summaryrefslogtreecommitdiffstats
path: root/sca-cpp/trunk/modules/http
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--sca-cpp/trunk/modules/http/Makefile.am13
-rwxr-xr-xsca-cpp/trunk/modules/http/basic-auth-conf (renamed from sca-cpp/trunk/modules/http/httpd-auth-conf)10
-rwxr-xr-xsca-cpp/trunk/modules/http/form-auth-conf64
-rw-r--r--sca-cpp/trunk/modules/http/htdocs/login/index.html39
-rw-r--r--sca-cpp/trunk/modules/http/htdocs/logout/index.html33
-rw-r--r--sca-cpp/trunk/modules/http/http.hpp9
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-conf90
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-ssl-conf32
-rw-r--r--sca-cpp/trunk/modules/http/httpd.hpp29
-rw-r--r--sca-cpp/trunk/modules/http/mod-openauth.cpp325
-rwxr-xr-xsca-cpp/trunk/modules/http/open-auth-conf66
-rw-r--r--sca-cpp/trunk/modules/http/openauth.hpp (renamed from sca-cpp/trunk/modules/oauth/oauth.hpp)36
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-conf3
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-ssl-conf5
14 files changed, 666 insertions, 88 deletions
diff --git a/sca-cpp/trunk/modules/http/Makefile.am b/sca-cpp/trunk/modules/http/Makefile.am
index 209c7358b7..08d7e1b49a 100644
--- a/sca-cpp/trunk/modules/http/Makefile.am
+++ b/sca-cpp/trunk/modules/http/Makefile.am
@@ -20,7 +20,7 @@ INCLUDES = -I${HTTPD_INCLUDE}
incl_HEADERS = *.hpp
incldir = $(prefix)/include/modules/http
-dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf httpd-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf
+dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf form-auth-conf open-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf
moddir=$(prefix)/modules/http
curl_test_SOURCES = curl-test.cpp
@@ -32,18 +32,23 @@ curl_get_LDFLAGS = -lxml2 -lcurl -lmozjs
curl_connect_SOURCES = curl-connect.cpp
curl_connect_LDFLAGS = -lxml2 -lcurl -lmozjs
-mod_LTLIBRARIES = libmod_tuscany_ssltunnel.la
-noinst_DATA = libmod_tuscany_ssltunnel.so
+mod_LTLIBRARIES = libmod_tuscany_ssltunnel.la libmod_tuscany_openauth.la
+noinst_DATA = libmod_tuscany_ssltunnel.so libmod_tuscany_openauth.so
libmod_tuscany_ssltunnel_la_SOURCES = mod-ssltunnel.cpp
libmod_tuscany_ssltunnel_la_LDFLAGS = -lxml2 -lcurl -lmozjs
libmod_tuscany_ssltunnel.so:
ln -s .libs/libmod_tuscany_ssltunnel.so
+libmod_tuscany_openauth_la_SOURCES = mod-openauth.cpp
+libmod_tuscany_openauth_la_LDFLAGS = -lxml2 -lcurl -lmozjs
+libmod_tuscany_openauth.so:
+ ln -s .libs/libmod_tuscany_openauth.so
+
mod_DATA = httpd.prefix httpd-apachectl.prefix httpd-modules.prefix curl.prefix
nobase_dist_mod_DATA = conf/*
-EXTRA_DIST = htdocs/index.html
+EXTRA_DIST = htdocs/index.html htdocs/login/index.html htdocs/logout/index.html
httpd.prefix: $(top_builddir)/config.status
echo ${HTTPD_PREFIX} >httpd.prefix
diff --git a/sca-cpp/trunk/modules/http/httpd-auth-conf b/sca-cpp/trunk/modules/http/basic-auth-conf
