Add configuration and script to enable mod-security 2.6.0.

git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1135046 13f79535-47bb-0310-9956-ffa450edef68
2011-06-13 07:57:06 +00:00 · 2011-06-13 07:57:06 +00:00 · eb7ad1a024
commit eb7ad1a024
parent c53f08af43
13 changed files with 466 additions and 20 deletions
--- a/sca-cpp/trunk/configure.ac
+++ b/sca-cpp/trunk/configure.ac
@ -507,7 +507,7 @@ if test "${want_openid}" = "true"; then

  # Configure path to mod-auth-openid
  AC_MSG_CHECKING([for mod-auth-openid])
-  AC_ARG_WITH([mod-auth-openid], [AC_HELP_STRING([--with-mod-auth-openid=PATH], [path to installed mod-auth-openid [default=/usr]])], [
+  AC_ARG_WITH([mod-auth-openid], [AC_HELP_STRING([--with-mod-auth-openid=PATH], [path to installed mod-auth-openid [default=/usr/local]])], [
    MODAUTHOPENID_PREFIX="${withval}"
    AC_MSG_RESULT("${withval}")
  ], [
@ -561,6 +561,39 @@ else
  AM_CONDITIONAL([WANT_OAUTH], false)
 fi

+# Enable support for modsecurity.
+AC_MSG_CHECKING([whether to enable mod-security support])
+AC_ARG_ENABLE(mod-security, [AS_HELP_STRING([--enable-mod-security], [enable mod-security support [default=no]])],
+[ case "${enableval}" in
+  no)
+    AC_MSG_RESULT(no)
+    ;;
+  *)
+    AC_MSG_RESULT(yes)
+    want_modsecurity=true
+    ;;
+  esac ],
+[ AC_MSG_RESULT(no)])
+if test "${want_modsecurity}" = "true"; then
+
+  # Configure path to mod-security
+  AC_MSG_CHECKING([for mod-security])
+  AC_ARG_WITH([mod-security], [AC_HELP_STRING([--with-mod-security=PATH], [path to installed mod-security [default=/usr/local]])], [
+    MODSECURITY_PREFIX="${withval}"
+    AC_MSG_RESULT("${withval}")
+  ], [
+    MODSECURITY_PREFIX="/usr/local/"
+    AC_MSG_RESULT(/usr/local)
+  ])
+  AC_SUBST(MODSECURITY_PREFIX)
+
+  AM_CONDITIONAL([WANT_MODSECURITY], true)
+  AC_DEFINE([WANT_MODSECURITY], 1, [enable mod-security support])
+
+else
+  AM_CONDITIONAL([WANT_MODSECURITY], false)
+fi
+
 # Enable support for Google AppEngine.
 AC_MSG_CHECKING([whether to enable Google AppEngine support])
 AC_ARG_ENABLE(gae, [AS_HELP_STRING([--enable-gae], [enable Google AppEngine support [default=no]])],
--- a/sca-cpp/trunk/modules/edit/ssl-start
+++ b/sca-cpp/trunk/modules/edit/ssl-start
@ -38,6 +38,10 @@ jsprefix=`readlink -f $here/../js`
 ../../modules/http/open-auth-conf tmp
 ../../modules/http/passwd-auth-conf tmp john john
 ../../modules/http/passwd-auth-conf tmp jane jane
+../../modules/http/passwd-auth-conf tmp admin admin
+
+# Configure mod-security
+../../modules/http/mod-security-conf tmp

 # Configure Python component support
 ../../modules/server/server-conf tmp
--- a/sca-cpp/trunk/modules/http/Makefile.am
+++ b/sca-cpp/trunk/modules/http/Makefile.am
@ -21,7 +21,7 @@ incl_HEADERS = *.hpp
 incldir = $(prefix)/include/modules/http

 dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf cert-auth-conf form-auth-conf open-auth-conf passwd-auth-conf group-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf httpd-worker-conf httpd-event-conf
-moddir=$(prefix)/modules/http
+moddir = $(prefix)/modules/http

 curl_test_SOURCES = curl-test.cpp
 curl_test_LDFLAGS = -lxml2 -lcurl -lmozjs
@ -59,6 +59,17 @@ httpd-modules.prefix: $(top_builddir)/config.status
 curl.prefix: $(top_builddir)/config.status
 	echo ${CURL_PREFIX} >curl.prefix

+if WANT_MODSECURITY
+
+modsecurity.prefix: $(top_builddir)/config.status
+	echo ${MODSECURITY_PREFIX} >modsecurity.prefix
+
+dist_modsecurity_SCRIPTS = mod-security-conf
+modsecurity_DATA = modsecurity.prefix
+modsecuritydir = $(prefix)/modules/http
+
+endif
+
 dist_noinst_SCRIPTS = httpd-test http-test proxy-test
 noinst_PROGRAMS = curl-test curl-get curl-connect
 TESTS = httpd-test http-test proxy-test
--- a/sca-cpp/trunk/modules/http/httpd-conf
+++ b/sca-cpp/trunk/modules/http/httpd-conf
@ -61,6 +61,7 @@ Group $group
 ServerSignature Off
 ServerTokens Prod
 Timeout 45
+RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
 LimitRequestBody 1048576
 HostNameLookups Off

