From 14f1ada7b2bb66c6c3dae496d3963e9af3f0ab38 Mon Sep 17 00:00:00 2001 
From: jsdelfino Date: Sun, 28 Nov 2010 07:17:11 +0000 Subject: Use different servers for cert-based and password-based auth and use event MPMs for tunnel and proxy servers. git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1039840 13f79535-47bb-0310-9956-ffa450edef68 --- sca-cpp/trunk/components/cache/memcached-ssl-test | 2 + sca-cpp/trunk/components/webservice/axis2-conf | 9 +- sca-cpp/trunk/modules/http/Makefile.am | 2 +- sca-cpp/trunk/modules/http/cert-auth-conf | 56 +++++++++ sca-cpp/trunk/modules/http/httpd-conf | 131 +++++++++++++-------- sca-cpp/trunk/modules/http/httpd-event-conf | 35 ++++++ sca-cpp/trunk/modules/http/httpd-ssl-conf | 107 ++--------------- sca-cpp/trunk/modules/http/httpd-worker-conf | 35 ++++++ sca-cpp/trunk/modules/http/mod-ssltunnel.cpp | 65 +++++----- sca-cpp/trunk/modules/http/proxy-ssl-conf | 25 +++- sca-cpp/trunk/modules/http/proxy-ssl-member-conf | 10 +- sca-cpp/trunk/modules/http/vhost-conf | 15 +++ sca-cpp/trunk/modules/http/vhost-ssl-conf | 6 +- sca-cpp/trunk/modules/java/java-conf | 2 +- sca-cpp/trunk/modules/oauth/oauth-conf | 6 +- sca-cpp/trunk/modules/openid/openid-conf | 6 +- sca-cpp/trunk/modules/python/python-conf | 2 +- sca-cpp/trunk/modules/server/cpp-conf | 2 +- sca-cpp/trunk/modules/server/scheme-conf | 2 +- sca-cpp/trunk/modules/server/server-conf | 6 +- sca-cpp/trunk/samples/store-cluster/proxy-conf | 1 + sca-cpp/trunk/samples/store-cluster/proxy-ssl-conf | 5 +- .../trunk/samples/store-cluster/server-ssl-conf | 6 +- sca-cpp/trunk/samples/store-cluster/server-test | 7 +- sca-cpp/trunk/samples/store-cluster/ssl-start | 42 +++---- sca-cpp/trunk/samples/store-cluster/start | 12 +- .../trunk/samples/store-cluster/tunnel-ssl-conf | 6 +- sca-cpp/trunk/samples/store-python/redirect | 23 ---- sca-cpp/trunk/samples/store-python/uec2-start | 2 +- sca-cpp/trunk/samples/store-vhost/uec2-start | 2 +- sca-cpp/trunk/ubuntu/ip-redirect | 6 +- sca-cpp/trunk/ubuntu/ip-redirect-all | 5 + sca-cpp/trunk/ubuntu/ubuntu-install-all | 2 
+- 33 files changed, 380 insertions(+), 263 deletions(-) create mode 100755 sca-cpp/trunk/modules/http/cert-auth-conf create mode 100755 sca-cpp/trunk/modules/http/httpd-event-conf create mode 100755 sca-cpp/trunk/modules/http/httpd-worker-conf delete mode 100755 sca-cpp/trunk/samples/store-python/redirect (limited to 'sca-cpp/trunk') diff --git a/sca-cpp/trunk/components/cache/memcached-ssl-test b/sca-cpp/trunk/components/cache/memcached-ssl-test index 7e55cfdee6..88143490f8 100755 --- a/sca-cpp/trunk/components/cache/memcached-ssl-test +++ b/sca-cpp/trunk/components/cache/memcached-ssl-test @@ -27,6 +27,7 @@ ./memcached-start 11413 ../../modules/http/httpd-conf tmp/tunnel localhost 8089 htdocs +../../modules/http/httpd-event-conf tmp/tunnel tar -C tmp/ssl -c `../../modules/http/ssl-cert-find tmp/ssl` | tar -C tmp/tunnel -x ../../modules/http/tunnel-ssl-conf tmp/tunnel 11211 localhost 8453 11411 ../../modules/http/tunnel-ssl-conf tmp/tunnel 11212 localhost 8453 11412 @@ -36,6 +37,7 @@ tar -C tmp/ssl -c `../../modules/http/ssl-cert-find tmp/ssl` | tar -C tmp/tunnel ../../modules/http/httpd-conf tmp/server localhost 8090 htdocs tar -C tmp/ssl -c `../../modules/http/ssl-cert-find tmp/ssl` | tar -C tmp/server -x ../../modules/http/httpd-ssl-conf tmp/server 8453 +../../modules/http/cert-auth-conf tmp/server ../../modules/http/httpd-start tmp/server sleep 1 diff --git a/sca-cpp/trunk/components/webservice/axis2-conf b/sca-cpp/trunk/components/webservice/axis2-conf index c11e6c50d5..af5d189b24 100755 --- a/sca-cpp/trunk/components/webservice/axis2-conf +++ b/sca-cpp/trunk/components/webservice/axis2-conf @@ -42,11 +42,17 @@ ln -f -s $here/services.xml $root/axis2c/services/tuscany/services.xml cp $here/axis2.xml $root/axis2c/axis2.xml # Configure HTTPD Axis2 module +cat >>$root/conf/modules.conf <>$root/conf/httpd.conf < EOF + diff --git a/sca-cpp/trunk/modules/http/Makefile.am b/sca-cpp/trunk/modules/http/Makefile.am index 08d7e1b49a..af8ab4d1c3 100644 
--- a/sca-cpp/trunk/modules/http/Makefile.am +++ b/sca-cpp/trunk/modules/http/Makefile.am @@ -20,7 +20,7 @@ INCLUDES = -I${HTTPD_INCLUDE} incl_HEADERS = *.hpp incldir = $(prefix)/include/modules/http -dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf form-auth-conf open-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf +dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf cert-auth-conf form-auth-conf open-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf httpd-worker-conf httpd-event-conf moddir=$(prefix)/modules/http curl_test_SOURCES = curl-test.cpp diff --git a/sca-cpp/trunk/modules/http/cert-auth-conf b/sca-cpp/trunk/modules/http/cert-auth-conf new file mode 100755 index 0000000000..00494d99f2 --- /dev/null +++ b/sca-cpp/trunk/modules/http/cert-auth-conf 
@@ -0,0 +1,56 @@ +#!/bin/sh + +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +# Generate a minimal HTTPD certificate-based authentication configuration +here=`readlink -f $0`; here=`dirname $here` +mkdir -p $1 +root=`readlink -f $1` + +conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"` +host=`echo $conf | awk '{ print $6 }'` + +httpd_prefix=`cat $here/httpd.prefix` + +# Generate authentication configuration +cat >>$root/conf/auth.conf < +AuthType Basic +AuthName "$host" +AuthBasicProvider file +AuthUserFile "$root/conf/httpd.passwd" +Require valid-user + + +EOF + +# Create certificate-based users +touch $root/conf/httpd.passwd +cat >>$root/conf/httpd.passwd <$root/conf/httpd.conf < -LoadModule log_config_module ${modules_prefix}/modules/mod_log_config.so - -LoadModule logio_module ${modules_prefix}/modules/mod_logio.so -LoadModule usertrack_module ${modules_prefix}/modules/mod_usertrack.so -LoadModule vhost_alias_module ${modules_prefix}/modules/mod_vhost_alias.so -LoadModule cgi_module ${modules_prefix}/modules/mod_cgi.so -LoadModule unixd_module ${modules_prefix}/modules/mod_unixd.so -LoadModule session_module ${modules_prefix}/modules/mod_session.so -#LoadModule session_crypto_module 
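Review bot: Nothing on the new side turns client-certificate verification on: this heredoc only shows the `AuthType Basic` / `AuthBasicProvider file` / `AuthUserFile` / `Require valid-user` directives, and httpd-ssl-conf's hunk `@@ -115,17 +112,11 @@` removes `SSLVerifyClient optional` and `SSLVerifyDepth 1` without replacing them. `SSLOptions +FakeBasicAuth` only yields a user name from a verified client certificate, so unless `SSLVerifyClient` sits in a part of the heredoc this rendering dropped (the container tags are missing too), `Require valid-user` will reject every request; the cert-auth block should carry `SSLVerifyClient require` and `SSLVerifyDepth 1` next to the Basic directives. Both `cat >>` appends also make the script non-idempotent — a second run adds a duplicate auth block and duplicate passwd entries — so guarding on a `# Generated by: cert-auth-conf` marker, like the `grep "# Generated by: httpd-conf"` this script already relies on, would be safer. `httpd.passwd` should be created with restrictive permissions, since with FakeBasicAuth every entry carries the fixed, documented password rather than a user secret.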
${modules_prefix}/modules/mod_session_crypto.so -LoadModule session_cookie_module ${modules_prefix}/modules/mod_session_cookie.so -LoadModule slotmem_shm_module ${modules_prefix}/modules/mod_slotmem_shm.so -LoadModule ratelimit_module ${modules_prefix}/modules/mod_ratelimit.so -LoadModule reqtimeout_module ${modules_prefix}/modules/mod_reqtimeout.so +# Load configured MPM +Include conf/mpm.conf -LoadModule mod_tuscany_ssltunnel $here/libmod_tuscany_ssltunnel.so -LoadModule mod_tuscany_openauth $here/libmod_tuscany_openauth.so +# Load required modules +Include conf/modules.conf # Basic security precautions User $user 
@@ -179,22 +136,98 @@ RewriteCond %{HTTP_HOST} !^$host [NC] RewriteRule .* http://$host:$pport%{REQUEST_URI} [R,L] Include conf/svhost.conf + +# Allow access to document root + +Options FollowSymLinks +AuthType None +Require all granted + + +# Allow access to root location + +Options FollowSymLinks +AuthType None +Require all granted + + EOF +# Run with the prefork MPM +cat >$root/conf/mpm.conf <$root/conf/modules.conf < +LoadModule log_config_module ${modules_prefix}/modules/mod_log_config.so + +LoadModule logio_module ${modules_prefix}/modules/mod_logio.so +LoadModule usertrack_module ${modules_prefix}/modules/mod_usertrack.so +LoadModule vhost_alias_module ${modules_prefix}/modules/mod_vhost_alias.so +LoadModule cgi_module ${modules_prefix}/modules/mod_cgi.so +LoadModule unixd_module ${modules_prefix}/modules/mod_unixd.so +LoadModule session_module ${modules_prefix}/modules/mod_session.so +#LoadModule session_crypto_module ${modules_prefix}/modules/mod_session_crypto.so +LoadModule session_cookie_module ${modules_prefix}/modules/mod_session_cookie.so +LoadModule slotmem_shm_module ${modules_prefix}/modules/mod_slotmem_shm.so +LoadModule ratelimit_module ${modules_prefix}/modules/mod_ratelimit.so +LoadModule reqtimeout_module ${modules_prefix}/modules/mod_reqtimeout.so + +LoadModule mod_tuscany_ssltunnel $here/libmod_tuscany_ssltunnel.so +LoadModule mod_tuscany_openauth $here/libmod_tuscany_openauth.so + +EOF + # Generate auth configuration cat >$root/conf/auth.conf < Options FollowSymLinks Require all granted -# Allow access to root location +# Allow authorized access to root location Options FollowSymLinks Require all granted diff --git a/sca-cpp/trunk/modules/http/httpd-event-conf b/sca-cpp/trunk/modules/http/httpd-event-conf new file mode 100755 index 0000000000..58923d9dd9 --- /dev/null +++ b/sca-cpp/trunk/modules/http/httpd-event-conf 
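Review bot: `LoadModule cgi_module ${modules_prefix}/modules/mod_cgi.so` is now written into modules.conf unconditionally while the MPM is chosen separately in mpm.conf (prefork here, event or worker when httpd-event-conf / httpd-worker-conf overwrite it). mod_cgi is the non-threaded-MPM CGI implementation; httpd's stock configuration loads it only under `<IfModule mpm_prefork_module>` and mod_cgid under `<IfModule !mpm_prefork_module>`. If the build (ubuntu-install-all now configures `--enable-mpms-shared="prefork worker event"`) also ships mod_cgid.so, wrapping the line the same way would keep CGI working on the event servers; otherwise a comment marking the line as prefork-only is worth adding. Since modules.conf is created with `>`, httpd-conf must also run before any of the module scripts that `>>` to it (java-conf, python-conf, oauth-conf, openid-conf in this commit) — a one-line comment stating that ordering constraint would help.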
@@ -0,0 +1,35 @@ +#!/bin/sh + +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +# Configure HTTPD to run with the event MPM +here=`readlink -f $0`; here=`dirname $here` +mkdir -p $1 +root=`readlink -f $1` + +modules_prefix=`cat $here/httpd-modules.prefix` + +mkdir -p $root +mkdir -p $root/conf +cat >$root/conf/mpm.conf < @@ -73,9 +73,6 @@ Require user admin -# Report extended server status -ExtendedStatus On - EOF # Generate HTTP vhost configuration @@ -115,17 +112,11 @@ SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth -# Verify client certificates -SSLVerifyClient optional -SSLVerifyDepth 1 - -# Enable SSL proxy engine -SSLProxyEngine on -SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL - -# Verify server certificates -SSLProxyVerify require -SSLProxyVerifyDepth 1 +# Require clients to use SSL and authenticate + +SSLRequireSSL +SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 + # Log SSL requests # [timestamp] [sslaccess] remote-host remote-ident remote-user SSL-protocol 
@@ -137,81 +128,6 @@ CustomLog $root/logs/ssl_access_log sslcombined EOF -# Generate HTTPS authentication requirement -cat >>$root/conf/vhost-ssl.conf < -# Require clients to use SSL and authenticate -SSLRequireSSL -SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 - -EOF - -proxyconf=`cat $root/conf/vhost.conf | grep "# Generated by: proxy-conf"` -if [ "$proxyconf" != "" ]; then - cat >>$root/conf/vhost-ssl.conf <>$root/conf/vhost-ssl.conf <>$root/conf/vhost-ssl.conf < - -EOF - proxycert="server" if [ "$proxyconf" != "" ]; then proxycert="proxy" 
@@ -228,10 +144,6 @@ SSLCertificateChainFile "$root/cert/ca.crt" SSLCertificateFile "$root/cert/server.crt" SSLCertificateKeyFile "$root/cert/server.key" -# Declare proxy SSL client certificates -SSLProxyCACertificateFile "$root/cert/ca.crt" -SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem" - EOF cat >$root/conf/dvhost-ssl.conf <$root/conf/httpd.passwd <$root/conf/mpm.conf <aborted = 1; return OK; } /** * Abort a connection. */ -const int abort(unused conn_rec* conn, const string& reason) { +const int abort(conn_rec* conn, apr_socket_t* csock, const string& reason) { debug("modssltunnel::abort"); + apr_socket_close(csock); + conn->aborted = 1; return httpd::reportStatus(mkfailure(reason)); } /** * Tunnel traffic from a client connection to a target URL. */ -int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const string& preamble, const gc_pool& p, unused ap_filter_t* ifilter, ap_filter_t* ofilter) { +int tunnel(conn_rec* conn, const string& ca, const string& cert, const string& key, const string& url, const string& preamble, const gc_pool& p, unused ap_filter_t* ifilter, ap_filter_t* ofilter) { + + // Create input/output bucket brigades + apr_bucket_brigade* ib = apr_brigade_create(pool(p), conn->bucket_alloc); + apr_bucket_brigade* ob = apr_brigade_create(pool(p), conn->bucket_alloc); // Get client connection socket apr_socket_t* csock = (apr_socket_t*)ap_get_module_config(conn->conn_config, &core_module); // Open connection to target + http::CURLSession cs(ca, cert, key); const failable crc = http::connect(url, cs); if (!hasContent(crc)) - return abort(conn, reason(crc)); + return abort(conn, csock, reason(crc)); apr_socket_t* tsock = http::sock(cs); - // Send preamble string + // Send preamble if (length(preamble) != 0) { - debug(preamble, "modssltunnel::tunnel::sendToTarget"); + debug(preamble, "modssltunnel::tunnel::sendPreambleToTarget"); const failable src = http::send(c_str(preamble), length(preamble), cs); if (!hasContent(src)) 
- return abort(conn, string("Couldn't send to target: ") + reason(src)); + return abort(conn, csock, string("Couldn't send to target: ") + reason(src)); } - // Create input/output bucket brigades - apr_bucket_brigade* ib = apr_brigade_create(pool(p), conn->bucket_alloc); - apr_bucket_brigade* ob = apr_brigade_create(pool(p), conn->bucket_alloc); - // Create a pollset for the client and target sockets apr_pollset_t* pollset; apr_status_t cprc = apr_pollset_create(&pollset, 2, pool(p), 0); if (cprc != APR_SUCCESS) - return abort(conn, http::apreason(cprc)); + return abort(conn, csock, http::apreason(cprc)); const apr_pollfd_t* cpollfd = http::pollfd(csock, APR_POLLIN, p); apr_pollset_add(pollset, cpollfd); const apr_pollfd_t* tpollfd = http::pollfd(tsock, APR_POLLIN, p); @@ -176,7 +176,7 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin // Receive buckets from client const apr_status_t getrc = ap_get_brigade(conn->input_filters, ib, AP_MODE_READBYTES, APR_BLOCK_READ, HUGE_STRING_LEN); if (getrc != APR_SUCCESS) - return OK; + return abort(conn, csock, string("Couldn't receive from client")); for (apr_bucket* bucket = APR_BRIGADE_FIRST(ib); bucket != APR_BRIGADE_SENTINEL(ib); bucket = APR_BUCKET_NEXT(bucket)) { if (APR_BUCKET_IS_FLUSH(bucket)) @@ -184,7 +184,7 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin // Client connection closed if (APR_BUCKET_IS_EOS(bucket)) - return close(conn); + return close(conn, csock); const char *data; apr_size_t rl; @@ -195,7 +195,7 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin // Send to target const failable src = http::send(data, rl, cs); if (!hasContent(src)) - return abort(conn, string("Couldn't send to target: ") + reason(src)); + return abort(conn, csock, string("Couldn't send to target: ") + reason(src)); } } apr_brigade_cleanup(ib); 
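Review bot: `abort()` now calls `apr_socket_close(csock)` on a socket the tunnel does not own — `csock` is fetched from the core module's connection config via `ap_get_module_config(conn->conn_config, &core_module)`, and httpd's core will still run its own close path on that `conn_rec` afterwards. Setting `conn->aborted = 1` is presumably what keeps that second pass from attempting a lingering shutdown, and as far as I recall APR's socket cleanup invalidates the descriptor rather than leaving it reusable, so this looks benign, but the one-line `/** Abort a connection. */` does not say so. Suggest `/** Abort a connection: closes the client socket and marks conn aborted so the core skips its normal close; the target side is released when the CURLSession in tunnel() goes out of scope. */`, and a matching note on `close()`, whose mangled first line in this hunk appears to set `aborted = 1` on a graceful close as well. The enclosing `tunnel()` body continues past the end of this hunk.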
@@ -205,18 +205,19 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin char data[8192]; const failable frl = http::recv(data, sizeof(data), cs); if (!hasContent(frl)) - return abort(conn, string("Couldn't receive from target") + reason(frl)); + return abort(conn, csock, string("Couldn't receive from target") + reason(frl)); const size_t rl = content(frl); // Target connection closed if (rl == 0) - return close(conn); + return close(conn, csock); // Send bucket to client + debug(string(data, rl), "modssltunnel::tunnel::sendToClient"); APR_BRIGADE_INSERT_TAIL(ob, apr_bucket_transient_create(data, rl, conn->bucket_alloc)); APR_BRIGADE_INSERT_TAIL(ob, apr_bucket_flush_create(conn->bucket_alloc)); if (ap_pass_brigade(ofilter, ob) != APR_SUCCESS) - return abort(conn, "Couldn't send data bucket to client"); + return abort(conn, csock, "Couldn't send data bucket to client"); apr_brigade_cleanup(ob); } } @@ -224,9 +225,9 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin // Error if (pollfds->rtnevents & (APR_POLLERR | APR_POLLHUP | APR_POLLNVAL)) { if (pollfds->desc.s == csock) - return abort(conn, "Couldn't receive from client"); + return abort(conn, csock, "Couldn't receive from client"); else - return abort(conn, "Couldn't receive from target"); + return abort(conn, csock, "Couldn't receive from target"); } } @@ -234,12 +235,12 @@ int tunnel(conn_rec* conn, http::CURLSession& cs, const string& url, const strin debug("modssltunnel::tunnel::poll"); apr_status_t pollrc = apr_pollset_poll(pollset, -1, &pollcount, &pollfds); if (pollrc != APR_SUCCESS) - return abort(conn, "Couldn't poll sockets"); + return abort(conn, csock, "Couldn't poll sockets"); debug(pollcount, "modssltunnel::tunnel::pollfds"); } // Close client connection - return close(conn); + return close(conn, csock); } /** 
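Review bot: The added `debug(string(data, rl), "modssltunnel::tunnel::sendToClient")` writes the entire payload received from the target into the log, and this module exists to carry other protocols' traffic (the memcached tunnel in memcached-ssl-test and the port 119/563 tunnel in ssl-start), which routinely includes credentials and session data. If `debug()` is active in any deployed build, the TLS-stripped plaintext ends up on disk; logging only the byte count, `debug(rl, "modssltunnel::tunnel::sendToClient");`, gives the same tracing value and matches how `debug(pollcount, "modssltunnel::tunnel::pollfds")` below already logs a number. The enclosing `tunnel()` body starts and ends outside this hunk.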
@@ -269,13 +270,10 @@ int processConnection(conn_rec *conn) { return DECLINED; debug(sc.pass, "modssltunnel::processConnection::pass"); - // Create the target connection - http::CURLSession cs(sc.ca, sc.cert, sc.key); - // Run the tunnel const string preamble = string("SSLTUNNEL ") + sc.path + string(" HTTP/1.1\r\nHost: ") + sc.host + string("\r\n\r\n"); debug(preamble, "modssltunnel::processConnection::preamble"); - return tunnel(conn, cs, sc.pass, preamble, gc_pool(conn->pool), connectionFilter(conn->input_filters), connectionFilter(conn->output_filters)); + return tunnel(conn, sc.ca, sc.cert, sc.key, sc.pass, preamble, gc_pool(conn->pool), connectionFilter(conn->input_filters), connectionFilter(conn->output_filters)); } /** @@ -295,11 +293,8 @@ int handler(request_rec* r) { const string url = string(cadr(path)) + ":" + caddr(path); debug(url, "modssltunnel::handler::target"); - // Create the target connection - http::CURLSession cs("", "", ""); - // Run the tunnel - return tunnel(r->connection, cs, url, "", gc_pool(r->pool), connectionFilter(r->proto_input_filters), connectionFilter(r->proto_output_filters)); + return tunnel(r->connection, "", "", "", url, "", gc_pool(r->pool), connectionFilter(r->proto_input_filters), connectionFilter(r->proto_output_filters)); } /** diff --git a/sca-cpp/trunk/modules/http/proxy-ssl-conf b/sca-cpp/trunk/modules/http/proxy-ssl-conf index 12340f9921..f5e2bfc4a4 100755 --- a/sca-cpp/trunk/modules/http/proxy-ssl-conf +++ b/sca-cpp/trunk/modules/http/proxy-ssl-conf @@ -24,10 +24,16 @@ root=`readlink -f $1` cat >>$root/conf/vhost-ssl.conf <>$root/conf/svhost-ssl.conf <>$root/conf/dvhost-ssl.conf <>$root/conf/vhost-ssl.conf <>$root/conf/svhost-ssl.conf <>$root/conf/dvhost-ssl.conf < +Options FollowSymLinks +AuthType None +Require all granted + + +# Allow access to root location + +Options FollowSymLinks +AuthType None +Require all granted + + EOF 
diff --git a/sca-cpp/trunk/modules/http/vhost-ssl-conf b/sca-cpp/trunk/modules/http/vhost-ssl-conf index 17434b9782..36b2a15412 100755 --- a/sca-cpp/trunk/modules/http/vhost-ssl-conf +++ b/sca-cpp/trunk/modules/http/vhost-ssl-conf @@ -38,16 +38,16 @@ htdocs=`readlink -f $htdocs` cat >>$root/conf/httpd.conf < ServerName https://vhost.$host:$sslpport ServerAlias *.$host VirtualDocumentRoot $htdocs/domains/%1/ Include conf/dvhost-ssl.conf - -EOF + diff --git a/sca-cpp/trunk/modules/java/java-conf b/sca-cpp/trunk/modules/java/java-conf index 0290c864e5..cf5faddb84 100755 --- a/sca-cpp/trunk/modules/java/java-conf +++ b/sca-cpp/trunk/modules/java/java-conf @@ -22,7 +22,7 @@ here=`readlink -f $0`; here=`dirname $here` mkdir -p $1 root=`readlink -f $1` -cat >>$root/conf/httpd.conf <>$root/conf/modules.conf <>$root/conf/auth.conf <>$root/conf/modules.conf <>$root/conf/auth.conf < AuthType Open diff --git a/sca-cpp/trunk/modules/openid/openid-conf b/sca-cpp/trunk/modules/openid/openid-conf index 1d208784de..1a5739b5aa 100755 --- a/sca-cpp/trunk/modules/openid/openid-conf +++ b/sca-cpp/trunk/modules/openid/openid-conf @@ -27,11 +27,15 @@ host=`echo $conf | awk '{ print $6 }'` openid_prefix=`cat $here/openid.prefix` # Configure OpenID authentication -cat >>$root/conf/auth.conf <>$root/conf/modules.conf <>$root/conf/auth.conf < AuthType Open diff --git a/sca-cpp/trunk/modules/python/python-conf b/sca-cpp/trunk/modules/python/python-conf index 4c0cf8b4ca..a5b45357fc 100755 --- a/sca-cpp/trunk/modules/python/python-conf +++ b/sca-cpp/trunk/modules/python/python-conf @@ -22,7 +22,7 @@ here=`readlink -f $0`; here=`dirname $here` mkdir -p $1 root=`readlink -f $1` -cat >>$root/conf/httpd.conf <>$root/conf/modules.conf <>$root/conf/httpd.conf <>$root/conf/modules.conf <>$root/conf/httpd.conf <>$root/conf/modules.conf <>$root/conf/httpd.conf <>$root/conf/modules.conf <>$root/conf/httpd.conf </dev/null >tmp/index.html diff tmp/index.html htdocs/domains/joe/index.html 
diff --git a/sca-cpp/trunk/samples/store-cluster/ssl-start b/sca-cpp/trunk/samples/store-cluster/ssl-start index 13a462bd49..f80bb075d6 100755 --- a/sca-cpp/trunk/samples/store-cluster/ssl-start +++ b/sca-cpp/trunk/samples/store-cluster/ssl-start @@ -19,15 +19,29 @@ set -x +# Redirect traffic from ports 80, 443 and 444 to proxy1 +sudo ../../ubuntu/ip-redirect-all 80 8090 +sudo ../../ubuntu/ip-redirect-all 443 8091 +sudo ../../ubuntu/ip-redirect-all 444 8092 + +# Redirect traffic from ports 80, 443 and 444 to proxy2 +#sudo ../../ubuntu/ip-redirect-all 80 8093 +#sudo ../../ubuntu/ip-redirect-all 443 8094 +#sudo ../../ubuntu/ip-redirect-all 444 8095 + +# Redirect traffic from ports 119 and 563 to tunnel +sudo ../../ubuntu/ip-redirect-all 119 8119 +sudo ../../ubuntu/ip-redirect-all 563 8563 + # Generate SSL certificates ../../modules/http/ssl-ca-conf tmp/ssl sca-store.com -../../modules/http/ssl-cert-conf tmp/ssl sca-store.com server +../../modules/http/ssl-cert-conf tmp/ssl localhost server ../../modules/http/ssl-cert-conf tmp/ssl *.sca-store.com vhost ../../modules/http/ssl-cert-conf tmp/ssl sca-store.com proxy -../../modules/http/ssl-cert-conf tmp/ssl sca-store.com tunnel +../../modules/http/ssl-cert-conf tmp/ssl localhost tunnel # Start an SSL tunnel -./tunnel-ssl-conf tmp/tunnel 8119 8563 +./tunnel-ssl-conf tmp/tunnel 8119/119 8563/563 ../../modules/http/httpd-start tmp/tunnel sleep 1 
@@ -74,20 +88,20 @@ sleep 1 ../../modules/http/httpd-start tmp/sqldb3 # Start three app servers -./server-ssl-conf tmp/server1 8101 8441 +./server-ssl-conf tmp/server1 8101/80 8441/443 ../../modules/http/httpd-start tmp/server1 sleep 1 -./server-ssl-conf tmp/server2 8102 8442 +./server-ssl-conf tmp/server2 8102/80 8442/443 ../../modules/http/httpd-start tmp/server2 sleep 1 -./server-ssl-conf tmp/server3 8103 8443 +./server-ssl-conf tmp/server3 8103/80 8443/443 ../../modules/http/httpd-start tmp/server3 sleep 1 # Start two proxy balancers -./proxy-ssl-conf tmp/proxy1 8091 8093 +./proxy-ssl-conf tmp/proxy1 8090/80 8091/443 ../../modules/http/proxy-member-conf tmp/proxy1 localhost 8101 ../../modules/http/proxy-ssl-member-conf tmp/proxy1 localhost 8441 ../../modules/http/proxy-member-conf tmp/proxy1 localhost 8102 @@ -96,7 +110,7 @@ sleep 1 ../../modules/http/proxy-ssl-member-conf tmp/proxy1 localhost 8443 ../../modules/http/httpd-start tmp/proxy1 -./proxy-ssl-conf tmp/proxy2 8092 8094 +./proxy-ssl-conf tmp/proxy2 8093/80 8094/443 ../../modules/http/proxy-member-conf tmp/proxy2 localhost 8101 ../../modules/http/proxy-ssl-member-conf tmp/proxy2 localhost 8441 ../../modules/http/proxy-member-conf tmp/proxy2 localhost 8102 @@ -105,15 +119,3 @@ sleep 1 ../../modules/http/proxy-ssl-member-conf tmp/proxy2 localhost 8443 ../../modules/http/httpd-start tmp/proxy2 -# Redirect traffic from ports 80 and 443 to proxy1 -#sudo ../../ubuntu/ip-redirect-all 80 8091 -#sudo ../../ubuntu/ip-redirect-all 443 8093 - -# Redirect traffic from ports 80 and 443 to proxy2 -#sudo ../../ubuntu/ip-redirect-all 80 8092 -#sudo ../../ubuntu/ip-redirect-all 443 8094 - -# Redirect traffic from ports 119 and 563 to tunnel -#sudo ../../ubuntu/ip-redirect-all 119 8119 -#sudo ../../ubuntu/ip-redirect-all 563 8563 - diff --git a/sca-cpp/trunk/samples/store-cluster/start b/sca-cpp/trunk/samples/store-cluster/start index 98293d3f98..67434d6a0e 100755 --- a/sca-cpp/trunk/samples/store-cluster/start 
+++ b/sca-cpp/trunk/samples/store-cluster/start @@ -19,6 +19,12 @@ set -x +# Redirect traffic from port 80 to proxy1 +sudo ../../ubuntu/ip-redirect-all 80 8090 + +# Redirect traffic from port 80 to proxy2 +#sudo ../../ubuntu/ip-redirect-all 80 8091 + # Start scribe logging ../../components/log/scribed-central-conf tmp/monitor ../../components/log/scribed-client-conf tmp/monitor localhost @@ -71,9 +77,3 @@ sleep 1 ../../modules/http/proxy-member-conf tmp/proxy2 localhost 8103 ../../modules/http/httpd-start tmp/proxy2 -# Redirect traffic from port 80 to proxy1 -#sudo ../../ubuntu/ip-redirect-all 80 8090 - -# Redirect traffic from port 80 to proxy2 -#sudo ../../ubuntu/ip-redirect-all 80 8091 - diff --git a/sca-cpp/trunk/samples/store-cluster/tunnel-ssl-conf b/sca-cpp/trunk/samples/store-cluster/tunnel-ssl-conf index ef3074691a..7a9a8ad305 100755 --- a/sca-cpp/trunk/samples/store-cluster/tunnel-ssl-conf +++ b/sca-cpp/trunk/samples/store-cluster/tunnel-ssl-conf @@ -24,7 +24,9 @@ sslport=$3 set -x # Configure an SSL-enabled tunnel server -../../modules/http/httpd-conf $root sca-store.com $port/119 $root/htdocs +../../modules/http/httpd-conf $root sca-store.com $port $root/htdocs +../../modules/http/httpd-event-conf $root tar -C tmp/ssl -c `../../modules/http/ssl-cert-find tmp/ssl` | tar -C $root -x -../../modules/http/httpd-ssl-conf $root $sslport/563 +../../modules/http/httpd-ssl-conf $root $sslport +../../modules/http/cert-auth-conf $root diff --git a/sca-cpp/trunk/samples/store-python/redirect b/sca-cpp/trunk/samples/store-python/redirect deleted file mode 100755 index f73b342bf8..0000000000 --- a/sca-cpp/trunk/samples/store-python/redirect +++ /dev/null 
@@ -1,23 +0,0 @@ -#!/bin/sh - -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. - -# Redirect ports 80 and 443 -../../ubuntu/ip-redirect-all 80 8090 -../../ubuntu/ip-redirect-all 443 8453 - diff --git a/sca-cpp/trunk/samples/store-python/uec2-start b/sca-cpp/trunk/samples/store-python/uec2-start index af98e1ac7f..84c170e596 100755 --- a/sca-cpp/trunk/samples/store-python/uec2-start +++ b/sca-cpp/trunk/samples/store-python/uec2-start @@ -24,7 +24,7 @@ else host="localhost" fi -# Ports 80, 443, 8090, 8453 need to be open +# Ports 80, 443, 444, 8090, 8453, 8454 need to be open sudo ../../ubuntu/ip-redirect-all 80 8090 sudo ../../ubuntu/ip-redirect-all 443 8453 diff --git a/sca-cpp/trunk/samples/store-vhost/uec2-start b/sca-cpp/trunk/samples/store-vhost/uec2-start index c4720cafd5..b8a267d617 100755 --- a/sca-cpp/trunk/samples/store-vhost/uec2-start +++ b/sca-cpp/trunk/samples/store-vhost/uec2-start @@ -25,7 +25,7 @@ else host="sca-store.com" fi -# Ports 80, 443, 8090, 8453 need to be open +# Ports 80, 443, 444, 8090, 8453, 8454 need to be open sudo ../../ubuntu/ip-redirect-all 80 8090 sudo ../../ubuntu/ip-redirect-all 443 8453 
diff --git a/sca-cpp/trunk/ubuntu/ip-redirect b/sca-cpp/trunk/ubuntu/ip-redirect index 93c60ccfb7..e78c63935b 100755 --- a/sca-cpp/trunk/ubuntu/ip-redirect +++ b/sca-cpp/trunk/ubuntu/ip-redirect @@ -26,8 +26,10 @@ tport=$2 dest=$3 # Redirect external incoming traffic -sudo /sbin/iptables -t nat -A PREROUTING --destination $dest -p tcp --dport $sport -j REDIRECT --to-port $tport +sudo /sbin/iptables -t nat -S PREROUTING | grep "\-d $dest/" | grep "\-p tcp" | grep "\-\-dport $sport" | grep "\-j REDIRECT" | sed "s/^-A/-D/" | awk -F "\t" '{ printf "sudo /sbin/iptables -t nat %s\n", $1 }' | /bin/sh +sudo /sbin/iptables -t nat -A PREROUTING --destination $dest -p tcp --dport $sport -j REDIRECT --to-ports $tport # Redirect local traffic as well -sudo /sbin/iptables -t nat -A OUTPUT --destination $dest -p tcp --dport $sport -j REDIRECT --to-port $tport +sudo /sbin/iptables -t nat -S OUTPUT | grep "\-d $dest/" | grep "\-p tcp" | grep "\-\-dport $sport" | grep "\-j REDIRECT" | sed "s/^-A/-D/" | awk -F "\t" '{ printf "sudo /sbin/iptables -t nat %s\n", $1 }' | /bin/sh +sudo /sbin/iptables -t nat -A OUTPUT --destination $dest -p tcp --dport $sport -j REDIRECT --to-ports $tport diff --git a/sca-cpp/trunk/ubuntu/ip-redirect-all b/sca-cpp/trunk/ubuntu/ip-redirect-all index aba5bc15ae..f796b0589e 100755 --- a/sca-cpp/trunk/ubuntu/ip-redirect-all +++ b/sca-cpp/trunk/ubuntu/ip-redirect-all 
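Review bot: The cleanup pipeline's `grep "\-\-dport $sport"` is a substring match, so with `sport=80` it also selects rules for `--dport 8090`, `--dport 8091`, … and the generated `-D` commands then delete unrelated redirects; the same filter appears twice here and twice in ip-redirect-all's hunk. Anchor the port token, e.g. `grep -w -e "--dport $sport"`, and since `$dest` is an IP whose dots are regex wildcards, use `grep -F -e "-d $dest/"` for the address filter. Feeding `iptables -S` output back through `sed`/`awk` into `/bin/sh` works but is fragile; a loop such as `sudo /sbin/iptables -t nat -S PREROUTING | grep … | sed 's/^-A/-D/' | while read -r rule; do sudo /sbin/iptables -t nat $rule; done` avoids the extra shell and the `awk -F "\t"` stage, which on tab-free `-S` output only passes `$1` through unchanged.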
@@ -22,5 +22,10 @@ here=`readlink -f $0`; here=`dirname $here` sport=$1 tport=$2 +# Cleanup existing rules +sudo /sbin/iptables -t nat -S PREROUTING | grep "\-p tcp" | grep "\-\-dport $sport" | grep "\-j REDIRECT" | sed "s/^-A/-D/" | awk -F "\t" '{ printf "sudo /sbin/iptables -t nat %s\n", $1 }' | /bin/sh +sudo /sbin/iptables -t nat -S OUTPUT | grep "\-p tcp" | grep "\-\-dport $sport" | grep "\-j REDIRECT" | sed "s/^-A/-D/" | awk -F "\t" '{ printf "sudo /sbin/iptables -t nat %s\n", $1 }' | /bin/sh + +# Redirect traffic /sbin/ifconfig | grep "inet addr:" | awk -F ":" '{ print $2 }' | awk '{ print $1 }' | xargs -i $here/ip-redirect $sport $tport {} diff --git a/sca-cpp/trunk/ubuntu/ubuntu-install-all b/sca-cpp/trunk/ubuntu/ubuntu-install-all index ab9244b30e..3cc582bc89 100755 --- a/sca-cpp/trunk/ubuntu/ubuntu-install-all +++ b/sca-cpp/trunk/ubuntu/ubuntu-install-all @@ -54,7 +54,7 @@ tar xzf httpd-2.3.8.tar.gz wget http://archive.apache.org/dist/httpd/httpd-2.3.8-deps.tar.gz tar xzf httpd-2.3.8-deps.tar.gz cd httpd-2.3.8 -./configure --enable-ssl --enable-proxy --enable-usertrack --enable-mods-shared=most --with-included-apr --with-expat=$build/expat-2.0.1-bin --with-mpm=prefork --prefix=$build/httpd-2.3.8-bin +./configure --enable-ssl --enable-proxy --enable-usertrack --enable-mods-shared=most --enable-mpms-shared="prefork worker event" --with-included-apr --with-expat=$build/expat-2.0.1-bin --with-mpm=prefork --prefix=$build/httpd-2.3.8-bin make make install if [ "$?" != "0" ]; then -- cgit v1.2.3