index be117c008f..74f4a61959 100755
--- a/sca-cpp/trunk/modules/http/httpd-auth-conf
+++ b/sca-cpp/trunk/modules/http/basic-auth-conf
@@ -17,7 +17,7 @@
# specific language governing permissions and limitations
# under the License.
-# Generate a minimal HTTPD SSL configuration
+# Generate a minimal HTTPD basic authentication configuration
here=`readlink -f $0`; here=`dirname $here`
mkdir -p $1
root=`readlink -f $1`
@@ -28,13 +28,14 @@ host=`echo $conf | awk '{ print $6 }'`
httpd_prefix=`cat $here/httpd.prefix`
# Generate basic authentication configuration
-cat >>$root/conf/vhost-ssl.conf <<EOF
-# Generated by: httpd-auth-conf $*
+cat >>$root/conf/auth.conf <<EOF
+# Generated by: basic-auth-conf $*
# Require clients to present a userid + password for HTTP
# basic authentication
<Location />
AuthType Basic
AuthName "$host"
+AuthBasicProvider file
AuthUserFile "$root/conf/httpd.passwd"
Require valid-user
</Location>
@@ -42,7 +43,8 @@ Require valid-user
EOF
# Create test users
-$httpd_prefix/bin/htpasswd -bc $root/conf/httpd.passwd test test 2>/dev/null
+touch $root/conf/httpd.passwd
+$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd test test 2>/dev/null
$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd admin admin 2>/dev/null
$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd foo foo 2>/dev/null
$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd bar bar 2>/dev/null
diff --git a/sca-cpp/trunk/modules/http/form-auth-conf b/sca-cpp/trunk/modules/http/form-auth-conf
new file mode 100755
index 0000000000..a58a800058
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/form-auth-conf
@@ -0,0 +1,64 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Generate a minimal HTTPD form authentication configuration
+here=`readlink -f $0`; here=`dirname $here`
+mkdir -p $1
+root=`readlink -f $1`
+
+conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
+host=`echo $conf | awk '{ print $6 }'`
+
+httpd_prefix=`cat $here/httpd.prefix`
+
+# Generate form authentication configuration
+cat >>$root/conf/auth.conf <<EOF
+# Generated by: form-auth-conf $*
+# Require clients to present a userid + password through form-based
+# authentication
+<Location />
+AuthType Form
+AuthName "$host"
+AuthFormProvider file
+AuthUserFile "$root/conf/httpd.passwd"
+AuthFormLoginRequiredLocation /login
+AuthFormLogoutLocation /
+Session On
+SessionCookieName TuscanyFormAuth path=/;secure=TRUE
+#SessionCryptoPassphrase secret
+Require valid-user
+</Location>
+
+<Location /login/dologin>
+SetHandler form-login-handler
+</Location>
+
+<Location /logout/dologout>
+SetHandler form-logout-handler
+</Location>
+
+EOF
+
+# Create test users
+touch $root/conf/httpd.passwd
+$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd test test 2>/dev/null
+$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd admin admin 2>/dev/null
+$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd foo foo 2>/dev/null
+$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd bar bar 2>/dev/null
+
diff --git a/sca-cpp/trunk/modules/http/htdocs/login/index.html b/sca-cpp/trunk/modules/http/htdocs/login/index.html
new file mode 100644
index 0000000000..f3542f1524
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/htdocs/login/index.html
@@ -0,0 +1,39 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+<html><body><h1>Sign in</h1>
+
+<script type="text/javascript">
+function submitFormSignin() {
+ document.formSignin.httpd_location.value = '/';
+ document.formSignin.submit();
+}
+</script>
+
+<form name="formSignin" method="POST" action="/login/dologin">
+<table border="0">
+<tr><td>Username:</td><td><input type="text" name="httpd_username" value=""/></td></tr>
+<tr><td>Password:</td><td><input type="password" name="httpd_password" value=""/></td></tr>
+<tr><td><input type="button" onclick="submitFormSignin()" value="Sign in"/></td><td></td></tr>
+</table>
+<input type="hidden" name="httpd_location" value="/"/>
+</form>
+
+</body>
+</html>
diff --git a/sca-cpp/trunk/modules/http/htdocs/logout/index.html b/sca-cpp/trunk/modules/http/htdocs/logout/index.html
new file mode 100644
index 0000000000..1ac6e39a1c
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/htdocs/logout/index.html
@@ -0,0 +1,33 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+<html><body>
+<h1>Sign out</h1>
+
+<form name="signout" action="/login" method="GET">
+<script type="text/javascript">
+function submitSignout() {
+ document.cookie = 'TuscanyFormAuth=;expires=' + new Date(1970,01,01).toGMTString() + ';path=/;secure=TRUE';
+ document.signout.submit();
+ return true;
+}
+</script>
+<input type="button" onclick="submitSignout()" value="Sign out"/>
+</form>
+</body></html>
diff --git a/sca-cpp/trunk/modules/http/http.hpp b/sca-cpp/trunk/modules/http/http.hpp
index db860aeee2..56331d7ee2 100644
--- a/sca-cpp/trunk/modules/http/http.hpp
+++ b/sca-cpp/trunk/modules/http/http.hpp
@@ -159,19 +159,19 @@ const failable<CURL*> setup(const string& url, const CURLSession& cs) {
// Setup SSL options
if (cs.ca != "") {
- debug(cs.ca, "http::apply::ca");
+ debug(cs.ca, "http::setup::ca");
curl_easy_setopt(ch, CURLOPT_CAINFO, c_str(cs.ca));
curl_easy_setopt(ch, CURLOPT_SSL_VERIFYPEER, true);
curl_easy_setopt(ch, CURLOPT_SSL_VERIFYHOST, 2);
} else
curl_easy_setopt(ch, CURLOPT_SSL_VERIFYPEER, false);
if (cs.cert != "") {
- debug(cs.cert, "http::apply::cert");
+ debug(cs.cert, "http::setup::cert");
curl_easy_setopt(ch, CURLOPT_SSLCERT, c_str(cs.cert));
curl_easy_setopt(ch, CURLOPT_SSLCERTTYPE, "PEM");
}
if (cs.key != "") {
- debug(cs.key, "http::apply::key");
+ debug(cs.key, "http::setup::key");
curl_easy_setopt(ch, CURLOPT_SSLKEY, c_str(cs.key));
curl_easy_setopt(ch, CURLOPT_SSLKEYTYPE, "PEM");
}
@@ -238,6 +238,8 @@ curl_slist* headers(curl_slist* cl, const list<string>& h) {
}
template<typename R> const failable<list<R> > apply(const list<list<string> >& hdr, const lambda<R(const string&, const R)>& reduce, const R& initial, const string& url, const string& verb, const CURLSession& cs) {
+ debug(url, "http::apply::url");
+ debug(verb, "http::apply::verb");
// Setup the CURL session
const failable<CURL*> fch = setup(url, cs);
@@ -523,6 +525,7 @@ apr_pollfd_t* pollfd(apr_socket_t* s, const int e, const gc_pool& p) {
* Connect to a URL.