@ -132,6 +133,12 @@ SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
 Header append Vary User-Agent env=!dont-vary
 </Location>

+# Enable per client bandwidth rate limt
+<Location />
+SetOutputFilter RATE_LIMIT
+SetEnv rate-limit 400 
+</Location>
+
 # Listen on HTTP port
 Listen $listen

@ -200,10 +207,12 @@ LoadModule socache_shmcb_module ${modules_prefix}/modules/mod_socache_shmcb.so
 LoadModule rewrite_module ${modules_prefix}/modules/mod_rewrite.so
 LoadModule mime_module ${modules_prefix}/modules/mod_mime.so
 LoadModule status_module ${modules_prefix}/modules/mod_status.so
+LoadModule info_module ${modules_prefix}/modules/mod_info.so
 LoadModule asis_module ${modules_prefix}/modules/mod_asis.so
 LoadModule negotiation_module ${modules_prefix}/modules/mod_negotiation.so
 LoadModule dir_module ${modules_prefix}/modules/mod_dir.so
 LoadModule setenvif_module ${modules_prefix}/modules/mod_setenvif.so
+LoadModule env_module ${modules_prefix}/modules/mod_env.so
 <IfModule !log_config_module>
 LoadModule log_config_module ${modules_prefix}/modules/mod_log_config.so
 </IfModule>
--- a/sca-cpp/trunk/modules/http/httpd-ssl-conf
+++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf
@ -69,6 +69,11 @@ HostnameLookups on
 Require user admin
 </Location>

+<Location /server-info>
+SetHandler server-info
+HostnameLookups on
+Require user admin
+</Location>
 </VirtualHost>

