Diffstat (limited to 'sca-cpp/trunk/modules/http')
-rw-r--r--sca-cpp/trunk/modules/http/Makefile.am2
-rwxr-xr-xsca-cpp/trunk/modules/http/cert-auth-conf56
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-conf131
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-event-conf35
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-ssl-conf107
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-worker-conf35
-rw-r--r--sca-cpp/trunk/modules/http/mod-ssltunnel.cpp65
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-ssl-conf25
-rwxr-xr-xsca-cpp/trunk/modules/http/proxy-ssl-member-conf10
-rwxr-xr-xsca-cpp/trunk/modules/http/vhost-conf15
-rwxr-xr-xsca-cpp/trunk/modules/http/vhost-ssl-conf6
11 files changed, 297 insertions, 190 deletions
diff --git a/sca-cpp/trunk/modules/http/Makefile.am b/sca-cpp/trunk/modules/http/Makefile.am
index 08d7e1b49a..af8ab4d1c3 100644
--- a/sca-cpp/trunk/modules/http/Makefile.am
+++ b/sca-cpp/trunk/modules/http/Makefile.am
@@ -20,7 +20,7 @@ INCLUDES = -I${HTTPD_INCLUDE}
incl_HEADERS = *.hpp
incldir = $(prefix)/include/modules/http
-dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf form-auth-conf open-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf
+dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf cert-auth-conf form-auth-conf open-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf httpd-worker-conf httpd-event-conf
moddir=$(prefix)/modules/http
curl_test_SOURCES = curl-test.cpp
diff --git a/sca-cpp/trunk/modules/http/cert-auth-conf b/sca-cpp/trunk/modules/http/cert-auth-conf
new file mode 100755
index 0000000000..00494d99f2
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/cert-auth-conf
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Generate a minimal HTTPD certificate-based authentication configuration
+here=`readlink -f $0`; here=`dirname $here`
+mkdir -p $1
+root=`readlink -f $1`
+
+conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
+host=`echo $conf | awk '{ print $6 }'`
+
+httpd_prefix=`cat $here/httpd.prefix`
+
+# Generate authentication configuration
+cat >>$root/conf/auth.conf <<EOF
+# Generated by: cert-auth-conf $*
+# Require clients to present a valid client certificate
+SSLVerifyClient require
+SSLVerifyDepth 1
+
+<Location />
+AuthType Basic
+AuthName "$host"
+AuthBasicProvider file
+AuthUserFile "$root/conf/httpd.passwd"
+Require valid-user
+</Location>
+
+EOF
+
+# Create certificate-based users
+touch $root/conf/httpd.passwd
+cat >>$root/conf/httpd.passwd <<EOF
+/C=US/ST=CA/L=San Francisco/O=$host/OU=server/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
+/C=US/ST=CA/L=San Francisco/O=$host/OU=proxy/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
+/C=US/ST=CA/L=San Francisco/O=$host/OU=tunnel/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
+/C=US/ST=CA/L=San Francisco/O=localhost/OU=server/CN=localhost:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
+/C=US/ST=CA/L=San Francisco/O=localhost/OU=tunnel/CN=localhost:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
+EOF
+
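Review bot: `httpd_prefix` is assigned from `cat $here/httpd.prefix` but never referenced afterwards, so that line is dead code and should be removed or used. Both heredocs append with `>>`, so a second run of the script duplicates the `<Location />` block in auth.conf and the five DN entries in httpd.passwd, and the `touch $root/conf/httpd.passwd` before the second append is redundant because `>>` creates the file. `$1` is used unquoted and unchecked, so a call without an argument runs `mkdir -p` on nothing and only fails later at `readlink -f`; a guard such as `[ -n "$1" ] || { echo "usage: $0 <root>" >&2; exit 1; }` at the top makes that explicit. The passwd heredoc also deserves a comment saying that these entries are presumably matched on the client certificate subject DN through `SSLOptions +FakeBasicAuth` (set in httpd-ssl-conf), which is why every line carries the same fixed hash rather than a per-user password.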
diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf
index 79a85c0961..a77141af5f 100755
--- a/sca-cpp/trunk/modules/http/httpd-conf
+++ b/sca-cpp/trunk/modules/http/httpd-conf
@@ -47,54 +47,11 @@ cat >$root/conf/httpd.conf <<EOF
ServerName http://$host:$pport
PidFile $root/logs/httpd.pid
-# Load a minimal set of modules, the load order is important
-# (e.g. load mod_headers before mod_rewrite, so its hooks execute
-# after mod_rewrite's hooks)
-LoadModule alias_module ${modules_prefix}/modules/mod_alias.so
-LoadModule authn_file_module ${modules_prefix}/modules/mod_authn_file.so
-LoadModule authn_core_module ${modules_prefix}/modules/mod_authn_core.so
-LoadModule authz_host_module ${modules_prefix}/modules/mod_authz_host.so
-LoadModule authz_groupfile_module ${modules_prefix}/modules/mod_authz_groupfile.so
-LoadModule authz_user_module ${modules_prefix}/modules/mod_authz_user.so
-LoadModule authz_core_module ${modules_prefix}/modules/mod_authz_core.so
-LoadModule auth_basic_module ${modules_prefix}/modules/mod_auth_basic.so
-LoadModule auth_digest_module ${modules_prefix}/modules/mod_auth_digest.so
-LoadModule auth_form_module ${modules_prefix}/modules/mod_auth_form.so
-LoadModule request_module ${modules_prefix}/modules/mod_request.so
-LoadModule deflate_module ${modules_prefix}/modules/mod_deflate.so
-LoadModule filter_module ${modules_prefix}/modules/mod_filter.so
-LoadModule proxy_module ${modules_prefix}/modules/mod_proxy.so
-LoadModule proxy_connect_module ${modules_prefix}/modules/mod_proxy_connect.so
-LoadModule proxy_http_module ${modules_prefix}/modules/mod_proxy_http.so
-LoadModule proxy_balancer_module ${modules_prefix}/modules/mod_proxy_balancer.so
-LoadModule lbmethod_byrequests_module ${modules_prefix}/modules/mod_lbmethod_byrequests.so
-LoadModule headers_module ${modules_prefix}/modules/mod_headers.so
-LoadModule ssl_module ${modules_prefix}/modules/mod_ssl.so
-LoadModule socache_shmcb_module ${modules_prefix}/modules/mod_socache_shmcb.so
-LoadModule rewrite_module ${modules_prefix}/modules/mod_rewrite.so
-LoadModule mime_module ${modules_prefix}/modules/mod_mime.so
-LoadModule status_module ${modules_prefix}/modules/mod_status.so
-LoadModule asis_module ${modules_prefix}/modules/mod_asis.so
-LoadModule negotiation_module ${modules_prefix}/modules/mod_negotiation.so
-LoadModule dir_module ${modules_prefix}/modules/mod_dir.so
-LoadModule setenvif_module ${modules_prefix}/modules/mod_setenvif.so
-<IfModule !log_config_module>
-LoadModule log_config_module ${modules_prefix}/modules/mod_log_config.so
-</IfModule>
-LoadModule logio_module ${modules_prefix}/modules/mod_logio.so
-LoadModule usertrack_module ${modules_prefix}/modules/mod_usertrack.so
-LoadModule vhost_alias_module ${modules_prefix}/modules/mod_vhost_alias.so
-LoadModule cgi_module ${modules_prefix}/modules/mod_cgi.so
-LoadModule unixd_module ${modules_prefix}/modules/mod_unixd.so
-LoadModule session_module ${modules_prefix}/modules/mod_session.so
-#LoadModule session_crypto_module ${modules_prefix}/modules/mod_session_crypto.so
-LoadModule session_cookie_module ${modules_prefix}/modules/mod_session_cookie.so
-LoadModule slotmem_shm_module ${modules_prefix}/modules/mod_slotmem_shm.so
-LoadModule ratelimit_module ${modules_prefix}/modules/mod_ratelimit.so
-LoadModule reqtimeout_module ${modules_prefix}/modules/mod_reqtimeout.so
+# Load configured MPM
+Include conf/mpm.conf
-LoadModule mod_tuscany_ssltunnel $here/libmod_tuscany_ssltunnel.so
-LoadModule mod_tuscany_openauth $here/libmod_tuscany_openauth.so
+# Load required modules
+Include conf/modules.conf
# Basic security precautions
User $user
@@ -179,22 +136,98 @@ RewriteCond %{HTTP_HOST} !^$host [NC]
RewriteRule .* http://$host:$pport%{REQUEST_URI} [R,L]
Include conf/svhost.conf
+
+# Allow access to document root
+<Directory "$htdocs">
+Options FollowSymLinks
+AuthType None
+Require all granted
+</Directory>
+
+# Allow access to root location
+<Location />
+Options FollowSymLinks
+AuthType None
+Require all granted
+</Location>
+
</VirtualHost>
EOF
+# Run with the prefork MPM
+cat >$root/conf/mpm.conf <<EOF
+# Generated by: httpd-conf $*
+LoadModule mpm_prefork_module ${modules_prefix}/modules/mod_mpm_prefork.so
+
+EOF
+
+# Generate modules list
+cat >$root/conf/modules.conf <<EOF
+# Generated by: httpd-conf $*
+# Load a minimal set of modules, the load order is important
+# (e.g. load mod_headers before mod_rewrite, so its hooks execute
+# after mod_rewrite's hooks)
+LoadModule alias_module ${modules_prefix}/modules/mod_alias.so
+LoadModule authn_file_module ${modules_prefix}/modules/mod_authn_file.so
+LoadModule authn_core_module ${modules_prefix}/modules/mod_authn_core.so
+LoadModule authz_host_module ${modules_prefix}/modules/mod_authz_host.so
+LoadModule authz_groupfile_module ${modules_prefix}/modules/mod_authz_groupfile.so
+LoadModule authz_user_module ${modules_prefix}/modules/mod_authz_user.so
+LoadModule authz_core_module ${modules_prefix}/modules/mod_authz_core.so
+LoadModule auth_basic_module ${modules_prefix}/modules/mod_auth_basic.so
+LoadModule auth_digest_module ${modules_prefix}/modules/mod_auth_digest.so
+LoadModule auth_form_module ${modules_prefix}/modules/mod_auth_form.so
+LoadModule request_module ${modules_prefix}/modules/mod_request.so
+LoadModule deflate_module ${modules_prefix}/modules/mod_deflate.so
+LoadModule filter_module ${modules_prefix}/modules/mod_filter.so
+LoadModule proxy_module ${modules_prefix}/modules/mod_proxy.so
+LoadModule proxy_connect_module ${modules_prefix}/modules/mod_proxy_connect.so
+LoadModule proxy_http_module ${modules_prefix}/modules/mod_proxy_http.so
+LoadModule proxy_balancer_module ${modules_prefix}/modules/mod_proxy_balancer.so
+LoadModule lbmethod_byrequests_module ${modules_prefix}/modules/mod_lbmethod_byrequests.so
+LoadModule headers_module ${modules_prefix}/modules/mod_headers.so
+LoadModule ssl_module ${modules_prefix}/modules/mod_ssl.so
+LoadModule socache_shmcb_module ${modules_prefix}/modules/mod_socache_shmcb.so
+LoadModule rewrite_module ${modules_prefix}/modules/mod_rewrite.so
+LoadModule mime_module ${modules_prefix}/modules/mod_mime.so
+LoadModule status_module ${modules_prefix}/modules/mod_status.so
+LoadModule asis_module ${modules_prefix}/modules/mod_asis.so
+LoadModule negotiation_module ${modules_prefix}/modules/mod_negotiation.so
+LoadModule dir_module ${modules_prefix}/modules/mod_dir.so
+LoadModule setenvif_module ${modules_prefix}/modules/mod_setenvif.so
+<IfModule !log_config_module>
+LoadModule log_config_module ${modules_prefix}/modules/mod_log_config.so
+</IfModule>
+LoadModule logio_module ${modules_prefix}/modules/mod_logio.so
+LoadModule usertrack_module ${modules_prefix}/modules/mod_usertrack.so
+LoadModule vhost_alias_module ${modules_prefix}/modules/mod_vhost_alias.so
+LoadModule cgi_module ${modules_prefix}/modules/mod_cgi.so
+LoadModule unixd_module ${modules_prefix}/modules/mod_unixd.so
+LoadModule session_module ${modules_prefix}/modules/mod_session.so
+#LoadModule session_crypto_module ${modules_prefix}/modules/mod_session_crypto.so
+LoadModule session_cookie_module ${modules_prefix}/modules/mod_session_cookie.so
+LoadModule slotmem_shm_module ${modules_prefix}/modules/mod_slotmem_shm.so
+LoadModule ratelimit_module ${modules_prefix}/modules/mod_ratelimit.so
+LoadModule reqtimeout_module ${modules_prefix}/modules/mod_reqtimeout.so
+
+LoadModule mod_tuscany_ssltunnel $here/libmod_tuscany_ssltunnel.so
+LoadModule mod_tuscany_openauth $here/libmod_tuscany_openauth.so
+
+EOF
+
# Generate auth configuration
cat >$root/conf/auth.conf <<EOF
# Generated by: httpd-conf $*
# Authentication configuration
-# Allow access to document root
+# Allow authorized access to document root
<Directory "$htdocs">
Options FollowSymLinks
Require all granted
</Directory>
-# Allow access to root location
+# Allow authorized access to root location
<Location />
Options FollowSymLinks
Require all granted
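Review bot: The auth.conf comments are changed to `# Allow authorized access to document root` and `# Allow authorized access to root location`, but the directives under them are still `Require all granted`, so the new wording overstates what the block enforces; either keep the old wording or say that later scripts (cert-auth-conf appends a `<Location />` with `Require valid-user`) are expected to tighten it. The same `<Directory "$htdocs">` / `<Location />` pair with `AuthType None` and `Require all granted` is now also emitted inside the `<VirtualHost>` in httpd.conf and again by the vhost-conf hunk of this commit, so the grant is stated three times; how httpd merges these with the stricter `<Location />` that cert-auth-conf appends is not obvious from the scripts and should be documented next to the first occurrence. The enclosing heredoc starts before this hunk.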
diff --git a/sca-cpp/trunk/modules/http/httpd-event-conf b/sca-cpp/trunk/modules/http/httpd-event-conf
new file mode 100755
index 0000000000..58923d9dd9
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/httpd-event-conf
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Configure HTTPD to run with the event MPM
+here=`readlink -f $0`; here=`dirname $here`
+mkdir -p $1
+root=`readlink -f $1`
+
+modules_prefix=`cat $here/httpd-modules.prefix`
+
+mkdir -p $root
+mkdir -p $root/conf
+cat >$root/conf/mpm.conf <<EOF
+# Generated by: httpd-event-conf $*
+# Use HTTPD event MPM
+LoadModule mpm_event_module ${modules_prefix}/modules/mod_mpm_event.so
+
+EOF
+
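Review bot: `mkdir -p $root` on the line after `root=\`readlink -f $1\`` repeats the `mkdir -p $1` two lines above, and `mkdir -p $root/conf` already creates the parent, so a single `mkdir -p $root/conf` is enough. More importantly, this script overwrites conf/mpm.conf with `>`, and httpd-conf in this same commit also rewrites conf/mpm.conf with the prefork module every time it runs, so the event MPM only takes effect when this script is run after httpd-conf; that ordering constraint belongs in the header comment, e.g. `# Must be run after httpd-conf, which resets conf/mpm.conf to the prefork MPM`. The same two points apply to httpd-worker-conf, added in this commit. Both scripts also use `$1` unquoted and without checking that it was supplied.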
diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf
index 94352ca344..0a73809fa5 100755
--- a/sca-cpp/trunk/modules/http/httpd-ssl-conf
+++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf
@@ -29,7 +29,7 @@ port=`$here/httpd-addr port $gport`
pport=`$here/httpd-addr pport $gport`
sslpport=`$here/httpd-addr pport $2`
-ssllisten=`$here/httpd-addr listen $2`
+sslport=`$here/httpd-addr listen $2`
sslvhost=`$here/httpd-addr vhost $2`
htdocs=`echo $conf | awk '{ print $8 }'`
@@ -56,7 +56,7 @@ SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
# Listen on HTTPS port
-Listen $ssllisten
+Listen $sslport
# HTTPS virtual host
<VirtualHost $sslvhost>
@@ -73,9 +73,6 @@ Require user admin
</VirtualHost>
-# Report extended server status
-ExtendedStatus On
-
EOF
# Generate HTTP vhost configuration
@@ -115,17 +112,11 @@ SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth
-# Verify client certificates
-SSLVerifyClient optional
-SSLVerifyDepth 1
-
-# Enable SSL proxy engine
-SSLProxyEngine on
-SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-
-# Verify server certificates
-SSLProxyVerify require
-SSLProxyVerifyDepth 1
+# Require clients to use SSL and authenticate
+<Location />
+SSLRequireSSL
+SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
+</Location>
# Log SSL requests
# [timestamp] [sslaccess] remote-host remote-ident remote-user SSL-protocol
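Review bot: `SSLRequire` is deprecated in httpd 2.4 in favour of `Require expr`, and the generated configuration already uses 2.4 authorization syntax (`Require all granted`, mod_authz_core), so the new `<Location />` block is written against the old API; `Require ssl` plus `Require expr %{SSL_CIPHER_USEKEYSIZE} >= 128` would be the 2.4 form, but because httpd-conf emits `Require all granted` for the same `<Location />` the merged result has to be checked before switching. The removal of `SSLVerifyClient optional` means the `+FakeBasicAuth` option kept on the `SSLOptions` line above no longer has a client certificate to map unless cert-auth-conf is run; a one-line comment stating that dependency would prevent the next reader from re-adding the directive here. The heredoc this block belongs to starts before the hunk.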
@@ -137,81 +128,6 @@ CustomLog $root/logs/ssl_access_log sslcombined
EOF
-# Generate HTTPS authentication requirement
-cat >>$root/conf/vhost-ssl.conf <<EOF
-<Location />
-# Require clients to use SSL and authenticate
-SSLRequireSSL
-SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
-
-EOF
-
-proxyconf=`cat $root/conf/vhost.conf | grep "# Generated by: proxy-conf"`
-if [ "$proxyconf" != "" ]; then
- cat >>$root/conf/vhost-ssl.conf <<EOF
-# Forward received SSL client certificate info in proxied requests
-RewriteEngine on
-RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}]
-RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}]
-RewriteCond %{SSL:SSL_CLIENT_I_DN} !=""
-RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}]
-RewriteCond %{SSL:SSL_CLIENT_S_DN} !=""
-RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}]
-RewriteCond %{SSL:SSL_CLIENT_I_DN_O} !=""
-RewriteRule .* - [E=SSL_I_DN_O:%{SSL:SSL_CLIENT_I_DN_O}]
-RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} !=""
-RewriteRule .* - [E=SSL_S_DN_OU:%{SSL:SSL_CLIENT_S_DN_OU}]
-RequestHeader unset X-Forwarded-SSL-Protocol
-RequestHeader unset X-Forwarded-SSL-Cipher
-RequestHeader unset X-Forwarded-SSL-Issuer-DN
-RequestHeader unset X-Forwarded-SSL-Client-DN
-RequestHeader unset X-Forwarded-SSL-Issuer-DN-O
-RequestHeader unset X-Forwarded-SSL-Client-DN-OU
-RequestHeader set X-Forwarded-SSL-Protocol %{SSL_PROTOCOL}e env=SSL_PROTOCOL
-RequestHeader set X-Forwarded-SSL-Cipher %{SSL_CIPHER}e env=SSL_CIPHER
-RequestHeader set X-Forwarded-SSL-Issuer-DN %{SSL_I_DN}e env=SSL_I_DN
-RequestHeader set X-Forwarded-SSL-Client-DN %{SSL_S_DN}e env=SSL_S_DN
-RequestHeader set X-Forwarded-SSL-Issuer-DN-O %{SSL_I_DN_O}e env=SSL_I_DN_O
-RequestHeader set X-Forwarded-SSL-Client-DN-OU %{SSL_S_DN_OU}e env=SSL_S_DN_OU
-
-EOF
-else
- cat >>$root/conf/vhost-ssl.conf <<EOF
-
-# Record received SSL client certificate info in environment vars
-RewriteEngine on
-RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}]
-RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}]
-RewriteCond %{SSL:SSL_CLIENT_I_DN} !=""
-RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}]
-RewriteCond %{SSL:SSL_CLIENT_S_DN} !=""
-RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}]
-
-# Store the client certificate DN in the SSL_REMOTE_USER var,
-# that's similar to the SSLUserName directive but more flexible as
-# it can pick a client certificate DN forwarded by a proxy
-RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org"
-RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "server"
-RewriteRule .* - [E=SSL_REMOTE_USER:%{SSL:SSL_CLIENT_S_DN}]
-
-RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org"
-RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "tunnel"
-RewriteRule .* - [E=SSL_REMOTE_USER:%{SSL:SSL_CLIENT_S_DN}]
-
-RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org"
-RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "proxy"
-RewriteCond %{HTTP:X-Forwarded-SSL-Issuer-DN-O} "$org"
-RewriteCond %{HTTP:X-Forwarded-SSL-Client-DN-OU} "server"
-RewriteRule .* - [E=SSL_REMOTE_USER:%{HTTP:X-Forwarded-SSL-Client-DN}]
-
-EOF
-fi
-
-cat >>$root/conf/vhost-ssl.conf <<EOF
-</Location>
-
-EOF
-
proxycert="server"
if [ "$proxyconf" != "" ]; then
proxycert="proxy"
@@ -228,10 +144,6 @@ SSLCertificateChainFile "$root/cert/ca.crt"
SSLCertificateFile "$root/cert/server.crt"
SSLCertificateKeyFile "$root/cert/server.key"
-# Declare proxy SSL client certificates
-SSLProxyCACertificateFile "$root/cert/ca.crt"
-SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem"
-
EOF
cat >$root/conf/dvhost-ssl.conf <<EOF
@@ -251,8 +163,3 @@ SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem"
EOF
-# Configure user for HTTP fake basic auth
-cat >$root/conf/httpd.passwd <<EOF
-/C=US/ST=CA/L=San Francisco/O=$host/OU=server/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
-EOF
-
diff --git a/sca-cpp/trunk/modules/http/httpd-worker-conf b/sca-cpp/trunk/modules/http/httpd-worker-conf
new file mode 100755
index 0000000000..bb6bca4562
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/httpd-worker-conf
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Configure HTTPD to run with the worker MPM
+here=`readlink -f $0`; here=`dirname $here`
+mkdir -p $1
+root=`readlink -f $1`
+
+modules_prefix=`cat $here/httpd-modules.prefix`
+
+mkdir -p $root
+mkdir -p $root/conf
+cat >$root/conf/mpm.conf <<EOF
+# Generated by: httpd-worker-conf $*
+# Use HTTPD worker MPM
+LoadModule mpm_worker_module ${modules_prefix}/modules/mod_mpm_worker.so
+
+EOF
+
diff --git a/sca-cpp/trunk/modules/http/mod-ssltunnel.cpp b/sca-cpp/trunk/modules/http/mod-ssltunnel.cpp
index f5539ce785..d2c53b462e 100644
--- a/sca-cpp/trunk/modules/http/mod-ssltunnel.cpp
+++ b/sca-cpp/trunk/modules/http/mod-ssltunnel.cpp
@@ -111,55 +111,55 @@ int postConfig(apr_pool_t* p, unused apr_pool_t* plog, unused apr_pool_t* ptemp,
/**
* Close a connection.
*/
-extern "C" {
- AP_DECLARE(void) ap_lingering_close(conn_rec *c);
-}
-
-const int close(conn_rec* conn) {
+const int close(conn_rec* conn, apr_socket_t* csock) {
debug("modssltunnel::close");
- ap_lingering_close(conn);
+ apr_socket_close(csock);
+ conn->aborted = 1;
return OK;
}
/**
* Abort a connection.
*/
-const int abort(unused conn_rec* conn, const string& reason) {
+const int abort(conn_rec* conn, apr_socket_t* csock, const string& reason) {
debug("modssltunnel::abort");
+ apr_socket_close(csock);
+ conn->aborted = 1;
return httpd::reportStatus(mkfailure<int>(reason));
}
/**
* Tunnel traffic from a client connection to a target URL.
*/
-int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const string& preamble, const gc_pool& p, unused ap_filter_t* ifilter, ap_filter_t* ofilter) {
+int tunnel(conn_rec* conn, const string& ca, const string& cert, const string& key, const string& url, const string& preamble, const gc_pool& p, unused ap_filter_t* ifilter, ap_filter_t* ofilter) {
+
+ // Create input/output bucket brigades
+ apr_bucket_brigade* ib = apr_brigade_create(pool(p), conn->bucket_alloc);
+ apr_bucket_brigade* ob = apr_brigade_create(pool(p), conn->bucket_alloc);
// Get client connection socket
apr_socket_t* csock = (apr_socket_t*)ap_get_module_config(conn->conn_config, &core_module);
// Open connection to target
+ http::CURLSession cs(ca, cert, key);
const failable<bool> crc = http::connect(url, cs);
if (!hasContent(crc))
- return abort(conn, reason(crc));
+ return abort(conn, csock, reason(crc));
apr_socket_t* tsock = http::sock(cs);
- // Send preamble string
+ // Send preamble
if (length(preamble) != 0) {
- debug(preamble, "modssltunnel::tunnel::sendToTarget");
+ debug(preamble, "modssltunnel::tunnel::sendPreambleToTarget");
const failable<bool> src = http::send(c_str(preamble), length(preamble), cs);
if (!hasContent(src))
- return abort(conn, string("Couldn't send to target: ") + reason(src));
+ return abort(conn, csock, string("Couldn't send to target: ") + reason(src));
}
- // Create input/output bucket brigades
- apr_bucket_brigade* ib = apr_brigade_create(pool(p), conn->bucket_alloc);
- apr_bucket_brigade* ob = apr_brigade_create(pool(p), conn->bucket_alloc);
-
// Create a pollset for the client and target sockets
apr_pollset_t* pollset;
apr_status_t cprc = apr_pollset_create(&pollset, 2, pool(p), 0);
if (cprc != APR_SUCCESS)
- return abort(conn, http::apreason(cprc));
+ return abort(conn, csock, http::apreason(cprc));
const apr_pollfd_t* cpollfd = http::pollfd(csock, APR_POLLIN, p);
apr_pollset_add(pollset, cpollfd);
const apr_pollfd_t* tpollfd = http::pollfd(tsock, APR_POLLIN, p);
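Review bot: The new `close()` and `abort()` close the client socket with `apr_socket_close(csock)` and set `conn->aborted = 1` instead of going through `ap_lingering_close`, and neither doc comment says why; since the core still runs its own connection close on `conn` after the handler returns, the intent should be stated, e.g. `// Close the client socket directly and flag the connection as aborted so the core skips lingering close; NOTE(review): a second apr_socket_close on the same apr_socket_t is assumed to be harmless - confirm`. The return value of `apr_socket_close` is ignored in both functions; passing it through `debug` would help when diagnosing tunnels that do not tear down. The `http::CURLSession cs(ca, cert, key)` now lives on `tunnel`'s stack, so its lifetime is tied to the tunnel loop; the target-side socket returned by `http::sock(cs)` is presumably released by the session destructor rather than by `close()`, which is worth a comment since `close()` only touches `csock`. The body of `tunnel` continues past this hunk.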
@@ -176,7 +176,7 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin
// Receive buckets from client
const apr_status_t getrc = ap_get_brigade(conn->input_filters, ib, AP_MODE_READBYTES, APR_BLOCK_READ, HUGE_STRING_LEN);
if (getrc != APR_SUCCESS)
- return OK;
+ return abort(conn, csock, string("Couldn't receive from client"));
for (apr_bucket* bucket = APR_BRIGADE_FIRST(ib); bucket != APR_BRIGADE_SENTINEL(ib); bucket = APR_BUCKET_NEXT(bucket)) {
if (APR_BUCKET_IS_FLUSH(bucket))
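Review bot: Replacing `return OK` with `abort(conn, csock, ...)` on a failed `ap_get_brigade` turns a normal client disconnect into a reported failure, because `ap_get_brigade` typically returns `APR_EOF` once the client has closed its side; that case should take the same path as the EOS bucket a few lines below. The message also drops the status code even though the file already uses `http::apreason` for exactly this. Suggested: `if (getrc == APR_EOF) return close(conn, csock);` followed by `if (getrc != APR_SUCCESS) return abort(conn, csock, string("Couldn't receive from client: ") + http::apreason(getrc));`. The enclosing loop and `tunnel` body extend outside this hunk.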
@@ -184,7 +184,7 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin
// Client connection closed
if (APR_BUCKET_IS_EOS(bucket))
- return close(conn);
+ return close(conn, csock);
const char *data;
apr_size_t rl;
@@ -195,7 +195,7 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin
// Send to target
const failable<bool> src = http::send(data, rl, cs);
if (!hasContent(src))
- return abort(conn, string("Couldn't send to target: ") + reason(src));
+ return abort(conn, csock, string("Couldn't send to target: ") + reason(src));
}
}
apr_brigade_cleanup(ib);
@@ -205,18 +205,19 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin
char data[8192];
const failable<size_t> frl = http::recv(data, sizeof(data), cs);
if (!hasContent(frl))
- return abort(conn, string("Couldn't receive from target") + reason(frl));
+ return abort(conn, csock, string("Couldn't receive from target") + reason(frl));
const size_t rl = content(frl);
// Target connection closed
if (rl == 0)
- return close(conn);
+ return close(conn, csock);
// Send bucket to client
+ debug(string(data, rl), "modssltunnel::tunnel::sendToClient");
APR_BRIGADE_INSERT_TAIL(ob, apr_bucket_transient_create(data, rl, conn->bucket_alloc));
APR_BRIGADE_INSERT_TAIL(ob, apr_bucket_flush_create(conn->bucket_alloc));
if (ap_pass_brigade(ofilter, ob) != APR_SUCCESS)
- return abort(conn, "Couldn't send data bucket to client");
+ return abort(conn, csock, "Couldn't send data bucket to client");
apr_brigade_cleanup(ob);
}
}
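Review bot: The added `debug(string(data, rl), "modssltunnel::tunnel::sendToClient")` copies and logs every chunk relayed from the target to the client, up to 8192 bytes per iteration, which is both an allocation on the hot path and a record of the tunneled payload itself; if `debug` is active in non-debug builds this writes relayed traffic into the error log. Logging only the length keeps the diagnostic without the payload, `debug(rl, "modssltunnel::tunnel::sendToClient");`, assuming a numeric `debug` overload exists as the `pollcount` debug line later in the function suggests. The stack buffer `data` is wrapped in a transient bucket and flushed before the loop reuses it, which is what makes the transient bucket safe; a one-line comment on the `apr_bucket_transient_create` line saying so would help. The enclosing loop starts before this hunk.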
@@ -224,9 +225,9 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin
// Error
if (pollfds->rtnevents & (APR_POLLERR | APR_POLLHUP | APR_POLLNVAL)) {
if (pollfds->desc.s == csock)
- return abort(conn, "Couldn't receive from client");
+ return abort(conn, csock, "Couldn't receive from client");
else
- return abort(conn, "Couldn't receive from target");
+ return abort(conn, csock, "Couldn't receive from target");
}
}
@@ -234,12 +235,12 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin
debug("modssltunnel::tunnel::poll");
apr_status_t pollrc = apr_pollset_poll(pollset, -1, &pollcount, &pollfds);
if (pollrc != APR_SUCCESS)
- return abort(conn, "Couldn't poll sockets");
+ return abort(conn, csock, "Couldn't poll sockets");
debug(pollcount, "modssltunnel::tunnel::pollfds");
}
// Close client connection
- return close(conn);
+ return close(conn, csock);
}
/**
@@ -269,13 +270,10 @@ int processConnection(conn_rec *conn) {
return DECLINED;
debug(sc.pass, "modssltunnel::processConnection::pass");
- // Create the target connection
- http::CURLSession cs(sc.ca, sc.cert, sc.key);
-
// Run the tunnel
const string preamble = string("SSLTUNNEL ") + sc.path + string(" HTTP/1.1\r\nHost: ") + sc.host + string("\r\n\r\n");
debug(preamble, "modssltunnel::processConnection::preamble");
- return tunnel(conn, cs, sc.pass, preamble, gc_pool(conn->pool), connectionFilter(conn->input_filters), connectionFilter(conn->output_filters));
+ return tunnel(conn, sc.ca, sc.cert, sc.key, sc.pass, preamble, gc_pool(conn->pool), connectionFilter(conn->input_filters), connectionFilter(conn->output_filters));
}
/**
@@ -295,11 +293,8 @@ int handler(request_rec* r) {
const string url = string(cadr(path)) + ":" + caddr(path);
debug(url, "modssltunnel::handler::target");
- // Create the target connection
- http::CURLSession cs("", "", "");
-
// Run the tunnel
- return tunnel(r->connection, cs, url, "", gc_pool(r->pool), connectionFilter(r->proto_input_filters), connectionFilter(r->proto_output_filters));
+ return tunnel(r->connection, "", "", "", url, "", gc_pool(r->pool), connectionFilter(r->proto_input_filters), connectionFilter(r->proto_output_filters));
}
/**
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-conf b/sca-cpp/trunk/modules/http/proxy-ssl-conf
index 12340f9921..f5e2bfc4a4 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-conf
@@ -24,10 +24,16 @@ root=`readlink -f $1`
cat >>$root/conf/vhost-ssl.conf <<EOF
# Generated by: proxy-ssl-conf $*
-# Enable HTTPS proxy
+# Enable HTTPS reverse proxy
ProxyRequests Off
ProxyPreserveHost On
ProxyStatus On
+SSLProxyEngine on
+SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+
+# Verify server certificates
+SSLProxyVerify require
+SSLProxyVerifyDepth 1
# Enable load balancing
ProxyPass /balancer-manager !
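Review bot: The new `SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` explicitly re-enables LOW, EXP and eNULL (null-encryption) ciphers and SSLv2 for the proxy's outbound connections to balancer members, so `SSLProxyVerify require` authenticates the member while the hop may still negotiate weak or no encryption; the key-size check that httpd-ssl-conf applies to inbound connections has no equivalent here. A restrictive list such as `SSLProxyCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5` is the usual choice; the same permissive string appears on the inbound `SSLCipherSuite` line in httpd-ssl-conf, which this commit does not change. The `SSLProxyVerify require` line should also carry a comment that it only works once the `SSLProxyCACertificateFile` declared in the second hunk of this file is pulled in by the vhost includes.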
@@ -47,3 +53,20 @@ Require user admin
EOF
+cat >>$root/conf/svhost-ssl.conf <<EOF
+# Generated by: proxy-ssl-conf $*
+# Declare proxy SSL client certificates
+SSLProxyCACertificateFile "$root/cert/ca.crt"
+SSLProxyMachineCertificateFile "$root/cert/proxy.pem"
+
+EOF
+
+cat >>$root/conf/dvhost-ssl.conf <<EOF
+# Generated by: proxy-ssl-conf $*
+
+# Declare proxy SSL client certificates
+SSLProxyCACertificateFile "$root/cert/ca.crt"
+SSLProxyMachineCertificateFile "$root/cert/proxy.pem"
+
+EOF
+
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
index 3cc231a0a1..b6bf055ad8 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
@@ -25,7 +25,15 @@ root=`readlink -f $1`
host=$2
sslport=`$here/httpd-addr port $3`
-cat >>$root/conf/vhost-ssl.conf <<EOF
+cat >>$root/conf/svhost-ssl.conf <<EOF
+# Generated by: proxy-ssl-member-conf $*
+# Add proxy balancer member
+BalancerMember balancer://sslcluster https://$host:$sslport
+ProxyPassReverse / https://$host:$sslport/
+
+EOF
+
+cat >>$root/conf/dvhost-ssl.conf <<EOF
# Generated by: proxy-ssl-member-conf $*
# Add proxy balancer member
BalancerMember balancer://sslcluster https://$host:$sslport
diff --git a/sca-cpp/trunk/modules/http/vhost-conf b/sca-cpp/trunk/modules/http/vhost-conf
index a6d54fa32a..f45d448906 100755
--- a/sca-cpp/trunk/modules/http/vhost-conf
+++ b/sca-cpp/trunk/modules/http/vhost-conf
@@ -44,6 +44,21 @@ ServerAlias *.$host
VirtualDocumentRoot $htdocs/domains/%1/
Include conf/dvhost.conf
+
+# Allow access to document root
+<Directory "$htdocs">
+Options FollowSymLinks
+AuthType None
+Require all granted
+</Directory>
+
+# Allow access to root location
+<Location />
+Options FollowSymLinks
+AuthType None
+Require all granted
+</Location>
+
</VirtualHost>
EOF
diff --git a/sca-cpp/trunk/modules/http/vhost-ssl-conf b/sca-cpp/trunk/modules/http/vhost-ssl-conf
index 17434b9782..36b2a15412 100755
--- a/sca-cpp/trunk/modules/http/vhost-ssl-conf
+++ b/sca-cpp/trunk/modules/http/vhost-ssl-conf
@@ -38,16 +38,16 @@ htdocs=`readlink -f $htdocs`
cat >>$root/conf/httpd.conf <<EOF
# Generated by: vhost-ssl-conf $*
# Enable mass dynamic virtual hosting over HTTPS
-NameVirtualHost $sslvhost
SSLStrictSNIVHostCheck Off
+# HTTPS dynamic virtual host
+NameVirtualHost $sslvhost
<VirtualHost $sslvhost>
ServerName https://vhost.$host:$sslpport
ServerAlias *.$host
VirtualDocumentRoot $htdocs/domains/%1/
Include conf/dvhost-ssl.conf
-</VirtualHost>
-EOF
+</VirtualHost>