Diffstat (limited to 'sandbox/sebastien/cpp/apr-2/modules/http/httpd-ssl-conf')
-rwxr-xr-xsandbox/sebastien/cpp/apr-2/modules/http/httpd-ssl-conf163
1 files changed, 163 insertions, 0 deletions
diff --git a/sandbox/sebastien/cpp/apr-2/modules/http/httpd-ssl-conf b/sandbox/sebastien/cpp/apr-2/modules/http/httpd-ssl-conf
new file mode 100755
index 0000000000..5882a18cb4
--- /dev/null
+++ b/sandbox/sebastien/cpp/apr-2/modules/http/httpd-ssl-conf
@@ -0,0 +1,163 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Generate a minimal HTTPD SSL configuration
+here=`readlink -f $0`; here=`dirname $here`
+mkdir -p $1
+root=`readlink -f $1`
+
+conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
+host=`echo $conf | awk '{ print $6 }'`
+gport=`echo $conf | awk '{ print $7 }'`
+port=`$here/httpd-addr port $gport`
+pport=`$here/httpd-addr pport $gport`
+
+sslpport=`$here/httpd-addr pport $2`
+sslport=`$here/httpd-addr listen $2`
+sslvhost=`$here/httpd-addr vhost $2`
+
+htdocs=`echo $conf | awk '{ print $8 }'`
+mkdir -p $htdocs
+htdocs=`readlink -f $htdocs`
+
+# Extract organization name from our CA certificate
+org=`openssl x509 -noout -subject -nameopt multiline -in $root/cert/ca.crt | grep organizationName | awk -F "= " '{ print $2 }'`
+
+# Generate HTTPD configuration
+cat >>$root/conf/httpd.conf <<EOF
+# Generated by: httpd-ssl-conf $*
+
+# Configure SSL support
+AddType application/x-x509-ca-cert .crt
+AddType application/x-pkcs7-crl .crl
+SSLPassPhraseDialog builtin
+SSLSessionCache "shmcb:$root/logs/ssl_scache(512000)"
+SSLSessionCacheTimeout 300
+Mutex "file:$root/logs" ssl-cache
+SSLRandomSeed startup builtin
+SSLRandomSeed connect builtin
+
+# Listen on HTTPS port
+Listen $sslport
+
+# HTTPS virtual host
+<VirtualHost $sslvhost>
+ServerName https://$host:$sslpport
+
+Include conf/svhost-ssl.conf
+
+# Allow the server admin to view the server status
+<Location /server-status>
+SetHandler server-status
+HostnameLookups on
+Require user admin
+</Location>
+
+</VirtualHost>
+
+EOF
+
+# Generate HTTP vhost configuration
+cat >>$root/conf/svhost.conf <<EOF
+# Generated by: httpd-ssl-conf $*
+# Redirect HTTP traffic to HTTPS
+<Location />
+RewriteEngine on
+RewriteCond %{SERVER_PORT} ^$port$ [OR]
+RewriteCond %{SERVER_PORT} ^$pport$
+RewriteRule .* https://$host:$sslpport%{REQUEST_URI} [R,L]
+</Location>
+
+EOF
+
+cat >>$root/conf/dvhost.conf <<EOF
+# Generated by: httpd-ssl-conf $*
+# Redirect HTTP traffic to HTTPS
+<Location />
+RewriteEngine on
+RewriteCond %{SERVER_PORT} ^$port$ [OR]
+RewriteCond %{SERVER_PORT} ^$pport$
+RewriteRule .* https://%{SERVER_NAME}:$sslpport%{REQUEST_URI} [R,L]
+</Location>
+
+EOF
+
+# Generate HTTPS vhost configuration
+cat >$root/conf/vhost-ssl.conf <<EOF
+# Generated by: httpd-ssl-conf $*
+# Virtual host configuration
+UseCanonicalName Off
+
+# Enable SSL
+SSLEngine on
+SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
+SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth
+
+# Require clients to use SSL and authenticate
+<Location />
+SSLRequireSSL
+SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
+</Location>
+
+# Log SSL requests
+# [timestamp] [sslaccess] remote-host remote-ident remote-user SSL-protocol
+# SSL-cipher "request-line" status response-size "referrer" "user-agent"
+# "SSL-client-I-DN" "SSL-client-S-DN" "user-track" local-IP virtual-host
+# response-time bytes-received bytes-sent
+LogFormat "[%{%a %b %d %H:%M:%S %Y}t] [sslaccess] %h %l %u %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" \"%{SSL_CLIENT_I_DN}x\" \"%{SSL_CLIENT_S_DN}x\" \"%{cookie}n\" %A %V %D %I %O" sslcombined
+CustomLog $root/logs/ssl_access_log sslcombined
+
+EOF
+
+proxycert="server"
+if [ "$proxyconf" != "" ]; then
+ proxycert="proxy"
+fi
+
+cat >$root/conf/svhost-ssl.conf <<EOF
+# Generated by: httpd-ssl-conf $*
+# Static virtual host configuration
+Include conf/vhost-ssl.conf
+
+# Declare SSL certificates used in this virtual host
+SSLCACertificateFile "$root/cert/ca.crt"
+SSLCertificateChainFile "$root/cert/ca.crt"
+SSLCertificateFile "$root/cert/server.crt"
+SSLCertificateKeyFile "$root/cert/server.key"
+
+EOF
+
+cat >$root/conf/dvhost-ssl.conf <<EOF
+# Mass dynamic virtual host configuration
+# Generated by: httpd-ssl-conf $*
+Include conf/vhost-ssl.conf
+
+# Declare wildcard SSL certificates used in this virtual host
+SSLCACertificateFile "$root/cert/ca.crt"
+SSLCertificateChainFile "$root/cert/ca.crt"
+SSLCertificateFile "$root/cert/vhost.crt"
+SSLCertificateKeyFile "$root/cert/vhost.key"
+
+# Declare proxy SSL client certificates
+SSLProxyCACertificateFile "$root/cert/ca.crt"
+SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem"
+
+EOF
+
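Review bot: The `SSLCipherSuite` line written into the generated vhost-ssl.conf explicitly re-enables `+LOW:+SSLv2:+EXP:+eNULL`, so the server will offer export-grade, SSLv2-era and null-encryption suites to any client that prefers them; the `SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128` under `<Location />` only rejects such a connection per request, after the handshake has already completed with the weak cipher. It is simpler and safer not to negotiate them at all, e.g. `SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!LOW:!SSLv2` together with `SSLProtocol all -SSLv2` since this file is generated fresh. Separately, `$proxyconf` on the `if` line before the svhost-ssl.conf heredoc is never assigned anywhere in this script, so the choice between `server.pem` and `proxy.pem` for `SSLProxyMachineCertificateFile` silently depends on an inherited environment variable; a comment such as `# proxyconf: set in the caller's environment to select the proxy client certificate` (or an explicit `proxyconf=${proxyconf:-}`) would make that contract visible. The script also never checks that `$1` and `$2` were supplied and leaves every expansion unquoted, so a missing or space-containing argument makes `mkdir -p $1` fail or mis-split and the later `readlink`/`cat`/heredocs operate on an empty or wrong path.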