
git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1052740 13f79535-47bb-0310-9956-ffa450edef68
163 lines
4.9 KiB
Bash
Executable file
163 lines
4.9 KiB
Bash
Executable file
#!/bin/sh
|
|
|
|
# Licensed to the Apache Software Foundation (ASF) under one
|
|
# or more contributor license agreements. See the NOTICE file
|
|
# distributed with this work for additional information
|
|
# regarding copyright ownership. The ASF licenses this file
|
|
# to you under the Apache License, Version 2.0 (the
|
|
# "License"); you may not use this file except in compliance
|
|
# with the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing,
|
|
# software distributed under the License is distributed on an
|
|
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
# KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
# Generate a minimal HTTPD SSL configuration
|
|
here=`readlink -f $0`; here=`dirname $here`
|
|
mkdir -p $1
|
|
root=`readlink -f $1`
|
|
|
|
conf=`cat $root/conf/httpd.conf | grep "# Generated by: httpd-conf"`
|
|
host=`echo $conf | awk '{ print $6 }'`
|
|
gport=`echo $conf | awk '{ print $7 }'`
|
|
port=`$here/httpd-addr port $gport`
|
|
pport=`$here/httpd-addr pport $gport`
|
|
|
|
sslpport=`$here/httpd-addr pport $2`
|
|
sslport=`$here/httpd-addr listen $2`
|
|
sslvhost=`$here/httpd-addr vhost $2`
|
|
|
|
htdocs=`echo $conf | awk '{ print $8 }'`
|
|
mkdir -p $htdocs
|
|
htdocs=`readlink -f $htdocs`
|
|
|
|
# Extract organization name from our CA certificate
|
|
org=`openssl x509 -noout -subject -nameopt multiline -in $root/cert/ca.crt | grep organizationName | awk -F "= " '{ print $2 }'`
|
|
|
|
# Generate HTTPD configuration
|
|
cat >>$root/conf/httpd.conf <<EOF
|
|
# Generated by: httpd-ssl-conf $*
|
|
|
|
# Configure SSL support
|
|
AddType application/x-x509-ca-cert .crt
|
|
AddType application/x-pkcs7-crl .crl
|
|
SSLPassPhraseDialog builtin
|
|
SSLSessionCache "shmcb:$root/logs/ssl_scache(512000)"
|
|
SSLSessionCacheTimeout 300
|
|
Mutex "file:$root/logs" ssl-cache
|
|
SSLRandomSeed startup builtin
|
|
SSLRandomSeed connect builtin
|
|
|
|
# Listen on HTTPS port
|
|
Listen $sslport
|
|
|
|
# HTTPS virtual host
|
|
<VirtualHost $sslvhost>
|
|
ServerName https://$host:$sslpport
|
|
|
|
Include conf/svhost-ssl.conf
|
|
|
|
# Allow the server admin to view the server status
|
|
<Location /server-status>
|
|
SetHandler server-status
|
|
HostnameLookups on
|
|
Require user admin
|
|
</Location>
|
|
|
|
</VirtualHost>
|
|
|
|
EOF
|
|
|
|
# Generate HTTP vhost configuration
|
|
cat >>$root/conf/svhost.conf <<EOF
|
|
# Generated by: httpd-ssl-conf $*
|
|
# Redirect HTTP traffic to HTTPS
|
|
<Location />
|
|
RewriteEngine on
|
|
RewriteCond %{SERVER_PORT} ^$port$ [OR]
|
|
RewriteCond %{SERVER_PORT} ^$pport$
|
|
RewriteRule .* https://$host:$sslpport%{REQUEST_URI} [R,L]
|
|
</Location>
|
|
|
|
EOF
|
|
|
|
cat >>$root/conf/dvhost.conf <<EOF
|
|
# Generated by: httpd-ssl-conf $*
|
|
# Redirect HTTP traffic to HTTPS
|
|
<Location />
|
|
RewriteEngine on
|
|
RewriteCond %{SERVER_PORT} ^$port$ [OR]
|
|
RewriteCond %{SERVER_PORT} ^$pport$
|
|
RewriteRule .* https://%{SERVER_NAME}:$sslpport%{REQUEST_URI} [R,L]
|
|
</Location>
|
|
|
|
EOF
|
|
|
|
# Generate HTTPS vhost configuration
|
|
cat >$root/conf/vhost-ssl.conf <<EOF
|
|
# Generated by: httpd-ssl-conf $*
|
|
# Virtual host configuration
|
|
UseCanonicalName Off
|
|
|
|
# Enable SSL
|
|
SSLEngine on
|
|
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
|
|
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
|
|
SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth
|
|
|
|
# Require clients to use SSL and authenticate
|
|
<Location />
|
|
SSLRequireSSL
|
|
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
|
|
</Location>
|
|
|
|
# Log SSL requests
|
|
# [timestamp] [sslaccess] remote-host remote-ident remote-user SSL-protocol
|
|
# SSL-cipher "request-line" status response-size "referrer" "user-agent"
|
|
# "SSL-client-I-DN" "SSL-client-S-DN" "user-track" local-IP virtual-host
|
|
# response-time bytes-received bytes-sent
|
|
LogFormat "[%{%a %b %d %H:%M:%S %Y}t] [sslaccess] %h %l %u %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" \"%{SSL_CLIENT_I_DN}x\" \"%{SSL_CLIENT_S_DN}x\" \"%{cookie}n\" %A %V %D %I %O" sslcombined
|
|
CustomLog $root/logs/ssl_access_log sslcombined
|
|
|
|
EOF
|
|
|
|
proxycert="server"
|
|
if [ "$proxyconf" != "" ]; then
|
|
proxycert="proxy"
|
|
fi
|
|
|
|
cat >$root/conf/svhost-ssl.conf <<EOF
|
|
# Generated by: httpd-ssl-conf $*
|
|
# Static virtual host configuration
|
|
Include conf/vhost-ssl.conf
|
|
|
|
# Declare SSL certificates used in this virtual host
|
|
SSLCACertificateFile "$root/cert/ca.crt"
|
|
SSLCertificateChainFile "$root/cert/ca.crt"
|
|
SSLCertificateFile "$root/cert/server.crt"
|
|
SSLCertificateKeyFile "$root/cert/server.key"
|
|
|
|
EOF
|
|
|
|
cat >$root/conf/dvhost-ssl.conf <<EOF
|
|
# Mass dynamic virtual host configuration
|
|
# Generated by: httpd-ssl-conf $*
|
|
Include conf/vhost-ssl.conf
|
|
|
|
# Declare wildcard SSL certificates used in this virtual host
|
|
SSLCACertificateFile "$root/cert/ca.crt"
|
|
SSLCertificateChainFile "$root/cert/ca.crt"
|
|
SSLCertificateFile "$root/cert/vhost.crt"
|
|
SSLCertificateKeyFile "$root/cert/vhost.key"
|
|
|
|
# Declare proxy SSL client certificates
|
|
SSLProxyCACertificateFile "$root/cert/ca.crt"
|
|
SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem"
|
|
|
|
EOF
|
|
|