*/
const failable<bool> connect(const string& url, CURLSession& cs) {
+ debug(url, "http::connect::url");
// Setup the CURL session
const failable<CURL*> fch = setup(url, cs);
diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf
index 8a6928d823..79a85c0961 100755
--- a/sca-cpp/trunk/modules/http/httpd-conf
+++ b/sca-cpp/trunk/modules/http/httpd-conf
@@ -52,19 +52,25 @@ PidFile $root/logs/httpd.pid
# after mod_rewrite's hooks)
LoadModule alias_module ${modules_prefix}/modules/mod_alias.so
LoadModule authn_file_module ${modules_prefix}/modules/mod_authn_file.so
-LoadModule authn_default_module ${modules_prefix}/modules/mod_authn_default.so
+LoadModule authn_core_module ${modules_prefix}/modules/mod_authn_core.so
LoadModule authz_host_module ${modules_prefix}/modules/mod_authz_host.so
LoadModule authz_groupfile_module ${modules_prefix}/modules/mod_authz_groupfile.so
LoadModule authz_user_module ${modules_prefix}/modules/mod_authz_user.so
-LoadModule authz_default_module ${modules_prefix}/modules/mod_authz_default.so
+LoadModule authz_core_module ${modules_prefix}/modules/mod_authz_core.so
LoadModule auth_basic_module ${modules_prefix}/modules/mod_auth_basic.so
+LoadModule auth_digest_module ${modules_prefix}/modules/mod_auth_digest.so
+LoadModule auth_form_module ${modules_prefix}/modules/mod_auth_form.so
+LoadModule request_module ${modules_prefix}/modules/mod_request.so
+LoadModule deflate_module ${modules_prefix}/modules/mod_deflate.so
LoadModule filter_module ${modules_prefix}/modules/mod_filter.so
LoadModule proxy_module ${modules_prefix}/modules/mod_proxy.so
LoadModule proxy_connect_module ${modules_prefix}/modules/mod_proxy_connect.so
LoadModule proxy_http_module ${modules_prefix}/modules/mod_proxy_http.so
LoadModule proxy_balancer_module ${modules_prefix}/modules/mod_proxy_balancer.so
+LoadModule lbmethod_byrequests_module ${modules_prefix}/modules/mod_lbmethod_byrequests.so
LoadModule headers_module ${modules_prefix}/modules/mod_headers.so
LoadModule ssl_module ${modules_prefix}/modules/mod_ssl.so
+LoadModule socache_shmcb_module ${modules_prefix}/modules/mod_socache_shmcb.so
LoadModule rewrite_module ${modules_prefix}/modules/mod_rewrite.so
LoadModule mime_module ${modules_prefix}/modules/mod_mime.so
LoadModule status_module ${modules_prefix}/modules/mod_status.so
@@ -79,8 +85,16 @@ LoadModule logio_module ${modules_prefix}/modules/mod_logio.so
LoadModule usertrack_module ${modules_prefix}/modules/mod_usertrack.so
LoadModule vhost_alias_module ${modules_prefix}/modules/mod_vhost_alias.so
LoadModule cgi_module ${modules_prefix}/modules/mod_cgi.so
+LoadModule unixd_module ${modules_prefix}/modules/mod_unixd.so
+LoadModule session_module ${modules_prefix}/modules/mod_session.so
+#LoadModule session_crypto_module ${modules_prefix}/modules/mod_session_crypto.so
+LoadModule session_cookie_module ${modules_prefix}/modules/mod_session_cookie.so
+LoadModule slotmem_shm_module ${modules_prefix}/modules/mod_slotmem_shm.so
+LoadModule ratelimit_module ${modules_prefix}/modules/mod_ratelimit.so
+LoadModule reqtimeout_module ${modules_prefix}/modules/mod_reqtimeout.so
LoadModule mod_tuscany_ssltunnel $here/libmod_tuscany_ssltunnel.so
+LoadModule mod_tuscany_openauth $here/libmod_tuscany_openauth.so
# Basic security precautions
User $user
@@ -103,7 +117,6 @@ CookieTracking on
CookieName TuscanyVisitorId
# Configure Mime types
-DefaultType text/plain
TypesConfig $here/conf/mime.types
# Set default document root
@@ -114,26 +127,44 @@ DirectoryIndex index.html
<Directory />
Options None
AllowOverride None
-Order deny,allow
-Deny from all
+Require all denied
</Directory>
-<FilesMatch "^\.ht">
-Order deny,allow
-Deny from all
-Satisfy Any
-</FilesMatch>
-# Allow access to document root
-<Directory "$htdocs">
-Options FollowSymLinks
-Allow from all
-</Directory>
+# Configure authentication
+Include conf/auth.conf
-# Allow access to root location
-<Location />
-Options FollowSymLinks
-Order deny,allow
-Allow from all
+# Allow access to public locations
+<Location /login>
+AuthType None
+Require all granted
+</Location>
+<Location /logout>
+AuthType None
+Require all granted
+</Location>
+<Location /public>
+AuthType None
+Require all granted
+</Location>
+<Location /openid>
+AuthType None
+Require all granted
+</Location>
+<Location /ui>
+AuthType None
+Require all granted
+</Location>
+<Location /wiring>
+AuthType None
+Require all granted
+</Location>
+<Location /.well-known/host-meta>
+AuthType None
+Require all granted
+</Location>
+<Location /favicon.ico>
+AuthType None
+Require all granted
</Location>
# Listen on HTTP port
@@ -152,6 +183,25 @@ Include conf/svhost.conf
EOF