 EOF
--- a/sca-cpp/trunk/modules/http/mod-security-conf
+++ b/sca-cpp/trunk/modules/http/mod-security-conf
@ -0,0 +1,190 @@
+#!/bin/sh
+
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#  
+#    http://www.apache.org/licenses/LICENSE-2.0
+#    
+#  Unless required by applicable law or agreed to in writing,
+#  software distributed under the License is distributed on an
+#  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#  KIND, either express or implied.  See the License for the
+#  specific language governing permissions and limitations
+#  under the License.
+
+# Generate a minimal mod-security configuration.
+here=`readlink -f $0`; here=`dirname $here`
+mkdir -p $1
+root=`readlink -f $1`
+
+modules_prefix=`cat $here/httpd-modules.prefix`
+modsecurity_prefix=`cat $here/modsecurity.prefix`
+
+mkdir -p $root/tmp
+
+cat >>$root/conf/modules.conf <<EOF
+# Generated by: mod-security-conf $*
+# Load support for mod-security
+LoadModule unique_id_module ${modules_prefix}/modules/mod_unique_id.so
+LoadModule security2_module $modsecurity_prefix/lib/mod_security2.so
+
+EOF
+
+cat >>$root/conf/httpd.conf <<EOF
+# Generated by: mod-security-conf $*
+# Enable mod-security
+Include conf/mod-security.conf
+
+EOF
+
+cat >$root/conf/mod-security.conf <<EOF
+# Generated by: mod-security-conf $*
+# Enable mod-security rules
+SecRuleEngine On
+SecDefaultAction "phase:2,pass,log"
+
+#SecDebugLog $root/logs//modsec_debug_log
+#SecDebugLogLevel 3
+
+# Allow mod-security to access request bodies
+SecRequestBodyAccess On
+SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+SecRule REQUEST_HEADERS:Content-Type "application/xml" "phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+SecRequestBodyLimit 13107200
+SecRequestBodyNoFilesLimit 131072
+SecRequestBodyInMemoryLimit 131072
+SecRequestBodyLimitAction Reject
+
+# Verify that we've correctly processed the request body
+SecRule REQBODY_ERROR "!@eq 0" "phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+
+# By default be strict with what we accept in multipart/form-data request body
+SecRule MULTIPART_STRICT_ERROR "!@eq 0" "phase:2,t:none,log,deny,status:44,msg:'Multipart request body failed strict validation: \
+PE %{REQBODY_PROCESSOR_ERROR}, \
+BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+DB %{MULTIPART_DATA_BEFORE}, \
+DA %{MULTIPART_DATA_AFTER}, \
+HF %{MULTIPART_HEADER_FOLDING}, \
+LF %{MULTIPART_LF_LINE}, \
+SM %{MULTIPART_SEMICOLON_MISSING}, \
+IQ %{MULTIPART_INVALID_QUOTING}, \
+IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+# Did we see anything that might be a boundary?
+SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" "phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+# Avoid a potential RegEx DoS condition
+SecPcreMatchLimit 1000
+SecPcreMatchLimitRecursion 1000
+SecRule TX:/^MSC_/ "!@streq 0" "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+# Detect slow DoS attacks
+SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"
+SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop, msg:'Client Connection Dropped due to high # of slow DoS alerts'"
+SecWriteStateLimit 50
+
+# Allow mod-security to access response bodies
+SecResponseBodyAccess On
+SecResponseBodyMimeType text/plain text/html text/xml application/xml
+SecResponseBodyLimit 524288
+SecResponseBodyLimitAction ProcessPartial
+
+# The location where mod-security stores temporary files
+SecTmpDir $root/tmp/
+SecDataDir $root/tmp/
+
+# Enable mod-security audit
+SecAuditEngine RelevantOnly
+SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+SecAuditLogParts ABIJDEFHKZ
+SecAuditLogType Serial
+SecAuditLog $root/logs/modsec_audit_log
+
+# Use & as application/x-www-form-urlencoded parameter separator
+SecArgumentSeparator &
+
+# Settle on version 0 (zero) cookies.
+SecCookieFormat 0
+
+# Enable anomaly scoring
+SecAction "phase:1,id:'981206',t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on"
+SecAction "phase:1,id:'981207',t:none,nolog,pass, \
+setvar:tx.critical_anomaly_score=5, \
+setvar:tx.error_anomaly_score=4, \
+setvar:tx.warning_anomaly_score=3, \
+setvar:tx.notice_anomaly_score=2"
+SecAction "phase:1,id:'981208',t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
+SecAction "phase:1,id:'981209',t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"
+
+# Paranoid mode
+SecAction "phase:1,id:'981210',t:none,nolog,pass,setvar:tx.paranoid_mode=0"
+
+# HTTP policy settings
+SecAction "phase:1,id:'981211',t:none,nolog,pass,setvar:tx.max_num_args=255"
+SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=100"
+SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_length=400"
+SecAction "phase:1,t:none,nolog,pass,setvar:tx.total_arg_length=64000"
+SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_file_size=1048576"
+SecAction "phase:1,t:none,nolog,pass,setvar:tx.combined_file_sizes=1048576"
+SecAction "phase:1,id:'981212',t:none,nolog,pass, \
+setvar:'tx.allowed_methods=GET HEAD POST PUT OPTIONS DELETE CONNECT', \
+setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml application/json application/json-rpc application/atom+xml', \
+setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
+setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
+setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'"
+
+# Brute force protection
+SecAction "phase:1,id:'981214',t:none,nolog,pass, \
+setvar:'tx.brute_force_protected_urls=/login', \
+setvar:'tx.brute_force_burst_time_slice=60', \
+setvar:'tx.brute_force_counter_threshold=10', \
+setvar:'tx.brute_force_block_timeout=300'"
+
+# DoS protection
+SecAction "phase:1,id:'981215',t:none,nolog,pass, \
+setvar:'tx.dos_burst_time_slice=60', \
+setvar:'tx.dos_counter_threshold=100', \
+setvar:'tx.dos_block_timeout=600'"
+
+# Check UTF-8 encoding
+SecAction "phase:1,id:'981216',t:none,nolog,pass,setvar:tx.crs_validate_utf8_encoding=1"
+
+# Global and IP collections
+SecRule REQUEST_HEADERS:User-Agent "^(.*)$" "phase:1,id:'981217',t:none,pass,nolog,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var}"
+SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" "phase:1,id:'981225',t:none,pass,nolog,capture,setvar:tx.real_ip=%{tx.1}"
+SecRule &TX:REAL_IP "!@eq 0" "phase:1,id:'981226',t:none,pass,nolog,initcol:global=global,initcol:ip=%{tx.real_ip}_%{tx.ua_hash}"
+SecRule &TX:REAL_IP "@eq 0"  "phase:1,id:'981218',t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"
+
+# Include all base mod-security CRS rules
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_20_protocol_violations.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_41_xss_attacks.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_50_outbound.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_35_bad_robots.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_47_common_exceptions.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_60_correlation.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_40_generic_attacks.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_21_protocol_anomalies.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_30_http_policy.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_49_inbound_blocking.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_45_trojans.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_59_outbound_blocking.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_23_request_limits.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_42_tight_security.conf
+
+# Include some optional mod-security CRS rules
+Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_10_ignore_static.conf
+Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_13_xml_enabler.conf
+Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_25_cc_known.conf
+Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_42_comment_spam.conf
+Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf
+Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_55_application_defects.conf
+EOF
+
--- a/sca-cpp/trunk/ubuntu/ubuntu-bin-all-image
+++ b/sca-cpp/trunk/ubuntu/ubuntu-bin-all-image
@ -34,7 +34,7 @@ sudo chgrp $g /mnt/tuscany
 cd /mnt/tuscany

