18 files changed, 296 insertions, 200 deletions
diff --git a/sca-cpp/trunk/modules/http/Makefile.am b/sca-cpp/trunk/modules/http/Makefile.am
index 08d7e1b49a..af8ab4d1c3 100644
--- a/sca-cpp/trunk/modules/http/Makefile.am
+++ b/sca-cpp/trunk/modules/http/Makefile.am
@@ -20,7 +20,7 @@ INCLUDES = -I${HTTPD_INCLUDE}
 incl_HEADERS = *.hpp
 incldir = $(prefix)/include/modules/http
-dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf form-auth-conf open-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf
+dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf cert-auth-conf form-auth-conf open-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf httpd-worker-conf httpd-event-conf
 moddir=$(prefix)/modules/http
 curl_test_SOURCES = curl-test.cpp
diff --git a/sca-cpp/trunk/modules/http/cert-auth-conf b/sca-cpp/trunk/modules/http/cert-auth-conf
new file mode 100755
index 0000000000..00494d99f2
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/cert-auth-conf
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Generate a minimal HTTPD certificate-based authentication configuration
+here=`readlink -f $0`; here=`dirname $here`
+mkdir -p $1
+root=`readlink -f $1`
+
+conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
+host=`echo $conf | awk '{ print $6 }'`
+
+httpd_prefix=`cat $here/httpd.prefix`
+
+# Generate authentication configuration
+cat >>$root/conf/auth.conf <<EOF
+# Generated by: cert-auth-conf $*
+# Require clients to present a valid client certificate
+SSLVerifyClient require
+SSLVerifyDepth 1
+
+<Location />
+AuthType Basic
+AuthName "$host"
+AuthBasicProvider file
+AuthUserFile "$root/conf/httpd.passwd"
+Require valid-user
+</Location>
+
+EOF
+
+# Create certificate-based users
+touch $root/conf/httpd.passwd
+cat >>$root/conf/httpd.passwd <<EOF
+/C=US/ST=CA/L=San Francisco/O=$host/OU=server/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
+/C=US/ST=CA/L=San Francisco/O=$host/OU=proxy/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
+/C=US/ST=CA/L=San Francisco/O=$host/OU=tunnel/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
+/C=US/ST=CA/L=San Francisco/O=localhost/OU=server/CN=localhost:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
+/C=US/ST=CA/L=San Francisco/O=localhost/OU=tunnel/CN=localhost:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
+EOF
+
diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf
index 79a85c0961..a77141af5f 100755
--- a/sca-cpp/trunk/modules/http/httpd-conf
+++ b/sca-cpp/trunk/modules/http/httpd-conf
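Review bot: The generated `<Location />` grants `Require valid-user` against a httpd.passwd that lists the proxy and tunnel DNs next to the server DNs, so a request arriving through the proxy or the tunnel is authorized on the strength of that infrastructure certificate and the originating client is never checked; if only end users are meant to pass, drop the OU=proxy/OU=tunnel entries or name the intended DNs with `Require user`. The fixed hash on every entry is the placeholder mod_ssl documents for `+FakeBasicAuth`, so this AuthUserFile is only sound where `SSLVerifyClient require` is in force — if basic-auth-conf points a plain-HTTP vhost at the same file those DNs become ordinary Basic credentials (basic-auth-conf is not in this diff, so confirm). Both heredocs append with `>>`, so every run adds a duplicate Location block and duplicate passwd entries; a guard such as `grep -q "cert-auth-conf" $root/conf/auth.conf && exit 0` at the top, or writing the passwd file with `>`, would make the script idempotent. `httpd_prefix` is read from httpd.prefix but never used.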
@@ -47,54 +47,11 @@ cat >$root/conf/httpd.conf <<EOF
 ServerName http://$host:$pport
 PidFile $root/logs/httpd.pid
-# Load a minimal set of modules, the load order is important
-# (e.g. load mod_headers before mod_rewrite, so its hooks execute
-# after mod_rewrite's hooks)
-LoadModule alias_module ${modules_prefix}/modules/mod_alias.so
-LoadModule authn_file_module ${modules_prefix}/modules/mod_authn_file.so
-LoadModule authn_core_module ${modules_prefix}/modules/mod_authn_core.so
-LoadModule authz_host_module ${modules_prefix}/modules/mod_authz_host.so
-LoadModule authz_groupfile_module ${modules_prefix}/modules/mod_authz_groupfile.so
-LoadModule authz_user_module ${modules_prefix}/modules/mod_authz_user.so
-LoadModule authz_core_module ${modules_prefix}/modules/mod_authz_core.so
-LoadModule auth_basic_module ${modules_prefix}/modules/mod_auth_basic.so
-LoadModule auth_digest_module ${modules_prefix}/modules/mod_auth_digest.so
-LoadModule auth_form_module ${modules_prefix}/modules/mod_auth_form.so
-LoadModule request_module ${modules_prefix}/modules/mod_request.so
-LoadModule deflate_module ${modules_prefix}/modules/mod_deflate.so
-LoadModule filter_module ${modules_prefix}/modules/mod_filter.so
-LoadModule proxy_module ${modules_prefix}/modules/mod_proxy.so
-L
-LoadModule proxy_connect_module ${modules_prefix}/modules/mod_proxy_connect.so
-LoadModule proxy_http_module ${modules_prefix}/modules/mod_proxy_http.so
-LoadModule proxy_balancer_module ${modules_prefix}/modules/mod_proxy_balancer.so
-LoadModule lbmethod_byrequests_module ${modules_prefix}/modules/mod_lbmethod_byrequests.so
-LoadModule headers_module ${modules_prefix}/modules/mod_headers.so
-LoadModule ssl_module ${modules_prefix}/modules/mod_ssl.so
-LoadModule socache_shmcb_module ${modules_prefix}/modules/mod_socache_shmcb.so
-LoadModule rewrite_module ${modules_prefix}/modules/mod_rewrite.so
-LoadModule mime_module ${modules_prefix}/modules/mod_mime.so
-LoadModule status_module ${modules_prefix}/modules/mod_status.so
-LoadModule asis_module ${modules_prefix}/modules/mod_asis.so
-LoadModule negotiation_module ${modules_prefix}/modules/mod_negotiation.so
-LoadModule dir_module ${modules_prefix}/modules/mod_dir.so
-LoadModule setenvif_module ${modules_prefix}/modules/mod_setenvif.so
-<IfModule !log_config_module>
-LoadModule log_config_module ${modules_prefix}/modules/mod_log_config.so
-</IfModule>
-LoadModule logio_module ${modules_prefix}/modules/mod_logio.so
-LoadModule usertrack_module ${modules_prefix}/modules/mod_usertrack.so
-LoadModule vhost_alias_module ${modules_prefix}/modules/mod_vhost_alias.so
-LoadModule cgi_module ${modules_prefix}/modules/mod_cgi.so
-LoadModule unixd_module ${modules_prefix}/modules/mod_unixd.so
-LoadModule session_module ${modules_prefix}/modules/mod_session.so
-#LoadModule session_crypto_module ${modules_prefix}/modules/mod_session_crypto.so
-LoadModule session_cookie_module ${modules_prefix}/modules/mod_session_cookie.so
-LoadModule slotmem_shm_module ${modules_prefix}/modules/mod_slotmem_shm.so
-LoadModule ratelimit_module ${modules_prefix}/modules/mod_ratelimit.so
-LoadModule reqtimeout_module ${modules_prefix}/modules/mod_reqtimeout.so
+# Load configured MPM
+Include conf/mpm.conf
-LoadModule mod_tuscany_ssltunnel $here/libmod_tuscany_ssltunnel.so
-LoadModule mod_tuscany_openauth $here/libmod_tuscany_openauth.so
+# Load required modules
+Include conf/modules.conf
 # Basic security precautions
 User $user
@@ -179,22 +136,98 @@ RewriteCond %{HTTP_HOST} !^$host [NC]
 RewriteRule .* http://$host:$pport%{REQUEST_URI} [R,L]
 Include conf/svhost.conf
+
+# Allow access to document root
+<Directory "$htdocs">
+Options FollowSymLinks
+AuthType None
+Require all granted
+</Directory>
+
+# Allow access to root location
+<Location />
+Options FollowSymLinks
+AuthType None
+Require all granted
+</Location>
+
 </VirtualHost>
 EOF
+# Run with the prefork MPM
+cat >$root/conf/mpm.conf <<EOF
+# Generated by: httpd-conf $*
+LoadModule mpm_prefork_module ${modules_prefix}/modules/mod_mpm_prefork.so
+
+EOF
+
+# Generate modules list
+cat >$root/conf/modules.conf <<EOF
+# Generated by: httpd-conf $*
+# Load a minimal set of modules, the load order is important
+# (e.g. load mod_headers before mod_rewrite, so its hooks execute
+# after mod_rewrite's hooks)
+LoadModule alias_module ${modules_prefix}/modules/mod_alias.so
+LoadModule authn_file_module ${modules_prefix}/modules/mod_authn_file.so
+LoadModule authn_core_module ${modules_prefix}/modules/mod_authn_core.so
+LoadModule authz_host_module ${modules_prefix}/modules/mod_authz_host.so
+LoadModule authz_groupfile_module ${modules_prefix}/modules/mod_authz_groupfile.so
+LoadModule authz_user_module ${modules_prefix}/modules/mod_authz_user.so
+LoadModule authz_core_module ${modules_prefix}/modules/mod_authz_core.so
+LoadModule auth_basic_module ${modules_prefix}/modules/mod_auth_basic.so
+LoadModule auth_digest_module ${modules_prefix}/modules/mod_auth_digest.so
+LoadModule auth_form_module ${modules_prefix}/modules/mod_auth_form.so
+LoadModule request_module ${modules_prefix}/modules/mod_request.so
+LoadModule deflate_module ${modules_prefix}/modules/mod_deflate.so
+LoadModule filter_module ${modules_prefix}/modules/mod_filter.so
+LoadModule proxy_module ${modules_prefix}/modules/mod_proxy.so
+LoadModule proxy_connect_module ${modules_prefix}/modules/mod_proxy_connect.so
+LoadModule proxy_http_module ${modules_prefix}/modules/mod_proxy_http.so
+LoadModule proxy_balancer_module ${modules_prefix}/modules/mod_proxy_balancer.so
+LoadModule lbmethod_byrequests_module ${modules_prefix}/modules/mod_lbmethod_byrequests.so
+LoadModule headers_module ${modules_prefix}/modules/mod_headers.so
+LoadModule ssl_module ${modules_prefix}/modules/mod_ssl.so
+LoadModule socache_shmcb_module ${modules_prefix}/modules/mod_socache_shmcb.so
+LoadModule rewrite_module ${modules_prefix}/modules/mod_rewrite.so
+LoadModule mime_module ${modules_prefix}/modules/mod_mime.so
+LoadModule status_module ${modules_prefix}/modules/mod_status.so
+LoadModule asis_module ${modules_prefix}/modules/mod_asis.so
+LoadModule negotiation_module ${modules_prefix}/modules/mod_negotiation.so
+LoadModule dir_module ${modules_prefix}/modules/mod_dir.so
+LoadModule setenvif_module ${modules_prefix}/modules/mod_setenvif.so
+<IfModule !log_config_module>
+LoadModule log_config_module ${modules_prefix}/modules/mod_log_config.so
+</IfModule>
+LoadModule logio_module ${modules_prefix}/modules/mod_logio.so
+LoadModule usertrack_module ${modules_prefix}/modules/mod_usertrack.so
+LoadModule vhost_alias_module ${modules_prefix}/modules/mod_vhost_alias.so
+LoadModule cgi_module ${modules_prefix}/modules/mod_cgi.so
+LoadModule unixd_module ${modules_prefix}/modules/mod_unixd.so
+LoadModule session_module ${modules_prefix}/modules/mod_session.so
+#LoadModule session_crypto_module ${modules_prefix}/modules/mod_session_crypto.so
+LoadModule session_cookie_module ${modules_prefix}/modules/mod_session_cookie.so
+LoadModule slotmem_shm_module ${modules_prefix}/modules/mod_slotmem_shm.so
+LoadModule ratelimit_module ${modules_prefix}/modules/mod_ratelimit.so
+LoadModule reqtimeout_module ${modules_prefix}/modules/mod_reqtimeout.so
+
+LoadModule mod_tuscany_ssltunnel $here/libmod_tuscany_ssltunnel.so
+LoadModule mod_tuscany_openauth $here/libmod_tuscany_openauth.so
+
+EOF
+
 # Generate auth configuration
 cat >$root/conf/auth.conf <<EOF
 # Generated by: httpd-conf $*
 # Authentication configuration
-# Allow access to document root
+# Allow authorized access to document root
 <Directory "$htdocs">
 Options FollowSymLinks
 Require all granted
 </Directory>
-# Allow access to root location
+# Allow authorized access to root location
 <Location />
 Options FollowSymLinks
 Require all granted
diff --git a/sca-cpp/trunk/samples/store-python/redirect b/sca-cpp/trunk/modules/http/httpd-event-conf
index f73b342bf8..58923d9dd9 100755
--- a/sca-cpp/trunk/samples/store-python/redirect
+++ b/sca-cpp/trunk/modules/http/httpd-event-conf
@@ -17,7 +17,19 @@
 # specific language governing permissions and limitations
 # under the License.
-# Redirect ports 80 and 443
-../../ubuntu/ip-redirect-all 80 8090
-../../ubuntu/ip-redirect-all 443 8453
+# Configure HTTPD to run with the event MPM
+here=`readlink -f $0`; here=`dirname $here`
+mkdir -p $1
+root=`readlink -f $1`
+
+modules_prefix=`cat $here/httpd-modules.prefix`
+
+mkdir -p $root
+mkdir -p $root/conf
+cat >$root/conf/mpm.conf <<EOF
+# Generated by: httpd-event-conf $*
+# Use HTTPD event MPM
+LoadModule mpm_event_module ${modules_prefix}/modules/mod_mpm_event.so
+
+EOF
diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf
index 94352ca344..0a73809fa5 100755
--- a/sca-cpp/trunk/modules/http/httpd-ssl-conf
+++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf
@@ -29,7 +29,7 @@ port=`$here/httpd-addr port $gport`
 pport=`$here/httpd-addr pport $gport`
 sslpport=`$here/httpd-addr pport $2`
-ssllisten=`$here/httpd-addr listen $2`
+sslport=`$here/httpd-addr listen $2`
 sslvhost=`$here/httpd-addr vhost $2`
 htdocs=`echo $conf | awk '{ print $8 }'`
@@ -56,7 +56,7 @@ SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 # Listen on HTTPS port
-Listen $ssllisten
+Listen $sslport
 # HTTPS virtual host
 <VirtualHost $sslvhost>
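Review bot: The new trailing `<Location />` with `AuthType None` and `Require all granted` is the last Location section merged for this vhost, so if conf/auth.conf (where cert-auth-conf, oauth-conf and openid-conf in this commit put their own `<Location />` with `AuthType`/`Require`) is Included at server scope or earlier in the vhost, its requirements are replaced here and the vhost becomes anonymous; where auth.conf is included is outside this hunk, so confirm the merge order or leave `AuthType` to auth.conf alone. The same sections are added to the dynamic vhost in the vhost-conf hunk. Separately, `cat >$root/conf/mpm.conf` and `cat >$root/conf/modules.conf` truncate, while java-conf, python-conf, cpp-conf, scheme-conf, oauth-conf, openid-conf and server-conf append to modules.conf with `>>` and httpd-worker-conf/httpd-event-conf overwrite mpm.conf, so httpd-conf must run first and re-running it silently discards their lines; a comment such as `# Must run before any *-conf script that appends to conf/modules.conf or replaces conf/mpm.conf` would make the ordering explicit. The httpd.conf heredoc this hunk ends starts before the hunk.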
@@ -73,9 +73,6 @@ Require user admin
 </VirtualHost>
-# Report extended server status
-ExtendedStatus On
-
 EOF
 # Generate HTTP vhost configuration
@@ -115,17 +112,11 @@ SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth
-# Verify client certificates
-SSLVerifyClient optional
-SSLVerifyDepth 1
-
-# Enable SSL proxy engine
-SSLProxyEngine on
-SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-
-# Verify server certificates
-SSLProxyVerify require
-SSLProxyVerifyDepth 1
+# Require clients to use SSL and authenticate
+<Location />
+SSLRequireSSL
+SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
+</Location>
 # Log SSL requests
 # [timestamp] [sslaccess] remote-host remote-ident remote-user SSL-protocol
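Review bot: `SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128` in the new `<Location />` is evaluated per request after the handshake, while the `SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` context line above still lets clients negotiate LOW, export and eNULL suites, so a weak session is fully established and only then answered with 403; removing those suites from SSLCipherSuite (for example `SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW`) enforces the same policy at the handshake, where it belongs. With `SSLVerifyClient optional` gone from this file, the `SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth` context line has no client certificate to work from unless cert-auth-conf is also run; a comment such as `# Client certificate verification is enabled by cert-auth-conf` would make that dependency visible. The vhost-ssl.conf heredoc continues outside the hunk.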
@@ -137,81 +128,6 @@ CustomLog $root/logs/ssl_access_log sslcombined
 EOF
-# Generate HTTPS authentication requirement
-cat >>$root/conf/vhost-ssl.conf <<EOF
-<Location />
-# Require clients to use SSL and authenticate
-SSLRequireSSL
-SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
-
-EOF
-
-proxyconf=`cat $root/conf/vhost.conf | grep "# Generated by: proxy-conf"`
-if [ "$proxyconf" != "" ]; then
- cat >>$root/conf/vhost-ssl.conf <<EOF
-# Forward received SSL client certificate info in proxied requests
-RewriteEngine on
-RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}]
-RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}]
-RewriteCond %{SSL:SSL_CLIENT_I_DN} !=""
-RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}]
-RewriteCond %{SSL:SSL_CLIENT_S_DN} !=""
-RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}]
-RewriteCond %{SSL:SSL_CLIENT_I_DN_O} !=""
-RewriteRule .* - [E=SSL_I_DN_O:%{SSL:SSL_CLIENT_I_DN_O}]
-RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} !=""
-RewriteRule .* - [E=SSL_S_DN_OU:%{SSL:SSL_CLIENT_S_DN_OU}]
-RequestHeader unset X-Forwarded-SSL-Protocol
-RequestHeader unset X-Forwarded-SSL-Cipher
-RequestHeader unset X-Forwarded-SSL-Issuer-DN
-RequestHeader unset X-Forwarded-SSL-Client-DN
-RequestHeader unset X-Forwarded-SSL-Issuer-DN-O
-RequestHeader unset X-Forwarded-SSL-Client-DN-OU
-RequestHeader set X-Forwarded-SSL-Protocol %{SSL_PROTOCOL}e env=SSL_PROTOCOL
-RequestHeader set X-Forwarded-SSL-Cipher %{SSL_CIPHER}e env=SSL_CIPHER
-RequestHeader set X-Forwarded-SSL-Issuer-DN %{SSL_I_DN}e env=SSL_I_DN
-RequestHeader set X-Forwarded-SSL-Client-DN %{SSL_S_DN}e env=SSL_S_DN
-RequestHeader set X-Forwarded-SSL-Issuer-DN-O %{SSL_I_DN_O}e env=SSL_I_DN_O
-RequestHeader set X-Forwarded-SSL-Client-DN-OU %{SSL_S_DN_OU}e env=SSL_S_DN_OU
-
-EOF
-else
- cat >>$root/conf/vhost-ssl.conf <<EOF
-
-# Record received SSL client certificate info in environment vars
-RewriteEngine on
-RewriteRule .* - [E=SSL_PROTOCOL:%{SSL:SSL_PROTOCOL}]
-RewriteRule .* - [E=SSL_CIPHER:%{SSL:SSL_CIPHER}]
-RewriteCond %{SSL:SSL_CLIENT_I_DN} !=""
-RewriteRule .* - [E=SSL_I_DN:%{SSL:SSL_CLIENT_I_DN}]
-RewriteCond %{SSL:SSL_CLIENT_S_DN} !=""
-RewriteRule .* - [E=SSL_S_DN:%{SSL:SSL_CLIENT_S_DN}]
-
-# Store the client certificate DN in the SSL_REMOTE_USER var,
-# that's similar to the SSLUserName directive but more flexible as
-# it can pick a client certificate DN forwarded by a proxy
-RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org"
-RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "server"
-RewriteRule .* - [E=SSL_REMOTE_USER:%{SSL:SSL_CLIENT_S_DN}]
-
-RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org"
-RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "tunnel"
-RewriteRule .* - [E=SSL_REMOTE_USER:%{SSL:SSL_CLIENT_S_DN}]
-
-RewriteCond %{SSL:SSL_CLIENT_I_DN_O} "$org"
-RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "proxy"
-RewriteCond %{HTTP:X-Forwarded-SSL-Issuer-DN-O} "$org"
-RewriteCond %{HTTP:X-Forwarded-SSL-Client-DN-OU} "server"
-RewriteRule .* - [E=SSL_REMOTE_USER:%{HTTP:X-Forwarded-SSL-Client-DN}]
-
-EOF
-fi
-
-cat >>$root/conf/vhost-ssl.conf <<EOF
-</Location>
-
-EOF
-
 proxycert="server"
 if [ "$proxyconf" != "" ]; then
 proxycert="proxy"
@@ -228,10 +144,6 @@ SSLCertificateChainFile "$root/cert/ca.crt"
 SSLCertificateFile "$root/cert/server.crt"
 SSLCertificateKeyFile "$root/cert/server.key"
-# Declare proxy SSL client certificates
-SSLProxyCACertificateFile "$root/cert/ca.crt"
-SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem"
-
 EOF
 cat >$root/conf/dvhost-ssl.conf <<EOF
@@ -251,8 +163,3 @@ SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem"
 EOF
-# Configure user for HTTP fake basic auth
-cat >$root/conf/httpd.passwd <<EOF
-/C=US/ST=CA/L=San Francisco/O=$host/OU=server/CN=$host:\$1\$OXLyS...\$Owx8s2/m9/gfkcRVXzgoE/
-EOF
-
diff --git a/sca-cpp/trunk/modules/http/httpd-worker-conf b/sca-cpp/trunk/modules/http/httpd-worker-conf
new file mode 100755
index 0000000000..bb6bca4562
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/httpd-worker-conf
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Configure HTTPD to run with the worker MPM
+here=`readlink -f $0`; here=`dirname $here`
+mkdir -p $1
+root=`readlink -f $1`
+
+modules_prefix=`cat $here/httpd-modules.prefix`
+
+mkdir -p $root
+mkdir -p $root/conf
+cat >$root/conf/mpm.conf <<EOF
+# Generated by: httpd-worker-conf $*
+# Use HTTPD worker MPM
+LoadModule mpm_worker_module ${modules_prefix}/modules/mod_mpm_worker.so
+
+EOF
+
diff --git a/sca-cpp/trunk/modules/http/mod-ssltunnel.cpp b/sca-cpp/trunk/modules/http/mod-ssltunnel.cpp
index f5539ce785..d2c53b462e 100644
--- a/sca-cpp/trunk/modules/http/mod-ssltunnel.cpp
+++ b/sca-cpp/trunk/modules/http/mod-ssltunnel.cpp
@@ -111,55 +111,55 @@ int postConfig(apr_pool_t* p, unused apr_pool_t* plog, unused apr_pool_t* ptemp,
 /**
 * Close a connection.
 */
-extern "C" {
- AP_DECLARE(void) ap_lingering_close(conn_rec *c);
-}
-
-const int close(conn_rec* conn) {
+const int close(conn_rec* conn, apr_socket_t* csock) {
 debug("modssltunnel::close");
- ap_lingering_close(conn);
+ apr_socket_close(csock);
+ conn->aborted = 1;
 return OK;
 }
 /**
 * Abort a connection.
 */
-const int abort(unused conn_rec* conn, const string& reason) {
+const int abort(conn_rec* conn, apr_socket_t* csock, const string& reason) {
 debug("modssltunnel::abort");
+ apr_socket_close(csock);
+ conn->aborted = 1;
 return httpd::reportStatus(mkfailure<int>(reason));
 }
 /**
 * Tunnel traffic from a client connection to a target URL.
 */
-int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const string& preamble, const gc_pool& p, unused ap_filter_t* ifilter, ap_filter_t* ofilter) {
+int tunnel(conn_rec* conn, const string& ca, const string& cert, const string& key, const string& url, const string& preamble, const gc_pool& p, unused ap_filter_t* ifilter, ap_filter_t* ofilter) {
+
+ // Create input/output bucket brigades
+ apr_bucket_brigade* ib = apr_brigade_create(pool(p), conn->bucket_alloc);
+ apr_bucket_brigade* ob = apr_brigade_create(pool(p), conn->bucket_alloc);
 // Get client connection socket
 apr_socket_t* csock = (apr_socket_t*)ap_get_module_config(conn->conn_config, &core_module);
 // Open connection to target
+ http::CURLSession cs(ca, cert, key);
 const failable<bool> crc = http::connect(url, cs);
 if (!hasContent(crc))
- return abort(conn, reason(crc));
+ return abort(conn, csock, reason(crc));
 apr_socket_t* tsock = http::sock(cs);
- // Send preamble string
+ // Send preamble
 if (length(preamble) != 0) {
- debug(preamble, "modssltunnel::tunnel::sendToTarget");
+ debug(preamble, "modssltunnel::tunnel::sendPreambleToTarget");
 const failable<bool> src = http::send(c_str(preamble), length(preamble), cs);
 if (!hasContent(src))
- return abort(conn, string("Couldn't send to target: ") + reason(src));
+ return abort(conn, csock, string("Couldn't send to target: ") + reason(src));
 }
- // Create input/output bucket brigades
- apr_bucket_brigade* ib = apr_brigade_create(pool(p), conn->bucket_alloc);
- apr_bucket_brigade* ob = apr_brigade_create(pool(p), conn->bucket_alloc);
-
 // Create a pollset for the client and target sockets
 apr_pollset_t* pollset;
 apr_status_t cprc = apr_pollset_create(&pollset, 2, pool(p), 0);
 if (cprc != APR_SUCCESS)
- return abort(conn, http::apreason(cprc));
+ return abort(conn, csock, http::apreason(cprc));
 const apr_pollfd_t* cpollfd = http::pollfd(csock, APR_POLLIN, p);
 apr_pollset_add(pollset, cpollfd);
 const apr_pollfd_t* tpollfd = http::pollfd(tsock, APR_POLLIN, p);
@@ -176,7 +176,7 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin
 // Receive buckets from client
 const apr_status_t getrc = ap_get_brigade(conn->input_filters, ib, AP_MODE_READBYTES, APR_BLOCK_READ, HUGE_STRING_LEN);
 if (getrc != APR_SUCCESS)
- return OK;
+ return abort(conn, csock, string("Couldn't receive from client"));
 for (apr_bucket* bucket = APR_BRIGADE_FIRST(ib); bucket != APR_BRIGADE_SENTINEL(ib); bucket = APR_BUCKET_NEXT(bucket)) {
 if (APR_BUCKET_IS_FLUSH(bucket))
@@ -184,7 +184,7 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin
 // Client connection closed
 if (APR_BUCKET_IS_EOS(bucket))
- return close(conn);
+ return close(conn, csock);
 const char *data;
 apr_size_t rl;
@@ -195,7 +195,7 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin
 // Send to target
 const failable<bool> src = http::send(data, rl, cs);
 if (!hasContent(src))
- return abort(conn, string("Couldn't send to target: ") + reason(src));
+ return abort(conn, csock, string("Couldn't send to target: ") + reason(src));
 }
 }
 apr_brigade_cleanup(ib);
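Review bot: `close()` and `abort()` now call `apr_socket_close(csock)` on the core module's socket and set `conn->aborted = 1` in place of `ap_lingering_close()`; on a TLS-fronted client connection that bypasses mod_ssl's output-filter shutdown, so the client sees a cut connection rather than a close_notify and cannot distinguish a completed tunnel from a truncated one — worth a comment on both functions, e.g. `// Hard-close the client socket; conn->aborted makes httpd skip its own lingering close`. `abort()` still returns the status from `httpd::reportStatus()` after the socket is gone, so on the request-handler path (handler(), in a later hunk) that status can no longer reach the client and only serves the log; say so there, or return OK once the failure is reported. In the `@@ -176` hunk a failed `ap_get_brigade()` now goes through `abort()` instead of `return OK`, so an orderly client close that the input filters report as an error status (APR_EOF, if that is how they surface it) is logged as "Couldn't receive from client"; checking for APR_EOF before calling abort() would keep the log meaningful. `tunnel()` continues past the end of these hunks.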
@@ -205,18 +205,19 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin
 char data[8192];
 const failable<size_t> frl = http::recv(data, sizeof(data), cs);
 if (!hasContent(frl))
- return abort(conn, string("Couldn't receive from target") + reason(frl));
+ return abort(conn, csock, string("Couldn't receive from target") + reason(frl));
 const size_t rl = content(frl);
 // Target connection closed
 if (rl == 0)
- return close(conn);
+ return close(conn, csock);
 // Send bucket to client
+ debug(string(data, rl), "modssltunnel::tunnel::sendToClient");
 APR_BRIGADE_INSERT_TAIL(ob, apr_bucket_transient_create(data, rl, conn->bucket_alloc));
 APR_BRIGADE_INSERT_TAIL(ob, apr_bucket_flush_create(conn->bucket_alloc));
 if (ap_pass_brigade(ofilter, ob) != APR_SUCCESS)
- return abort(conn, "Couldn't send data bucket to client");
+ return abort(conn, csock, "Couldn't send data bucket to client");
 apr_brigade_cleanup(ob);
 }
 }
@@ -224,9 +225,9 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin
 // Error
 if (pollfds->rtnevents & (APR_POLLERR | APR_POLLHUP | APR_POLLNVAL)) {
 if (pollfds->desc.s == csock)
- return abort(conn, "Couldn't receive from client");
+ return abort(conn, csock, "Couldn't receive from client");
 else
- return abort(conn, "Couldn't receive from target");
+ return abort(conn, csock, "Couldn't receive from target");
 }
 }
@@ -234,12 +235,12 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin
 debug("modssltunnel::tunnel::poll");
 apr_status_t pollrc = apr_pollset_poll(pollset, -1, &pollcount, &pollfds);
 if (pollrc != APR_SUCCESS)
- return abort(conn, "Couldn't poll sockets");
+ return abort(conn, csock, "Couldn't poll sockets");
 debug(pollcount, "modssltunnel::tunnel::pollfds");
 }
 // Close client connection
- return close(conn);
+ return close(conn, csock);
 }
 /**
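Review bot: The added `debug(string(data, rl), "modssltunnel::tunnel::sendToClient")` writes every chunk of the target-to-client payload (up to the 8192-byte `data` buffer per iteration) to the log; the tunnel carries arbitrary application traffic, so credentials, cookies and tokens passing through it would land in the error log in clear, and a busy tunnel turns the log into a copy of the stream. Logging the size instead, `debug(rl, "modssltunnel::tunnel::sendToClient");`, matches the existing `debug(pollcount, ...)` style and keeps the diagnostic value. Whether `debug()` is compiled out of release builds is not visible here, so the safer form costs nothing either way. `tunnel()` starts before this hunk.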
@@ -269,13 +270,10 @@ int processConnection(conn_rec *conn) {
 return DECLINED;
 debug(sc.pass, "modssltunnel::processConnection::pass");
- // Create the target connection
- http::CURLSession cs(sc.ca, sc.cert, sc.key);
-
 // Run the tunnel
 const string preamble = string("SSLTUNNEL ") + sc.path + string(" HTTP/1.1\r\nHost: ") + sc.host + string("\r\n\r\n");
 debug(preamble, "modssltunnel::processConnection::preamble");
- return tunnel(conn, cs, sc.pass, preamble, gc_pool(conn->pool), connectionFilter(conn->input_filters), connectionFilter(conn->output_filters));
+ return tunnel(conn, sc.ca, sc.cert, sc.key, sc.pass, preamble, gc_pool(conn->pool), connectionFilter(conn->input_filters), connectionFilter(conn->output_filters));
 }
 /**
@@ -295,11 +293,8 @@ int handler(request_rec* r) {
 const string url = string(cadr(path)) + ":" + caddr(path);
 debug(url, "modssltunnel::handler::target");
- // Create the target connection
- http::CURLSession cs("", "", "");
-
 // Run the tunnel
- return tunnel(r->connection, cs, url, "", gc_pool(r->pool), connectionFilter(r->proto_input_filters), connectionFilter(r->proto_output_filters));
+ return tunnel(r->connection, "", "", "", url, "", gc_pool(r->pool), connectionFilter(r->proto_input_filters), connectionFilter(r->proto_output_filters));
 }
 /**
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-conf b/sca-cpp/trunk/modules/http/proxy-ssl-conf
index 12340f9921..f5e2bfc4a4 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-conf
@@ -24,10 +24,16 @@ root=`readlink -f $1`
 cat >>$root/conf/vhost-ssl.conf <<EOF
 # Generated by: proxy-ssl-conf $*
-# Enable HTTPS proxy
+# Enable HTTPS reverse proxy
 ProxyRequests Off
 ProxyPreserveHost On
 ProxyStatus On
+SSLProxyEngine on
+SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+
+# Verify server certificates
+SSLProxyVerify require
+SSLProxyVerifyDepth 1
 # Enable load balancing
 ProxyPass /balancer-manager !
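Review bot: `SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` explicitly re-enables LOW, export, SSLv2 and eNULL suites on the proxy-to-backend hop, so `SSLProxyVerify require` authenticates the backend while the connection to it can still be negotiated down to export or null encryption if the backend offers those; a restrictive list such as `SSLProxyCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW` (example) keeps the hop as strong as the verified identity. `SSLProxyVerify require` goes into vhost-ssl.conf, but the `SSLProxyCACertificateFile` it needs is only written to svhost-ssl.conf and dvhost-ssl.conf in the next hunk, so a vhost that includes vhost-ssl.conf without one of those fails closed at verification — fine if intended, but a comment naming that dependency belongs next to the directive. The heredoc continues outside the hunk.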
@@ -47,3 +53,20 @@ Require user admin
 EOF
+cat >>$root/conf/svhost-ssl.conf <<EOF
+# Generated by: proxy-ssl-conf $*
+# Declare proxy SSL client certificates
+SSLProxyCACertificateFile "$root/cert/ca.crt"
+SSLProxyMachineCertificateFile "$root/cert/proxy.pem"
+
+EOF
+
+cat >>$root/conf/dvhost-ssl.conf <<EOF
+# Generated by: proxy-ssl-conf $*
+
+# Declare proxy SSL client certificates
+SSLProxyCACertificateFile "$root/cert/ca.crt"
+SSLProxyMachineCertificateFile "$root/cert/proxy.pem"
+
+EOF
+
diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
index 3cc231a0a1..b6bf055ad8 100755
--- a/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
+++ b/sca-cpp/trunk/modules/http/proxy-ssl-member-conf
@@ -25,7 +25,15 @@ root=`readlink -f $1`
 host=$2
 sslport=`$here/httpd-addr port $3`
-cat >>$root/conf/vhost-ssl.conf <<EOF
+cat >>$root/conf/svhost-ssl.conf <<EOF
+# Generated by: proxy-ssl-member-conf $*
+# Add proxy balancer member
+BalancerMember balancer://sslcluster https://$host:$sslport
+ProxyPassReverse / https://$host:$sslport/
+
+EOF
+
+cat >>$root/conf/dvhost-ssl.conf <<EOF
 # Generated by: proxy-ssl-member-conf $*
 # Add proxy balancer member
 BalancerMember balancer://sslcluster https://$host:$sslport
diff --git a/sca-cpp/trunk/modules/http/vhost-conf b/sca-cpp/trunk/modules/http/vhost-conf
index a6d54fa32a..f45d448906 100755
--- a/sca-cpp/trunk/modules/http/vhost-conf
+++ b/sca-cpp/trunk/modules/http/vhost-conf
@@ -44,6 +44,21 @@ ServerAlias *.$host
 VirtualDocumentRoot $htdocs/domains/%1/
 Include conf/dvhost.conf
+
+# Allow access to document root
+<Directory "$htdocs">
+Options FollowSymLinks
+AuthType None
+Require all granted
+</Directory>
+
+# Allow access to root location
+<Location />
+Options FollowSymLinks
+AuthType None
+Require all granted
+</Location>
+
 </VirtualHost>
 EOF
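Review bot: The `SSLProxyMachineCertificateFile "$root/cert/proxy.pem"` appended to dvhost-ssl.conf appears to sit beside the `SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem"` line that httpd-ssl-conf still writes to the same file (it is the `@@ -251` hunk header context of that file and is not removed), and since this commit also deletes the only assignment of `proxyconf` in httpd-ssl-conf, `proxycert` there is now always `server`; Apache honours the later declaration, so which client key the proxy presents depends on the order the scripts are run. Either remove the remaining `proxyconf`/`proxycert` logic and the dvhost declaration from httpd-ssl-conf, or make this block conditional on that file not already carrying one. The svhost and dvhost heredocs here are identical apart from a blank line; writing them in one `for f in svhost-ssl dvhost-ssl` loop would keep them from drifting. proxy.pem must hold the unencrypted client key, and nothing in this hunk restricts its mode — presumably the certificate generator does, but that is outside this diff.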
diff --git a/sca-cpp/trunk/modules/http/vhost-ssl-conf b/sca-cpp/trunk/modules/http/vhost-ssl-conf
index 17434b9782..36b2a15412 100755
--- a/sca-cpp/trunk/modules/http/vhost-ssl-conf
+++ b/sca-cpp/trunk/modules/http/vhost-ssl-conf
@@ -38,16 +38,16 @@ htdocs=`readlink -f $htdocs`
 cat >>$root/conf/httpd.conf <<EOF
 # Generated by: vhost-ssl-conf $*
 # Enable mass dynamic virtual hosting over HTTPS
-NameVirtualHost $sslvhost
 SSLStrictSNIVHostCheck Off
+# HTTPS dynamic virtual host
+NameVirtualHost $sslvhost
 <VirtualHost $sslvhost>
 ServerName https://vhost.$host:$sslpport
 ServerAlias *.$host
 VirtualDocumentRoot $htdocs/domains/%1/
 Include conf/dvhost-ssl.conf
-</VirtualHost>
-EOF
+</VirtualHost>
diff --git a/sca-cpp/trunk/modules/java/java-conf b/sca-cpp/trunk/modules/java/java-conf
index 0290c864e5..cf5faddb84 100755
--- a/sca-cpp/trunk/modules/java/java-conf
+++ b/sca-cpp/trunk/modules/java/java-conf
@@ -22,7 +22,7 @@ here=`readlink -f $0`; here=`dirname $here`
 mkdir -p $1
 root=`readlink -f $1`
-cat >>$root/conf/httpd.conf <<EOF
+cat >>$root/conf/modules.conf <<EOF
 # Generated by: java-conf $*
 # Support for Java SCA components
 LoadModule mod_tuscany_eval $here/libmod_tuscany_java.so
diff --git a/sca-cpp/trunk/modules/oauth/oauth-conf b/sca-cpp/trunk/modules/oauth/oauth-conf
index 4ac231a55b..dc3a6ebc9d 100755
--- a/sca-cpp/trunk/modules/oauth/oauth-conf
+++ b/sca-cpp/trunk/modules/oauth/oauth-conf
@@ -26,12 +26,16 @@ conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
 host=`echo $conf | awk '{ print $6 }'`
 # Configure HTTPD mod_tuscany_oauth module
-cat >>$root/conf/auth.conf <<EOF
+cat >>$root/conf/modules.conf <<EOF
 # Generated by: oauth-conf $*
 # Load support for OAuth authentication
 LoadModule mod_tuscany_oauth1 $here/libmod_tuscany_oauth1.so
 LoadModule mod_tuscany_oauth2 $here/libmod_tuscany_oauth2.so
+EOF
+
+cat >>$root/conf/auth.conf <<EOF
+# Generated by: oauth-conf $*
 # Enable OAuth authentication
 <Location />
 AuthType Open
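Review bot: As rendered, the vhost-ssl-conf hunk removes both `</VirtualHost>` and the `EOF` heredoc terminator and adds back only `</VirtualHost>`; unless `EOF` survives as trailing context not reproduced here, the heredoc now runs to the end of vhost-ssl-conf and the remainder of the script is appended to httpd.conf. The header counts (`-38,16 +38,16`) do not match the lines shown, so some context is probably missing — confirm the new side still closes the heredoc with `EOF`. `NameVirtualHost` is deprecated and ignored in httpd 2.4, which the mod_authz_core/mod_socache_shmcb module list in httpd-conf implies is the target, so the moved line could be dropped instead of relocated. The java-conf and oauth-conf hunks on this line only change the destination file and need no comment beyond the ordering dependency already noted for httpd-conf.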
diff --git a/sca-cpp/trunk/modules/openid/openid-conf b/sca-cpp/trunk/modules/openid/openid-conf
index 1d208784de..1a5739b5aa 100755
--- a/sca-cpp/trunk/modules/openid/openid-conf
+++ b/sca-cpp/trunk/modules/openid/openid-conf
@@ -27,11 +27,15 @@ host=`echo $conf | awk '{ print $6 }'`
 openid_prefix=`cat $here/openid.prefix`
 # Configure OpenID authentication
-cat >>$root/conf/auth.conf <<EOF
+cat >>$root/conf/modules.conf <<EOF
 # Generated by: openid-conf $*
 # Load support for OpenID authentication
 LoadModule authopenid_module $openid_prefix/modules/mod_auth_openid.so
+EOF
+
+cat >>$root/conf/auth.conf <<EOF
+# Generated by: openid-conf $*
 # Enable OpenID authentication
 <Location />
 AuthType Open
diff --git a/sca-cpp/trunk/modules/python/python-conf b/sca-cpp/trunk/modules/python/python-conf
index 4c0cf8b4ca..a5b45357fc 100755
--- a/sca-cpp/trunk/modules/python/python-conf
+++ b/sca-cpp/trunk/modules/python/python-conf
@@ -22,7 +22,7 @@ here=`readlink -f $0`; here=`dirname $here`
 mkdir -p $1
 root=`readlink -f $1`
-cat >>$root/conf/httpd.conf <<EOF
+cat >>$root/conf/modules.conf <<EOF
 # Generated by: python-conf $*
 # Support for Python SCA components
 LoadModule mod_tuscany_eval $here/libmod_tuscany_python.so
diff --git a/sca-cpp/trunk/modules/server/cpp-conf b/sca-cpp/trunk/modules/server/cpp-conf
index 62339bd4bc..086bb49d38 100755
--- a/sca-cpp/trunk/modules/server/cpp-conf
+++ b/sca-cpp/trunk/modules/server/cpp-conf
@@ -22,7 +22,7 @@ here=`readlink -f $0`; here=`dirname $here`
 mkdir -p $1
 root=`readlink -f $1`
-cat >>$root/conf/httpd.conf <<EOF
+cat >>$root/conf/modules.conf <<EOF
 # Generated by: cpp-conf $*
 # Support for C++ SCA components
 LoadModule mod_tuscany_eval $here/libmod_tuscany_eval.so
diff --git a/sca-cpp/trunk/modules/server/scheme-conf b/sca-cpp/trunk/modules/server/scheme-conf
index 454cab424b..cd3c82b280 100755
--- a/sca-cpp/trunk/modules/server/scheme-conf
+++ b/sca-cpp/trunk/modules/server/scheme-conf
@@ -22,7 +22,7 @@ here=`readlink -f $0`; here=`dirname $here`
 mkdir -p $1
 root=`readlink -f $1`
-cat >>$root/conf/httpd.conf <<EOF
+cat >>$root/conf/modules.conf <<EOF
 # Generated by: scheme-conf $*
 # Support for Scheme SCA components
 LoadModule mod_tuscany_eval $here/libmod_tuscany_eval.so
diff --git a/sca-cpp/trunk/modules/server/server-conf b/sca-cpp/trunk/modules/server/server-conf
index e790a147e0..5a77125463 100755
--- a/sca-cpp/trunk/modules/server/server-conf
+++ b/sca-cpp/trunk/modules/server/server-conf
@@ -41,11 +41,15 @@ if [ "$sslconf" != "" ]; then
 servername="https://$host:$sslpport"
 fi
-cat >>$root/conf/httpd.conf <<EOF
+cat >>$root/conf/modules.conf <<EOF
 # Generated by: server-conf $*
 # Support for SCA component wiring
 LoadModule mod_tuscany_wiring $here/libmod_tuscany_wiring.so
+EOF
+
+cat >>$root/conf/httpd.conf <<EOF
+# Generated by: server-conf $*
 # Route all wiring through the configured server name
 SCAWiringServerName $servername |