+# Generate auth configuration
+cat >$root/conf/auth.conf <<EOF
+# Generated by: httpd-conf $*
+# Authentication configuration
+
+# Allow access to document root
+<Directory "$htdocs">
+Options FollowSymLinks
+Require all granted
+</Directory>
+
+# Allow access to root location
+<Location />
+Options FollowSymLinks
+Require all granted
+</Location>
+
+EOF
+
# Generate vhost configuration
cat >$root/conf/vhost.conf <<EOF
# Generated by: httpd-conf $*
diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf
index 5f1058ea75..94352ca344 100755
--- a/sca-cpp/trunk/modules/http/httpd-ssl-conf
+++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf
@@ -51,7 +51,7 @@ AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:$root/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
-SSLMutex "file:$root/logs/ssl_mutex"
+Mutex "file:$root/logs" ssl-cache
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
@@ -68,7 +68,6 @@ Include conf/svhost-ssl.conf
<Location /server-status>
SetHandler server-status
HostnameLookups on
-Allow from all
Require user admin
</Location>
@@ -114,10 +113,10 @@ UseCanonicalName Off
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
-SSLOptions -StrictRequire +OptRenegotiate
+SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth
# Verify client certificates
-SSLVerifyClient none
+SSLVerifyClient optional
SSLVerifyDepth 1
# Enable SSL proxy engine
@@ -143,19 +142,13 @@ cat >>$root/conf/vhost-ssl.conf <<EOF
<Location />
# Require clients to use SSL and authenticate
SSLRequireSSL
-
-# Also accept other forms of authentication (e.g. HTTP basic
-# authentication, or OpenID authentication)
-Satisfy Any
+SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
EOF
proxyconf=`cat $root/conf/vhost.conf | grep "# Generated by: proxy-conf"`
if [ "$proxyconf" != "" ]; then
cat >>$root/conf/vhost-ssl.conf <<EOF
-# In an proxy, only require a 128+ cipher key
-SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
-
# Forward received SSL client certificate info in proxied requests
RewriteEngine on
RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}]
@@ -184,18 +177,6 @@ RequestHeader set X-Forwarded-SSL-Client-DN-OU %{SSL_S_DN_OU}e env=SSL_S_DN_OU
EOF
else
cat >>$root/conf/vhost-ssl.conf <<EOF
-# In a server, require a 128+ cipher key and one of the following
-# - another server's certificate issued by our certificate authority
-# - a proxy certificate + forwarded info on the client request certificate,
-# both signed by our certificate authority
-# - OpenID authentication (set by mod_auth_openid in the auth_type)
-# - another valid form of authentication as per the Satisfy directive
-SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 and ( \
-( %{SSL_CLIENT_I_DN_O} == "$org" and %{SSL_CLIENT_S_DN_OU} == "server" ) or \
-( %{SSL_CLIENT_I_DN_O} == "$org" and %{SSL_CLIENT_S_DN_OU} == "tunnel" ) or \
-( %{SSL_CLIENT_I_DN_O} == "$org" and %{SSL_CLIENT_S_DN_OU} == "proxy" and \
- %{HTTP:X-Forwarded-SSL-Issuer-DN-O} == "$org" and %{HTTP:X-Forwarded-SSL-Client-DN-OU} == "server" ) or \
-%{REQUEST_URI} =~ m/^.(login|logout|openid|public|ui).*$/ )
# Record received SSL client certificate info in environment vars
RewriteEngine on
@@ -270,3 +251,8 @@ SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem"
EOF
+# Configure user for HTTP fake basic auth
+cat >$root/conf/httpd.passwd <<EOF
+/C=US/ST=CA/L=San Francisco/O=$host/OU=server/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
+EOF
+
diff --git a/sca-cpp/trunk/modules/http/httpd.hpp b/sca-cpp/trunk/modules/http/httpd.hpp
index 528404b8fc..02c9904ac3 100644
--- a/sca-cpp/trunk/modules/http/httpd.hpp
+++ b/sca-cpp/trunk/modules/http/httpd.hpp
@@ -31,14 +31,23 @@
#include <apr_lib.h>
#define APR_WANT_STRFUNC
#include <apr_want.h>
+#include <apr_base64.h>
#include <httpd.h>
+// Hack to workaround compile error with HTTPD 2.3.8
+#define new new_
#include <http_config.h>
+#undef new
#include <http_core.h>
#include <http_connection.h>
#include <http_request.h>
#include <http_protocol.h>
+// Hack to workaround compile error with HTTPD 2.3.8
+#define aplog_module_index aplog_module_index = 0
#include <http_log.h>
+#undef aplog_module_index
+#undef APLOG_MODULE_INDEX
+#define APLOG_MODULE_INDEX (aplog_module_index ? *aplog_module_index : APLOG_NO_MODULE)
#include <http_main.h>
#include <util_script.h>
#include <util_md5.h>
@@ -46,6 +55,8 @@
#include <http_log.h>
#include <ap_mpm.h>
#include <mod_core.h>
+#include <ap_provider.h>
+#include <mod_auth.h>
#include "string.hpp"
#include "stream.hpp"
@@ -358,6 +369,7 @@ const failable<int> writeResult(const failable<list<string> >& ls, const string&
* Report a request execution status.