 # Install core dev tools
-sudo apt-get -y install wget git-core subversion autoconf automake libtool g++
+sudo apt-get -y install wget git-core subversion autoconf pkg-config automake libtool g++
 if [ "$?" != "0" ]; then
    exit $?
 fi
@ -53,11 +53,6 @@ sudo apt-get -y install autoconf2.13 zip
 if [ "$?" != "0" ]; then
    exit $?
 fi
-# Required by Apache Axis2/C
-sudo apt-get -y install pkg-config
-if [ "$?" != "0" ]; then
-    exit $?
-fi
 # Required by Apache Qpid/C++
 sudo apt-get -y install libboost-dev libboost-program-options-dev libboost-filesystem-dev uuid-dev
 if [ "$?" != "0" ]; then
@ -68,7 +63,7 @@ sudo apt-get -y install openjdk-6-jdk
 if [ "$?" != "0" ]; then
    exit $?
 fi
-# Require by HTML Tidy
+# Required by HTML Tidy
 sudo apt-get -y install cvs
 if [ "$?" != "0" ]; then
    exit $?
--- a/sca-cpp/trunk/ubuntu/ubuntu-bin-image
+++ b/sca-cpp/trunk/ubuntu/ubuntu-bin-image
@ -0,0 +1,75 @@
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#  
+#    http://www.apache.org/licenses/LICENSE-2.0
+#    
+#  Unless required by applicable law or agreed to in writing,
+#  software distributed under the License is distributed on an
+#  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#  KIND, either express or implied.  See the License for the
+#  specific language governing permissions and limitations
+#  under the License.
+
+# Install a complete distribution, the required system tools and libraries,
+# the runtime dependencies and the Tuscany SCA runtime on a fresh Ubuntu Server
+# 10.10 image.
+
+# Display commands as they are executed
+set -x
+
+# First update the system
+sudo apt-get update
+
+# Create install directory
+u=`id -un`
+g=`id -gn`
+sudo mkdir -p /mnt/tuscany
+sudo chown $u /mnt/tuscany
+sudo chgrp $g /mnt/tuscany
+cd /mnt/tuscany
+
+# Install core dev tools
+sudo apt-get -y install wget git-core subversion autoconf pkg-config automake libtool g++
+if [ "$?" != "0" ]; then
+    exit $?
+fi
+# Required by Apache HTTP server
+sudo apt-get -y install libssl-dev libpcre3-dev
+if [ "$?" != "0" ]; then
+    exit $?
+fi
+# Required by Memcached
+sudo apt-get -y install libevent-dev
+if [ "$?" != "0" ]; then
+    exit $?
+fi
+# Required by TraceMonkey
+sudo apt-get -y install autoconf2.13 zip
+if [ "$?" != "0" ]; then
+    exit $?
+fi
+# Required by HTML Tidy
+sudo apt-get -y install cvs
+if [ "$?" != "0" ]; then
+    exit $?
+fi
+# Required by Apache Thrift
+sudo apt-get -y install bison flex python-dev libboost-dev libboost-filesystem-dev
+if [ "$?" != "0" ]; then
+    exit $?
+fi
+# Required by Facebook Scribe
+sudo apt-get -y install gawk
+if [ "$?" != "0" ]; then
+    exit $?
+fi
+
+# Download and install the Tuscany runtime
+wget http://people.apache.org/~jsdelfino/tuscany/test/tuscany-sca-cpp-1.0.tar.gz
+tar xzf tuscany-sca-cpp-1.0.tar.gz
+
--- a/sca-cpp/trunk/ubuntu/ubuntu-dev-image
+++ b/sca-cpp/trunk/ubuntu/ubuntu-dev-image
@ -0,0 +1,41 @@
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#  
+#    http://www.apache.org/licenses/LICENSE-2.0
+#    
+#  Unless required by applicable law or agreed to in writing,
+#  software distributed under the License is distributed on an
+#  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#  KIND, either express or implied.  See the License for the
+#  specific language governing permissions and limitations
+#  under the License.
+
+# Install a complete distribution, the required system tools and libraries,
+# the runtime dependencies and the Tuscany SCA runtime on a fresh Ubuntu
+# Server 10.10 image.
+
+# Display commands as they are executed
+set -x
+
+# First update the system
+sudo apt-get update
+
+# Create install directory
+u=`id -un`
+g=`id -gn`
+sudo mkdir -p /mnt/tuscany
+sudo chown $u /mnt/tuscany
+sudo chgrp $g /mnt/tuscany
+cd /mnt/tuscany
+
+# Download and run install script
+sudo apt-get -y install wget
+wget http://svn.apache.org/repos/asf/tuscany/sca-cpp/trunk/ubuntu/ubuntu-install
+chmod +x ./ubuntu-install
+./ubuntu-install
+
--- a/sca-cpp/trunk/ubuntu/ubuntu-install
+++ b/sca-cpp/trunk/ubuntu/ubuntu-install
@ -26,7 +26,7 @@ set -x
 build=`pwd`

 # Install core dev tools
-sudo apt-get -y install wget git-core subversion autoconf automake libtool g++
+sudo apt-get -y install wget git-core subversion autoconf pkg-config automake libtool g++
 if [ "$?" != "0" ]; then
    exit $?
 fi
@ -202,8 +202,27 @@ if [ "$?" != "0" ]; then
 fi
 cd $build

