Diffstat (limited to 'sca-cpp/trunk/modules/http/httpd-ssl-conf')
-rwxr-xr-x | sca-cpp/trunk/modules/http/httpd-ssl-conf | 107 |
1 files changed, 7 insertions, 100 deletions
diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf
index 94352ca344..0a73809fa5 100755
--- a/sca-cpp/trunk/modules/http/httpd-ssl-conf
+++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf
@@ -29,7 +29,7 @@ port=`$here/httpd-addr port $gport`
 pport=`$here/httpd-addr pport $gport`
 sslpport=`$here/httpd-addr pport $2`
-ssllisten=`$here/httpd-addr listen $2`
+sslport=`$here/httpd-addr listen $2`
 sslvhost=`$here/httpd-addr vhost $2`
 htdocs=`echo $conf | awk '{ print $8 }'`
@@ -56,7 +56,7 @@ SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 # Listen on HTTPS port
-Listen $ssllisten
+Listen $sslport
 # HTTPS virtual host
 <VirtualHost $sslvhost>
@@ -73,9 +73,6 @@ Require user admin
 </VirtualHost>
-# Report extended server status
-ExtendedStatus On
-
 EOF
 # Generate HTTP vhost configuration
@@ -115,17 +112,11 @@ SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth
-# Verify client certificates
-SSLVerifyClient optional
-SSLVerifyDepth 1
-
-# Enable SSL proxy engine
-SSLProxyEngine on
-SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-
-# Verify server certificates
-SSLProxyVerify require
-SSLProxyVerifyDepth 1
+# Require clients to use SSL and authenticate
+<Location />
+SSLRequireSSL
+SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
+</Location>
 # Log SSL requests
 # [timestamp] [sslaccess] remote-host remote-ident remote-user SSL-protocol
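Review bot: The new `SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128` inside `<Location />` is evaluated per request after the TLS handshake has already completed, while the `SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` context line at the top of this hunk still offers LOW, EXP, eNULL and SSLv2 suites, so a weak suite can be negotiated and the request is only refused with a 403 afterwards. The stronger fix is to stop offering those suites at the handshake, e.g. `SSLCipherSuite ALL:!ADH:!aNULL:!eNULL:!EXPORT:!LOW:!SSLv2`, and keep the SSLRequire as defence in depth. The same hunk drops `SSLVerifyClient optional` but keeps `SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth`; FakeBasicAuth maps the client certificate subject DN to a basic-auth user, which mod_ssl only has when client verification is enabled, so `+FakeBasicAuth` appears to be dead now (the later hunk removing the `httpd.passwd` DN entry suggests that is intended) and should be removed with it, or a comment should say why it stays. With that, `Require user admin` in the earlier hunk is satisfied only by whatever AuthUserFile the rest of the script configures, which is outside this diff and worth confirming still exists.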
@@ -137,81 +128,6 @@ CustomLog $root/logs/ssl_access_log sslcombined
 EOF
-# Generate HTTPS authentication requirement
-cat >>$root/conf/vhost-ssl.conf <<EOF
-<Location />
-# Require clients to use SSL and authenticate
-SSLRequireSSL
-SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
-
-EOF
-
-proxyconf=`cat $root/conf/vhost.conf | grep "# Generated by: proxy-conf"`
-if [ "$proxyconf" != "" ]; then
- cat >>$root/conf/vhost-ssl.conf <<EOF
-# Forward received SSL client certificate info in proxied requests
-RewriteEngine on
-RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}]
-RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}]
-RewriteCond %{SSL:SSL_CLIENT_I_DN} !=""
-RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}]
-RewriteCond %{SSL:SSL_CLIENT_S_DN} !=""
-RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}]
-RewriteCond %{SSL:SSL_CLIENT_I_DN_O} !=""
-RewriteRule .* - [E=SSL_I_DN_O:%{SSL:SSL_CLIENT_I_DN_O}]
-RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} !=""
-RewriteRule .* - [E=SSL_S_DN_OU:%{SSL:SSL_CLIENT_S_DN_OU}]
-RequestHeader unset X-Forwarded-SSL-Protocol
-RequestHeader unset X-Forwarded-SSL-Cipher
-RequestHeader unset X-Forwarded-SSL-Issuer-DN
-RequestHeader unset X-Forwarded-SSL-Client-DN
-RequestHeader unset X-Forwarded-SSL-Issuer-DN-O
-RequestHeader unset X-Forwarded-SSL-Client-DN-OU
-RequestHeader set X-Forwarded-SSL-Protocol %{SSL_PROTOCOL}e env=SSL_PROTOCOL
-RequestHeader set X-Forwarded-SSL-Cipher %{SSL_CIPHER}e env=SSL_CIPHER
-RequestHeader set X-Forwarded-SSL-Issuer-DN %{SSL_I_DN}e env=SSL_I_DN
-RequestHeader set X-Forwarded-SSL-Client-DN %{SSL_S_DN}e env=SSL_S_DN
-RequestHeader set X-Forwarded-SSL-Issuer-DN-O %{SSL_I_DN_O}e env=SSL_I_DN_O
-RequestHeader set X-Forwarded-SSL-Client-DN-OU %{SSL_S_DN_OU}e env=SSL_S_DN_OU
-
-EOF
-else
- cat >>$root/conf/vhost-ssl.conf <<EOF
-
-# Record received SSL client certificate info in environment vars
-RewriteEngine on
-RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}]
-RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}]
-RewriteCond %{SSL:SSL_CLIENT_I_DN} !=""
-RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}]
-RewriteCond %{SSL:SSL_CLIENT_S_DN} !=""
-RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}]
-
-# Store the client certificate DN in the SSL_REMOTE_USER var,
-# that's similar to the SSLUserName directive but more flexible as
-# it can pick a client certificate DN forwarded by a proxy
-RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org"
-RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "server"
-RewriteRule .* - [E=SSL_REMOTE_USER:%{SSL:SSL_CLIENT_S_DN}]
-
-RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org"
-RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "tunnel"
-RewriteRule .* - [E=SSL_REMOTE_USER:%{SSL:SSL_CLIENT_S_DN}]
-
-RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org"
-RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "proxy"
-RewriteCond %{HTTP:X-Forwarded-SSL-Issuer-DN-O} "$org"
-RewriteCond %{HTTP:X-Forwarded-SSL-Client-DN-OU} "server"
-RewriteRule .* - [E=SSL_REMOTE_USER:%{HTTP:X-Forwarded-SSL-Client-DN}]
-
-EOF
-fi
-
-cat >>$root/conf/vhost-ssl.conf <<EOF
-</Location>
-
-EOF
-
 proxycert="server"
 if [ "$proxyconf" != "" ]; then
 proxycert="proxy"
@@ -228,10 +144,6 @@ SSLCertificateChainFile "$root/cert/ca.crt"
 SSLCertificateFile "$root/cert/server.crt"
 SSLCertificateKeyFile "$root/cert/server.key"
-# Declare proxy SSL client certificates
-SSLProxyCACertificateFile "$root/cert/ca.crt"
-SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem"
-
 EOF
 cat >$root/conf/dvhost-ssl.conf <<EOF
@@ -251,8 +163,3 @@ SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem"
 EOF
-# Configure user for HTTP fake basic auth
-cat >$root/conf/httpd.passwd <<EOF
-/C=US/ST=CA/L=San Francisco/O=$host/OU=server/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
-EOF
-
|