*/
const int reportStatus(const failable<int>& rc) {
+ debug(rc, "httpd::reportStatus::rc");
if (!hasContent(rc))
return HTTP_INTERNAL_SERVER_ERROR;
return content(rc);
@@ -575,10 +587,11 @@ const failable<request_rec*, int> internalSubRequest(const string& nr_uri, reque
* Return an HTTP external redirect request.
*/
const int externalRedirect(const string& uri, request_rec* r) {
+ debug(uri, "httpd::externalRedirect");
r->status = HTTP_MOVED_TEMPORARILY;
apr_table_setn(r->headers_out, "Location", apr_pstrdup(r->pool, c_str(uri)));
r->filename = apr_pstrdup(r->pool, c_str(string("/redirect:/") + uri));
- return OK;
+ return HTTP_MOVED_TEMPORARILY;
}
/**
@@ -642,6 +655,12 @@ int debugNote(unused void* r, const char* key, const char* value) {
*/
const bool debugRequest(request_rec* r, const string& msg) {
cdebug << msg << ":" << endl;
+ cdebug << " unparsed uri: " << debugOptional(r->unparsed_uri) << endl;
+ cdebug << " uri: " << debugOptional(r->uri) << endl;
+ cdebug << " path info: " << debugOptional(r->path_info) << endl;
+ cdebug << " filename: " << debugOptional(r->filename) << endl;
+ cdebug << " uri tokens: " << pathTokens(r->uri) << endl;
+ cdebug << " args: " << debugOptional(r->args) << endl;
cdebug << " server: " << debugOptional(r->server->server_hostname) << endl;
cdebug << " protocol: " << debugOptional(r->protocol) << endl;
cdebug << " method: " << debugOptional(r->method) << endl;
@@ -649,16 +668,10 @@ const bool debugRequest(request_rec* r, const string& msg) {
cdebug << " content type: " << contentType(r) << endl;
cdebug << " content encoding: " << debugOptional(r->content_encoding) << endl;
apr_table_do(debugHeader, r, r->headers_in, NULL);
- cdebug << " unparsed uri: " << debugOptional(r->unparsed_uri) << endl;
- cdebug << " uri: " << debugOptional(r->uri) << endl;
- cdebug << " path info: " << debugOptional(r->path_info) << endl;
- cdebug << " filename: " << debugOptional(r->filename) << endl;
- cdebug << " uri tokens: " << pathTokens(r->uri) << endl;
- cdebug << " args: " << debugOptional(r->args) << endl;
cdebug << " user: " << debugOptional(r->user) << endl;
cdebug << " auth type: " << debugOptional(r->ap_auth_type) << endl;
apr_table_do(debugEnv, r, r->subprocess_env, NULL);
- apr_table_do(debugEnv, r, r->notes, NULL);
+ apr_table_do(debugNote, r, r->notes, NULL);
return true;
}
diff --git a/sca-cpp/trunk/modules/http/mod-openauth.cpp b/sca-cpp/trunk/modules/http/mod-openauth.cpp
new file mode 100644
index 0000000000..b43624f08d
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/mod-openauth.cpp
@@ -0,0 +1,325 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/* $Rev$ $Date$ */
+
+/**
+ * HTTPD module for Tuscany Open authentication.
+ *
+ * This module allows multiple authentication mechanisms to co-exist in a
+ * single Web site:
+ * - OAuth1 using Tuscany's mod-tuscany-oauth1
+ * - OAuth2 using Tuscany's mod-tuscany-oauth2
+ * - OpenID using mod_auth_openid
+ * - Form-based using HTTPD's mod_auth_form
+ * - SSL certificate using SSLFakeBasicAuth and mod_auth_basic
+ */
+
+#include <sys/stat.h>
+
+#include "string.hpp"
+#include "stream.hpp"
+#include "list.hpp"
+#include "tree.hpp"
+#include "value.hpp"
+#include "monad.hpp"
+#include "httpd.hpp"
+#include "http.hpp"
+#include "openauth.hpp"
+
+extern "C" {
+extern module AP_MODULE_DECLARE_DATA mod_tuscany_openauth;
+}
+
+namespace tuscany {
+namespace openauth {
+
+/**
+ * Server configuration.
+ */
+class ServerConf {
+public:
+ ServerConf(apr_pool_t* p, server_rec* s) : p(p), server(s) {
+ }
+
+ const gc_pool p;
+ server_rec* server;
+};
+
+/**
+ * Directory configuration.
+ */
+class DirConf {
+public:
+ DirConf(apr_pool_t* p, char* d) : p(p), dir(d), enabled(false), login("") {
+ }
+
+ const gc_pool p;
+ const char* dir;
+ bool enabled;
+ string login;
+};
+
+/**
+ * Return the user info from a form auth session cookie.
+ */
+const failable<value> userInfo(const value& sid, const string& realm) {
+ const list<list<value>> info = httpd::queryArgs(sid);
+ debug(info, "modopenauth::userInfo::info");
+ const list<value> user = assoc<value>(realm + "-user", info);
+ if (isNil(user))
+ return mkfailure<value>("Couldn't retrieve user id");
+ const list<value> pw = assoc<value>(realm + "-pw", info);
+ if (isNil(pw))
+ return mkfailure<value>("Couldn't retrieve password");
+ return value(mklist<value>(mklist<value>("realm", realm), mklist<value>("id", cadr(user)), mklist<value>("password", cadr(pw))));
+}
+
+/**
+ * Return the user info from a basic auth header.