+# Build mod_security
+wget http://cdnetworks-us-1.dl.sourceforge.net/project/mod-security/modsecurity-apache/2.6.0/modsecurity-apache_2.6.0.tar.gz
+tar xzf modsecurity-apache_2.6.0.tar.gz
+cd modsecurity-apache_2.6.0
+./configure --prefix=$build/modsecurity-apache-2.6.0-bin --with-apxs=$build/httpd-2.3.10-bin/bin/apxs --with-apr=$build/apr-1.4.x-bin/bin/apr-2-config --with-apu=$build/apr-1.4.x-bin/bin/apr-2-config --with-libxml=$build/libxml2-2.7.7-bin --with-curl=$build/curl-7.19.5-bin LIBS="-L$build/expat-2.0.1-bin/lib -R$build/expat-2.0.1-bin/lib"
+make
+make install
+if [ "$?" != "0" ]; then
+    exit $?
+fi
+cd $build
+wget http://cdnetworks-us-1.dl.sourceforge.net/project/mod-security/modsecurity-crs/0-CURRENT/modsecurity-crs_2.2.0.tar.gz
+tar xzf modsecurity-crs_2.2.0.tar.gz
+cp -R $build/modsecurity-crs_2.2.0/base_rules $build/modsecurity-apache-2.6.0-bin
+cp -R $build/modsecurity-crs_2.2.0/optional_rules $build/modsecurity-apache-2.6.0-bin
+if [ "$?" != "0" ]; then
+    exit $?
+fi
+
 # Build Apache Thrift
-sudo apt-get -y install bison flex python-dev
+sudo apt-get -y install bison flex python-dev libboost-dev libboost-filesystem-dev 
 if [ "$?" != "0" ]; then
    exit $?
 fi
@ -270,7 +289,7 @@ cd $build
 git clone git://git.apache.org/tuscany-sca-cpp.git
 cd tuscany-sca-cpp
 ./bootstrap
-./configure --prefix=$build/tuscany-sca-cpp-bin --with-curl=$build/curl-7.19.5-bin --with-apr=$build/apr-1.4.x-bin --with-httpd=$build/httpd-2.3.10-bin --with-memcached=$build/memcached-1.4.5-bin --with-tinycdb=$build/tinycdb-0.77-bin --with-js-include=$build/tracemonkey-bin/include/js --with-js-lib=$build/tracemonkey-bin/lib --with-libcloud=$build/libcloud-0.4.2-bin --enable-threads --enable-python --with-libxml2=$build/libxml2-2.7.7-bin --enable-chat --with-libstrophe=$build/libstrophe-bin --enable-log --with-thrift=$build/thrift-0.2.0-bin --with-scribe=$build/scribe-2.2-bin --enable-openid --with-mod-auth-openid=$build/mod-auth-openid-bin --enable-oauth --with-liboauth=$build/liboauth-0.9.1-bin
+./configure --prefix=$build/tuscany-sca-cpp-bin --with-curl=$build/curl-7.19.5-bin --with-apr=$build/apr-1.4.x-bin --with-httpd=$build/httpd-2.3.10-bin --with-memcached=$build/memcached-1.4.5-bin --with-tinycdb=$build/tinycdb-0.77-bin --with-js-include=$build/tracemonkey-bin/include/js --with-js-lib=$build/tracemonkey-bin/lib --with-libcloud=$build/libcloud-0.4.2-bin --enable-threads --enable-python --with-libxml2=$build/libxml2-2.7.7-bin --enable-chat --with-libstrophe=$build/libstrophe-bin --enable-log --with-thrift=$build/thrift-0.2.0-bin --with-scribe=$build/scribe-2.2-bin --enable-openid --with-mod-auth-openid=$build/mod-auth-openid-bin --enable-oauth --with-liboauth=$build/liboauth-0.9.1-bin --enable-mod-security --with-mod-security=$build/modsecurity-apache-2.6.0-bin
 make
 make install
 if [ "$?" != "0" ]; then
@ -279,8 +298,8 @@ fi
 cd $build

 # Create src archive
-tar czf tuscany-sca-cpp-all-1.0-src.tar.gz apache-libcloud-incubating-0.4.2 apache-libcloud-incubating-0.4.2.tar.bz2 apr-1.4.x apr-1.4.x-bin curl-7.19.5 curl-7.19.5-bin curl-7.19.5.tar.gz expat-2.0.1 expat-2.0.1-bin expat-2.0.1.tar.gz htmltidy-bin httpd-2.3.10 httpd-2.3.10-alpha.tar.gz httpd-2.3.10-bin libcloud-0.4.2-bin liboauth-0.9.1 liboauth-0.9.1-bin liboauth-0.9.1.tar.gz libopkele libopkele-bin libstrophe libstrophe-bin libxml2-2.7.7 libxml2-2.7.7-bin libxml2-sources-2.7.7.tar.gz memcached-1.4.5 memcached-1.4.5-bin memcached-1.4.5.tar.gz mod_auth_openid mod-auth-openid-bin nuvem scribe scribe-2.2-bin scribe-2.2.tar.gz thrift-0.2.0 thrift-0.2.0-bin thrift-0.2.0-incubating.tar.gz tidy tinycdb-0.77 tinycdb-0.77-bin tinycdb_0.77.tar.gz tracemonkey-bin tracemonkey-e4364736e170 tracemonkey-e4364736e170.tar.gz tuscany-sca-cpp tuscany-sca-cpp-bin
+tar czf tuscany-sca-cpp-1.0-src.tar.gz apache-libcloud-incubating-0.4.2 apache-libcloud-incubating-0.4.2.tar.bz2 apr-1.4.x apr-1.4.x-bin curl-7.19.5 curl-7.19.5-bin curl-7.19.5.tar.gz expat-2.0.1 expat-2.0.1-bin expat-2.0.1.tar.gz htmltidy-bin httpd-2.3.10 httpd-2.3.10-alpha.tar.gz httpd-2.3.10-bin libcloud-0.4.2-bin liboauth-0.9.1 liboauth-0.9.1-bin liboauth-0.9.1.tar.gz libopkele libopkele-bin libstrophe libstrophe-bin libxml2-2.7.7 libxml2-2.7.7-bin libxml2-sources-2.7.7.tar.gz memcached-1.4.5 memcached-1.4.5-bin memcached-1.4.5.tar.gz mod_auth_openid mod-auth-openid-bin modsecurity-apache_2.6.0 modsecurity-apache-2.6.0-bin modsecurity-apache_2.6.0.tar.gz modsecurity-crs_2.2.0 modsecurity-crs_2.2.0.tar.gz nuvem scribe scribe-2.2-bin scribe-2.2.tar.gz thrift-0.2.0 thrift-0.2.0-bin thrift-0.2.0-incubating.tar.gz tidy tinycdb-0.77 tinycdb-0.77-bin tinycdb_0.77.tar.gz tracemonkey-bin tracemonkey-e4364736e170 tracemonkey-e4364736e170.tar.gz tuscany-sca-cpp tuscany-sca-cpp-bin

