authorjsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68>2011-12-18 20:19:11 +0000
committerjsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68>2011-12-18 20:19:11 +0000
commit3ac8ca7868ade978a3d0fc74113f3276e5c183ec (patch)
treebcec824aaee082426af297c1ebc331b98c25824f /sca-cpp
parent0498e9dd768e270b74045acd96075306c29a9b4a (diff)
Add ability to configure an HTTPS proxy with load balancing over a set of HTTP backend servers and get OAuth authentication working with that topology.
git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1220526 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'sca-cpp')
-rw-r--r--sca-cpp/trunk/modules/http/Makefile.am2
-rwxr-xr-xsca-cpp/trunk/modules/http/basic-auth-conf7
-rwxr-xr-xsca-cpp/trunk/modules/http/cert-auth-conf7
-rwxr-xr-xsca-cpp/trunk/modules/http/form-auth-conf7
-rwxr-xr-xsca-cpp/trunk/modules/http/group-auth-conf8
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-conf103
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-ssl-conf15
-rw-r--r--sca-cpp/trunk/modules/http/httpd.hpp108
-rwxr-xr-xsca-cpp/trunk/modules/http/open-auth-conf7
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-conf5
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-member-conf9
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-ssl-conf5
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-ssl-member-conf19
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-ssl-nossl-member-conf40
-rwxr-xr-xsca-cpp/trunk/modules/http/vhost-conf8
-rwxr-xr-xsca-cpp/trunk/modules/http/vhost-ssl-conf8
-rw-r--r--sca-cpp/trunk/modules/oauth/mod-oauth1.cpp4
-rw-r--r--sca-cpp/trunk/modules/oauth/mod-oauth2.cpp4
-rwxr-xr-xsca-cpp/trunk/modules/oauth/oauth-conf15
-rwxr-xr-xsca-cpp/trunk/modules/openid/openid-conf11
-rwxr-xr-xsca-cpp/trunk/modules/openid/openid-step2-conf4
-rw-r--r--sca-cpp/trunk/modules/server/mod-eval.hpp22
-rw-r--r--sca-cpp/trunk/modules/server/mod-wiring.cpp23
-rwxr-xr-xsca-cpp/trunk/modules/server/server-conf4
-rwxr-xr-xsca-cpp/trunk/samples/store-cluster/server-conf1
-rwxr-xr-xsca-cpp/trunk/samples/store-cluster/server-ssl-conf1
-rwxr-xr-xsca-cpp/trunk/samples/store-vhost/ssl-start1
-rwxr-xr-xsca-cpp/trunk/samples/store-vhost/start1
-rwxr-xr-xsca-cpp/trunk/samples/store-vhost/uec2-start1
29 files changed, 306 insertions, 144 deletions
diff --git a/sca-cpp/trunk/modules/http/Makefile.am b/sca-cpp/trunk/modules/http/Makefile.am
index 89b285ea35..846c8ac6cc 100644
--- a/sca-cpp/trunk/modules/http/Makefile.am
+++ b/sca-cpp/trunk/modules/http/Makefile.am
@@ -20,7 +20,7 @@ INCLUDES = -I${HTTPD_INCLUDE}
incl_HEADERS = *.hpp
incldir = $(prefix)/include/modules/http
-dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf cert-auth-conf form-auth-conf open-auth-conf passwd-auth-conf group-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf httpd-worker-conf httpd-event-conf minify-html minify-js minify-css
+dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf cert-auth-conf form-auth-conf open-auth-conf passwd-auth-conf group-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf proxy-ssl-nossl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf httpd-worker-conf httpd-event-conf minify-html minify-js minify-css
moddir = $(prefix)/modules/http
curl_test_SOURCES = curl-test.cpp
diff --git a/sca-cpp/trunk/modules/http/basic-auth-conf b/sca-cpp/trunk/modules/http/basic-auth-conf
index d8c013d853..f376124da7 100755
--- a/sca-cpp/trunk/modules/http/basic-auth-conf
+++ b/sca-cpp/trunk/modules/http/basic-auth-conf
@@ -25,6 +25,13 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
host=`echo $conf | awk '{ print $6 }'`
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: basic-auth-conf $*
+# Disallow public access to server resources
+
+EOF
+
# Generate basic authentication configuration
cat >>$root/conf/auth.conf <<EOF
# Generated by: basic-auth-conf $*
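Review bot: The heredoc comment `# Disallow public access to server resources` describes an effect the file itself does not produce: the generated noauth.conf contains no directives, and access is withheld only because this overwrites the open `Require all granted` grants that httpd-conf writes into the same file. A reader of the generated file will look for a Deny that is not there, so the comment should state the mechanism, e.g. `# Empty on purpose: replaces the open-access grants httpd-conf writes to noauth.conf`. The same stanza is repeated verbatim in the cert-auth-conf, form-auth-conf, group-auth-conf, open-auth-conf, oauth-conf and openid-conf hunks, and each would benefit from the same wording.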
diff --git a/sca-cpp/trunk/modules/http/cert-auth-conf b/sca-cpp/trunk/modules/http/cert-auth-conf
index 788a6f6d9f..4959fab14a 100755
--- a/sca-cpp/trunk/modules/http/cert-auth-conf
+++ b/sca-cpp/trunk/modules/http/cert-auth-conf
@@ -25,6 +25,13 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
host=`echo $conf | awk '{ print $6 }'`
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: cert-auth-conf $*
+# Disallow public access to server resources
+
+EOF
+
# Generate authentication configuration
cat >>$root/conf/auth.conf <<EOF
# Generated by: cert-auth-conf $*
diff --git a/sca-cpp/trunk/modules/http/form-auth-conf b/sca-cpp/trunk/modules/http/form-auth-conf
index 910f906078..defa1bf8b1 100755
--- a/sca-cpp/trunk/modules/http/form-auth-conf
+++ b/sca-cpp/trunk/modules/http/form-auth-conf
@@ -27,6 +27,13 @@ host=`echo $conf | awk '{ print $6 }'`
pw=`cat $root/cert/ca.key | head -2 | tail -1`
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: form-auth-conf $*
+# Disallow public access to server resources
+
+EOF
+
# Generate form authentication configuration
cat >>$root/conf/auth.conf <<EOF
# Generated by: form-auth-conf $*
diff --git a/sca-cpp/trunk/modules/http/group-auth-conf b/sca-cpp/trunk/modules/http/group-auth-conf
index c9cd7f6e2e..726c55982d 100755
--- a/sca-cpp/trunk/modules/http/group-auth-conf
+++ b/sca-cpp/trunk/modules/http/group-auth-conf
@@ -23,6 +23,13 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
user=$2
group="members"
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: group-auth-conf $*
+# Disallow public access to server resources
+
+EOF
+
# Add user to group
cat $root/conf/httpd.groups | awk " BEGIN { found = 0 } /$group: / { printf \"%s %s\n\", \$0, \"$user\"; found = 1 } !/$group: / { printf \"%s\n\", \$0 } END { if (found == 0) printf \"%s: %s\n\", \"$group\", \"$user\" } " >$root/conf/.httpd.groups.tmp 2>/dev/null
cp $root/conf/.httpd.groups.tmp $root/conf/httpd.groups
@@ -35,7 +42,6 @@ if [ "$conf" = "" ]; then
# Generated by: group-auth-conf $1
# Allow group member access to root location
<Location />
-AuthGroupFile "$root/conf/httpd.groups"
Require group members
</Location>
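Review bot: Dropping `AuthGroupFile` from this Location makes `Require group members` depend on the `AuthGroupFile` that the new httpd-conf now writes into auth.conf's `<Location />`; a group-auth-conf run against a server tree generated by an older httpd-conf leaves the group check without a file. mod_authz_groupfile appears to deny in that case (fail closed, which is the safe direction), but it is worth a comment here, e.g. `# AuthGroupFile is set by httpd-conf in conf/auth.conf`, so the cross-script dependency is visible. The enclosing `if [ "$conf" = "" ]` block starts outside the hunk.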
diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf
index 5d4e9f5485..e7f191ba48 100755
--- a/sca-cpp/trunk/modules/http/httpd-conf
+++ b/sca-cpp/trunk/modules/http/httpd-conf
@@ -114,29 +114,9 @@ Require all denied
</Directory>
# Configure authentication
+Include conf/noauth.conf
Include conf/auth.conf
-
-# Allow access to public locations
-<Location /login>
-AuthType None
-Require all granted
-</Location>
-<Location /logout>
-AuthType None
-Require all granted
-</Location>
-<Location /public>
-AuthType None
-Require all granted
-</Location>
-<Location /favicon.ico>
-AuthType None
-Require all granted
-</Location>
-<Location /robots.txt>
-AuthType None
-Require all granted
-</Location>
+Include conf/pubauth.conf
# Configure output filters to enable compression and rate limiting
<Location />
@@ -165,21 +145,6 @@ RewriteRule .* http://$host$pportsuffix%{REQUEST_URI} [R]
</Location>
Include conf/svhost.conf
-
-# Allow access to document root
-<Directory "$htdocs">
-Options FollowSymLinks
-AuthType None
-Require all granted
-</Directory>
-
-# Allow access to root location
-<Location />
-Options FollowSymLinks
-AuthType None
-Require all granted
-</Location>
-
</VirtualHost>
EOF
@@ -245,6 +210,7 @@ LoadModule logio_module ${modules_prefix}/modules/mod_logio.so
LoadModule usertrack_module ${modules_prefix}/modules/mod_usertrack.so
LoadModule vhost_alias_module ${modules_prefix}/modules/mod_vhost_alias.so
LoadModule cgi_module ${modules_prefix}/modules/mod_cgi.so
+LoadModule actions_module ${modules_prefix}/modules/mod_actions.so
LoadModule unixd_module ${modules_prefix}/modules/mod_unixd.so
LoadModule session_module ${modules_prefix}/modules/mod_session.so
LoadModule session_crypto_module ${modules_prefix}/modules/mod_session_crypto.so
@@ -261,7 +227,7 @@ EOF
# Generate auth configuration
cat >$root/conf/auth.conf <<EOF
# Generated by: httpd-conf $*
-# Authentication configuration
+# Authentication and authorization configuration
# Allow authorized access to document root
<Directory "$htdocs">
@@ -273,13 +239,50 @@ Require all granted
<Location />
Options FollowSymLinks
AuthUserFile "$root/conf/httpd.passwd"
+AuthGroupFile "$root/conf/httpd.groups"
Require all granted
</Location>
-# Mark login page with a header
+EOF
+
+cat >$root/conf/pubauth.conf <<EOF
+# Generated by: httpd-conf $*
+# Allow everyone to access public locations
<Location /login>
+AuthType None
+Require all granted
+# Mark login page with a header
Header set X-Login open-auth
</Location>
+<Location /logout>
+AuthType None
+Require all granted
+</Location>
+<Location /public>
+AuthType None
+Require all granted
+</Location>
+<Location /favicon.ico>
+AuthType None
+Require all granted
+</Location>
+<Location /robots.txt>
+AuthType None
+Require all granted
+</Location>
+
+# Allow the server admin to view the server status and info
+<Location /server-status>
+SetHandler server-status
+HostnameLookups on
+Require user admin
+</Location>
+
+<Location /server-info>
+SetHandler server-info
+HostnameLookups on
+Require user admin
+</Location>
EOF
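Review bot: The `/server-status` and `/server-info` locations move out of the SSL-only vhost (see the deletion in the httpd-ssl-conf hunk) into pubauth.conf, which httpd-conf includes at server scope, so the `Require user admin` check for them can now be satisfied over the plain-HTTP vhost as well unless that vhost redirects everything to HTTPS; I cannot tell from this hunk whether it does. If exposing them on HTTP is not intended, keep the two sections in the SSL vhost or wrap them so they are only reachable when `%{HTTPS}` is on. Independently, the file header `# Allow everyone to access public locations` no longer describes the two admin-only sections below it; a second comment such as `# Status and info pages: authenticated admin only` before them would keep the generated file honest.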
@@ -292,6 +295,26 @@ cat >$root/conf/httpd.groups <<EOF
# Generated by: httpd-conf $*
EOF
+
+# Allow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: httpd-conf $*
+# Allow public access to server resources
+
+# Allow access to document root
+<Directory "$htdocs">
+AuthType None
+Require all granted
+</Directory>
+
+# Allow everyone to access root location
+<Location />
+AuthType None
+Require all granted
+</Location>
+
+EOF
+
# Generate vhost configuration
cat >$root/conf/vhost.conf <<EOF
# Generated by: httpd-conf $*
@@ -300,7 +323,7 @@ UseCanonicalName Off
# Enable HTTP reverse proxy
ProxyRequests Off
-ProxyPreserveHost Off
+ProxyPreserveHost On
ProxyStatus On
EOF
diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf
index dc3b71bcac..f397c2f7de 100755
--- a/sca-cpp/trunk/modules/http/httpd-ssl-conf
+++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf
@@ -72,19 +72,6 @@ RewriteRule .* https://$host$sslpportsuffix%{REQUEST_URI} [R]
</Location>
Include conf/svhost-ssl.conf
-
-# Allow the server admin to view the server status
-<Location /server-status>
-SetHandler server-status
-HostnameLookups on
-Require user admin
-</Location>
-
-<Location /server-info>
-SetHandler server-info
-HostnameLookups on
-Require user admin
-</Location>
</VirtualHost>
EOF
@@ -142,7 +129,7 @@ Include conf/log-ssl.conf
# Enable HTTPS reverse proxy
ProxyRequests Off
-ProxyPreserveHost Off
+ProxyPreserveHost On
ProxyStatus On
SSLProxyEngine on
SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
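Review bot: Turning `ProxyPreserveHost` on fits the new X-Forwarded-* handling, but the adjacent `SSLProxyCipherSuite` line, unchanged by this commit, still admits `+LOW`, `+EXP`, `+SSLv2` and `+eNULL` on the proxy-to-member TLS hop that this commit puts into service, and with eNULL permitted that hop can negotiate no encryption at all. Since this is now the path carrying OAuth session cookies to the members, tighten it while touching the block, e.g. `SSLProxyCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!SSLv2`, and consider `SSLProxyVerify require` against the CA the members' certificates chain to. Whether the members present certificates from the same CA is not visible in this hunk.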
diff --git a/sca-cpp/trunk/modules/http/httpd.hpp b/sca-cpp/trunk/modules/http/httpd.hpp
index 5f8b867c9b..06d53e28c2 100644
--- a/sca-cpp/trunk/modules/http/httpd.hpp
+++ b/sca-cpp/trunk/modules/http/httpd.hpp
@@ -79,6 +79,7 @@
#include "list.hpp"
#include "value.hpp"
#include "monad.hpp"
+#include "http.hpp"
namespace tuscany {
@@ -119,31 +120,6 @@ template<typename C> C& dirConf(const void* c) {
}
/**
- * Return the name of a server.
- */
-const string serverName(const server_rec* s, const string& def = "localhost") {
- ostringstream n;
- n << (s->server_scheme != NULL? s->server_scheme : "http") << "://"
- << (s->server_hostname != NULL? s->server_hostname : def) << ":"
- << (s->port != 0? s->port : 80)
- << (s->path != NULL? string(s->path, s->pathlen) : "");
- return str(n);
-}
-
-/**
- * Determine the name of a server from an HTTP request.
- */
-const string serverName(request_rec* r, const string& def = "localhost") {
- ostringstream n;
- const char* hn = ap_get_server_name(r);
- n << (r->server->server_scheme != NULL? r->server->server_scheme : "http") << "://"
- << (hn != NULL? hn : (r->server->server_hostname != NULL? r->server->server_hostname : def)) << ":"
- << (r->server->port != 0? r->server->port : 80)
- << (r->server->path != NULL? string(r->server->path, r->server->pathlen) : "");
- return str(n);
-}
-
-/**
* Return the host name for a server.
*/
const string hostName(const server_rec* s, const string& def = "localhost") {
@@ -154,15 +130,11 @@ const string hostName(const server_rec* s, const string& def = "localhost") {
* Return the host name from an HTTP request.
*/
const string hostName(request_rec* r, const string& def = "localhost") {
- const char* hn = ap_get_server_name(r);
- return hn != NULL? hn : (r->server->server_hostname != NULL? r->server->server_hostname : def);
-}
-
-/**
- * Return true if a request is targeting a virtual host.
- */
-const bool isVirtualHostRequest(const server_rec* s, request_rec* r) {
- return hostName(r) != hostName(s);
+ const char* fh = apr_table_get(r->headers_in, "X-Forwarded-Server");
+ if (fh != NULL)
+ return fh;
+ const char* h = ap_get_server_name(r);
+ return h != NULL? h : (r->server->server_hostname != NULL? r->server->server_hostname : def);
}
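Review bot: hostName(r) now prefers `X-Forwarded-Server` from `r->headers_in` without checking that the request actually came through the configured proxy, so a member that is also reachable directly (the nossl members are plain HTTP, see proxy-ssl-nossl-member-conf) lets any caller pick the host name used for the OAuth session cookie (both mod-oauth1 and mod-oauth2 access_token now call hostName(r) for Set-Cookie), for redirect targets via url(r->uri, r), and for virtual host selection in isVirtualHostRequest. The scheme and port hunks below have the same shape, and port() additionally hands the header straight to `atoi`, which accepts non-numeric and out-of-range text. Honour the three X-Forwarded-* headers only when the peer is a trusted proxy (for example a configured list of balancer-member addresses compared with the connection's client address) and otherwise fall back to ap_get_server_name/ap_get_server_port; for the port, accept only 1–65535. Note that the proxy side sets only X-Forwarded-HTTPS and X-Forwarded-Port explicitly (proxy-conf, proxy-ssl-conf) and relies on mod_proxy to add X-Forwarded-Server.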
/**
@@ -176,6 +148,9 @@ const string scheme(const server_rec* s, const string& def = "http") {
* Return the protocol scheme from an HTTP request.
*/
const string scheme(request_rec* r, const string& def = "http") {
+ const char* fs = apr_table_get(r->headers_in, "X-Forwarded-HTTPS");
+ if (fs != NULL)
+ return !strcmp(fs, "on")? "https" : "http";
return r->server->server_scheme != NULL? r->server->server_scheme : def;
}
@@ -190,7 +165,49 @@ const int port(const server_rec* s, const int def = 80) {
* Return the port number from an HTTP request.
*/
const int port(request_rec* r, const int def = 80) {
- return r->server->port != 0? r->server->port : def;
+ const char* fp = apr_table_get(r->headers_in, "X-Forwarded-Port");
+ if (fp != NULL)
+ return atoi(fp);
+ const int p = ap_get_server_port(r);
+ return p != 0? p : def;
+}
+
+/**
+ * Return the name of a server.
+ */
+const string serverName(const server_rec* s, const string& def = "localhost") {
+ ostringstream n;
+ const string sc = scheme(s);
+ const string h = hostName(s, def);
+ const int p = port(s, sc == "https"? 443 : 80);
+ n << sc << "://" << h;
+ if (!((sc == "http" && p == 80) || (sc == "https" && p == 443)))
+ n << ":" << p;
+ n << (s->path != NULL? string(s->path, s->pathlen) : "");
+ return str(n);
+}
+
+/**
+ * Determine the name of a server from an HTTP request.
+ */
+const string serverName(request_rec* r, const string& def = "localhost") {
+ ostringstream n;
+ const string s = scheme(r);
+ const string h = hostName(r, def);
+ const int p = port(r, s == "https"? 443 : 80);
+ n << s << "://" << h;
+ if (!((s == "http" && p == 80) || (s == "https" && p == 443)))
+ n << ":" << p;
+ n << (r->server->path != NULL? string(r->server->path, r->server->pathlen) : "");
+ return str(n);
+}
+
+/**
+ * Return true if a request is targeting a virtual host.
+ */
+const bool isVirtualHostRequest(const server_rec* s, const string& d, request_rec* r) {
+ const string rh = hostName(r);
+ return rh != hostName(s) && http::topDomain(rh) == d;
}
/**
@@ -223,18 +240,25 @@ const list<value> pathInfo(const list<value>& uri, const list<value>& path) {
}
/**
- * Convert a URI and a path to an absolute URL.
+ * Convert a URI to an absolute URL.
*/
-const string url(const string& uri, const list<value>& p, request_rec* r) {
- const string u = uri + path(p);
- return ap_construct_url(r->pool, c_str(u), r);
+const string url(const string& uri, request_rec* r) {
+ ostringstream n;
+ const string s = scheme(r);
+ const string h = hostName(r, "localhost");
+ const int p = port(r, s == "https"? 443 : 80);
+ n << s << "://" << h;
+ if (!((s == "http" && p == 80) || (s == "https" && p == 443)))
+ n << ":" << p;
+ n << uri;
+ return str(n);
}
/**
- * Convert a URI to an absolute URL.
+ * Convert a URI and a path to an absolute URL.
*/
-const string url(const string& uri, request_rec* r) {
- return ap_construct_url(r->pool, c_str(uri), r);
+const string url(const string& uri, const list<value>& p, request_rec* r) {
+ return url(uri + path(p), r);
}
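Review bot: The scheme/host/default-port formatting introduced here is now written out three times, in both serverName overloads above and in url(), including the identical `!((s == "http" && p == 80) || (s == "https" && p == 443))` test; the next change to how the authority is rendered has to be made in three places. A small helper that formats `scheme://host[:port]` lets each caller become a one-liner, and the two serverName overloads would use it the same way with `s->path` / `r->server->path` appended.

```cpp
/**
 * Format a scheme://host[:port] authority, omitting the scheme's default port.
 */
const string authority(const string& s, const string& h, const int p) {
    ostringstream n;
    n << s << "://" << h;
    if (!((s == "http" && p == 80) || (s == "https" && p == 443)))
        n << ":" << p;
    return str(n);
}

/**
 * Convert a URI to an absolute URL.
 */
const string url(const string& uri, request_rec* r) {
    const string s = scheme(r);
    return authority(s, hostName(r, "localhost"), port(r, s == "https"? 443 : 80)) + uri;
}
```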
/**
diff --git a/sca-cpp/trunk/modules/http/open-auth-conf b/sca-cpp/trunk/modules/http/open-auth-conf
index 66d36242e2..cb702596ef 100755
--- a/sca-cpp/trunk/modules/http/open-auth-conf
+++ b/sca-cpp/trunk/modules/http/open-auth-conf
@@ -27,6 +27,13 @@ host=`echo $conf | awk '{ print $6 }'`
pw=`cat $root/cert/ca.key | head -2 | tail -1`
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: open-auth-conf $*
+# Disallow public access to server resources
+
+EOF
+
# Generate form authentication configuration
cat >>$root/conf/auth.conf <<EOF
# Generated by: open-auth-conf $*
diff --git a/sca-cpp/trunk/modules/http/proxy-conf b/sca-cpp/trunk/modules/http/proxy-conf
index 9094996b4b..76e5b2f3dd 100755
--- a/sca-cpp/trunk/modules/http/proxy-conf
+++ b/sca-cpp/trunk/modules/http/proxy-conf
@@ -32,5 +32,10 @@ Require all granted
ProxySet lbmethod=byrequests
</Proxy>
+<Location />
+RequestHeader set X-Forwarded-HTTPS %{HTTPS}s
+RequestHeader set X-Forwarded-Port %{SERVER_PORT}s
+</Location>
+
EOF
diff --git a/sca-cpp/trunk/modules/http/proxy-member-conf b/sca-cpp/trunk/modules/http/proxy-member-conf
index 2e279e87c7..83c43df49f 100755
--- a/sca-cpp/trunk/modules/http/proxy-member-conf
+++ b/sca-cpp/trunk/modules/http/proxy-member-conf
@@ -24,12 +24,17 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
host=$2
port=`$here/httpd-addr port $3`
+if [ "$port" = "80" ]; then
+ portsuffix=""
+else
+ portsuffix=":$port"
+fi
cat >>$root/conf/vhost.conf <<EOF
# Generated by: proxy-member-conf $*
# Add proxy balancer member
-BalancerMember balancer://cluster http://$host:$port
-ProxyPassReverse / http://$host:$port/
+BalancerMember balancer://cluster http://$host$portsuffix
+ProxyPassReverse / http://$host$portsuffix/
EOF
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-conf b/sca-cpp/trunk/modules/http/proxy-ssl-conf
index 6897a0ff47..7e8003d283 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-conf
@@ -40,6 +40,11 @@ HostnameLookups on
Require user admin
</Location>
+<Location />
+RequestHeader set X-Forwarded-HTTPS %{HTTPS}s
+RequestHeader set X-Forwarded-Port %{SERVER_PORT}s
+</Location>
+
EOF
cat >>$root/conf/svhost-ssl.conf <<EOF
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
index 0ae98af482..cb42a1e9db 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
@@ -24,20 +24,17 @@ root=`echo "import os; print os.path.realpath('$1')" | python`
host=$2
sslport=`$here/httpd-addr port $3`
+if [ "$sslport" = "443" ]; then
+ sslportsuffix=""
+else
+ sslportsuffix=":$sslport"
+fi
-cat >>$root/conf/svhost-ssl.conf <<EOF
+cat >>$root/conf/vhost-ssl.conf <<EOF
# Generated by: proxy-ssl-member-conf $*
# Add proxy balancer member
-BalancerMember balancer://sslcluster https://$host:$sslport
-ProxyPassReverse / https://$host:$sslport/
-
-EOF
-
-cat >>$root/conf/dvhost-ssl.conf <<EOF
-# Generated by: proxy-ssl-member-conf $*
-# Add proxy balancer member
-BalancerMember balancer://sslcluster https://$host:$sslport
-ProxyPassReverse / https://$host:$sslport/
+BalancerMember balancer://sslcluster https://$host$sslportsuffix
+ProxyPassReverse / https://$host$sslportsuffix/
EOF
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-nossl-member-conf b/sca-cpp/trunk/modules/http/proxy-ssl-nossl-member-conf
new file mode 100755
index 0000000000..17b766d986
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-nossl-member-conf
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Add a proxy balancer member
+here=`echo "import os; print os.path.realpath('$0')" | python`; here=`dirname $here`
+mkdir -p $1
+root=`echo "import os; print os.path.realpath('$1')" | python`
+
+host=$2
+port=`$here/httpd-addr port $3`
+if [ "$port" = "80" ]; then
+ portsuffix=""
+else
+ portsuffix=":$port"
+fi
+
+cat >>$root/conf/vhost-ssl.conf <<EOF
+# Generated by: proxy-ssl-nossl-member-conf $*
+# Add proxy balancer member
+BalancerMember balancer://sslcluster http://$host$portsuffix
+ProxyPassReverse / http://$host$portsuffix/
+
+EOF
+
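Review bot: This script wires HTTPS-terminating proxies to `http://` members, so the OAuth session cookie set by access_token and any tokens exchanged through the proxy cross the proxy-to-member hop in clear text, and the members must not be reachable by clients directly (the httpd.hpp changes in this commit trust X-Forwarded-* headers from whoever connects). Neither constraint is stated anywhere; the header comment should say so, e.g. `# Members are plain HTTP: run them on a trusted network and firewall them from direct client access`. As in the sibling proxy-member-conf, `$1`, `$2` and `$3` are used unquoted and `cat >>` appends a new BalancerMember on every run, so re-running the script for the same member duplicates the entry.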
diff --git a/sca-cpp/trunk/modules/http/vhost-conf b/sca-cpp/trunk/modules/http/vhost-conf
index 150d57f115..2bcc158f48 100755
--- a/sca-cpp/trunk/modules/http/vhost-conf
+++ b/sca-cpp/trunk/modules/http/vhost-conf
@@ -47,14 +47,6 @@ ServerAlias *.$host
VirtualDocumentRoot $vroot/%1/$vhtdocs/
Include conf/dvhost.conf
-
-# Allow access to document root
-<Directory "$vroot">
-Options FollowSymLinks
-AuthType None
-Require all granted
-</Directory>
-
</VirtualHost>
EOF
diff --git a/sca-cpp/trunk/modules/http/vhost-ssl-conf b/sca-cpp/trunk/modules/http/vhost-ssl-conf
index 7ddbee08e0..28e9eefe76 100755
--- a/sca-cpp/trunk/modules/http/vhost-ssl-conf
+++ b/sca-cpp/trunk/modules/http/vhost-ssl-conf
@@ -52,13 +52,5 @@ ServerAlias *.$host
VirtualDocumentRoot $vroot/%1/$vhtdocs/
Include conf/dvhost-ssl.conf
-
-# Allow access to document root
-<Directory "$vroot">
-Options FollowSymLinks
-AuthType None
-Require all granted
-</Directory>
-
</VirtualHost>
diff --git a/sca-cpp/trunk/modules/oauth/mod-oauth1.cpp b/sca-cpp/trunk/modules/oauth/mod-oauth1.cpp
index 2381b16810..94e9698d70 100644
--- a/sca-cpp/trunk/modules/oauth/mod-oauth1.cpp
+++ b/sca-cpp/trunk/modules/oauth/mod-oauth1.cpp
@@ -376,8 +376,8 @@ const failable<int> access_token(const list<list<value> >& args, request_rec* r,
return mkfailure<int>(reason(prc));
// Send session ID to the client in a cookie
- debug(c_str(openauth::cookie(sid, httpd::hostName(sc.server))), "modoauth1::access_token::setcookie");
- apr_table_set(r->err_headers_out, "Set-Cookie", c_str(openauth::cookie(sid, httpd::hostName(sc.server))));
+ debug(c_str(openauth::cookie(sid, httpd::hostName(r))), "modoauth1::access_token::setcookie");
+ apr_table_set(r->err_headers_out, "Set-Cookie", c_str(openauth::cookie(sid, httpd::hostName(r))));
return httpd::externalRedirect(httpd::url(r->uri, r), r);
}
diff --git a/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp b/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp
index 3d567040ac..0c49be879e 100644
--- a/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp
+++ b/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp
@@ -231,8 +231,8 @@ const failable<int> access_token(const list<list<value> >& args, request_rec* r,
return mkfailure<int>(reason(prc));
// Send session ID to the client in a cookie
- debug(c_str(openauth::cookie(sid, httpd::hostName(sc.server))), "modoauth2::access_token::setcookie");
- apr_table_set(r->err_headers_out, "Set-Cookie", c_str(openauth::cookie(sid, httpd::hostName(sc.server))));
+ debug(c_str(openauth::cookie(sid, httpd::hostName(r))), "modoauth2::access_token::setcookie");
+ apr_table_set(r->err_headers_out, "Set-Cookie", c_str(openauth::cookie(sid, httpd::hostName(r))));
return httpd::externalRedirect(httpd::url(r->uri, r), r);
}
diff --git a/sca-cpp/trunk/modules/oauth/oauth-conf b/sca-cpp/trunk/modules/oauth/oauth-conf
index 21fc51cac8..23ec52b35f 100755
--- a/sca-cpp/trunk/modules/oauth/oauth-conf
+++ b/sca-cpp/trunk/modules/oauth/oauth-conf
@@ -41,12 +41,14 @@ LoadModule mod_tuscany_oauth2 $here/libmod_tuscany_oauth2$libsuffix
EOF
-cat >$root/cert/oauth-keys.conf <<EOF
-# Generated by: oauth-conf $*
-# OAuth App keys
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: oauth-auth-conf $*
+# Disallow public access to server resources
EOF
+# Configure OAuth authentication
cat >>$root/conf/auth.conf <<EOF
# Generated by: oauth-conf $*
# Enable OAuth authentication
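Review bot: The generated marker `# Generated by: oauth-auth-conf $*` names a script that does not exist; this file is oauth-conf, and the line right below in auth.conf uses the correct name. The sibling scripts look files up by this marker (basic-auth-conf greps `# Generated by: httpd-conf`), so a mismatched name would defeat any such lookup on noauth.conf; change it to `# Generated by: oauth-conf $*`. The openid-conf hunk has the same slip with `openid-auth-conf`. This noauth.conf heredoc is also the only one without the trailing blank line the other scripts emit, which is cosmetic but makes the generated files inconsistent.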
@@ -77,6 +79,13 @@ Include $root/cert/oauth-keys.conf
EOF
+mkdir -p $root/cert
+cat >$root/cert/oauth-keys.conf <<EOF
+# Generated by: oauth-conf $*
+# OAuth App keys
+
+EOF
+
if [ -d "$HOME/.oauth" ]; then
cat >>$root/conf/auth.conf <<EOF
# Configure OAuth App keys
diff --git a/sca-cpp/trunk/modules/openid/openid-conf b/sca-cpp/trunk/modules/openid/openid-conf
index c6e63c128d..c9e2d85586 100755
--- a/sca-cpp/trunk/modules/openid/openid-conf
+++ b/sca-cpp/trunk/modules/openid/openid-conf
@@ -26,6 +26,13 @@ conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
host=`echo $conf | awk '{ print $6 }'`
openid_prefix=`cat $here/openid.prefix`
+# Disallow public access to server resources
+cat >$root/conf/noauth.conf <<EOF
+# Generated by: openid-auth-conf $*
+# Disallow public access to server resources
+
+EOF
+
# Configure OpenID authentication
cat >>$root/conf/modules.conf <<EOF
# Generated by: openid-conf $*
@@ -55,9 +62,9 @@ AuthOpenIDAXAdd LASTNAME http://axschema.org/namePerson/last
EOF
-cat >>$root/conf/httpd.conf <<EOF
+cat >>$root/conf/pubauth.conf <<EOF
# Generated by: openid-conf $*
-# Allow access to /openid location
+# Allow public access to /openid location
<Location /openid>
AuthType None
Require all granted
diff --git a/sca-cpp/trunk/modules/openid/openid-step2-conf b/sca-cpp/trunk/modules/openid/openid-step2-conf
index 9a32da498e..e9144b873a 100755
--- a/sca-cpp/trunk/modules/openid/openid-step2-conf
+++ b/sca-cpp/trunk/modules/openid/openid-step2-conf
@@ -42,8 +42,8 @@ ForceType text/plain
EOF
-cat >>$root/conf/httpd.conf <<EOF
-# Generated by: openid-conf $*
+cat >>$root/conf/pubauth.conf <<EOF
+# Generated by: openid-step2-conf $*
# Allow access to /.well-known/host-meta location
<Location /.well-known/host-meta>
AuthType None
diff --git a/sca-cpp/trunk/modules/server/mod-eval.hpp b/sca-cpp/trunk/modules/server/mod-eval.hpp
index 4c305fccbf..31e850d18c 100644
--- a/sca-cpp/trunk/modules/server/mod-eval.hpp
+++ b/sca-cpp/trunk/modules/server/mod-eval.hpp
@@ -56,10 +56,10 @@ namespace modeval {
*/
class ServerConf {
public:
- ServerConf(apr_pool_t* p, server_rec* s) : p(p), server(s), contributionPath(""), compositeName(""), virtualHostContributionPath(""), virtualHostCompositeName(""), ca(""), cert(""), key("") {
+ ServerConf(apr_pool_t* p, server_rec* s) : p(p), server(s), contributionPath(""), compositeName(""), virtualHostDomain(""), virtualHostContributionPath(""), virtualHostCompositeName(""), ca(""), cert(""), key("") {
}
- ServerConf(apr_pool_t* p, const ServerConf& ssc, const string& name) : p(p), server(ssc.server), lifecycle(ssc.lifecycle), contributionPath(ssc.virtualHostContributionPath + name + "/"), compositeName(ssc.virtualHostCompositeName), virtualHostContributionPath(""), virtualHostCompositeName(""), ca(ssc.ca), cert(ssc.cert), key(ssc.key) {
+ ServerConf(apr_pool_t* p, const ServerConf& ssc, const string& name) : p(p), server(ssc.server), lifecycle(ssc.lifecycle), contributionPath(ssc.virtualHostContributionPath + name + "/"), compositeName(ssc.virtualHostCompositeName), virtualHostDomain(""), virtualHostContributionPath(""), virtualHostCompositeName(""), ca(ssc.ca), cert(ssc.cert), key(ssc.key) {
}
const gc_pool p;
@@ -67,6 +67,7 @@ public:
lambda<value(const list<value>&)> lifecycle;
string contributionPath;
string compositeName;
+ string virtualHostDomain;
string virtualHostContributionPath;
string virtualHostCompositeName;
string ca;
@@ -84,6 +85,13 @@ const bool hasCompositeConf(const ServerConf& sc) {
}
/**
+ * Return true if a server contains a virtual host domain configuration.
+ */
+const bool hasVirtualDomainConf(const ServerConf& sc) {
+ return sc.virtualHostDomain != "";
+}
+
+/**
* Return true if a server contains a virtual host composite configuration.
*/
const bool hasVirtualCompositeConf(const ServerConf& sc) {
@@ -812,7 +820,7 @@ const int handleRequest(const ServerConf& sc, const list<value>& rpath, request_
// Handle a request targeting a virtual host or virtual app
if (hasVirtualCompositeConf(sc)) {
- if (httpd::isVirtualHostRequest(sc.server, r)) {
+ if (hasVirtualDomainConf(sc) && httpd::isVirtualHostRequest(sc.server, sc.virtualHostDomain, r)) {
ServerConf vsc(r->pool, sc, http::subDomain(httpd::hostName(r)));
if (!hasContent(virtualHostConfig(vsc, sc, r)))
return HTTP_INTERNAL_SERVER_ERROR;
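Review bot: The virtual host name passed to `http::subDomain(httpd::hostName(r))` now originates from a request header (hostName(r) prefers X-Forwarded-Server after this commit) and ends up in a filesystem path through the ServerConf constructor above (`ssc.virtualHostContributionPath + name + "/"`); the new `topDomain(rh) == d` test in isVirtualHostRequest is the only guard between the header and the path. Whether subDomain can return a label containing `/`, `..` or other non-DNS characters is not visible here, so it is worth confirming and, if not already the case, rejecting any name that is not a plain DNS label before the path is built. The mod-wiring.cpp translateRequest hunk builds the same path the same way. handleRequest starts and ends outside this hunk.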
@@ -916,6 +924,7 @@ const int postConfigMerge(const ServerConf& mainsc, server_rec* s) {
sc.lifecycle = mainsc.lifecycle;
sc.contributionPath = mainsc.contributionPath;
sc.compositeName = mainsc.compositeName;
+ sc.virtualHostDomain = mainsc.virtualHostDomain;
sc.virtualHostContributionPath = mainsc.virtualHostContributionPath;
sc.virtualHostCompositeName = mainsc.virtualHostCompositeName;
if (sc.ca == "") sc.ca = mainsc.ca;
@@ -1026,6 +1035,12 @@ const char* confComposite(cmd_parms *cmd, unused void *c, const char *arg) {
sc.compositeName = arg;
return NULL;
}
+const char* confVirtualDomain(cmd_parms *cmd, unused void *c, const char *arg) {
+ gc_scoped_pool pool(cmd->pool);
+ ServerConf& sc = httpd::serverConf<ServerConf>(cmd, &mod_tuscany_eval);
+ sc.virtualHostDomain = arg;
+ return NULL;
+}
const char* confVirtualContribution(cmd_parms *cmd, unused void *c, const char *arg) {
gc_scoped_pool pool(cmd->pool);
ServerConf& sc = httpd::serverConf<ServerConf>(cmd, &mod_tuscany_eval);
@@ -1068,6 +1083,7 @@ const char* confEnv(unused cmd_parms *cmd, unused void *c, const char *name, con
const command_rec commands[] = {
AP_INIT_TAKE1("SCAContribution", (const char*(*)())confContribution, NULL, RSRC_CONF, "SCA contribution location"),
AP_INIT_TAKE1("SCAComposite", (const char*(*)())confComposite, NULL, RSRC_CONF, "SCA composite location"),
+ AP_INIT_TAKE1("SCAVirtualDomain", (const char*(*)())confVirtualDomain, NULL, RSRC_CONF, "SCA virtual host domain"),
AP_INIT_TAKE1("SCAVirtualContribution", (const char*(*)())confVirtualContribution, NULL, RSRC_CONF, "SCA virtual host contribution location"),
AP_INIT_TAKE1("SCAVirtualComposite", (const char*(*)())confVirtualComposite, NULL, RSRC_CONF, "SCA virtual composite location"),
AP_INIT_TAKE12("SCASetEnv", (const char*(*)())confEnv, NULL, OR_FILEINFO, "Environment variable name and optional value"),
diff --git a/sca-cpp/trunk/modules/server/mod-wiring.cpp b/sca-cpp/trunk/modules/server/mod-wiring.cpp
index 39e43c0420..c61e90a6a1 100644
--- a/sca-cpp/trunk/modules/server/mod-wiring.cpp
+++ b/sca-cpp/trunk/modules/server/mod-wiring.cpp
@@ -54,16 +54,17 @@ const bool useModProxy = true;
*/
class ServerConf {
public:
- ServerConf(apr_pool_t* p, server_rec* s) : p(p), server(s), contributionPath(""), compositeName(""), virtualHostContributionPath(""), virtualHostCompositeName("") {
+ ServerConf(apr_pool_t* p, server_rec* s) : p(p), server(s), contributionPath(""), compositeName(""), virtualHostDomain(""), virtualHostContributionPath(""), virtualHostCompositeName("") {
}
- ServerConf(apr_pool_t* p, const ServerConf& ssc, const string& name) : p(p), server(ssc.server), contributionPath(ssc.virtualHostContributionPath + name + "/"), compositeName(ssc.virtualHostCompositeName), virtualHostContributionPath(""), virtualHostCompositeName("") {
+ ServerConf(apr_pool_t* p, const ServerConf& ssc, const string& name) : p(p), server(ssc.server), contributionPath(ssc.virtualHostContributionPath + name + "/"), compositeName(ssc.virtualHostCompositeName), virtualHostDomain(""), virtualHostContributionPath(""), virtualHostCompositeName("") {
}
const gc_pool p;
server_rec* server;
string contributionPath;
string compositeName;
+ string virtualHostDomain;
string virtualHostContributionPath;
string virtualHostCompositeName;
list<value> references;
@@ -78,6 +79,13 @@ const bool hasCompositeConf(const ServerConf& sc) {
}
/**
+ * Return true if a server contains a virtual host domain configuration.
+ */
+const bool hasVirtualDomainConf(const ServerConf& sc) {
+ return sc.virtualHostDomain != "";
+}
+
+/**
* Return true if a server contains a virtual host composite configuration.
*/
const bool hasVirtualCompositeConf(const ServerConf& sc) {
@@ -304,8 +312,9 @@ const int translateRequest(const ServerConf& sc, request_rec *r, const list<valu
// If the request is targeting a virtual host, use the corresponding
// virtual host configuration
+ const bool vdc = hasVirtualDomainConf(sc);
const bool vcc = hasVirtualCompositeConf(sc);
- if (vcc && httpd::isVirtualHostRequest(sc.server, r)) {
+ if (vdc && vcc && httpd::isVirtualHostRequest(sc.server, sc.virtualHostDomain, r)) {
ServerConf vsc(r->pool, sc, http::subDomain(httpd::hostName(r)));
if (!hasContent(virtualHostConfig(vsc, sc, r)))
return HTTP_INTERNAL_SERVER_ERROR;
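Review bot: The `name` passed to the ServerConf constructor on the line above comes straight from the request's Host header (`http::subDomain(httpd::hostName(r))`) and the constructor turns it into a filesystem path (`ssc.virtualHostContributionPath + name + "/"`), so the new `vdc` gate only helps if `isVirtualHostRequest` with the configured domain also rejects labels that are not plain hostname characters. Neither `http::subDomain` nor the new `isVirtualHostRequest` overload is visible in this hunk, so I cannot tell whether a value containing `/`, `..` or an empty label can reach this point; if not already guaranteed there, add a check that `name` is non-empty and free of path separators and `..` before constructing `vsc`, and return HTTP_BAD_REQUEST or HTTP_NOT_FOUND otherwise. translateRequest's body continues outside the hunk.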
@@ -409,6 +418,7 @@ const int postConfigMerge(const ServerConf& mainsc, server_rec* s) {
ServerConf& sc = httpd::serverConf<ServerConf>(s, &mod_tuscany_wiring);
sc.contributionPath = mainsc.contributionPath;
sc.compositeName = mainsc.compositeName;
+ sc.virtualHostDomain = mainsc.virtualHostDomain;
sc.virtualHostContributionPath = mainsc.virtualHostContributionPath;
sc.virtualHostCompositeName = mainsc.virtualHostCompositeName;
sc.references = mainsc.references;
@@ -462,6 +472,12 @@ const char *confComposite(cmd_parms *cmd, unused void *c, const char *arg) {
sc.compositeName = arg;
return NULL;
}
+const char *confVirtualDomain(cmd_parms *cmd, unused void *c, const char *arg) {
+ gc_scoped_pool pool(cmd->pool);
+ ServerConf& sc = httpd::serverConf<ServerConf>(cmd, &mod_tuscany_wiring);
+ sc.virtualHostDomain = arg;
+ return NULL;
+}
const char *confVirtualContribution(cmd_parms *cmd, unused void *c, const char *arg) {
gc_scoped_pool pool(cmd->pool);
ServerConf& sc = httpd::serverConf<ServerConf>(cmd, &mod_tuscany_wiring);
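Review bot: confVirtualDomain stores `arg` verbatim, so the meaning of a leading dot, trailing dot or mixed case in `SCAVirtualDomain` is decided entirely by the `isVirtualHostRequest` overload in httpd.hpp, which is outside this hunk; a short comment would save the next reader a trip there, e.g. `// SCAVirtualDomain: parent domain used to recognise mass virtual host requests (matched against the request host name by httpd::isVirtualHostRequest)`. The same one-line comment would fit the sibling confVirtualContribution and confVirtualComposite handlers, which are equally undocumented. confVirtualContribution's body continues outside the hunk.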
@@ -481,6 +497,7 @@ const char *confVirtualComposite(cmd_parms *cmd, unused void *c, const char *arg
const command_rec commands[] = {
AP_INIT_TAKE1("SCAContribution", (const char*(*)())confContribution, NULL, RSRC_CONF, "SCA contribution location"),
AP_INIT_TAKE1("SCAComposite", (const char*(*)())confComposite, NULL, RSRC_CONF, "SCA composite location"),
+ AP_INIT_TAKE1("SCAVirtualDomain", (const char*(*)())confVirtualDomain, NULL, RSRC_CONF, "SCA virtual host domain"),
AP_INIT_TAKE1("SCAVirtualContribution", (const char*(*)())confVirtualContribution, NULL, RSRC_CONF, "SCA virtual host contribution location"),
AP_INIT_TAKE1("SCAVirtualComposite", (const char*(*)())confVirtualComposite, NULL, RSRC_CONF, "SCA virtual host composite location"),
{NULL, NULL, NULL, 0, NO_ARGS, NULL}
diff --git a/sca-cpp/trunk/modules/server/server-conf b/sca-cpp/trunk/modules/server/server-conf
index 5b3024abbc..47934f973e 100755
--- a/sca-cpp/trunk/modules/server/server-conf
+++ b/sca-cpp/trunk/modules/server/server-conf
@@ -54,6 +54,10 @@ Alias /scdl.js $jsprefix/htdocs/scdl.js
Alias /all.js $jsprefix/htdocs/all.js
Alias /all-min.js $jsprefix/htdocs/all-min.js
+EOF
+
+cat >>$root/conf/pubauth.conf <<EOF
+# Generated by: server-conf $*
<Location /component.js>
AuthType None
Require all granted
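Review bot: The redirection on the added `cat >>$root/conf/pubauth.conf <<EOF` line is unquoted; `cat >>"$root/conf/pubauth.conf" <<EOF` keeps it safe for a `$root` containing spaces. Because the block is appended with `>>`, running server-conf twice against the same root emits the `<Location /component.js>` / `Require all granted` exemption twice; that appears to match how the other fragments in this script are generated, but since this file now carries an authentication exemption on its own, it is worth confirming that whatever Includes pubauth.conf does so exactly once. The here-document closed by the first added `EOF` starts outside the hunk.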
diff --git a/sca-cpp/trunk/samples/store-cluster/server-conf b/sca-cpp/trunk/samples/store-cluster/server-conf
index f65ba37d3a..5113bc36f4 100755
--- a/sca-cpp/trunk/samples/store-cluster/server-conf
+++ b/sca-cpp/trunk/samples/store-cluster/server-conf
@@ -34,6 +34,7 @@ SCAContribution `pwd`/shared/
SCAComposite shared.composite
# Configure SCA Composite for mass dynamic virtual hosting
+SCAVirtualDomain sca-store.com
SCAVirtualContribution `pwd`/domains/
SCAVirtualComposite store.composite
diff --git a/sca-cpp/trunk/samples/store-cluster/server-ssl-conf b/sca-cpp/trunk/samples/store-cluster/server-ssl-conf
index 83628bbacd..a7813b2a01 100755
--- a/sca-cpp/trunk/samples/store-cluster/server-ssl-conf
+++ b/sca-cpp/trunk/samples/store-cluster/server-ssl-conf
@@ -52,6 +52,7 @@ SCAContribution `pwd`/shared/
SCAComposite shared.composite
# Configure SCA Composite for mass dynamic virtual hosting
+SCAVirtualDomain sca-store.com
SCAVirtualContribution `pwd`/domains/
SCAVirtualComposite store.composite
diff --git a/sca-cpp/trunk/samples/store-vhost/ssl-start b/sca-cpp/trunk/samples/store-vhost/ssl-start
index 3a6bb82bd8..a556d48dfc 100755
--- a/sca-cpp/trunk/samples/store-vhost/ssl-start
+++ b/sca-cpp/trunk/samples/store-vhost/ssl-start
@@ -38,6 +38,7 @@ SCAContribution `pwd`/shared/
SCAComposite shared.composite
# Configure SCA Composite for mass dynamic virtual Hosting
+SCAVirtualDomain sca-store.com
SCAVirtualContribution `pwd`/domains/
SCAVirtualComposite store.composite
diff --git a/sca-cpp/trunk/samples/store-vhost/start b/sca-cpp/trunk/samples/store-vhost/start
index 38661e711c..ee6f613bad 100755
--- a/sca-cpp/trunk/samples/store-vhost/start
+++ b/sca-cpp/trunk/samples/store-vhost/start
@@ -28,6 +28,7 @@ SCAContribution `pwd`/shared/
SCAComposite shared.composite
# Configure SCA Composite for mass dynamic virtual hosting
+SCAVirtualDomain sca-store.com
SCAVirtualContribution `pwd`/domains/
SCAVirtualComposite store.composite
diff --git a/sca-cpp/trunk/samples/store-vhost/uec2-start b/sca-cpp/trunk/samples/store-vhost/uec2-start
index f7208b7403..70de35efa1 100755
--- a/sca-cpp/trunk/samples/store-vhost/uec2-start
+++ b/sca-cpp/trunk/samples/store-vhost/uec2-start
@@ -41,6 +41,7 @@ sudo ../../ubuntu/ip-redirect-all 443 8453
../../modules/python/python-conf tmp
cat >>tmp/conf/httpd.conf <<EOF
# Configure SCA Composite for mass dynamic virtual Hosting
+SCAVirtualDomain $host
SCAVirtualContribution `pwd`/domains/
SCAVirtualComposite store.composite