+ */
+const failable<value> userInfo(const char* header, const string& realm, request_rec* r) {
+ debug(header, "modopenauth::userInfo::header");
+ if (strcasecmp(ap_getword(r->pool, &header, ' '), "Basic"))
+ return mkfailure<value>("Wrong authentication scheme");
+
+ while (apr_isspace(*header))
+ header++;
+ char *decoded_line = (char*)apr_palloc(r->pool, apr_base64_decode_len(header) + 1);
+ int length = apr_base64_decode(decoded_line, header);
+ decoded_line[length] = '\0';
+
+ const string user(ap_getword_nulls(r->pool, const_cast<const char**>(&decoded_line), ':'));
+ const string pw(decoded_line);
+
+ return value(mklist<value>(mklist<value>("realm", realm), mklist<value>("id", user), mklist<value>("password", pw)));
+}
+
+/**
+ * Handle an authenticated request.
+ */
+const failable<int> authenticated(const list<list<value> >& info, request_rec* r) {
+ debug(info, "modopenauth::authenticated::info");
+
+ // Store user info in the request
+ const list<value> realm = assoc<value>("realm", info);
+ if (isNil(realm) || isNil(cdr(realm)))
+ return mkfailure<int>("Couldn't retrieve realm");
+ apr_table_set(r->subprocess_env, apr_pstrdup(r->pool, "REALM"), apr_pstrdup(r->pool, c_str(cadr(realm))));
+
+ const list<value> id = assoc<value>("id", info);
+ if (isNil(id) || isNil(cdr(id)))
+ return mkfailure<int>("Couldn't retrieve user id");
+ r->user = apr_pstrdup(r->pool, c_str(cadr(id)));
+
+ apr_table_set(r->subprocess_env, apr_pstrdup(r->pool, "NICKNAME"), apr_pstrdup(r->pool, c_str(cadr(id))));
+ return OK;
+}
+
+/**
+ * Run the authnz hooks to try to authenticate a request.
+ */
+const failable<int> checkAuthnz(const string& user, const string& pw, request_rec* r) {
+ const authn_provider* provider = (const authn_provider*)ap_lookup_provider(AUTHN_PROVIDER_GROUP, AUTHN_DEFAULT_PROVIDER, AUTHN_PROVIDER_VERSION);
+ if (!provider || !provider->check_password)
+ return mkfailure<int>("No Authn provider configured");
+ apr_table_setn(r->notes, AUTHN_PROVIDER_NAME_NOTE, AUTHN_DEFAULT_PROVIDER);
+ const authn_status auth_result = provider->check_password(r, c_str(user), c_str(pw));
+ apr_table_unset(r->notes, AUTHN_PROVIDER_NAME_NOTE);
+ if (auth_result != AUTH_GRANTED)
+ return mkfailure<int>("Authentication failure for: " + user);
+ return OK;
+}
+
+/**
+ * Check user authentication.
+ */
+static int checkAuthn(request_rec *r) {
+ // Decline if we're not enabled or AuthType is not set to Open
+ const DirConf& dc = httpd::dirConf<DirConf>(r, &mod_tuscany_openauth);
+ if (!dc.enabled)
+ return DECLINED;
+ const char* atype = ap_auth_type(r);
+ if (atype == NULL || strcasecmp(atype, "Open"))
+ return DECLINED;
+
+ gc_scoped_pool pool(r->pool);
+ httpdDebugRequest(r, "modopenauth::checkAuthn::input");
+
+ // Get session id from the request
+ const maybe<string> sid = sessionID(r);
+ if (hasContent(sid)) {
+ // Decline if the session id was not created by this module
+ const string stype = substr(content(sid), 0, 7);
+ if (stype == "OAuth2_" || stype == "OAuth1_" || stype == "OpenID_")
+ return DECLINED;
+
+ // Retrieve the auth realm
+ const char* aname = ap_auth_name(r);
+ if (aname == NULL)
+ return httpd::reportStatus(mkfailure<int>("Missing AuthName"));
+
+ // Extract user info from the session id
+ const failable<value> info = userInfo(content(sid), aname);
+ if (hasContent(info)) {
+
+ // Try to authenticate the request
+ const value cinfo = content(info);
+ const failable<int> authz = checkAuthnz(cadr(assoc<value>("id", cinfo)), cadr(assoc<value>("password", cinfo)), r);
+ if (!hasContent(authz)) {
+
+ // Authentication failed, redirect to login page
+ r->ap_auth_type = const_cast<char*>(atype);
+ return httpd::reportStatus(login(dc.login, r));
+ }
+
+ // Successfully authenticated, store the user info in the request
+ r->ap_auth_type = const_cast<char*>(atype);
+ return httpd::reportStatus(authenticated(cinfo, r));
+ }
+ }
+
+ // Get basic auth header from the request
+ const char* header = apr_table_get(r->headers_in, (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authorization" : "Authorization");
+ if (header != NULL) {
+
+ // Retrieve the auth realm
+ const char* aname = ap_auth_name(r);
+ if (aname == NULL)
+ return httpd::reportStatus(mkfailure<int>("Missing AuthName"));
+
+ // Extract user info from the session id
+ const failable<value> info = userInfo(header, aname, r);
+ if (hasContent(info)) {
+
+ // Try to authenticate the request
+ const value cinfo = content(info);
+ const failable<int> authz = checkAuthnz(cadr(assoc<value>("id", cinfo)), cadr(assoc<value>("password", cinfo)), r);
+ if (!hasContent(authz)) {
+
+ // Authentication failed, redirect to login page
+ r->ap_auth_type = const_cast<char*>(atype);
+ return httpd::reportStatus(login(dc.login, r));
+ }
+
+ // Successfully authenticated, store the user info in the request
+ r->ap_auth_type = const_cast<char*>(atype);
+ return httpd::reportStatus(authenticated(cinfo, r));
+ }
+ }
+
+ // Get the request args
+ const list<list<value> > args = httpd::queryArgs(r);
+
+ // Decline if the request is for another authentication provider
+ if (!isNil(assoc<value>("openid_identifier", args)))
+ return DECLINED;
+ if (!isNil(assoc<value>("mod_oauth1_step", args)))
+ return DECLINED;
+ if (!isNil(assoc<value>("mod_oauth2_step", args)))
+ return DECLINED;
+
+ // Redirect to the login page
+ r->ap_auth_type = const_cast<char*>(atype);
+ return httpd::reportStatus(login(dc.login, r));
+}
+
+/**
+ * Process the module configuration.
