* Wed Jun 13 2007 Andrew McNab <Andrew.McNab@man.ac.uk>
- Include ctx->param->flags fix in mod_gridsite for
OpenSSL 0.9.8 from Bruno Harbulot.
+- Restrict export of VOMS attributes to ones present
+ in the last proxy of the chain to contain attributes
* Fri May 10 2007 Andrew McNab <Andrew.McNab@man.ac.uk>
- ==== GridSite version 1.5.1 ====
* Fri Feb 16 2007 Andrew McNab <Andrew.McNab@man.ac.uk>
## This file should be renamed /etc/httpd/conf/httpd.conf and Apache
## restarted to use Apache2/GridSite as a simple HTTP(S) fileserver.
##
-## You do not need to install the GridSite mod_ssl.so module if you
-## do not wish to use Globus Proxies or VOMS attributes, but you must
-## have the mod_gridsite.so in /usr/lib/httpd/modules
-##
-## We're assuming you have (a) the host's hostcert.pem and hostkey.pem
+## We assume that you have mod_gridsite.so in /usr/lib/httpd/modules
+## and that you have (a) the host's hostcert.pem and hostkey.pem
## in /etc/grid-security/ and (b) the Certification Authorities' you
## trust have their root certs in /etc/grid-security/certificates
##
## If you want to use DN Lists in ACLs, they should be placed/downloaded
## in /etc/grid-security/dn-lists/
##
-## To start serving files, make a directory /var/www/htdocs owned by
+## To start serving files, make a directory /var/www/html owned by
## apache.apache, including the file .gacl containing:
##
## <gacl>
User apache
Group apache
-DocumentRoot "/var/www/htdocs"
+DocumentRoot "/var/www/html"
<Directory />
AllowOverride None
Listen 777
<VirtualHost *:80 *:777>
-<Directory "/var/www/htdocs">
+<Directory "/var/www/html">
GridSiteIndexes on
GridSiteAuth on
GridSiteDNlists /etc/grid-security/dn-lists/
SSLVerifyDepth 10
SSLOptions +ExportCertData +StdEnvVars
-<Directory "/var/www/htdocs">
+<Directory "/var/www/html">
GridSiteIndexes on
GridSiteAuth on
GridSiteDNlists /etc/grid-security/dn-lists/
- GridSiteGSIProxyLimit 0
-# GridSiteMethods GET PUT DELETE MOVE
+ GridSiteGSIProxyLimit 9
+ GridSiteMethods GET PUT DELETE MOVE
</Directory>
</VirtualHost>
--- /dev/null
+##############################################################################
+## GridSite httpd-storage.conf - Andrew McNab <Andrew.McNab@man.ac.uk>
+##
+## For GridSite documentation, see http://www.gridsite.org/
+##
+## Example configuration file for GridSite as an HTTP(S) storage server,
+## listening on ports 80/777 (HTTP) and 443/488 (HTTPS)
+##
+## (777/488 is to allow firewalls to distinguish between Grid and
+## Web HTTP(S) traffic. See http://www.gridsite.org/wiki/IP_Ports )
+##
+## This file should be renamed /etc/httpd/conf/httpd.conf and Apache
+## restarted to use Apache2/GridSite as a simple HTTP(S) fileserver.
+##
+## We assume that you have mod_gridsite.so in /usr/lib/httpd/modules
+## and that you have (a) the host's hostcert.pem and hostkey.pem
+## in /etc/grid-security/ and (b) the Certification Authorities' you
+## trust have their root certs in /etc/grid-security/certificates
+##
+## (You can get RPMs for many European and North American Grid CAs
+## from https://datagrid.in2p3.fr/distribution/datagrid/security/ )
+##
+## If you want to use DN Lists in ACLs, they should be placed/downloaded
+## in /etc/grid-security/dn-lists/
+##
+## To start serving files, make a directory /var/www/html owned by
+## apache.apache, including the file .gacl containing:
+##
+## <gacl>
+## <entry>
+## <any-user/>
+## <allow><read/><list/></allow>
+## </entry>
+## </gacl>
+##
+## To enable writing, add DN List, Person or VOMS entries to the GACL
+## (see the GridSite GACL document for the syntax.) For example:
+##
+## <gacl>
+## <entry>
+## <any-user/>
+## <allow><read/><list/></allow>
+## </entry>
+## <entry>
+## <person>
+## <dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab</dn>
+## </person>
+## <allow><write/></allow>
+## </entry>
+## </gacl>
+##
+## and add the following directive to the HTTPS <Directory> section:
+##
+## GridSiteMethods GET PUT DELETE MOVE
+##
+## If you wish to accept Globus GSI Proxies as well as full X.509 user
+## certificates, set GridSiteGSIProxyLimit to the depth of proxy you
+## wish to accept.
+##
+## (As a _rough_ guide: 0=No Proxies; 1=Proxy on user's machine; 2=Proxy
+## owned by running Globus job; 3=Proxy delegated by a Globus job.)
+##
+## With this done and Apache restarted, you can upload a file with:
+##
+## curl -v --cert ~/.globus/usercert.pem --key ~/.globus/userkey.pem \
+## --capath /etc/grid-security/certificates --upload-file /tmp/tmp.txt \
+## https://INSERT.HOSTNAME.HERE/tmp.txt
+##
+## (or with --cert /tmp/x509up_u`id -u` --key /tmp/x509up_u`id -u` to use
+## a Globus GSI Proxy created with grid-proxy-init.)
+##
+##############################################################################
+
+ServerRoot "/etc/httpd"
+
+#######!!!!!!!!!!!!!!!!!!!!
+ServerName pc63.hep.man.ac.uk
+
+PidFile logs/httpd.pid
+
+Timeout 300
+KeepAlive On
+MaxKeepAliveRequests 100
+KeepAliveTimeout 15
+
+LoadModule log_config_module /usr/lib/httpd/modules/mod_log_config.so
+LoadModule ssl_module /usr/lib/httpd/modules/mod_ssl.so
+LoadModule gridsite_module /usr/lib/httpd/modules/mod_gridsite.so
+LoadModule mime_module /usr/lib/httpd/modules/mod_mime.so
+LoadModule dir_module /usr/lib/httpd/modules/mod_dir.so
+
+TypesConfig /etc/mime.types
+
+# User and group who will own files created by Apache
+User apache
+Group apache
+
+DocumentRoot "/var/www/html"
+
+<Directory />
+ AllowOverride None
+</Directory>
+
+LogLevel debug
+LogFormat "%h \"%{SSL_CLIENT_S_DN}x\" %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+
+CustomLog logs/httpd-gridsite-access combined
+ErrorLog logs/httpd-gridsite-errors
+
+HostnameLookups On
+
+# Enable SiteCast location of files via multicast
+GridSiteCastGroup 224.0.1.111:777
+
+######################################################################
+# Plain unauthenticated HTTP on ports 80 and 777
+######################################################################
+
+Listen 80
+Listen 777
+<VirtualHost *:80 *:777>
+
+GridSiteGridHTTP on
+GridSiteCastAlias http://sitecast.domain:777/ /var/www/html
+
+<Directory "/var/www/html">
+ GridSiteIndexes on
+ GridSiteAuth on
+ GridSiteDNlists /etc/grid-security/dn-lists/
+</Directory>
+
+</VirtualHost>
+
+######################################################################
+# Secured and possibly authenticated HTTPS on ports 443 and 488
+######################################################################
+Listen 443
+Listen 488
+SSLSessionCacheTimeout 300
+SSLSessionCache shm:/var/cache/mod_ssl/shm_cache
+
+<VirtualHost *:443 *:488>
+
+SSLEngine on
+SSLCertificateFile /etc/grid-security/hostcert.pem
+SSLCertificateKeyFile /etc/grid-security/hostkey.pem
+SSLCACertificatePath /etc/grid-security/certificates
+#SSLCARevocationPath YOUR CRL DIRECTORY WOULD GO HERE
+SSLVerifyClient optional
+SSLVerifyDepth 10
+SSLOptions +ExportCertData +StdEnvVars
+
+GridSiteGridHTTP on
+GridSiteCastAlias https://sitecast.domain:777/ /var/www/html
+
+<Directory "/var/www/html">
+ GridSiteIndexes on
+ GridSiteAuth on
+ GridSiteDNlists /etc/grid-security/dn-lists/
+ GridSiteGSIProxyLimit 9
+ GridSiteMethods GET PUT DELETE MOVE
+</Directory>
+
+</VirtualHost>
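Review bot: Certificate revocation is never checked in the HTTPS vhost: `SSLCARevocationPath` on line 204 is left as a commented placeholder, so a revoked user or proxy certificate from a trusted CA is still accepted for PUT/DELETE/MOVE on /var/www/html once the `.gacl` grants write. Since this example is meant to be copied into place as httpd.conf, it should ship an enabled `SSLCARevocationPath /etc/grid-security/certificates` (or whichever directory the site's CRL update job populates) rather than a comment an operator has to notice. The example also sets `GridSiteGSIProxyLimit 9` while its own header text (lines 112–117) tells operators to choose a depth of 0–3, so either the directive or the guidance should change. `LogLevel debug` and the hard-coded `ServerName pc63.hep.man.ac.uk` under a row of `!!!!` look like development leftovers; the curl example already uses `INSERT.HOSTNAME.HERE`, and the ServerName line should do the same.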
## This file should be renamed /etc/httpd/conf/httpd.conf and Apache
## restarted to use Apache2/GridSite as a webserver.
##
-## You do not need to install the GridSite mod_ssl.so module if you
-## do not wish to use Globus Proxies or VOMS attributes, but you must
-## have the mod_gridsite.so in /usr/lib/httpd/modules
-##
-## We're assuming you have (a) the host's hostcert.pem and hostkey.pem
+## We assume you have mod_gridsite.so in /usr/lib/httpd/modules
+## and that you have (a) the host's hostcert.pem and hostkey.pem
## in /etc/grid-security/ and (b) the Certification Authorities' you
## trust have their root certs in /etc/grid-security/certificates
##
## from https://datagrid.in2p3.fr/distribution/datagrid/security/ )
##
## If you want to use DN Lists in ACLs, they should be placed/downloaded
-## in /etc/grid-security/dn-lists/ or /var/www/htdocs/dn-lists/
+## in /etc/grid-security/dn-lists/ or /var/www/html/dn-lists/
## (Lists in /etc/grid-security/dn-lists/ override lists elsewhere.)
##
-## To start serving files, make a directory /var/www/htdocs owned by
+## To start serving files, make a directory /var/www/html owned by
## apache.apache, including the file .gacl containing:
##
## <gacl>
User apache
Group apache
-DocumentRoot "/var/www/htdocs"
+DocumentRoot "/var/www/html"
<Directory />
AllowOverride None
## and to allow you to edit files and ACLs via your browser.
ScriptAlias /real-gridsite-admin.cgi /usr/sbin/real-gridsite-admin.cgi
-<Directory "/var/www/htdocs">
+<Directory "/var/www/html">
## This sets up GACL authorization for this server.
GridSiteAuth on
## and to allow you to edit files and ACLs via your browser.
ScriptAlias /real-gridsite-admin.cgi /usr/sbin/real-gridsite-admin.cgi
-<Directory "/var/www/htdocs">
+<Directory "/var/www/html">
## This sets up GACL authorization for this server.
GridSiteAuth on
## GACL to search when it encounters a dn-list credential. The DN List
## files are plain text, one DN per line, and must have the full url
## as the file name, but URL Encoded - eg with urlencode(1)
- GridSiteDNlists /etc/grid-security/dn-lists/:/var/www/htdocs/dn-lists/
+ GridSiteDNlists /etc/grid-security/dn-lists/:/var/www/html/dn-lists/
## This is used to form the URL at which DN Lists "owned" by this
## server are exported. https://FULL.SERVER.NAME/dn-lists/file
-#define HT_LEAK_TEST
/*
Copyright (c) 2002-6, Andrew McNab, University of Manchester
All rights reserved.
#include <apr_strings.h>
#include <apr_tables.h>
+#include <apr_network_io.h>
#include <ap_config.h>
#include <httpd.h>
const char *parm1, const char *parm2)
{
int i;
- char *p, *q;
+ char *p, *q, buf[APRMAXHOSTLEN + 1] = "localhost";
if (strcasecmp(a->cmd->name, "GridSiteUserGroup") == 0)
{
sitecastaliases[i].sitecast_url = apr_pstrdup(a->pool, parm1);
sitecastaliases[i].local_path = apr_pstrdup(a->pool, parm2);
- sitecastaliases[i].local_hostname = apr_pstrdup(a->pool,
+
+ if (a->server->server_hostname == NULL)
+ {
+ apr_gethostname(buf, APRMAXHOSTLEN + 1, a->pool);
+ sitecastaliases[i].local_hostname = apr_pstrdup(a->pool, buf);
+ }
+ else sitecastaliases[i].local_hostname = apr_pstrdup(a->pool,
a->server->server_hostname);
break;
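Review bot: The status returned by `apr_gethostname()` on line 293 is ignored, so when the lookup fails the alias is registered under whatever `buf` happens to contain — the `"localhost"` initialiser is not guaranteed to survive a failed call. Check it and fall back explicitly: `if (apr_gethostname(buf, APRMAXHOSTLEN + 1, a->pool) != APR_SUCCESS) apr_cpystrn(buf, "localhost", sizeof(buf));`. The enclosing directive handler begins before this hunk.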
void GRST_save_ssl_creds(conn_rec *conn, GRSTx509Chain *grst_chain)
{
- int i, lastcred;
+ int i, lastcred, lowest_voms_delegation = 65535;
char envname[14], *tempfile = NULL,
*sessionfile, session_id[(SSL_MAX_SSL_SESSION_ID_LENGTH+1)*2];
apr_file_t *fp = NULL;
APR_CREATE | APR_WRITE | APR_EXCL, conn->pool);
}
- grst_cert = grst_chain->firstcert;
+ i=0;
- for (i=0; grst_cert != NULL; grst_cert = grst_cert->next)
+ for (grst_cert = grst_chain->firstcert;
+ grst_cert != NULL; grst_cert = grst_cert->next)
{
if (grst_cert->type == GRST_CERT_TYPE_VOMS)
{
+ /* want to record the delegation level
+ of the last proxy with VOMS attributes */
+
+ lowest_voms_delegation = grst_cert->delegation;
+ }
+ else if ((grst_cert->type == GRST_CERT_TYPE_EEC) ||
+ (grst_cert->type == GRST_CERT_TYPE_PROXY))
+ {
apr_table_setn(conn->notes,
apr_psprintf(conn->pool, "GRST_CRED_AURI_%d", i),
- apr_pstrcat(conn->pool, "fqan:", grst_cert->value, NULL));
+ apr_pstrcat(conn->pool, "dn:", grst_cert->dn, NULL));
- if (fp != NULL) apr_file_printf(fp, "GRST_CRED_AURI_%d=fqan:%s\n",
- i, grst_cert->value);
+ if (fp != NULL) apr_file_printf(fp, "GRST_CRED_AURI_%d=dn:%s\n",
+ i, grst_cert->dn);
apr_table_setn(conn->notes,
apr_psprintf(conn->pool, "GRST_CRED_VALID_%d", i),
apr_psprintf(conn->pool,
"notbefore=%ld notafter=%ld delegation=%d nist-loa=%d",
grst_cert->notbefore,
- grst_cert->notafter,
+ grst_cert->notafter,
grst_cert->delegation, 0));
if (fp != NULL) apr_file_printf(fp,
"GRST_CRED_VALID_%d=notbefore=%ld notafter=%ld delegation=%d nist-loa=%d\n",
i, grst_cert->notbefore,
- grst_cert->notafter,
+ grst_cert->notafter,
grst_cert->delegation, 0);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, conn->base_server,
- "store GRST_CRED_AURI_%d=fqan:%s", i, grst_cert->value);
+ "store GRST_CRED_AURI_%d=dn:%s", i, grst_cert->dn);
++i;
}
- else if ((grst_cert->type == GRST_CERT_TYPE_EEC) ||
- (grst_cert->type == GRST_CERT_TYPE_PROXY))
+ }
+
+ for (grst_cert = grst_chain->firstcert;
+ grst_cert != NULL; grst_cert = grst_cert->next)
+ {
+ if ((grst_cert->type == GRST_CERT_TYPE_VOMS) &&
+ (grst_cert->delegation == lowest_voms_delegation))
{
+ /* only export attributes from the last proxy to contain them */
+
apr_table_setn(conn->notes,
apr_psprintf(conn->pool, "GRST_CRED_AURI_%d", i),
- apr_pstrcat(conn->pool, "dn:", grst_cert->dn, NULL));
+ apr_pstrcat(conn->pool, "fqan:", grst_cert->value, NULL));
- if (fp != NULL) apr_file_printf(fp, "GRST_CRED_AURI_%d=dn:%s\n",
- i, grst_cert->dn);
+ if (fp != NULL) apr_file_printf(fp, "GRST_CRED_AURI_%d=fqan:%s\n",
+ i, grst_cert->value);
apr_table_setn(conn->notes,
apr_psprintf(conn->pool, "GRST_CRED_VALID_%d", i),
apr_psprintf(conn->pool,
"notbefore=%ld notafter=%ld delegation=%d nist-loa=%d",
grst_cert->notbefore,
- grst_cert->notafter,
+ grst_cert->notafter,
grst_cert->delegation, 0));
if (fp != NULL) apr_file_printf(fp,
"GRST_CRED_VALID_%d=notbefore=%ld notafter=%ld delegation=%d nist-loa=%d\n",
i, grst_cert->notbefore,
- grst_cert->notafter,
+ grst_cert->notafter,
grst_cert->delegation, 0);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, conn->base_server,
- "store GRST_CRED_AURI_%d=dn:%s", i, grst_cert->dn);
+ "store GRST_CRED_AURI_%d=fqan:%s", i, grst_cert->value);
++i;
}
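Review bot: Which VOMS certificate's FQANs get exported is decided by linked-list order, not by the delegation value: the first loop (lines 314–320) overwrites `lowest_voms_delegation` on every VOMS entry it meets, so what survives is the delegation of the last VOMS entry in the list, and the name "lowest" matches neither what is stored nor the comment's stated intent ("the last proxy with VOMS attributes"). If delegation counts increase along the chain as the comment implies, make the choice explicit and order-independent: declare `int last_voms_delegation = -1;` and in the first loop use `if (grst_cert->delegation > last_voms_delegation) last_voms_delegation = grst_cert->delegation;`, then compare against that in the second loop. That way attributes from a proxy earlier in the delegation sequence cannot be exported should the chain ever be walked in the other direction. GRST_save_ssl_creds continues past the end of this hunk.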