#!/bin/sh
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
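# Generate a minimal HTTPD SSL configuration
#
# Usage: httpd-ssl-conf <root> <ssl-addr>
#   <root>      server root previously set up by httpd-conf; it must contain
#               conf/httpd.conf with the "# Generated by: httpd-conf" marker
#   <ssl-addr>  HTTPS address specification, handed to httpd-addr to derive
#               the public port, the Listen address and the VirtualHost address
#
# Side effects: appends to $root/conf/httpd.conf, $root/conf/svhost.conf and
# $root/conf/dvhost.conf, and (re)writes the *-ssl.conf files under
# $root/conf. Exits non-zero on missing arguments, a missing httpd-conf
# marker, or a failing httpd-addr call.
#
# POSIX sh only: no arrays, no [[ ]], no ${var^^}.
set -eu

# Print a diagnostic to stderr and exit with status 1.
die() {
  printf 'httpd-ssl-conf: %s\n' "$*" >&2
  exit 1
}

# Resolve a path to its canonical absolute form. The path is passed to
# python as an argument instead of being spliced into the program text, so a
# quote or other metacharacter in the path cannot alter what python runs.
# print() with a single argument behaves the same under python 2 and 3.
realpath_py() {
  python -c 'import os, sys; print(os.path.realpath(sys.argv[1]))' "$1"
}

if [ $# -lt 2 ]; then
  printf 'Usage: %s <root> <ssl-addr>\n' "${0##*/}" >&2
  exit 2
fi

# Directory holding this script; httpd-addr is expected next to it.
here=$(realpath_py "$0")
here=$(dirname "$here")

root=$1
mkdir -p -- "$root"
root=$(realpath_py "$root")

# httpd-conf records the host, port and htdocs directory it was run with in
# a marker comment (fields 6, 7 and 8 of that line). If httpd-conf has been
# run more than once the first marker is used.
conf=$(grep '# Generated by: httpd-conf' "$root/conf/httpd.conf" | head -n 1)
[ -n "$conf" ] || die "no '# Generated by: httpd-conf' marker in $root/conf/httpd.conf"
host=$(printf '%s\n' "$conf" | awk '{ print $6 }')
gport=$(printf '%s\n' "$conf" | awk '{ print $7 }')
htdocs=$(printf '%s\n' "$conf" | awk '{ print $8 }')

# HTTP ports of the existing configuration and the HTTPS ports to add.
# Under set -e a failing httpd-addr aborts the script instead of leaving an
# empty port in the generated configuration.
port=$("$here/httpd-addr" port "$gport")
pport=$("$here/httpd-addr" pport "$gport")
sslpport=$("$here/httpd-addr" pport "$2")
sslport=$("$here/httpd-addr" listen "$2")
sslvhost=$("$here/httpd-addr" vhost "$2")

# Leave the port out of redirect targets when HTTPS uses the default port.
if [ "$sslpport" = "443" ]; then
  sslpportsuffix=""
else
  sslpportsuffix=":$sslpport"
fi

# A tracking CookieDomain is only emitted for a qualified host name (one
# containing a dot); a bare host name leaves dothost empty.
case $host in
  *.*) dothost=$host ;;
  *) dothost="" ;;
esac

mkdir -p -- "$htdocs"

# Generate HTTPD configuration
# Every request on the HTTPS vhost is redirected to the canonical host name,
# except requests that arrived through a proxy (X-Forwarded-Server set) and
# the status/balancer/proxy paths.
cat >>"$root/conf/httpd.conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Configure SSL support
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:$root/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
Mutex "file:$root/logs" ssl-cache
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLCompression Off
# Listen on HTTPS port
Listen $sslport
# HTTPS virtual host
<VirtualHost $sslvhost>
ServerName https://$host$sslpportsuffix
<Location />
RewriteEngine on
Include conf/hostcond.conf
RewriteCond %{HTTP:X-Forwarded-Server} ^$ [NC]
RewriteCond %{REQUEST_URI} !^/server-status [NC]
RewriteCond %{REQUEST_URI} !^/balancer-manager [NC]
RewriteCond %{REQUEST_URI} !^/proxy/ [NC]
RewriteRule .* https://$host$sslpportsuffix%{REQUEST_URI} [R]
</Location>
Include conf/svhost-ssl.conf
# Configure authentication
Include conf/noauth-ssl.conf
Include conf/locauth-ssl.conf
Include conf/pubauth-ssl.conf
Include conf/adminauth-ssl.conf
# Configure tracking
Include conf/tracking-ssl.conf
</VirtualHost>
EOF

# Generate auth configuration
# The *-ssl.conf auth files only include their non-SSL counterparts.
cat >"$root/conf/locauth-ssl.conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Authentication and authorization configuration
Include conf/locauth.conf
EOF
cat >"$root/conf/pubauth-ssl.conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Allow everyone to access public locations
Include conf/pubauth.conf
EOF
cat >"$root/conf/adminauth-ssl.conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Allow admin access
Include conf/adminauth.conf
EOF
# Allow public access to server resources
# The marker names this script, as in every other file written here
# (it previously read "httpd-conf", a copy/paste leftover).
cat >"$root/conf/noauth-ssl.conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Allow public access to server resources
Include conf/noauth.conf
EOF

# Generate HTTP vhost configuration
# Both HTTP ports (the listen port and the public port) are matched so the
# redirect works whether or not the server sits behind a port forwarder.
cat >>"$root/conf/svhost.conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Redirect HTTP traffic to HTTPS
<Location />
RewriteEngine on
RewriteCond %{SERVER_PORT} ^$port$ [OR]
RewriteCond %{SERVER_PORT} ^$pport$
RewriteRule .* https://$host$sslpportsuffix%{REQUEST_URI} [R]
</Location>
EOF
# Redirect HTTP traffic to HTTPS in HTTP vhost
# Dynamic vhosts redirect to the requested SERVER_NAME rather than $host.
cat >>"$root/conf/dvhost.conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Redirect HTTP traffic to HTTPS
<Location />
RewriteEngine on
RewriteCond %{SERVER_PORT} ^$port$ [OR]
RewriteCond %{SERVER_PORT} ^$pport$
RewriteRule .* https://%{SERVER_NAME}$sslpportsuffix%{REQUEST_URI} [R]
</Location>
EOF

# Generate HTTPS vhost configuration
# NOTE(review): the TLS settings below are emitted unchanged to keep the
# generated output stable, but they are weak by current standards and worth
# revisiting with the operators of this deployment:
#  - "SSLProtocol ALL -SSLv2" and "SSLProxyProtocol ALL -SSLv2" still allow
#    SSLv3 and TLS 1.0;
#  - both cipher lists place RC4 suites first;
#  - "SSLProxyCheckPeerCN Off" together with "SSLProxyVerify require" and
#    depth 1 means any certificate issued by cacert.pem is accepted for a
#    backend, whatever name it carries;
#  - "+FakeBasicAuth" turns a client certificate DN into a Basic-auth user
#    with a fixed well-known password, so the password files it is combined
#    with must list only the DNs that are meant to be trusted.
cat >"$root/conf/vhost-ssl.conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Virtual host configuration
UseCanonicalName Off
# Enable SSL
SSLEngine on
SSLProtocol ALL -SSLv2
SSLHonorCipherOrder On
#SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4-SHA:AES128-SHA:HIGH:!MD5:!DHE:!3DES:!EXP:!ADH:!EDH:!aNULL:!eNULL:!NULL
SSLCipherSuite ECDHE-RSA-RC4-SHA:RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:ECDHE-RSA-AES256-SHA:AES256-SHA:!DHE:!3DES:!EXP:!ADH:!EDH:!aNULL:!eNULL:!NULL
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLOptions +StrictRequire +OptRenegotiate +FakeBasicAuth
# Require clients to use SSL and authenticate
<Location />
SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Location>
# Log SSL requests
# [timestamp] [sslaccess] remote-host remote-ident remote-user SSL-protocol
# SSL-cipher "request-line" status response-size "referrer" "user-agent"
# "SSL-client-I-DN" "SSL-client-S-DN" "user-track" local-IP virtual-host
# response-time bytes-received bytes-sent
LogFormat "[%{%a %b %d %H:%M:%S %Y}t] [sslaccess] %h %l %u %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" \"%{SSL_CLIENT_I_DN}x\" \"%{SSL_CLIENT_S_DN}x\" \"%{cookie}n\" %A %V %D %I %O %{mod_security-message}i" sslcombined
Include conf/log-ssl.conf
# Enable HTTPS reverse proxy
ProxyRequests Off
ProxyPreserveHost On
ProxyStatus On
SSLProxyEngine on
SSLProxyProtocol ALL -SSLv2
#SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4-SHA:AES128-SHA:HIGH:!MD5:!DHE:!3DES:!EXP:!ADH:!EDH:!aNULL:!eNULL:!NULL
SSLProxyCipherSuite ECDHE-RSA-RC4-SHA:RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:ECDHE-RSA-AES256-SHA:AES256-SHA:!DHE:!3DES:!EXP:!ADH:!EDH:!aNULL:!eNULL:!NULL
# Verify server certificates
SSLProxyCACertificateFile "$root/cert/cacert.pem"
SSLProxyVerify require
SSLProxyVerifyDepth 1
SSLProxyCheckPeerCN Off
# Enable server status
<Location /server-status>
SetHandler server-status
HostnameLookups on
</Location>
EOF

# Generate tracking configuration
# The visitor cookie expires after 31556926 seconds (about one year).
cat >"$root/conf/tracking-ssl.conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Configure tracking
CookieTracking on
CookieName TuscanyVisitorId
CookieStyle Cookie
CookieExpires 31556926
EOF
if [ "$dothost" != "" ]; then
cat >>"$root/conf/tracking-ssl.conf" <<EOF
# Generated by: httpd-ssl-conf $*
CookieDomain .$dothost
EOF
fi

# Configure logging
cat >"$root/conf/log-ssl.conf" <<EOF
# Generated by: httpd-ssl-conf $*
CustomLog $root/logs/ssl_access_log sslcombined
EOF

# Configure virtual hosts
# The certificate files referenced below are not checked here; httpd will
# refuse to start if they are absent.
cat >"$root/conf/svhost-ssl.conf" <<EOF
# Generated by: httpd-ssl-conf $*
# Static virtual host configuration
Include conf/vhost-ssl.conf
# Declare SSL certificates used in this virtual host
SSLCACertificateFile "$root/cert/ca.crt"
SSLCertificateChainFile "$root/cert/ca.crt"
SSLCertificateFile "$root/cert/server.crt"
SSLCertificateKeyFile "$root/cert/server.key"
EOF
cat >"$root/conf/dvhost-ssl.conf" <<EOF
# Mass dynamic virtual host configuration
# Generated by: httpd-ssl-conf $*
Include conf/vhost-ssl.conf
# Declare wildcard SSL certificates used in this virtual host
SSLCACertificateFile "$root/cert/ca.crt"
SSLCertificateChainFile "$root/cert/ca.crt"
SSLCertificateFile "$root/cert/vhost.crt"
SSLCertificateKeyFile "$root/cert/vhost.key"
EOF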