+ */
+int postConfigMerge(ServerConf& mainsc, server_rec* s) {
+ if (s == NULL)
+ return OK;
+ debug(httpd::serverName(s), "modopenauth::postConfigMerge::serverName");
+
+ return postConfigMerge(mainsc, s->next);
+}
+
+int postConfig(apr_pool_t* p, unused apr_pool_t* plog, unused apr_pool_t* ptemp, server_rec* s) {
+ gc_scoped_pool pool(p);
+ ServerConf& sc = httpd::serverConf<ServerConf>(s, &mod_tuscany_openauth);
+ debug(httpd::serverName(s), "modopenauth::postConfig::serverName");
+
+ // Merge server configurations
+ return postConfigMerge(sc, s);
+}
+
+/**
+ * Child process initialization.
+ */
+void childInit(apr_pool_t* p, server_rec* s) {
+ gc_scoped_pool pool(p);
+ ServerConf* psc = (ServerConf*)ap_get_module_config(s->module_config, &mod_tuscany_openauth);
+ if(psc == NULL) {
+ cfailure << "[Tuscany] Due to one or more errors mod_tuscany_openauth loading failed. Causing apache to stop loading." << endl;
+ exit(APEXIT_CHILDFATAL);
+ }
+ ServerConf& sc = *psc;
+
+ // Merge the updated configuration into the virtual hosts
+ postConfigMerge(sc, s->next);
+}
+
+/**
+ * Configuration commands.
+ */
+const char* confEnabled(cmd_parms *cmd, void *c, const int arg) {
+ gc_scoped_pool pool(cmd->pool);
+ DirConf& dc = httpd::dirConf<DirConf>(c);
+ dc.enabled = (bool)arg;
+ return NULL;
+}
+const char* confLogin(cmd_parms *cmd, void *c, const char* arg) {
+ gc_scoped_pool pool(cmd->pool);
+ DirConf& dc = httpd::dirConf<DirConf>(c);
+ dc.login = arg;
+ return NULL;
+}
+
+/**
+ * HTTP server module declaration.
+ */
+const command_rec commands[] = {
+ AP_INIT_FLAG("AuthOpenAuth", (const char*(*)())confEnabled, NULL, OR_AUTHCFG, "Tuscany Open Auth authentication On | Off"),
+ AP_INIT_TAKE1("AuthOpenAuthLoginPage", (const char*(*)())confLogin, NULL, OR_AUTHCFG, "Tuscany Open Auth login page"),
+ {NULL, NULL, NULL, 0, NO_ARGS, NULL}
+};
+
+void registerHooks(unused apr_pool_t *p) {
+ ap_hook_post_config(postConfig, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_child_init(childInit, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_check_authn(checkAuthn, NULL, NULL, APR_HOOK_MIDDLE, AP_AUTH_INTERNAL_PER_CONF);
+}
+
+}
+}
+
+extern "C" {
+
+module AP_MODULE_DECLARE_DATA mod_tuscany_openauth = {
+ STANDARD20_MODULE_STUFF,
+ // dir config and merger
+ tuscany::httpd::makeDirConf<tuscany::openauth::DirConf>, NULL,
+ // server config and merger
+ tuscany::httpd::makeServerConf<tuscany::openauth::ServerConf>, NULL,
+ // commands and hooks
+ tuscany::openauth::commands, tuscany::openauth::registerHooks
+};
+
+}
diff --git a/sca-cpp/trunk/modules/http/open-auth-conf b/sca-cpp/trunk/modules/http/open-auth-conf
new file mode 100755
index 0000000000..f2304a0b86
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/open-auth-conf
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Generate a minimal HTTPD form authentication configuration
+here=`readlink -f $0`; here=`dirname $here`
+mkdir -p $1
+root=`readlink -f $1`
+
+conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
+host=`echo $conf | awk '{ print $6 }'`
+
+httpd_prefix=`cat $here/httpd.prefix`
+
+# Generate form authentication configuration
+cat >>$root/conf/auth.conf <<EOF
+# Generated by: open-auth-conf $*
+# Enable Tuscany open authentication
+<Location />
+AuthType Open
+AuthName "$host"
+AuthOpenAuth On
+AuthOpenAuthLoginPage /login
+AuthUserFile "$root/conf/httpd.passwd"
+Require valid-user
+</Location>
+
+# Use HTTPD form-based authentication
+<Location /login/dologin>
+AuthType Form
+AuthName "$host"
+AuthFormProvider file
+AuthUserFile "$root/conf/httpd.passwd"
+AuthFormLoginRequiredLocation /login
+AuthFormLogoutLocation /
+Session On
+SessionCookieName TuscanyOpenAuth path=/;secure=TRUE
+#SessionCryptoPassphrase secret
+Require valid-user
+SetHandler form-login-handler
+</Location>
+
+EOF
+
+# Create test users
+touch $root/conf/httpd.passwd
+$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd test test 2>/dev/null
+$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd admin admin 2>/dev/null
+$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd foo foo 2>/dev/null
+$httpd_prefix/bin/htpasswd -b $root/conf/httpd.passwd bar bar 2>/dev/null
+
diff --git a/sca-cpp/trunk/modules/oauth/oauth.hpp b/sca-cpp/trunk/modules/http/openauth.hpp
index cea16e035f..53250b4732 100644
--- a/sca-cpp/trunk/modules/oauth/oauth.hpp
+++ b/sca-cpp/trunk/modules/http/openauth.hpp
@@ -19,11 +19,11 @@
/* $Rev$ $Date$ */
-#ifndef tuscany_oauth_hpp
-#define tuscany_oauth_hpp
+#ifndef tuscany_openauth_hpp
+#define tuscany_openauth_hpp
/**
- * OAuth support utility functions.
