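#!/bin/sh
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.

# Generate a minimal HTTPD SSL configuration.
#
# Usage: gen-ssl-config root host sslport[/proxied-port] htdocs [vhost]
#   root    - HTTPD instance root; conf/ and logs/ live underneath it
#   host    - server host name
#   sslport - port HTTPD listens on for HTTPS; an optional "/port" suffix
#             names the port clients see (e.g. behind a proxy) and defaults
#             to the listen port
#   htdocs  - document root; virtual-host document roots are read from
#             htdocs/domains/<name>/
#   vhost   - the literal word "vhost" to also emit a mass dynamic
#             virtual hosting section
# Reads:  <script dir>/httpd.prefix (HTTPD install prefix), root/conf/ca.crt
# Writes: root/conf/httpd.conf (appended), root/conf/ssl-vhost.conf (replaced),
#         root/conf/httpd.passwd (replaced)
#
# NOTE(review): this file was recovered from a whitespace-collapsed copy in
# which every "<...>" span had been stripped, i.e. the heredoc operators and
# the Apache container directives (the <VirtualHost ...>, <Location ...> style
# lines and their closing tags).  Shell syntax and line structure are restored
# here; the lost Apache directives are marked with TODO(review) comments
# inside the heredocs and must be restored from the upstream file before the
# generated configuration is used.

set -eu

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[ $# -ge 4 ] || die "usage: ${0##*/} root host sslport[/proxied-port] htdocs [vhost]"

here=$(readlink -f "$0")
here=$(dirname "$here")
root=$(readlink -f "$1")
host=$2
# "$3" is "port" or "port/proxied-port"; take the first two "/"-separated
# fields, the second defaulting to the first.
sslport=${3%%/*}
sslpport=${3#*/}
sslpport=${sslpport%%/*}
if [ -z "$sslpport" ]; then
  sslpport=$sslport
fi
[ -n "$sslport" ] || die "sslport must not be empty"
htdocs=$(readlink -f "$4")
httpd_prefix=$(cat "$here/httpd.prefix")
vhost=${5-}

# Extract organization name from our CA certificate.  It is interpolated
# into the SSLRequire directive below, so an empty value would leave that
# directive comparing the client issuer against an empty string; fail early
# instead.
org=$(openssl x509 -noout -subject -nameopt multiline -in "$root/conf/ca.crt" \
  | grep organizationName | awk -F "= " '{ print $2 }')
[ -n "$org" ] || die "cannot read organizationName from $root/conf/ca.crt"

# Generate HTTPD configuration.  The heredoc is unquoted on purpose: $root,
# $host and the port variables are expanded, while Apache's %{...} variables
# and the \" escapes are passed through untouched.
cat >>"$root/conf/httpd.conf" <<EOF

# TODO(review): the container directive that enclosed the rewrite rules
# below (and its closing tag) was lost in extraction; restore from upstream.
# Redirect plain HTTP requests to the HTTPS port
RewriteEngine on
RewriteCond %{SERVER_PORT} !^$sslpport$
RewriteRule .* https://%{SERVER_NAME}:$sslpport%{REQUEST_URI} [R,L]

# Setup SSL support
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:$root/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:$root/logs/ssl_mutex"
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

# Setup HTTPS virtual hosts
Listen $sslport
# TODO(review): the <VirtualHost ...> container for port $sslport and its
# closing tag were lost in extraction; restore from upstream.
SSLCACertificateFile "$root/conf/ca.crt"
SSLCertificateFile "$root/conf/server.crt"
SSLCertificateKeyFile "$root/conf/server.key"
ServerName https://$host:$sslpport
UseCanonicalName Off

# Enable SSL
Include conf/ssl-vhost.conf

# Allow the server admin to view the server status
# TODO(review): the <Location ...> container around the server-status
# directives and its closing tag were lost in extraction; restore from
# upstream.  Without it the Deny/Allow lines apply server-wide.
SetHandler server-status
HostnameLookups on
Deny from All
Allow from localhost
Allow from $host
Require user admin

# Report extended server status
ExtendedStatus On

# Route all wiring through HTTPS
SCAWiringServerName https://$host:$sslpport
EOF

# Generate VirtualHost SSL configuration (shared by every HTTPS vhost).
cat >"$root/conf/ssl-vhost.conf" <<EOF
# TODO(review): every directive preceding the LogFormat line was lost in
# extraction (only the tail of the format string survived); the prefix below
# is the standard "combined" format and must be checked against upstream.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" sslcombined
CustomLog $root/logs/ssl_access_log sslcombined
LogLevel warn

# Require clients to present either:
#   a certificate signed with our certification authority certificate
#   or a userid + password for HTTP basic authentication
Satisfy Any
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +FakeBasicAuth
SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 and %{SSL_CLIENT_I_DN_O} == "$org"
AuthType Basic
AuthName "$host"
AuthUserFile "$root/conf/httpd.passwd"
Require valid-user
EOF

# Generate mass dynamic virtual hosting configuration
if [ "$vhost" = "vhost" ]; then
  cat >>"$root/conf/httpd.conf" <<EOF

# TODO(review): the <VirtualHost ...> container for the wildcard vhost and
# its closing tag were lost in extraction; restore from upstream.
ServerName https://vhost.$host:$sslpport
ServerAlias *.$host
UseCanonicalName Off
VirtualDocumentRoot $htdocs/domains/%1/

# Enable SSL
SSLCACertificateFile "$root/conf/ca.crt"
SSLCertificateFile "$root/conf/vhost.crt"
SSLCertificateKeyFile "$root/conf/vhost.key"
Include conf/ssl-vhost.conf
EOF
fi

# Create test users for HTTP basic authentication.  These are fixed,
# well-known test credentials; -b passes the password on the command line,
# and -c on the first call recreates the password file from scratch.  Only
# htpasswd's informational stderr chatter is discarded; under "set -e" a
# failing htpasswd still aborts the script.
htpasswd=$httpd_prefix/bin/htpasswd
[ -x "$htpasswd" ] || die "htpasswd not found at $htpasswd"
"$htpasswd" -bc "$root/conf/httpd.passwd" test test 2>/dev/null
"$htpasswd" -b "$root/conf/httpd.passwd" admin admin 2>/dev/null
"$htpasswd" -b "$root/conf/httpd.passwd" foo foo 2>/dev/null
"$htpasswd" -b "$root/conf/httpd.passwd" bar bar 2>/dev/null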