 # Create bin archive
-tar czf tuscany-sca-cpp-all-1.0.tar.gz apr-1.4.x-bin curl-7.19.5-bin expat-2.0.1-bin htmltidy-bin httpd-2.3.10-bin libcloud-0.4.2-bin liboauth-0.9.1-bin libopkele-bin libstrophe-bin libxml2-2.7.7-bin memcached-1.4.5-bin mod-auth-openid-bin nuvem/nuvem-parallel scribe-2.2-bin thrift-0.2.0-bin tinycdb-0.77-bin tracemonkey-bin tuscany-sca-cpp tuscany-sca-cpp-bin
+tar czf tuscany-sca-cpp-1.0.tar.gz apr-1.4.x-bin curl-7.19.5-bin expat-2.0.1-bin htmltidy-bin httpd-2.3.10-bin libcloud-0.4.2-bin liboauth-0.9.1-bin libopkele-bin libstrophe-bin libxml2-2.7.7-bin memcached-1.4.5-bin mod-auth-openid-bin modsecurity-apache-2.6.0-bin nuvem/nuvem-parallel scribe-2.2-bin thrift-0.2.0-bin tinycdb-0.77-bin tracemonkey-bin tuscany-sca-cpp tuscany-sca-cpp-bin

--- a/sca-cpp/trunk/ubuntu/ubuntu-install-all
+++ b/sca-cpp/trunk/ubuntu/ubuntu-install-all
@ -26,7 +26,7 @@ set -x
 build=`pwd`

 # Install core dev tools
-sudo apt-get -y install wget git-core subversion autoconf automake libtool g++
+sudo apt-get -y install wget git-core subversion autoconf pkg-config automake libtool g++
 if [ "$?" != "0" ]; then
    exit $?
 fi
@ -143,7 +143,6 @@ wget http://googleappengine.googlecode.com/files/google_appengine_1.4.0.zip
 unzip google_appengine_1.4.0.zip

 # Build Apache Axis2/C
-sudo apt-get -y install pkg-config
 if [ "$?" != "0" ]; then
    exit $?
 fi
@ -257,6 +256,25 @@ if [ "$?" != "0" ]; then
 fi
 cd $build

+# Build mod_security
+wget http://cdnetworks-us-1.dl.sourceforge.net/project/mod-security/modsecurity-apache/2.6.0/modsecurity-apache_2.6.0.tar.gz
+tar xzf modsecurity-apache_2.6.0.tar.gz
+cd modsecurity-apache_2.6.0
+./configure --prefix=$build/modsecurity-apache-2.6.0-bin --with-apxs=$build/httpd-2.3.10-bin/bin/apxs --with-apr=$build/apr-1.4.x-bin/bin/apr-2-config --with-apu=$build/apr-1.4.x-bin/bin/apr-2-config --with-libxml=$build/libxml2-2.7.7-bin --with-curl=$build/curl-7.19.5-bin LIBS="-L$build/expat-2.0.1-bin/lib -R$build/expat-2.0.1-bin/lib"
+make
+make install
+if [ "$?" != "0" ]; then
+    exit $?
+fi
+cd $build
+wget http://cdnetworks-us-1.dl.sourceforge.net/project/mod-security/modsecurity-crs/0-CURRENT/modsecurity-crs_2.2.0.tar.gz
+tar xzf modsecurity-crs_2.2.0.tar.gz
+cp -R $build/modsecurity-crs_2.2.0/base_rules $build/modsecurity-apache-2.6.0-bin
+cp -R $build/modsecurity-crs_2.2.0/optional_rules $build/modsecurity-apache-2.6.0-bin
+if [ "$?" != "0" ]; then
+    exit $?
+fi
+
 # Build PostgreSQL
 sudo apt-get -y install libreadline-dev
 if [ "$?" != "0" ]; then
@ -274,7 +292,7 @@ fi
 cd $build