+ * Tuscany Open auth support utility functions.
*/
#include "string.hpp"
@@ -35,10 +35,9 @@
#include "../json/json.hpp"
#include "../http/httpd.hpp"
#include "../http/http.hpp"
-#include "../../components/cache/memcache.hpp"
namespace tuscany {
-namespace oauth {
+namespace openauth {
/**
* Return the session id from a request.
@@ -51,30 +50,27 @@ const char* cookieName(const char* cs) {
const maybe<string> sessionID(const list<string> c) {
if (isNil(c))
return maybe<string>();
- const list<string> kv = tokenize("=", cookieName(c_str(car(c))));
- if (!isNil(kv) && !isNil(cdr(kv))) {
- if (car(kv) == "TuscanyOpenAuth")
- return cadr(kv);
+ const string cn = cookieName(c_str(car(c)));
+ const int i = find(cn, "=");
+ if (i < length(cn)) {
+ const list<string> kv = mklist<string>(substr(cn, 0, i), substr(cn, i+1));
+ if (!isNil(kv) && !isNil(cdr(kv))) {
+ if (car(kv) == "TuscanyOpenAuth")
+ return cadr(kv);
+ }
}
return sessionID(cdr(c));
}
const maybe<string> sessionID(const request_rec* r) {
const char* c = apr_table_get(r->headers_in, "Cookie");
- debug(c, "oauth::sessionid::cookies");
+ debug(c, "openauth::sessionid::cookies");
if (c == NULL)
return maybe<string>();
return sessionID(tokenize(";", c));
}
/**
- * Return the user info for a session.
- */
-const failable<value> userInfo(const value& sid, const memcache::MemCached& mc) {
- return memcache::get(mklist<value>("tuscanyOpenAuth", sid), mc);
-}
-
-/**
* Convert a session id to a cookie string.
*/
const string cookie(const string& sid) {
@@ -82,7 +78,7 @@ const string cookie(const string& sid) {
char exp[32];
strftime(exp, 32, "%a, %d-%b-%Y %H:%M:%S GMT", gmtime(&t));
const string c = string("TuscanyOpenAuth=") + sid + string(";path=/;expires=" + string(exp)) + ";secure=TRUE";
- debug(c, "oauth::cookie");
+ debug(c, "openauth::cookie");
return c;
}
@@ -92,11 +88,11 @@ const string cookie(const string& sid) {
const failable<int> login(const string& page, request_rec* r) {
const list<list<value> > largs = mklist<list<value> >(mklist<value>("openauth_referrer", httpd::escape(httpd::url(r->uri, r))));
const string loc = httpd::url(page, r) + string("?") + httpd::queryString(largs);
- debug(loc, "oauth::login::uri");
+ debug(loc, "openauth::login::uri");
return httpd::externalRedirect(loc, r);
}
}
}
-#endif /* tuscany_oauth_hpp */
+#endif /* tuscany_openauth_hpp */
diff --git a/sca-cpp/trunk/modules/http/proxy-conf b/sca-cpp/trunk/modules/http/proxy-conf
index ff312041f5..e9abe8435f 100755
--- a/sca-cpp/trunk/modules/http/proxy-conf
+++ b/sca-cpp/trunk/modules/http/proxy-conf
@@ -33,8 +33,7 @@ ProxyStatus On
ProxyPass / balancer://cluster/
<Proxy balancer://cluster>
-Order deny,allow
-Allow from all
+Require all granted
ProxySet lbmethod=byrequests
</Proxy>
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-conf b/sca-cpp/trunk/modules/http/proxy-ssl-conf
index 8f8d51c7a4..12340f9921 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-conf
@@ -34,8 +34,7 @@ ProxyPass /balancer-manager !
ProxyPass / balancer://sslcluster/
<Proxy balancer://sslcluster>
-Order deny,allow
-Allow from all
+Require all granted
ProxySet lbmethod=byrequests
</Proxy>
@@ -43,8 +42,6 @@ ProxySet lbmethod=byrequests
<Location /balancer-manager>
SetHandler balancer-manager
HostnameLookups on
-Deny from all
-Allow from all
Require user admin
</Location>