#!/bin/sh
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
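# Generate a minimal HTTPD SSL configuration.
#
# Usage: httpd-ssl-conf ROOT SSLADDR
#   ROOT    - server root prepared by httpd-conf; conf/httpd.conf must exist
#             and carry the "# Generated by: httpd-conf" marker line, from
#             which the host name, HTTP port and document root are recovered
#   SSLADDR - address specification for the HTTPS listener, resolved with the
#             sibling httpd-addr helper
#
# Environment:
#   proxyconf - when set and non-empty, cert/proxy.pem is used as the proxy
#               client certificate instead of cert/server.pem
#
# Appends SSL settings to conf/httpd.conf, HTTP->HTTPS redirects to
# conf/svhost.conf and conf/dvhost.conf, and (re)writes conf/vhost-ssl.conf,
# conf/svhost-ssl.conf and conf/dvhost-ssl.conf under ROOT.
set -eu

# Print a diagnostic to stderr and abort.
die() {
  printf 'httpd-ssl-conf: %s\n' "$*" >&2
  exit 1
}

# Print the canonical absolute form of a path.
# The path is handed to Python as an argument instead of being interpolated
# into the program text, so quotes or other metacharacters in it cannot change
# what the interpreter runs.
abspath() {
  python -c 'import os, sys; print(os.path.realpath(sys.argv[1]))' "$1"
}

[ $# -ge 2 ] || die "usage: ${0##*/} ROOT SSLADDR"

# Directory holding this script (and httpd-addr), with symlinks resolved.
here=$(abspath "$0")
here=$(dirname "$here")

mkdir -p -- "$1"
root=$(abspath "$1")
httpd_conf="$root/conf/httpd.conf"
[ -f "$httpd_conf" ] || die "$httpd_conf not found; run httpd-conf first"

# Marker line written by httpd-conf; only the first one is used. Its sixth,
# seventh and eighth fields are the host, the HTTP port spec and htdocs.
conf=$(awk '/# Generated by: httpd-conf/ { print; exit }' "$httpd_conf")
[ -n "$conf" ] || die "no '# Generated by: httpd-conf' marker in $httpd_conf"
host=$(printf '%s\n' "$conf" | awk '{ print $6 }')
gport=$(printf '%s\n' "$conf" | awk '{ print $7 }')
htdocs=$(printf '%s\n' "$conf" | awk '{ print $8 }')

# Port numbers and listener/vhost specs; any failure of httpd-addr aborts
# the run instead of silently producing an empty "Listen" directive.
port=$("$here/httpd-addr" port "$gport")
pport=$("$here/httpd-addr" pport "$gport")
sslpport=$("$here/httpd-addr" pport "$2")
sslport=$("$here/httpd-addr" listen "$2")
sslvhost=$("$here/httpd-addr" vhost "$2")
mkdir -p -- "$htdocs"

# The generated files reference the CA certificate; warn early when it is
# missing so the cause is visible before httpd fails to start.
ca_crt="$root/cert/ca.crt"
[ -f "$ca_crt" ] || printf 'httpd-ssl-conf: warning: %s not found; the generated configuration references it\n' "$ca_crt" >&2

# httpd.conf is appended to, so a second run duplicates the SSL section.
if grep -q -- '# Generated by: httpd-ssl-conf' "$httpd_conf"; then
  printf 'httpd-ssl-conf: warning: %s already contains httpd-ssl-conf output; appending again\n' "$httpd_conf" >&2
fi

# Generate HTTPD configuration
cat >>"$httpd_conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Configure SSL support
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:$root/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
Mutex "file:$root/logs" ssl-cache
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
# Listen on HTTPS port
Listen $sslport
# HTTPS virtual host
<VirtualHost $sslvhost>
ServerName https://$host:$sslpport
Include conf/svhost-ssl.conf
# Allow the server admin to view the server status
<Location /server-status>
SetHandler server-status
HostnameLookups on
Require user admin
</Location>
<Location /server-info>
SetHandler server-info
HostnameLookups on
Require user admin
</Location>
</VirtualHost>
EOF

# Generate HTTP vhost configuration: redirect plain HTTP to the HTTPS port.
cat >>"$root/conf/svhost.conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Redirect HTTP traffic to HTTPS
<Location />
RewriteEngine on
RewriteCond %{SERVER_PORT} ^$port$ [OR]
RewriteCond %{SERVER_PORT} ^$pport$
RewriteRule .* https://$host:$sslpport%{REQUEST_URI} [R,L]
</Location>
EOF

cat >>"$root/conf/dvhost.conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Redirect HTTP traffic to HTTPS
<Location />
RewriteEngine on
RewriteCond %{SERVER_PORT} ^$port$ [OR]
RewriteCond %{SERVER_PORT} ^$pport$
RewriteRule .* https://%{SERVER_NAME}:$sslpport%{REQUEST_URI} [R,L]
</Location>
EOF

# Generate HTTPS vhost configuration.
# NOTE(review): the SSLCipherSuite and SSLProxyCipherSuite strings below are
# the original ones and still list +SSLv2, +EXP, +LOW and +eNULL; current
# OpenSSL builds drop most of those, but the list should be reviewed before
# this configuration is used outside a test setup. "SSLProxyCheckPeerCN Off"
# likewise disables hostname matching against proxied backends' certificates.
cat >"$root/conf/vhost-ssl.conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Virtual host configuration
UseCanonicalName Off
# Enable SSL
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth
# Require clients to use SSL and authenticate
<Location />
SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Location>
# Log SSL requests
# [timestamp] [sslaccess] remote-host remote-ident remote-user SSL-protocol
# SSL-cipher "request-line" status response-size "referrer" "user-agent"
# "SSL-client-I-DN" "SSL-client-S-DN" "user-track" local-IP virtual-host
# response-time bytes-received bytes-sent
LogFormat "[%{%a %b %d %H:%M:%S %Y}t] [sslaccess] %h %l %u %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" \"%{SSL_CLIENT_I_DN}x\" \"%{SSL_CLIENT_S_DN}x\" \"%{cookie}n\" %A %V %D %I %O" sslcombined
CustomLog $root/logs/ssl_access_log sslcombined
# Enable HTTPS reverse proxy
ProxyRequests Off
ProxyPreserveHost Off
ProxyStatus On
SSLProxyEngine on
SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Verify server certificates
SSLProxyVerify require
SSLProxyVerifyDepth 1
SSLProxyCheckPeerCN Off
EOF

# Proxy client certificate: cert/proxy.pem when the proxyconf environment
# variable is set and non-empty, cert/server.pem otherwise.
proxycert=server
if [ -n "${proxyconf:-}" ]; then
  proxycert=proxy
fi

cat >"$root/conf/svhost-ssl.conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Static virtual host configuration
Include conf/vhost-ssl.conf
# Declare SSL certificates used in this virtual host
SSLCACertificateFile "$root/cert/ca.crt"
SSLCertificateChainFile "$root/cert/ca.crt"
SSLCertificateFile "$root/cert/vhost.crt"
SSLCertificateKeyFile "$root/cert/vhost.key"
# Declare proxy SSL client certificates
SSLProxyCACertificateFile "$root/cert/ca.crt"
SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem"
EOF

cat >"$root/conf/dvhost-ssl.conf" <<EOF
# Mass dynamic virtual host configuration
# Generated by: httpd-ssl-conf $*
Include conf/vhost-ssl.conf
# Declare wildcard SSL certificates used in this virtual host
SSLCACertificateFile "$root/cert/ca.crt"
SSLCertificateChainFile "$root/cert/ca.crt"
SSLCertificateFile "$root/cert/vhost.crt"
SSLCertificateKeyFile "$root/cert/vhost.key"
# Declare proxy SSL client certificates
SSLProxyCACertificateFile "$root/cert/ca.crt"
SSLProxyMachineCertificateFile "$root/cert/$proxycert.pem"
EOF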