 # Build Apache Thrift
-sudo apt-get -y install bison flex python-dev
+sudo apt-get -y install bison flex python-dev libboost-dev libboost-filesystem-dev
 if [ "$?" != "0" ]; then
    exit $?
 fi
@ -341,7 +359,7 @@ cd $build
 git clone git://git.apache.org/tuscany-sca-cpp.git
 cd tuscany-sca-cpp
 ./bootstrap
-./configure --prefix=$build/tuscany-sca-cpp-bin --with-curl=$build/curl-7.19.5-bin --with-apr=$build/apr-1.4.x-bin --with-httpd=$build/httpd-2.3.10-bin --with-memcached=$build/memcached-1.4.5-bin --with-tinycdb=$build/tinycdb-0.77-bin --with-js-include=$build/tracemonkey-bin/include/js --with-js-lib=$build/tracemonkey-bin/lib --with-libcloud=$build/libcloud-0.4.2-bin --enable-threads --enable-python --enable-gae --with-gae=$build/google_appengine --enable-java --with-java=/usr/lib/jvm/java-6-openjdk --enable-webservice --with-libxml2=$build/libxml2-2.7.7-bin --with-axis2c=$build/axis2c-1.6.0-bin --enable-queue --with-qpidc=$build/qpidc-0.6-bin --enable-chat --with-libstrophe=$build/libstrophe-bin --with-vysper=$build/vysper-0.6 --enable-sqldb --with-pgsql=$build/postgresql-9.0.3-bin --enable-log --with-thrift=$build/thrift-0.2.0-bin --with-scribe=$build/scribe-2.2-bin --enable-openid --with-mod-auth-openid=$build/mod-auth-openid-bin --enable-oauth --with-liboauth=$build/liboauth-0.9.1-bin
+./configure --prefix=$build/tuscany-sca-cpp-bin --with-curl=$build/curl-7.19.5-bin --with-apr=$build/apr-1.4.x-bin --with-httpd=$build/httpd-2.3.10-bin --with-memcached=$build/memcached-1.4.5-bin --with-tinycdb=$build/tinycdb-0.77-bin --with-js-include=$build/tracemonkey-bin/include/js --with-js-lib=$build/tracemonkey-bin/lib --with-libcloud=$build/libcloud-0.4.2-bin --enable-threads --enable-python --enable-gae --with-gae=$build/google_appengine --enable-java --with-java=/usr/lib/jvm/java-6-openjdk --enable-webservice --with-libxml2=$build/libxml2-2.7.7-bin --with-axis2c=$build/axis2c-1.6.0-bin --enable-queue --with-qpidc=$build/qpidc-0.6-bin --enable-chat --with-libstrophe=$build/libstrophe-bin --with-vysper=$build/vysper-0.6 --enable-sqldb --with-pgsql=$build/postgresql-9.0.3-bin --enable-log --with-thrift=$build/thrift-0.2.0-bin --with-scribe=$build/scribe-2.2-bin --enable-openid --with-mod-auth-openid=$build/mod-auth-openid-bin --enable-oauth --with-liboauth=$build/liboauth-0.9.1-bin --enable-mod-security --with-mod-security=$build/modsecurity-apache-2.6.0-bin
 make
 make install
 if [ "$?" != "0" ]; then
@ -350,8 +368,8 @@ fi
 cd $build

 # Create src archive
-tar czf tuscany-sca-cpp-all-1.0-src.tar.gz apache-libcloud-incubating-0.4.2 apache-libcloud-incubating-0.4.2.tar.bz2 apr-1.4.x apr-1.4.x-bin axis2c-1.6.0-bin axis2c-src-1.6.0 axis2c-src-1.6.0.tar.gz curl-7.19.5 curl-7.19.5-bin curl-7.19.5.tar.gz expat-2.0.1 expat-2.0.1-bin expat-2.0.1.tar.gz google_appengine google_appengine_1.4.0.zip htmltidy-bin httpd-2.3.10 httpd-2.3.10-alpha.tar.gz httpd-2.3.10-bin libcloud-0.4.2-bin liboauth-0.9.1 liboauth-0.9.1-bin liboauth-0.9.1.tar.gz libopkele libopkele-bin libstrophe libstrophe-bin libxml2-2.7.7 libxml2-2.7.7-bin libxml2-sources-2.7.7.tar.gz memcached-1.4.5 memcached-1.4.5-bin memcached-1.4.5.tar.gz mod_auth_openid mod-auth-openid-bin nuvem postgresql-9.0.3 postgresql-9.0.3-bin postgresql-9.0.3.tar.gz qpidc-0.6 qpidc-0.6-bin qpid-cpp-0.6.tar.gz scribe scribe-2.2-bin scribe-2.2.tar.gz thrift-0.2.0 thrift-0.2.0-bin thrift-0.2.0-incubating.tar.gz tidy tinycdb-0.77 tinycdb-0.77-bin tinycdb_0.77.tar.gz tracemonkey-bin tracemonkey-e4364736e170 tracemonkey-e4364736e170.tar.gz tuscany-sca-cpp tuscany-sca-cpp-bin vysper-0.6 vysper-0.6-bin.tar.gz
+tar czf tuscany-sca-cpp-all-1.0-src.tar.gz apache-libcloud-incubating-0.4.2 apache-libcloud-incubating-0.4.2.tar.bz2 apr-1.4.x apr-1.4.x-bin axis2c-1.6.0-bin axis2c-src-1.6.0 axis2c-src-1.6.0.tar.gz curl-7.19.5 curl-7.19.5-bin curl-7.19.5.tar.gz expat-2.0.1 expat-2.0.1-bin expat-2.0.1.tar.gz google_appengine google_appengine_1.4.0.zip htmltidy-bin httpd-2.3.10 httpd-2.3.10-alpha.tar.gz httpd-2.3.10-bin libcloud-0.4.2-bin liboauth-0.9.1 liboauth-0.9.1-bin liboauth-0.9.1.tar.gz libopkele libopkele-bin libstrophe libstrophe-bin libxml2-2.7.7 libxml2-2.7.7-bin libxml2-sources-2.7.7.tar.gz memcached-1.4.5 memcached-1.4.5-bin memcached-1.4.5.tar.gz mod_auth_openid mod-auth-openid-bin modsecurity-apache_2.6.0 modsecurity-apache-2.6.0-bin modsecurity-apache_2.6.0.tar.gz modsecurity-crs_2.2.0 modsecurity-crs_2.2.0.tar.gz nuvem postgresql-9.0.3 postgresql-9.0.3-bin postgresql-9.0.3.tar.gz qpidc-0.6 qpidc-0.6-bin qpid-cpp-0.6.tar.gz scribe scribe-2.2-bin scribe-2.2.tar.gz thrift-0.2.0 thrift-0.2.0-bin thrift-0.2.0-incubating.tar.gz tidy tinycdb-0.77 tinycdb-0.77-bin tinycdb_0.77.tar.gz tracemonkey-bin tracemonkey-e4364736e170 tracemonkey-e4364736e170.tar.gz tuscany-sca-cpp tuscany-sca-cpp-bin vysper-0.6 vysper-0.6-bin.tar.gz

