, c_str(u), r);
+const string url(const string& uri, request_rec* r) {
+    ostringstream n;
+    const string s = scheme(r);
+    const string h = hostName(r, "localhost");
+    const int p = port(r, s == "https"? 443 : 80);
+    n << s << "://" << h;
+    if (!((s == "http" && p == 80) || (s == "https" && p == 443)))
+        n << ":" << p;
+    n << uri;
+    return str(n);
 }
 
 /**
- * Convert a URI to an absolute URL.
+ * Convert a URI and a path to an absolute URL.
  */
-const string url(const string& uri, request_rec* r) {
-    return ap_construct_url(r->pool, c_str(uri), r);
+const string url(const string& uri, const list<value>& p, request_rec* r) {
+    return url(uri + path(p), r);
 }
 
 /**
diff --git a/sca-cpp/trunk/modules/http/open-auth-conf b/sca-cpp/trunk/modules/http/open-auth-conf
index 66d36242e2..cb702596ef 100755
--- a/sca-cpp/trunk/modules/http/open-auth-conf
+++ b/sca-cpp/trunk/modules/http/open-auth-conf
@@ -27,6 +27,13 @@ host=`echo $conf | awk '{ print $6 }'`
 
 pw=`cat $root/cert/ca.key | head -2 | tail -1`
 
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: open-auth-conf $*
+# Disallow public access to server resources
+
+EOF
+
 # Generate form authentication configuration
 cat >>$root/conf/auth.conf <<EOF
 # Generated by: open-auth-conf $*
diff --git a/sca-cpp/trunk/modules/http/proxy-conf b/sca-cpp/trunk/modules/http/proxy-conf
index 9094996b4b..76e5b2f3dd 100755
--- a/sca-cpp/trunk/modules/http/proxy-conf
+++ b/sca-cpp/trunk/modules/http/proxy-conf
@@ -32,5 +32,10 @@ Require all granted
 ProxySet lbmethod=byrequests
 </Proxy>
 
+<Location />
+RequestHeader set X-Forwarded-HTTPS %{HTTPS}s
+RequestHeader set X-Forwarded-Port %{SERVER_PORT}s
+</Location>
+
 EOF
 
diff --git a/sca-cpp/trunk/modules/http/proxy-member-conf b/sca-cpp/trunk/modules/http/proxy-member-conf
index 2e279e87c7..83c43df49f 100755
--- a/sca-cpp/trunk/modules/http/proxy-member-conf
+++ b/sca-cpp/trunk/modules/http/proxy-member-conf
@@ -24,12 +24,17 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
 
 host=$2
 port=`$here/httpd-addr port $3`
+if [ "$port" = "80" ]; then
+    portsuffix=""
+else
+    portsuffix=":$port"
+fi
 
 cat >>$root/conf/vhost.conf <<EOF
 # Generated by: proxy-member-conf $*
 # Add proxy balancer member
-BalancerMember balancer://cluster http://$host:$port
-ProxyPassReverse / http://$host:$port/
+BalancerMember balancer://cluster http://$host$portsuffix
+ProxyPassReverse / http://$host$portsuffix/
 
 EOF
 
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-conf b/sca-cpp/trunk/modules/http/proxy-ssl-conf
index 6897a0ff47..7e8003d283 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-conf
@@ -40,6 +40,11 @@ HostnameLookups on
 Require user admin
 </Location> 
 
+<Location />
+RequestHeader set X-Forwarded-HTTPS %{HTTPS}s
+RequestHeader set X-Forwarded-Port %{SERVER_PORT}s
+</Location>
+
 EOF
 
 cat >>$root/conf/svhost-ssl.conf <<EOF
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
index 0ae98af482..cb42a1e9db 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
@@ -24,20 +24,17 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
 
 host=$2
 sslport=`$here/httpd-addr port $3`
+if [ "$sslport" = "443" ]; then
+    sslportsuffix=""
+else
+    sslportsuffix=":$sslport"
+fi
 
-cat >>$root/conf/svhost-ssl.conf <<EOF
+cat >>$root/conf/vhost-ssl.conf <<EOF
 # Generated by: proxy-ssl-member-conf $*
 # Add proxy balancer member
-BalancerMember balancer://sslcluster https://$host:$sslport
-ProxyPassReverse / https://$host:$sslport/
-
-EOF
-
-cat >>$root/conf/dvhost-ssl.conf <<EOF
-# Generated by: proxy-ssl-member-conf $*
-# Add proxy balancer member
-BalancerMember balancer://sslcluster https://$host:$sslport
-ProxyPassReverse / https://$host:$sslport/
+BalancerMember balancer://sslcluster https://$host$sslportsuffix
+ProxyPassReverse / https://$host$sslportsuffix/
 
 EOF
 
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-nossl-member-conf b/sca-cpp/trunk/modules/http/proxy-ssl-nossl-member-conf
new file mode 100755
index 0000000000..17b766d986
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-nossl-member-conf
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#  
+#    http://www.apache.org/licenses/LICENSE-2.0
+#    
+#  Unless required by applicable law or agreed to in writing,
+#  software distributed under the License is distributed on an
+#  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#  KIND, either express or implied.  See the License for the
+#  specific language governing permissions and limitations
+#  under the License.
+
+# Add a proxy balancer member
+here=`echo "import os; print os.path.realpath('$0')" | python`; here=`dirname $here`
+mkdir -p $1
+root=`echo "import os; print os.path.realpath('$1')" | python`
+
+host=$2
+port=`$here/httpd-addr port $3`
+if [ "$port" = "80" ]; then
+    portsuffix=""
+else
+    portsuffix=":$port"
+fi
+
+cat >>$root/conf/vhost-ssl.conf <<EOF
+# Generated by: proxy-ssl-nossl-member-conf $*
+# Add proxy balancer member
+BalancerMember balancer://sslcluster http://$host$portsuffix
+ProxyPassReverse / http://$host$portsuffix/
+
+EOF
+
diff --git a/sca-cpp/trunk/modules/http/vhost-conf b/sca-cpp/trunk/modules/http/vhost-conf
index 150d57f115..2bcc158f48 100755
--- a/sca-cpp/trunk/modules/http/vhost-conf
+++ b/sca-cpp/trunk/modules/http/vhost-conf
@@ -47,14 +47,6 @@ ServerAlias *.$host
 VirtualDocumentRoot $vroot/%1/$vhtdocs/
 
 Include conf/dvhost.conf
-
-# Allow access to document root
-<Directory "$vroot">
-Options FollowSymLinks
-AuthType None
-Require all granted
-</Directory>
-
 </VirtualHost>
 
 EOF
diff --git a/sca-cpp/trunk/modules/http/vhost-ssl-conf b/sca-cpp/trunk/modules/http/vhost-ssl-conf
index 7ddbee08e0..28e9eefe76 100755
--- a/sca-cpp/trunk/modules/http/vhost-ssl-conf
+++ b/sca-cpp/trunk/modules/http/vhost-ssl-conf
@@ -52,13 +52,5 @@ ServerAlias *.$host
 VirtualDocumentRoot $vroot/%1/$vhtdocs/
 
 Include conf/dvhost-ssl.conf
-
-# Allow access to document root
-<Directory "$vroot">
-Options FollowSymLinks
-AuthType None
-Require all granted
-</Directory>
-
 </VirtualHost>