author | jsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68> | 2011-12-18 20:19:11 +0000 |
---|---|---|
committer | jsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68> | 2011-12-18 20:19:11 +0000 |
commit | 3ac8ca7868ade978a3d0fc74113f3276e5c183ec (patch) | |
tree | bcec824aaee082426af297c1ebc331b98c25824f /sca-cpp | |
parent | 0498e9dd768e270b74045acd96075306c29a9b4a (diff) |
Add ability to configure an HTTPS proxy with load balancing over a set of HTTP backend servers and get OAuth authentication working with that topology.
git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1220526 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'sca-cpp')
29 files changed, 306 insertions, 144 deletions
diff --git a/sca-cpp/trunk/modules/http/Makefile.am b/sca-cpp/trunk/modules/http/Makefile.am index 89b285ea35..846c8ac6cc 100644 --- a/sca-cpp/trunk/modules/http/Makefile.am +++ b/sca-cpp/trunk/modules/http/Makefile.am @@ -20,7 +20,7 @@ INCLUDES = -I${HTTPD_INCLUDE} incl_HEADERS = *.hpp incldir = $(prefix)/include/modules/http -dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf cert-auth-conf form-auth-conf open-auth-conf passwd-auth-conf group-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf httpd-worker-conf httpd-event-conf minify-html minify-js minify-css +dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf cert-auth-conf form-auth-conf open-auth-conf passwd-auth-conf group-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf proxy-ssl-nossl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf httpd-worker-conf httpd-event-conf minify-html minify-js minify-css moddir = $(prefix)/modules/http curl_test_SOURCES = curl-test.cpp diff --git a/sca-cpp/trunk/modules/http/basic-auth-conf b/sca-cpp/trunk/modules/http/basic-auth-conf index d8c013d853..f376124da7 100755 --- a/sca-cpp/trunk/modules/http/basic-auth-conf +++ b/sca-cpp/trunk/modules/http/basic-auth-conf @@ -25,6 +25,13 @@ root=`echo "import os; print os.path.realpath('$1')" | python` conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"` host=`echo $conf | awk '{ print $6 }'` +# Disallow public access to server resources +cat >$root/conf/noauth.conf <<EOF +# Generated by: basic-auth-conf $* +# Disallow public access to server resources + +EOF + # Generate basic authentication configuration cat >>$root/conf/auth.conf <<EOF # Generated by: basic-auth-conf $* 
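Review bot: The noauth.conf heredoc added to basic-auth-conf is repeated verbatim in cert-auth-conf, form-auth-conf, group-auth-conf, open-auth-conf, oauth-conf and openid-conf, differing only in the script name written after `# Generated by:`, and two of those copies (oauth-conf, openid-conf) already write a name that is not their own. One shared helper next to httpd-conf that takes the generating script's name would keep the seven copies from drifting. A one-line comment above the block would also explain why an empty file is enough, since httpd-conf's version of noauth.conf is what grants `Require all granted` on `/`: `# An empty noauth.conf leaves access to / governed by auth.conf alone`.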
diff --git a/sca-cpp/trunk/modules/http/cert-auth-conf b/sca-cpp/trunk/modules/http/cert-auth-conf index 788a6f6d9f..4959fab14a 100755 --- a/sca-cpp/trunk/modules/http/cert-auth-conf +++ b/sca-cpp/trunk/modules/http/cert-auth-conf @@ -25,6 +25,13 @@ root=`echo "import os; print os.path.realpath('$1')" | python` conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"` host=`echo $conf | awk '{ print $6 }'` +# Disallow public access to server resources +cat >$root/conf/noauth.conf <<EOF +# Generated by: cert-auth-conf $* +# Disallow public access to server resources + +EOF + # Generate authentication configuration cat >>$root/conf/auth.conf <<EOF # Generated by: cert-auth-conf $* diff --git a/sca-cpp/trunk/modules/http/form-auth-conf b/sca-cpp/trunk/modules/http/form-auth-conf index 910f906078..defa1bf8b1 100755 --- a/sca-cpp/trunk/modules/http/form-auth-conf +++ b/sca-cpp/trunk/modules/http/form-auth-conf @@ -27,6 +27,13 @@ host=`echo $conf | awk '{ print $6 }'` pw=`cat $root/cert/ca.key | head -2 | tail -1` +# Disallow public access to server resources +cat >$root/conf/noauth.conf <<EOF +# Generated by: form-auth-conf $* +# Disallow public access to server resources + +EOF + # Generate form authentication configuration cat >>$root/conf/auth.conf <<EOF # Generated by: form-auth-conf $* diff --git a/sca-cpp/trunk/modules/http/group-auth-conf b/sca-cpp/trunk/modules/http/group-auth-conf index c9cd7f6e2e..726c55982d 100755 --- a/sca-cpp/trunk/modules/http/group-auth-conf +++ b/sca-cpp/trunk/modules/http/group-auth-conf 
@@ -23,6 +23,13 @@ root=`echo "import os; print os.path.realpath('$1')" | python` user=$2 group="members" +# Disallow public access to server resources +cat >$root/conf/noauth.conf <<EOF +# Generated by: group-auth-conf $* +# Disallow public access to server resources + +EOF + # Add user to group cat $root/conf/httpd.groups | awk " BEGIN { found = 0 } /$group: / { printf \"%s %s\n\", \$0, \"$user\"; found = 1 } !/$group: / { printf \"%s\n\", \$0 } END { if (found == 0) printf \"%s: %s\n\", \"$group\", \"$user\" } " >$root/conf/.httpd.groups.tmp 2>/dev/null cp $root/conf/.httpd.groups.tmp $root/conf/httpd.groups @@ -35,7 +42,6 @@ if [ "$conf" = "" ]; then # Generated by: group-auth-conf $1 # Allow group member access to root location <Location /> -AuthGroupFile "$root/conf/httpd.groups" Require group members </Location> diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf index 5d4e9f5485..e7f191ba48 100755 --- a/sca-cpp/trunk/modules/http/httpd-conf +++ b/sca-cpp/trunk/modules/http/httpd-conf @@ -114,29 +114,9 @@ Require all denied </Directory> # Configure authentication +Include conf/noauth.conf Include conf/auth.conf - -# Allow access to public locations -<Location /login> -AuthType None -Require all granted -</Location> -<Location /logout> -AuthType None -Require all granted -</Location> -<Location /public> -AuthType None -Require all granted -</Location> -<Location /favicon.ico> -AuthType None -Require all granted -</Location> -<Location /robots.txt> -AuthType None -Require all granted -</Location> +Include conf/pubauth.conf # Configure output filters to enable compression and rate limiting <Location /> 
@@ -165,21 +145,6 @@ RewriteRule .* http://$host$pportsuffix%{REQUEST_URI} [R] </Location> Include conf/svhost.conf - -# Allow access to document root -<Directory "$htdocs"> -Options FollowSymLinks -AuthType None -Require all granted -</Directory> - -# Allow access to root location -<Location /> -Options FollowSymLinks -AuthType None -Require all granted -</Location> - </VirtualHost> EOF @@ -245,6 +210,7 @@ LoadModule logio_module ${modules_prefix}/modules/mod_logio.so LoadModule usertrack_module ${modules_prefix}/modules/mod_usertrack.so LoadModule vhost_alias_module ${modules_prefix}/modules/mod_vhost_alias.so LoadModule cgi_module ${modules_prefix}/modules/mod_cgi.so +LoadModule actions_module ${modules_prefix}/modules/mod_actions.so LoadModule unixd_module ${modules_prefix}/modules/mod_unixd.so LoadModule session_module ${modules_prefix}/modules/mod_session.so LoadModule session_crypto_module ${modules_prefix}/modules/mod_session_crypto.so @@ -261,7 +227,7 @@ EOF # Generate auth configuration cat >$root/conf/auth.conf <<EOF # Generated by: httpd-conf $* -# Authentication configuration +# Authentication and authorization configuration # Allow authorized access to document root <Directory "$htdocs"> 
@@ -273,13 +239,50 @@ Require all granted <Location /> Options FollowSymLinks AuthUserFile "$root/conf/httpd.passwd" +AuthGroupFile "$root/conf/httpd.groups" Require all granted </Location> -# Mark login page with a header +EOF + +cat >$root/conf/pubauth.conf <<EOF +# Generated by: httpd-conf $* +# Allow everyone to access public locations <Location /login> +AuthType None +Require all granted +# Mark login page with a header Header set X-Login open-auth </Location> +<Location /logout> +AuthType None +Require all granted +</Location> +<Location /public> +AuthType None +Require all granted +</Location> +<Location /favicon.ico> +AuthType None +Require all granted +</Location> +<Location /robots.txt> +AuthType None +Require all granted +</Location> + +# Allow the server admin to view the server status and info +<Location /server-status> +SetHandler server-status +HostnameLookups on +Require user admin +</Location> + +<Location /server-info> +SetHandler server-info +HostnameLookups on +Require user admin +</Location> EOF @@ -292,6 +295,26 @@ cat >$root/conf/httpd.groups <<EOF # Generated by: httpd-conf $* EOF + +# Allow public access to server resources +cat >$root/conf/noauth.conf <<EOF +# Generated by: httpd-conf $* +# Allow public access to server resources + +# Allow access to document root +<Directory "$htdocs"> +AuthType None +Require all granted +</Directory> + +# Allow everyone to access root location +<Location /> +AuthType None +Require all granted +</Location> + +EOF + # Generate vhost configuration cat >$root/conf/vhost.conf <<EOF # Generated by: httpd-conf $* @@ -300,7 +323,7 @@ UseCanonicalName Off # Enable HTTP reverse proxy ProxyRequests Off -ProxyPreserveHost Off +ProxyPreserveHost On ProxyStatus On EOF diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf index dc3b71bcac..f397c2f7de 100755 --- a/sca-cpp/trunk/modules/http/httpd-ssl-conf +++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf 
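Review bot: The `/server-status` and `/server-info` locations now live in pubauth.conf, which httpd-conf includes into the base httpd.conf, so they become reachable on the plain-HTTP listener as well; the blocks removed from httpd-ssl-conf in the next hunk were confined to the SSL virtual host. With `Require user admin` backed by the AuthUserFile set on `<Location />`, the admin password can be submitted over cleartext HTTP if that listener stays exposed. Either keep these two blocks in the SSL vhost configuration or add `SSLRequireSSL` inside each of them. The pubauth.conf header comment should also state that the file is included after auth.conf and therefore overrides its `<Location />` authorization for the listed paths.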
@@ -72,19 +72,6 @@ RewriteRule .* https://$host$sslpportsuffix%{REQUEST_URI} [R] </Location> Include conf/svhost-ssl.conf - -# Allow the server admin to view the server status -<Location /server-status> -SetHandler server-status -HostnameLookups on -Require user admin -</Location> - -<Location /server-info> -SetHandler server-info -HostnameLookups on -Require user admin -</Location> </VirtualHost> EOF @@ -142,7 +129,7 @@ Include conf/log-ssl.conf # Enable HTTPS reverse proxy ProxyRequests Off -ProxyPreserveHost Off +ProxyPreserveHost On ProxyStatus On SSLProxyEngine on SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL diff --git a/sca-cpp/trunk/modules/http/httpd.hpp b/sca-cpp/trunk/modules/http/httpd.hpp index 5f8b867c9b..06d53e28c2 100644 --- a/sca-cpp/trunk/modules/http/httpd.hpp +++ b/sca-cpp/trunk/modules/http/httpd.hpp @@ -79,6 +79,7 @@ #include "list.hpp" #include "value.hpp" #include "monad.hpp" +#include "http.hpp" namespace tuscany { 
@@ -119,31 +120,6 @@ template<typename C> C& dirConf(const void* c) {
 }
 
 /**
- * Return the name of a server.
- */
-const string serverName(const server_rec* s, const string& def = "localhost") {
- ostringstream n;
- n << (s->server_scheme != NULL? s->server_scheme : "http") << "://"
- << (s->server_hostname != NULL? s->server_hostname : def) << ":"
- << (s->port != 0? s->port : 80)
- << (s->path != NULL? string(s->path, s->pathlen) : "");
- return str(n);
-}
-
-/**
- * Determine the name of a server from an HTTP request.
- */
-const string serverName(request_rec* r, const string& def = "localhost") {
- ostringstream n;
- const char* hn = ap_get_server_name(r);
- n << (r->server->server_scheme != NULL? r->server->server_scheme : "http") << "://"
- << (hn != NULL? hn : (r->server->server_hostname != NULL? r->server->server_hostname : def)) << ":"
- << (r->server->port != 0? r->server->port : 80)
- << (r->server->path != NULL? string(r->server->path, r->server->pathlen) : "");
- return str(n);
-}
-
-/**
  * Return the host name for a server.
  */
 const string hostName(const server_rec* s, const string& def = "localhost") {
@@ -154,15 +130,11 @@ const string hostName(const server_rec* s, const string& def = "localhost") {
  * Return the host name from an HTTP request.
  */
 const string hostName(request_rec* r, const string& def = "localhost") {
- const char* hn = ap_get_server_name(r);
- return hn != NULL? hn : (r->server->server_hostname != NULL? r->server->server_hostname : def);
-}
-
-/**
- * Return true if a request is targeting a virtual host.
- */
-const bool isVirtualHostRequest(const server_rec* s, request_rec* r) {
- return hostName(r) != hostName(s);
+ const char* fh = apr_table_get(r->headers_in, "X-Forwarded-Server");
+ if (fh != NULL)
+ return fh;
+ const char* h = ap_get_server_name(r);
+ return h != NULL? h : (r->server->server_hostname != NULL? r->server->server_hostname : def);
 }
 
 /**
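Review bot: hostName(request_rec*) now returns whatever the `X-Forwarded-Server` request header says, with no check that the request actually arrived through the front proxy; scheme() and port() in the next two hunks do the same with `X-Forwarded-HTTPS` and `X-Forwarded-Port`. A client that can reach a backend directly — and the new proxy-ssl-nossl-member-conf points the HTTPS proxy at plain `http://` backends — can therefore choose the host that ends up in the OAuth session cookie in mod-oauth1.cpp/mod-oauth2.cpp, in the redirect URL built by url(), and in the virtual-host lookup in handleRequest/translateRequest. Only the HTTPS and Port headers are set by proxy-conf/proxy-ssl-conf; X-Forwarded-Server is presumably added by mod_proxy itself, which is worth stating. Honour these headers only when the peer address is a configured proxy (or document that backends must be bound so that only the proxy can reach them), and record the assumption on the function: `// X-Forwarded-* are trusted as set by the front proxy; backends must not be directly reachable`.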
@@ -176,6 +148,9 @@ const string scheme(const server_rec* s, const string& def = "http") {
  * Return the protocol scheme from an HTTP request.
  */
 const string scheme(request_rec* r, const string& def = "http") {
+ const char* fs = apr_table_get(r->headers_in, "X-Forwarded-HTTPS");
+ if (fs != NULL)
+ return !strcmp(fs, "on")? "https" : "http";
 return r->server->server_scheme != NULL? r->server->server_scheme : def;
 }
 
@@ -190,7 +165,49 @@ const int port(const server_rec* s, const int def = 80) {
  * Return the port number from an HTTP request.
  */
 const int port(request_rec* r, const int def = 80) {
- return r->server->port != 0? r->server->port : def;
+ const char* fp = apr_table_get(r->headers_in, "X-Forwarded-Port");
+ if (fp != NULL)
+ return atoi(fp);
+ const int p = ap_get_server_port(r);
+ return p != 0? p : def;
+}
+
+/**
+ * Return the name of a server.
+ */
+const string serverName(const server_rec* s, const string& def = "localhost") {
+ ostringstream n;
+ const string sc = scheme(s);
+ const string h = hostName(s, def);
+ const int p = port(s, sc == "https"? 443 : 80);
+ n << sc << "://" << h;
+ if (!((sc == "http" && p == 80) || (sc == "https" && p == 443)))
+ n << ":" << p;
+ n << (s->path != NULL? string(s->path, s->pathlen) : "");
+ return str(n);
+}
+
+/**
+ * Determine the name of a server from an HTTP request.
+ */
+const string serverName(request_rec* r, const string& def = "localhost") {
+ ostringstream n;
+ const string s = scheme(r);
+ const string h = hostName(r, def);
+ const int p = port(r, s == "https"? 443 : 80);
+ n << s << "://" << h;
+ if (!((s == "http" && p == 80) || (s == "https" && p == 443)))
+ n << ":" << p;
+ n << (r->server->path != NULL? string(r->server->path, r->server->pathlen) : "");
+ return str(n);
+}
+
+/**
+ * Return true if a request is targeting a virtual host.
+ */
+const bool isVirtualHostRequest(const server_rec* s, const string& d, request_rec* r) {
+ const string rh = hostName(r);
+ return rh != hostName(s) && http::topDomain(rh) == d;
 }
 
 /**
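Review bot: `return atoi(fp);` makes an empty or non-numeric `X-Forwarded-Port` header yield port 0, bypassing the `def` fallback the following line applies to the connection port, and an out-of-range value such as 99999 is returned unchanged. Parse with strtol, accept only 1–65535 and otherwise fall through to ap_get_server_port(), as below. Separately, the scheme-host-port assembly including the default-port elision is now written three times — both serverName overloads here and url() in the next hunk — and the url() copy hard-codes `"localhost"` where the others take `def`; a single helper such as `const string baseUrl(const string& s, const string& h, const int p)` would leave one place to get this right.
```cpp
const int port(request_rec* r, const int def = 80) {
    const char* fp = apr_table_get(r->headers_in, "X-Forwarded-Port");
    if (fp != NULL) {
        char* end = NULL;
        const long fpv = strtol(fp, &end, 10);
        // Empty, non-numeric or out-of-range header: ignore it and use the connection port
        if (end != fp && *end == '\0' && fpv > 0 && fpv <= 65535)
            return (int)fpv;
    }
    const int p = ap_get_server_port(r);
    return p != 0? p : def;
}
```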
@@ -223,18 +240,25 @@ const list<value> pathInfo(const list<value>& uri, const list<value>& path) {
 }
 
 /**
- * Convert a URI and a path to an absolute URL.
+ * Convert a URI to an absolute URL.
  */
-const string url(const string& uri, const list<value>& p, request_rec* r) {
- const string u = uri + path(p);
- return ap_construct_url(r->pool, c_str(u), r);
+const string url(const string& uri, request_rec* r) {
+ ostringstream n;
+ const string s = scheme(r);
+ const string h = hostName(r, "localhost");
+ const int p = port(r, s == "https"? 443 : 80);
+ n << s << "://" << h;
+ if (!((s == "http" && p == 80) || (s == "https" && p == 443)))
+ n << ":" << p;
+ n << uri;
+ return str(n);
 }
 
 /**
- * Convert a URI to an absolute URL.
+ * Convert a URI and a path to an absolute URL.
  */
-const string url(const string& uri, request_rec* r) {
- return ap_construct_url(r->pool, c_str(uri), r);
+const string url(const string& uri, const list<value>& p, request_rec* r) {
+ return url(uri + path(p), r);
 }
 
 /**
diff --git a/sca-cpp/trunk/modules/http/open-auth-conf b/sca-cpp/trunk/modules/http/open-auth-conf
index 66d36242e2..cb702596ef 100755
--- a/sca-cpp/trunk/modules/http/open-auth-conf
+++ b/sca-cpp/trunk/modules/http/open-auth-conf
@@ -27,6 +27,13 @@ host=`echo $conf | awk '{ print $6 }'`
 
 pw=`cat $root/cert/ca.key | head -2 | tail -1`
 
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: open-auth-conf $*
+# Disallow public access to server resources
+
+EOF
+
 # Generate form authentication configuration
 cat >>$root/conf/auth.conf <<EOF
 # Generated by: open-auth-conf $*
diff --git a/sca-cpp/trunk/modules/http/proxy-conf b/sca-cpp/trunk/modules/http/proxy-conf
index 9094996b4b..76e5b2f3dd 100755
--- a/sca-cpp/trunk/modules/http/proxy-conf
+++ b/sca-cpp/trunk/modules/http/proxy-conf
@@ -32,5 +32,10 @@ Require all granted
 ProxySet lbmethod=byrequests
 </Proxy>
 
+<Location />
+RequestHeader set X-Forwarded-HTTPS %{HTTPS}s
+RequestHeader set X-Forwarded-Port %{SERVER_PORT}s
+</Location>
+
 EOF
 
diff --git a/sca-cpp/trunk/modules/http/proxy-member-conf b/sca-cpp/trunk/modules/http/proxy-member-conf
index 2e279e87c7..83c43df49f 100755
--- a/sca-cpp/trunk/modules/http/proxy-member-conf
+++ b/sca-cpp/trunk/modules/http/proxy-member-conf
@@ -24,12 +24,17 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
 
 host=$2
 port=`$here/httpd-addr port $3`
+if [ "$port" = "80" ]; then
+ portsuffix=""
+else
+ portsuffix=":$port"
+fi
 
 cat >>$root/conf/vhost.conf <<EOF
 # Generated by: proxy-member-conf $*
 # Add proxy balancer member
-BalancerMember balancer://cluster http://$host:$port
-ProxyPassReverse / http://$host:$port/
+BalancerMember balancer://cluster http://$host$portsuffix
+ProxyPassReverse / http://$host$portsuffix/
 
 EOF
 
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-conf b/sca-cpp/trunk/modules/http/proxy-ssl-conf
index 6897a0ff47..7e8003d283 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-conf
@@ -40,6 +40,11 @@ HostnameLookups on
 Require user admin
 </Location>
 
+<Location />
+RequestHeader set X-Forwarded-HTTPS %{HTTPS}s
+RequestHeader set X-Forwarded-Port %{SERVER_PORT}s
+</Location>
+
 EOF
 
 cat >>$root/conf/svhost-ssl.conf <<EOF
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
index 0ae98af482..cb42a1e9db 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
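Review bot: In proxy-conf `RequestHeader set X-Forwarded-HTTPS %{HTTPS}s` references an SSL environment variable on a plain-HTTP proxy vhost, where it is unset, so what the backend receives depends on how the httpd release renders an unset variable (an empty value or a placeholder); the backend's scheme() treats anything other than `on` as http, so this works by accident rather than by design. Use `RequestHeader set X-Forwarded-HTTPS off` in proxy-conf and keep the `%{HTTPS}s` form for proxy-ssl-conf. `set` is the right verb here because it replaces any X-Forwarded-HTTPS/X-Forwarded-Port the client sent, which is what the backend's trust in these headers relies on; a comment in both generated blocks should say so, e.g. `# Overwrite the client-facing scheme and port for backends; client-supplied values are never passed through`. X-Forwarded-Server, which the backend also consults, is not set here and presumably comes from mod_proxy itself.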
@@ -24,20 +24,17 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
 
 host=$2
 sslport=`$here/httpd-addr port $3`
+if [ "$sslport" = "443" ]; then
+ sslportsuffix=""
+else
+ sslportsuffix=":$sslport"
+fi
 
-cat >>$root/conf/svhost-ssl.conf <<EOF
+cat >>$root/conf/vhost-ssl.conf <<EOF
 # Generated by: proxy-ssl-member-conf $*
 # Add proxy balancer member
-BalancerMember balancer://sslcluster https://$host:$sslport
-ProxyPassReverse / https://$host:$sslport/
-
-EOF
-
-cat >>$root/conf/dvhost-ssl.conf <<EOF
-# Generated by: proxy-ssl-member-conf $*
-# Add proxy balancer member
-BalancerMember balancer://sslcluster https://$host:$sslport
-ProxyPassReverse / https://$host:$sslport/
+BalancerMember balancer://sslcluster https://$host$sslportsuffix
+ProxyPassReverse / https://$host$sslportsuffix/
 
 EOF
 
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-nossl-member-conf b/sca-cpp/trunk/modules/http/proxy-ssl-nossl-member-conf
new file mode 100755
index 0000000000..17b766d986
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-nossl-member-conf
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Add a proxy balancer member
+here=`echo "import os; print os.path.realpath('$0')" | python`; here=`dirname $here`
+mkdir -p $1
+root=`echo "import os; print os.path.realpath('$1')" | python`
+
+host=$2
+port=`$here/httpd-addr port $3`
+if [ "$port" = "80" ]; then
+ portsuffix=""
+else
+ portsuffix=":$port"
+fi
+
+cat >>$root/conf/vhost-ssl.conf <<EOF
+# Generated by: proxy-ssl-nossl-member-conf $*
+# Add proxy balancer member
+BalancerMember balancer://sslcluster http://$host$portsuffix
+ProxyPassReverse / http://$host$portsuffix/
+
+EOF
+
diff --git a/sca-cpp/trunk/modules/http/vhost-conf b/sca-cpp/trunk/modules/http/vhost-conf
index 150d57f115..2bcc158f48 100755
--- a/sca-cpp/trunk/modules/http/vhost-conf
+++ b/sca-cpp/trunk/modules/http/vhost-conf
@@ -47,14 +47,6 @@ ServerAlias *.$host
 VirtualDocumentRoot $vroot/%1/$vhtdocs/
 Include conf/dvhost.conf
-
-# Allow access to document root
-<Directory "$vroot">
-Options FollowSymLinks
-AuthType None
-Require all granted
-</Directory>
-
 </VirtualHost>
 EOF
diff --git a/sca-cpp/trunk/modules/http/vhost-ssl-conf b/sca-cpp/trunk/modules/http/vhost-ssl-conf
index 7ddbee08e0..28e9eefe76 100755
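Review bot: The header comment `# Add a proxy balancer member` does not say what distinguishes this script from proxy-member-conf: the member is registered in vhost-ssl.conf on the `sslcluster` balancer but reached over plain `http://`, so TLS ends at the proxy and the OAuth session cookie plus the X-Forwarded-* headers the backends trust cross that hop unencrypted. Suggest `# Add a plain-HTTP backend to the HTTPS proxy's balancer; the proxy-to-backend link is unencrypted, so backends must be reachable from the proxy only`. The script is otherwise a copy of proxy-member-conf except for the target file and balancer name; those two could be parameters of one script rather than a third near-identical file.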
--- a/sca-cpp/trunk/modules/http/vhost-ssl-conf
+++ b/sca-cpp/trunk/modules/http/vhost-ssl-conf
@@ -52,13 +52,5 @@ ServerAlias *.$host
 VirtualDocumentRoot $vroot/%1/$vhtdocs/
 Include conf/dvhost-ssl.conf
-
-# Allow access to document root
-<Directory "$vroot">
-Options FollowSymLinks
-AuthType None
-Require all granted
-</Directory>
-
 </VirtualHost>
diff --git a/sca-cpp/trunk/modules/oauth/mod-oauth1.cpp b/sca-cpp/trunk/modules/oauth/mod-oauth1.cpp
index 2381b16810..94e9698d70 100644
--- a/sca-cpp/trunk/modules/oauth/mod-oauth1.cpp
+++ b/sca-cpp/trunk/modules/oauth/mod-oauth1.cpp
@@ -376,8 +376,8 @@ const failable<int> access_token(const list<list<value> >& args, request_rec* r,
 return mkfailure<int>(reason(prc));
 
 // Send session ID to the client in a cookie
- debug(c_str(openauth::cookie(sid, httpd::hostName(sc.server))), "modoauth1::access_token::setcookie");
- apr_table_set(r->err_headers_out, "Set-Cookie", c_str(openauth::cookie(sid, httpd::hostName(sc.server))));
+ debug(c_str(openauth::cookie(sid, httpd::hostName(r))), "modoauth1::access_token::setcookie");
+ apr_table_set(r->err_headers_out, "Set-Cookie", c_str(openauth::cookie(sid, httpd::hostName(r))));
 
 return httpd::externalRedirect(httpd::url(r->uri, r), r);
 }
diff --git a/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp b/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp
index 3d567040ac..0c49be879e 100644
--- a/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp
+++ b/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp
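Review bot: The cookie is built twice on the new lines in mod-oauth1.cpp — once for the debug trace and once for `Set-Cookie` — so the trace can silently differ from what is sent if either call changes; compute it once: `const string ck = openauth::cookie(sid, httpd::hostName(r));` then `debug(c_str(ck), "modoauth1::access_token::setcookie");` and `apr_table_set(r->err_headers_out, "Set-Cookie", c_str(ck));`. The same duplication is in mod-oauth2.cpp in the next hunk. The trace presumably writes the session id to the log, which was already the case before this change but is worth a second look now that the cookie domain comes from a request header. access_token begins before this hunk.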
@@ -231,8 +231,8 @@ const failable<int> access_token(const list<list<value> >& args, request_rec* r,
 return mkfailure<int>(reason(prc));
 
 // Send session ID to the client in a cookie
- debug(c_str(openauth::cookie(sid, httpd::hostName(sc.server))), "modoauth2::access_token::setcookie");
- apr_table_set(r->err_headers_out, "Set-Cookie", c_str(openauth::cookie(sid, httpd::hostName(sc.server))));
+ debug(c_str(openauth::cookie(sid, httpd::hostName(r))), "modoauth2::access_token::setcookie");
+ apr_table_set(r->err_headers_out, "Set-Cookie", c_str(openauth::cookie(sid, httpd::hostName(r))));
 
 return httpd::externalRedirect(httpd::url(r->uri, r), r);
 }
diff --git a/sca-cpp/trunk/modules/oauth/oauth-conf b/sca-cpp/trunk/modules/oauth/oauth-conf
index 21fc51cac8..23ec52b35f 100755
--- a/sca-cpp/trunk/modules/oauth/oauth-conf
+++ b/sca-cpp/trunk/modules/oauth/oauth-conf
@@ -41,12 +41,14 @@ LoadModule mod_tuscany_oauth2 $here/libmod_tuscany_oauth2$libsuffix
 
 EOF
 
-cat >$root/cert/oauth-keys.conf <<EOF
-# Generated by: oauth-conf $*
-# OAuth App keys
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: oauth-auth-conf $*
+# Disallow public access to server resources
 
 EOF
 
+# Configure OAuth authentication
 cat >>$root/conf/auth.conf <<EOF
 # Generated by: oauth-conf $*
 # Enable OAuth authentication
@@ -77,6 +79,13 @@ Include $root/cert/oauth-keys.conf
 
 EOF
 
+mkdir -p $root/cert
+cat >$root/cert/oauth-keys.conf <<EOF
+# Generated by: oauth-conf $*
+# OAuth App keys
+
+EOF
+
 if [ -d "$HOME/.oauth" ]; then
 cat >>$root/conf/auth.conf <<EOF
 # Configure OAuth App keys
diff --git a/sca-cpp/trunk/modules/openid/openid-conf b/sca-cpp/trunk/modules/openid/openid-conf
index c6e63c128d..c9e2d85586 100755
--- a/sca-cpp/trunk/modules/openid/openid-conf
+++ b/sca-cpp/trunk/modules/openid/openid-conf
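Review bot: The generated noauth.conf in oauth-conf is tagged `# Generated by: oauth-auth-conf $*` although the script is oauth-conf; every other script writes its own name, and openid-conf in the next hunk makes the same slip with `openid-auth-conf`, so anything that greps for the generating script would miss both files. Change the line to `# Generated by: oauth-conf $*`. In the second hunk `$root/cert/oauth-keys.conf` is created under the default umask; auth.conf includes it and, judging by its `# OAuth App keys` header, it is meant to hold application credentials, so a `umask 077` before the `cat >` (or a `chmod 600` after it) would keep it from being world-readable once populated.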
@@ -26,6 +26,13 @@ conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"` host=`echo $conf | awk '{ print $6 }'` openid_prefix=`cat $here/openid.prefix` +# Disallow public access to server resources +cat >$root/conf/noauth.conf <<EOF +# Generated by: openid-auth-conf $* +# Disallow public access to server resources + +EOF + # Configure OpenID authentication cat >>$root/conf/modules.conf <<EOF # Generated by: openid-conf $* @@ -55,9 +62,9 @@ AuthOpenIDAXAdd LASTNAME http://axschema.org/namePerson/last EOF -cat >>$root/conf/httpd.conf <<EOF +cat >>$root/conf/pubauth.conf <<EOF # Generated by: openid-conf $* -# Allow access to /openid location +# Allow public access to /openid location <Location /openid> AuthType None Require all granted diff --git a/sca-cpp/trunk/modules/openid/openid-step2-conf b/sca-cpp/trunk/modules/openid/openid-step2-conf index 9a32da498e..e9144b873a 100755 --- a/sca-cpp/trunk/modules/openid/openid-step2-conf +++ b/sca-cpp/trunk/modules/openid/openid-step2-conf @@ -42,8 +42,8 @@ ForceType text/plain EOF -cat >>$root/conf/httpd.conf <<EOF -# Generated by: openid-conf $* +cat >>$root/conf/pubauth.conf <<EOF +# Generated by: openid-step2-conf $* # Allow access to /.well-known/host-meta location <Location /.well-known/host-meta> AuthType None diff --git a/sca-cpp/trunk/modules/server/mod-eval.hpp b/sca-cpp/trunk/modules/server/mod-eval.hpp index 4c305fccbf..31e850d18c 100644 --- a/sca-cpp/trunk/modules/server/mod-eval.hpp +++ b/sca-cpp/trunk/modules/server/mod-eval.hpp 
@@ -56,10 +56,10 @@ namespace modeval {
  */
 class ServerConf {
 public:
- ServerConf(apr_pool_t* p, server_rec* s) : p(p), server(s), contributionPath(""), compositeName(""), virtualHostContributionPath(""), virtualHostCompositeName(""), ca(""), cert(""), key("") {
+ ServerConf(apr_pool_t* p, server_rec* s) : p(p), server(s), contributionPath(""), compositeName(""), virtualHostDomain(""), virtualHostContributionPath(""), virtualHostCompositeName(""), ca(""), cert(""), key("") {
 }
- ServerConf(apr_pool_t* p, const ServerConf& ssc, const string& name) : p(p), server(ssc.server), lifecycle(ssc.lifecycle), contributionPath(ssc.virtualHostContributionPath + name + "/"), compositeName(ssc.virtualHostCompositeName), virtualHostContributionPath(""), virtualHostCompositeName(""), ca(ssc.ca), cert(ssc.cert), key(ssc.key) {
+ ServerConf(apr_pool_t* p, const ServerConf& ssc, const string& name) : p(p), server(ssc.server), lifecycle(ssc.lifecycle), contributionPath(ssc.virtualHostContributionPath + name + "/"), compositeName(ssc.virtualHostCompositeName), virtualHostDomain(""), virtualHostContributionPath(""), virtualHostCompositeName(""), ca(ssc.ca), cert(ssc.cert), key(ssc.key) {
 }
 
 const gc_pool p;
@@ -67,6 +67,7 @@ public:
 lambda<value(const list<value>&)> lifecycle;
 string contributionPath;
 string compositeName;
+ string virtualHostDomain;
 string virtualHostContributionPath;
 string virtualHostCompositeName;
 string ca;
@@ -84,6 +85,13 @@ const bool hasCompositeConf(const ServerConf& sc) {
 }
 
 /**
+ * Return true if a server contains a virtual host domain configuration.
+ */
+const bool hasVirtualDomainConf(const ServerConf& sc) {
+ return sc.virtualHostDomain != "";
+}
+
+/**
  * Return true if a server contains a virtual host composite configuration.
  */
 const bool hasVirtualCompositeConf(const ServerConf& sc) {
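Review bot: `virtualHostDomain` is added to ServerConf without a comment, and hasVirtualDomainConf only says the value is non-empty; nothing records that isVirtualHostRequest compares it verbatim with `http::topDomain()` of the request host, so a value with a leading dot or different case would never match unless topDomain normalises it (not visible here). Suggest `string virtualHostDomain; // Domain the virtual hosts live under (SCAVirtualDomain); compared as-is with the top domain of the request host`. The same field and helper are duplicated in mod-wiring.cpp further down and should carry the same comment.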
@@ -812,7 +820,7 @@ const int handleRequest(const ServerConf& sc, const list<value>& rpath, request_
 
 // Handle a request targeting a virtual host or virtual app
 if (hasVirtualCompositeConf(sc)) {
- if (httpd::isVirtualHostRequest(sc.server, r)) {
+ if (hasVirtualDomainConf(sc) && httpd::isVirtualHostRequest(sc.server, sc.virtualHostDomain, r)) {
 ServerConf vsc(r->pool, sc, http::subDomain(httpd::hostName(r)));
 if (!hasContent(virtualHostConfig(vsc, sc, r)))
 return HTTP_INTERNAL_SERVER_ERROR;
@@ -916,6 +924,7 @@ const int postConfigMerge(const ServerConf& mainsc, server_rec* s) {
 sc.lifecycle = mainsc.lifecycle;
 sc.contributionPath = mainsc.contributionPath;
 sc.compositeName = mainsc.compositeName;
+ sc.virtualHostDomain = mainsc.virtualHostDomain;
 sc.virtualHostContributionPath = mainsc.virtualHostContributionPath;
 sc.virtualHostCompositeName = mainsc.virtualHostCompositeName;
 if (sc.ca == "") sc.ca = mainsc.ca;
@@ -1026,6 +1035,12 @@ const char* confComposite(cmd_parms *cmd, unused void *c, const char *arg) {
 sc.compositeName = arg;
 return NULL;
 }
+const char* confVirtualDomain(cmd_parms *cmd, unused void *c, const char *arg) {
+ gc_scoped_pool pool(cmd->pool);
+ ServerConf& sc = httpd::serverConf<ServerConf>(cmd, &mod_tuscany_eval);
+ sc.virtualHostDomain = arg;
+ return NULL;
+}
 const char* confVirtualContribution(cmd_parms *cmd, unused void *c, const char *arg) {
 gc_scoped_pool pool(cmd->pool);
 ServerConf& sc = httpd::serverConf<ServerConf>(cmd, &mod_tuscany_eval);
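Review bot: The virtual-host branch still takes the contribution directory from the request: `http::subDomain(httpd::hostName(r))` becomes `contributionPath(ssc.virtualHostContributionPath + name + "/")` in the ServerConf constructor, and the new `topDomain(rh) == d` test in isVirtualHostRequest pins only the suffix of the host, not the characters of the label in front of it. Whether http::subDomain restricts its result to a hostname label is not visible here; if it does not, a host value containing a path separator or `..` — hostName(r) now takes it from `X-Forwarded-Server` or the Host header — would resolve to a directory outside the virtual-host root. Validate the label (letters, digits and `-` only) before constructing `vsc` and return HTTP_NOT_FOUND otherwise, and apply the same check in translateRequest in mod-wiring.cpp. handleRequest begins before this hunk.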
@@ -1068,6 +1083,7 @@ const char* confEnv(unused cmd_parms *cmd, unused void *c, const char *name, con
 const command_rec commands[] = {
 AP_INIT_TAKE1("SCAContribution", (const char*(*)())confContribution, NULL, RSRC_CONF, "SCA contribution location"),
 AP_INIT_TAKE1("SCAComposite", (const char*(*)())confComposite, NULL, RSRC_CONF, "SCA composite location"),
+AP_INIT_TAKE1("SCAVirtualDomain", (const char*(*)())confVirtualDomain, NULL, RSRC_CONF, "SCA virtual host domain"),
 AP_INIT_TAKE1("SCAVirtualContribution", (const char*(*)())confVirtualContribution, NULL, RSRC_CONF, "SCA virtual host contribution location"),
 AP_INIT_TAKE1("SCAVirtualComposite", (const char*(*)())confVirtualComposite, NULL, RSRC_CONF, "SCA virtual composite location"),
 AP_INIT_TAKE12("SCASetEnv", (const char*(*)())confEnv, NULL, OR_FILEINFO, "Environment variable name and optional value"),
diff --git a/sca-cpp/trunk/modules/server/mod-wiring.cpp b/sca-cpp/trunk/modules/server/mod-wiring.cpp
index 39e43c0420..c61e90a6a1 100644
--- a/sca-cpp/trunk/modules/server/mod-wiring.cpp
+++ b/sca-cpp/trunk/modules/server/mod-wiring.cpp
@@ -54,16 +54,17 @@ const bool useModProxy = true;
  */
 class ServerConf {
 public:
- ServerConf(apr_pool_t* p, server_rec* s) : p(p), server(s), contributionPath(""), compositeName(""), virtualHostContributionPath(""), virtualHostCompositeName("") {
+ ServerConf(apr_pool_t* p, server_rec* s) : p(p), server(s), contributionPath(""), compositeName(""), virtualHostDomain(""), virtualHostContributionPath(""), virtualHostCompositeName("") {
 }
- ServerConf(apr_pool_t* p, const ServerConf& ssc, const string& name) : p(p), server(ssc.server), contributionPath(ssc.virtualHostContributionPath + name + "/"), compositeName(ssc.virtualHostCompositeName), virtualHostContributionPath(""), virtualHostCompositeName("") {
+ ServerConf(apr_pool_t* p, const ServerConf& ssc, const string& name) : p(p), server(ssc.server), contributionPath(ssc.virtualHostContributionPath + name + "/"), compositeName(ssc.virtualHostCompositeName), virtualHostDomain(""), virtualHostContributionPath(""), virtualHostCompositeName("") {
 }
 
 const gc_pool p;
 server_rec* server;
 string contributionPath;
 string compositeName;
+ string virtualHostDomain;
 string virtualHostContributionPath;
 string virtualHostCompositeName;
 list<value> references;
@@ -78,6 +79,13 @@ const bool hasCompositeConf(const ServerConf& sc) {
 }
 
 /**
+ * Return true if a server contains a virtual host domain configuration.
+ */
+const bool hasVirtualDomainConf(const ServerConf& sc) {
+ return sc.virtualHostDomain != "";
+}
+
+/**
  * Return true if a server contains a virtual host composite configuration.
  */
 const bool hasVirtualCompositeConf(const ServerConf& sc) {
@@ -304,8 +312,9 @@ const int translateRequest(const ServerConf& sc, request_rec *r, const list<valu
 
 // If the request is targeting a virtual host, use the corresponding
 // virtual host configuration
+ const bool vdc = hasVirtualDomainConf(sc);
 const bool vcc = hasVirtualCompositeConf(sc);
- if (vcc && httpd::isVirtualHostRequest(sc.server, r)) {
+ if (vdc && vcc && httpd::isVirtualHostRequest(sc.server, sc.virtualHostDomain, r)) {
 ServerConf vsc(r->pool, sc, http::subDomain(httpd::hostName(r)));
 if (!hasContent(virtualHostConfig(vsc, sc, r)))
 return HTTP_INTERNAL_SERVER_ERROR;
@@ -409,6 +418,7 @@ const int postConfigMerge(const ServerConf& mainsc, server_rec* s) {
 ServerConf& sc = httpd::serverConf<ServerConf>(s, &mod_tuscany_wiring);
 sc.contributionPath = mainsc.contributionPath;
 sc.compositeName = mainsc.compositeName;
+ sc.virtualHostDomain = mainsc.virtualHostDomain;
 sc.virtualHostContributionPath = mainsc.virtualHostContributionPath;
 sc.virtualHostCompositeName = mainsc.virtualHostCompositeName;
 sc.references = mainsc.references;
@@ -462,6 +472,12 @@ const char *confComposite(cmd_parms *cmd, unused void *c, const char *arg) {
 sc.compositeName = arg;
 return NULL;
 }
+const char *confVirtualDomain(cmd_parms *cmd, unused void *c, const char *arg) {
+ gc_scoped_pool pool(cmd->pool);
+ ServerConf& sc = httpd::serverConf<ServerConf>(cmd, &mod_tuscany_wiring);
+ sc.virtualHostDomain = arg;
+ return NULL;
+}
 const char *confVirtualContribution(cmd_parms *cmd, unused void *c, const char *arg) {
 gc_scoped_pool pool(cmd->pool);
 ServerConf& sc = httpd::serverConf<ServerConf>(cmd, &mod_tuscany_wiring);
@@ -481,6 +497,7 @@ const char *confVirtualComposite(cmd_parms *cmd, unused void *c, const char *arg
 const command_rec commands[] = {
 AP_INIT_TAKE1("SCAContribution", (const char*(*)())confContribution, NULL, RSRC_CONF, "SCA contribution location"),
 AP_INIT_TAKE1("SCAComposite", (const char*(*)())confComposite, NULL, RSRC_CONF, "SCA composite location"),
+ AP_INIT_TAKE1("SCAVirtualDomain", (const char*(*)())confVirtualDomain, NULL, RSRC_CONF, "SCA virtual host domain"),
 AP_INIT_TAKE1("SCAVirtualContribution", (const char*(*)())confVirtualContribution, NULL, RSRC_CONF, "SCA virtual host contribution location"),
 AP_INIT_TAKE1("SCAVirtualComposite", (const char*(*)())confVirtualComposite, NULL, RSRC_CONF, "SCA virtual host composite location"),
 {NULL, NULL, NULL, 0, NO_ARGS, NULL}
diff --git a/sca-cpp/trunk/modules/server/server-conf b/sca-cpp/trunk/modules/server/server-conf
index 5b3024abbc..47934f973e 100755
--- a/sca-cpp/trunk/modules/server/server-conf
+++ b/sca-cpp/trunk/modules/server/server-conf
@@ -54,6 +54,10 @@ Alias /scdl.js $jsprefix/htdocs/scdl.js
 Alias /all.js $jsprefix/htdocs/all.js
 Alias /all-min.js $jsprefix/htdocs/all-min.js
+EOF
+
+cat >>$root/conf/pubauth.conf <<EOF
+# Generated by: server-conf $*
 <Location /component.js>
 AuthType None
 Require all granted
diff --git a/sca-cpp/trunk/samples/store-cluster/server-conf b/sca-cpp/trunk/samples/store-cluster/server-conf
index f65ba37d3a..5113bc36f4 100755
--- a/sca-cpp/trunk/samples/store-cluster/server-conf
+++ b/sca-cpp/trunk/samples/store-cluster/server-conf
@@ -34,6 +34,7 @@ SCAContribution `pwd`/shared/
 SCAComposite shared.composite
 # Configure SCA Composite for mass dynamic virtual hosting
+SCAVirtualDomain sca-store.com
 SCAVirtualContribution `pwd`/domains/
 SCAVirtualComposite store.composite
diff --git a/sca-cpp/trunk/samples/store-cluster/server-ssl-conf b/sca-cpp/trunk/samples/store-cluster/server-ssl-conf
index 83628bbacd..a7813b2a01 100755
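Review bot: The help string for the new SCAVirtualDomain directive, `"SCA virtual host domain"`, does not say what form the value takes, while the samples in this diff pass a bare registrable domain such as `sca-store.com` and the module then treats request hosts relative to it. Since this string is what an administrator sees from httpd's directive listing, I would make the expected form explicit, e.g. `AP_INIT_TAKE1("SCAVirtualDomain", (const char*(*)())confVirtualDomain, NULL, RSRC_CONF, "SCA virtual host domain (bare domain name, e.g. example.com, without leading dot)"),` — adjust the wording if confVirtualDomain or isVirtualHostRequest (outside this hunk) normalize leading dots. The closing of the commands array is outside the hunk.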
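Review bot: The `<Location /component.js>` block with `Require all granted` is moved into a separate pubauth.conf, but nothing in this hunk includes that file, so whether /component.js and the other locations in this heredoc actually end up publicly reachable depends on where pubauth.conf is included relative to the authentication configuration — that ordering is now an invisible contract between server-conf and the auth-conf scripts. Also, the file is opened with `>>`, so re-running server-conf against the same root appends a second copy of every public Location; if that is intended, it is worth saying so. A comment above the new `cat >>$root/conf/pubauth.conf <<EOF` such as `# Locations granted public (unauthenticated) access; this file must be included after the auth configuration so it overrides the default deny` would make the dependency explicit. The heredoc's terminating EOF is outside the hunk.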
--- a/sca-cpp/trunk/samples/store-cluster/server-ssl-conf
+++ b/sca-cpp/trunk/samples/store-cluster/server-ssl-conf
@@ -52,6 +52,7 @@ SCAContribution `pwd`/shared/
 SCAComposite shared.composite
 # Configure SCA Composite for mass dynamic virtual hosting
+SCAVirtualDomain sca-store.com
 SCAVirtualContribution `pwd`/domains/
 SCAVirtualComposite store.composite
diff --git a/sca-cpp/trunk/samples/store-vhost/ssl-start b/sca-cpp/trunk/samples/store-vhost/ssl-start
index 3a6bb82bd8..a556d48dfc 100755
--- a/sca-cpp/trunk/samples/store-vhost/ssl-start
+++ b/sca-cpp/trunk/samples/store-vhost/ssl-start
@@ -38,6 +38,7 @@ SCAContribution `pwd`/shared/
 SCAComposite shared.composite
 # Configure SCA Composite for mass dynamic virtual Hosting
+SCAVirtualDomain sca-store.com
 SCAVirtualContribution `pwd`/domains/
 SCAVirtualComposite store.composite
diff --git a/sca-cpp/trunk/samples/store-vhost/start b/sca-cpp/trunk/samples/store-vhost/start
index 38661e711c..ee6f613bad 100755
--- a/sca-cpp/trunk/samples/store-vhost/start
+++ b/sca-cpp/trunk/samples/store-vhost/start
@@ -28,6 +28,7 @@ SCAContribution `pwd`/shared/
 SCAComposite shared.composite
 # Configure SCA Composite for mass dynamic virtual hosting
+SCAVirtualDomain sca-store.com
 SCAVirtualContribution `pwd`/domains/
 SCAVirtualComposite store.composite
diff --git a/sca-cpp/trunk/samples/store-vhost/uec2-start b/sca-cpp/trunk/samples/store-vhost/uec2-start
index f7208b7403..70de35efa1 100755
--- a/sca-cpp/trunk/samples/store-vhost/uec2-start
+++ b/sca-cpp/trunk/samples/store-vhost/uec2-start
@@ -41,6 +41,7 @@ sudo ../../ubuntu/ip-redirect-all 443 8453
 ../../modules/python/python-conf tmp
 cat >>tmp/conf/httpd.conf <<EOF
 # Configure SCA Composite for mass dynamic virtual Hosting
+SCAVirtualDomain $host
 SCAVirtualContribution `pwd`/domains/
 SCAVirtualComposite store.composite |