 # Create bin archive
-tar czf tuscany-sca-cpp-all-1.0.tar.gz apr-1.4.x-bin axis2c-1.6.0-bin curl-7.19.5-bin expat-2.0.1-bin google_appengine htmltidy-bin httpd-2.3.10-bin libcloud-0.4.2-bin liboauth-0.9.1-bin libopkele-bin libstrophe-bin libxml2-2.7.7-bin memcached-1.4.5-bin mod-auth-openid-bin nuvem/nuvem-parallel postgresql-9.0.3-bin qpidc-0.6-bin scribe-2.2-bin thrift-0.2.0-bin tinycdb-0.77-bin tracemonkey-bin tuscany-sca-cpp tuscany-sca-cpp-bin vysper-0.6
+tar czf tuscany-sca-cpp-all-1.0.tar.gz apr-1.4.x-bin axis2c-1.6.0-bin curl-7.19.5-bin expat-2.0.1-bin google_appengine htmltidy-bin httpd-2.3.10-bin libcloud-0.4.2-bin liboauth-0.9.1-bin libopkele-bin libstrophe-bin libxml2-2.7.7-bin memcached-1.4.5-bin mod-auth-openid-bin modsecurity-apache-2.6.0-bin nuvem/nuvem-parallel postgresql-9.0.3-bin qpidc-0.6-bin scribe-2.2-bin thrift-0.2.0-bin tinycdb-0.77-bin tracemonkey-bin tuscany-sca-cpp tuscany-sca-cpp-bin vysper-0.6

--- a/sca-cpp/trunk/ubuntu/uec2-bin-image
+++ b/sca-cpp/trunk/ubuntu/uec2-bin-image
@ -0,0 +1,23 @@
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#  
+#    http://www.apache.org/licenses/LICENSE-2.0
+#    
+#  Unless required by applicable law or agreed to in writing,
+#  software distributed under the License is distributed on an
+#  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#  KIND, either express or implied.  See the License for the
+#  specific language governing permissions and limitations
+#  under the License.
+
+# Install a Tuscany image on an EC2 instance
+host=$1
+
+# Download and execute Tuscany SCA install script
+ssh -i $HOME/.ec2/ec2-keypair.pem ubuntu@$host "wget http://svn.apache.org/repos/asf/tuscany/sca-cpp/trunk/ubuntu/ubuntu-bin-image; chmod 700 ./ubuntu-bin-image; ./ubuntu-bin-image"
+
--- a/sca-cpp/trunk/ubuntu/uec2-dev-image
+++ b/sca-cpp/trunk/ubuntu/uec2-dev-image
@ -0,0 +1,23 @@
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#  
+#    http://www.apache.org/licenses/LICENSE-2.0
+#    
+#  Unless required by applicable law or agreed to in writing,
+#  software distributed under the License is distributed on an
+#  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#  KIND, either express or implied.  See the License for the
+#  specific language governing permissions and limitations
+#  under the License.
+
+# Build a Tuscany image on an EC2 instance
+host=$1
+
+# Download and execute Tuscany SCA install script
+ssh -i $HOME/.ec2/ec2-keypair.pem ubuntu@$host "wget http://svn.apache.org/repos/asf/tuscany/sca-cpp/trunk/ubuntu/ubuntu-dev-image; chmod 700 ./ubuntu-dev-image; ./ubuntu-dev-image"
+