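#!/bin/sh

# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.

# Generate a minimal HTTPD SSL configuration.
#
# Usage: httpd-ssl-conf <root-dir> <ssl-addr>
#   $1 - HTTPD configuration root (created if missing). It must already
#        contain conf/httpd.conf as written by httpd-conf, and cert/ca.crt.
#   $2 - HTTPS address; interpreted by the sibling httpd-addr script.
#
# Environment:
#   proxyconf - when set and non-empty, the proxy client certificate is
#               cert/proxy.pem instead of cert/server.pem. It is never set
#               by this script; presumably the caller exports it.
#
# Appends SSL directives to conf/httpd.conf, conf/svhost.conf and
# conf/dvhost.conf, and (re)writes conf/vhost-ssl.conf, conf/log-ssl.conf,
# conf/svhost-ssl.conf and conf/dvhost-ssl.conf under $1.

set -eu

usage() {
  printf 'Usage: %s <root-dir> <ssl-addr>\n' "${0##*/}" >&2
  exit 2
}

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print the canonical absolute path of $1 (symlinks resolved).
# The path is handed to Python as an argument instead of being spliced into
# the program text, so a quote or backslash in a directory name cannot alter
# the code that runs; print(...) with one argument works on Python 2 and 3.
realpath_of() {
  python -c 'import os, sys; print(os.path.realpath(sys.argv[1]))' "$1"
}

[ $# -ge 2 ] || usage

here=$(realpath_of "$0")
here=$(dirname "$here")
mkdir -p -- "$1"
root=$(realpath_of "$1")

# Recover the parameters httpd-conf was run with from the marker line it left
# in httpd.conf. Only the first marker is used (the original flattened all
# matches into one line, so fields came from the first one anyway); awk fields
# 6, 7 and 8 of that line are taken as host, port and htdocs directory.
conf=$(grep -F -- "# Generated by: httpd-conf" "$root/conf/httpd.conf" | head -n 1)
[ -n "$conf" ] || die "$root/conf/httpd.conf carries no '# Generated by: httpd-conf' marker; run httpd-conf first"
host=$(printf '%s\n' "$conf" | awk '{ print $6 }')
gport=$(printf '%s\n' "$conf" | awk '{ print $7 }')
port=$("$here/httpd-addr" port "$gport")
pport=$("$here/httpd-addr" pport "$gport")

sslpport=$("$here/httpd-addr" pport "$2")
sslport=$("$here/httpd-addr" listen "$2")
sslvhost=$("$here/httpd-addr" vhost "$2")
# Omit the port from generated https:// URLs when it is the default.
if [ "$sslpport" = "443" ]; then
  sslpportsuffix=""
else
  sslpportsuffix=":$sslpport"
fi

# Make sure the document root exists; its path is not otherwise used here.
htdocs=$(printf '%s\n' "$conf" | awk '{ print $8 }')
mkdir -p -- "$htdocs"

# Every generated vhost references the CA certificate (and the original script
# read it to extract an unused organization name), so fail early if it is
# missing rather than emitting a configuration httpd cannot load.
[ -f "$root/cert/ca.crt" ] || die "missing CA certificate: $root/cert/ca.crt"

# Generate HTTPD configuration
cat >>"$root/conf/httpd.conf" <<EOF
# Generated by: httpd-ssl-conf $*

# Configure SSL support
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:$root/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
Mutex "file:$root/logs" ssl-cache
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

# Listen on HTTPS port
Listen $sslport

# HTTPS virtual host
<VirtualHost $sslvhost>
ServerName https://$host$sslpportsuffix

<Location />
RewriteEngine on
RewriteCond %{HTTP_HOST} !^$host [NC]
RewriteRule .* https://$host$sslpportsuffix%{REQUEST_URI} [R]
</Location>

Include conf/svhost-ssl.conf
</VirtualHost>

EOF

# Generate HTTP vhost configuration
cat >>"$root/conf/svhost.conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Redirect HTTP traffic to HTTPS
<Location />
RewriteEngine on
RewriteCond %{SERVER_PORT} ^$port$ [OR]
RewriteCond %{SERVER_PORT} ^$pport$
RewriteRule .* https://$host$sslpportsuffix%{REQUEST_URI} [R]
</Location>

EOF

cat >>"$root/conf/dvhost.conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Redirect HTTP traffic to HTTPS
<Location />
RewriteEngine on
RewriteCond %{SERVER_PORT} ^$port$ [OR]
RewriteCond %{SERVER_PORT} ^$pport$
RewriteRule .* https://%{SERVER_NAME}$sslpportsuffix%{REQUEST_URI} [R]
</Location>

EOF

# Generate HTTPS vhost configuration
#
# NOTE(review): the SSLCipherSuite and SSLProxyCipherSuite lists below still
# admit eNULL, LOW, EXP, SSLv2 and RC4 cipher suites. They are reproduced
# verbatim so the generated configuration is unchanged, but they should be
# tightened (e.g. HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4) before this config fronts
# anything beyond a local test deployment. SSLProxyCheckPeerCN Off likewise
# disables hostname checking of proxied back-ends, leaving only the CA
# signature check from SSLProxyVerify require.
cat >"$root/conf/vhost-ssl.conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Virtual host configuration
UseCanonicalName Off

# Enable SSL
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth

# Require clients to use SSL and authenticate
<Location />
SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Location>

# Log SSL requests
# [timestamp] [sslaccess] remote-host remote-ident remote-user SSL-protocol
# SSL-cipher "request-line" status response-size "referrer" "user-agent"
# "SSL-client-I-DN" "SSL-client-S-DN" "user-track" local-IP virtual-host
# response-time bytes-received bytes-sent
LogFormat "[%{%a %b %d %H:%M:%S %Y}t] [sslaccess] %h %l %u %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" \"%{SSL_CLIENT_I_DN}x\" \"%{SSL_CLIENT_S_DN}x\" \"%{cookie}n\" %A %V %D %I %O" sslcombined
Include conf/log-ssl.conf

# Enable HTTPS reverse proxy
ProxyRequests Off
ProxyPreserveHost Off
ProxyStatus On
SSLProxyEngine on
SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# Verify server certificates
SSLProxyVerify require
SSLProxyVerifyDepth 1
SSLProxyCheckPeerCN Off

EOF

# Configure logging
cat >"$root/conf/log-ssl.conf" <<EOF
# Generated by: httpd-ssl-conf $*
CustomLog $root/logs/ssl_access_log sslcombined

EOF

# Configure virtual hosts.
# proxyconf comes from the environment (see header); ${proxyconf:-} keeps
# set -u from aborting when it is not exported.
proxycert="server"
if [ -n "${proxyconf:-}" ]; then
  proxycert="proxy"
fi

cat >"$root/conf/svhost-ssl.conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Static virtual host configuration
Include conf/vhost-ssl.conf

# Declare SSL certificates used in this virtual host
SSLCACertificateFile "$root/cert/ca.crt"
SSLCertificateChainFile "$root/cert/ca.crt"
SSLCertificateFile "$root/cert/server.crt"
SSLCertificateKeyFile "$root/cert/server.key"

# Declare proxy SSL client certificates
SSLProxyCACertificateFile "$root/cert/ca.crt"
SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem"

EOF

cat >"$root/conf/dvhost-ssl.conf" <<EOF
# Mass dynamic virtual host configuration
# Generated by: httpd-ssl-conf $*
Include conf/vhost-ssl.conf

# Declare wildcard SSL certificates used in this virtual host
SSLCACertificateFile "$root/cert/ca.crt"
SSLCertificateChainFile "$root/cert/ca.crt"
SSLCertificateFile "$root/cert/vhost.crt"
SSLCertificateKeyFile "$root/cert/vhost.key"

# Declare proxy SSL client certificates
SSLProxyCACertificateFile "$root/cert/ca.crt"
SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem"

EOF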
| |