#!/bin/sh
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.

# Generate a minimal HTTPD SSL configuration
#
# Positional parameters (inferred from their use below):
#   $1 - server root directory; created if missing, must already hold
#        conf/httpd.conf (with the "# Generated by: httpd-conf" marker)
#        and cert/ca.crt
#   $2 - HTTPS address spec, handed to $here/httpd-addr for the
#        pport / listen / vhost lookups
# Side effects: appends to conf/httpd.conf, conf/svhost.conf and
# conf/dvhost.conf, and (re)writes conf/vhost-ssl.conf, conf/log-ssl.conf,
# conf/svhost-ssl.conf and conf/dvhost-ssl.conf under $root.
#
# NOTE(review): no `set -e`, and every expansion below is unquoted, so a
# root or htdocs path containing whitespace or glob characters is
# word-split. The `>>` appends are not idempotent -- rerunning the
# script duplicates the appended vhost stanzas.

# Resolve the directory holding this script (used to find httpd-addr).
# NOTE(review): $0 and $1 are spliced into Python source between single
# quotes; a path containing a quote or newline is executed as Python.
# The `print` statement form requires a Python 2 interpreter.
here=`echo "import os; print os.path.realpath('$0')" | python`; here=`dirname $here`
mkdir -p $1
root=`echo "import os; print os.path.realpath('$1')" | python`

# Pull the generator marker line out of httpd.conf; fields 6, 7 and 8 of
# that line are read as host, port and htdocs.
# NOTE(review): if the marker is missing, conf is empty and host/gport/
# htdocs become empty strings -- nothing below checks for that, so
# `mkdir -p $htdocs` is then called with no argument.
conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
host=`echo $conf | awk '{ print $6 }'`
gport=`echo $conf | awk '{ print $7 }'`
port=`$here/httpd-addr port $gport`
pport=`$here/httpd-addr pport $gport`
sslpport=`$here/httpd-addr pport $2`
sslport=`$here/httpd-addr listen $2`
sslvhost=`$here/httpd-addr vhost $2`
# Omit the ":port" suffix from redirect targets when HTTPS is on 443.
if [ "$sslpport" = "443" ]; then
    sslpportsuffix=""
else
    sslpportsuffix=":$sslpport"
fi
htdocs=`echo $conf | awk '{ print $8 }'`
mkdir -p $htdocs
htdocs=`echo "import os; print os.path.realpath('$htdocs')" | python`

# Extract organization name from our CA certificate
# (org is not referenced in the portion of the script visible here;
# presumably consumed further down -- confirm.)
org=`openssl x509 -noout -subject -nameopt multiline -in $root/cert/ca.crt | grep organizationName | awk -F "= " '{ print $2 }'`

# Generate HTTPD configuration
# NOTE(review): the here-doc operator and the <VirtualHost ...> open/close
# tags appear to have been lost in extraction here and in the stanzas
# below (`<` is followed directly by the stanza body); sslvhost and
# sslport, computed above but unused in the visible text, are presumably
# what those tags used. Left as found.
# Requests whose Host header is not $host are redirected to the
# canonical HTTPS name; [R] is a temporary (302) redirect, and no HSTS
# header is set anywhere in the configuration visible here.
cat >>$root/conf/httpd.conf <
ServerName https://$host$sslpportsuffix
RewriteEngine on
RewriteCond %{HTTP_HOST} !^$host [NC]
RewriteRule .* https://$host$sslpportsuffix%{REQUEST_URI} [R]
Include conf/svhost-ssl.conf
EOF

# Generate HTTP vhost configuration
# Both plain-HTTP vhosts bounce requests arriving on the listen port or
# the public port to HTTPS: svhost targets the fixed $host, dvhost
# targets the request's own SERVER_NAME.
cat >>$root/conf/svhost.conf <
RewriteEngine on
RewriteCond %{SERVER_PORT} ^$port$ [OR]
RewriteCond %{SERVER_PORT} ^$pport$
RewriteRule .* https://$host$sslpportsuffix%{REQUEST_URI} [R]
EOF
cat >>$root/conf/dvhost.conf <
RewriteEngine on
RewriteCond %{SERVER_PORT} ^$port$ [OR]
RewriteCond %{SERVER_PORT} ^$pport$
RewriteRule .* https://%{SERVER_NAME}$sslpportsuffix%{REQUEST_URI} [R]
EOF

# Generate HTTPS vhost configuration
# SECURITY(review): the SSLProxyCipherSuite string below explicitly
# re-enables +LOW, +SSLv2, +EXP and +eNULL (null encryption) for the
# proxy's backend connections, so the >= 128-bit SSLRequire enforced on
# the client-facing side does not carry through to the proxied hop.
# SSLProxyCheckPeerCN Off combined with SSLProxyVerify require means any
# certificate issued by the trusted CA (depth 1) is accepted for any
# backend, regardless of the hostname being connected to.
cat >$root/conf/vhost-ssl.conf <
SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
# Log SSL requests
# [timestamp] [sslaccess] remote-host remote-ident remote-user SSL-protocol
# SSL-cipher "request-line" status response-size "referrer" "user-agent"
# "SSL-client-I-DN" "SSL-client-S-DN" "user-track" local-IP virtual-host
# response-time bytes-received bytes-sent
LogFormat "[%{%a %b %d %H:%M:%S %Y}t] [sslaccess] %h %l %u %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" \"%{SSL_CLIENT_I_DN}x\" \"%{SSL_CLIENT_S_DN}x\" \"%{cookie}n\" %A %V %D %I %O" sslcombined
Include conf/log-ssl.conf
# Enable HTTPS reverse proxy
ProxyRequests Off
ProxyPreserveHost On
ProxyStatus On
SSLProxyEngine on
SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Verify server certificates
SSLProxyVerify require
SSLProxyVerifyDepth 1
SSLProxyCheckPeerCN Off
EOF

# Configure logging
# NOTE(review): the bodies of the log-ssl.conf, svhost-ssl.conf and
# dvhost-ssl.conf here-docs are missing from the text visible here (the
# three redirections run together on one line and the script is cut off
# after the last one). Left as found.
cat >$root/conf/log-ssl.conf <$root/conf/svhost-ssl.conf <$root/conf/dvhost-ssl.conf <