Forum OpenACS Q&A: Response to An OpenSSL/Aolserver HOWTO
Posted by
Titi Ala'ilima
on 07/10/02 09:55 PM
Here's the standard config file I use for MACS, which allows you to turn SSL on and off just by setting `use_openssl` at the beginning:
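# AOLServer ACS Virtual Server Configuration File Template
# Replace SERVICE_NAME, SERVICE_IP, SERVICE_DNS, and SERVICE_PORT
# and all will go well.
#
# Basic settings
#
set service_name "SERVICE_NAME"
# NOTE(review): both database credentials default to the service name, which
# is guessable. Replace the password with a real secret before deployment, and
# keep this file readable only by the account that runs nsd, since the
# password sits here in clear text and is handed to every db pool below.
set service_database_username $service_name
set service_database_password $service_name
set aol_home [file dirname [ns_info config]]
set aol_bin [file dirname [ns_info nsd]]
set service_short_name $service_name
set service_short_description "a description of your service"
set service_email "service@ybos.net"
set acs_home "/web/$service_name"
set service_ip_address "SERVICE_IP"
set service_ip_name "SERVICE_DNS"
set service_port "SERVICE_PORT"
# The SSL listener reuses the plain listener's address and host name unless
# overridden here.
set service_ip_address_ssl $service_ip_address
set service_ip_name_ssl $service_ip_name
set service_port_ssl "443"
set db_version "ora9"
# Master switch for SSL: "1" asks for nsopenssl, which is then loaded only if
# the module and the cert/key files are actually present (see openssl_able).
set use_openssl "0"
# nscp: Uncomment the sample password and log in with "nsadmin", password "x",
# type "ns_crypt newpassword salt" and put the encrypted string below.
set nscp_port 9999
# nscp is a plain-text control port, so it is bound to the loopback address
# only and is reachable just from the local host. This variable is read by the
# nscp section further down but was never defined, which made that section
# fail as soon as nscp_user was set.
set nscp_address "127.0.0.1"
set nscp_user ""
#set nscp_user "nsadmin:t2GqvvaiIUbF2:" ;# sample user="nsadmin", pw="x".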
#
# The nitty gritty, which you usually won't need.
#
#
# Database driver and connection pools
#
ns_section "ns/db/drivers"
ns_param $db_version "$aol_bin/$db_version.so"
# The three pools are identical apart from their size: all use the same
# driver and the same credentials from the basic settings above.
foreach {pool_name pool_connections} {main 4 subquery 4 log 3} {
    ns_section "ns/db/pool/$pool_name"
    ns_param MaxIdle "1000000000"
    ns_param MaxOpen "1000000000"
    ns_param Driver $db_version
    ns_param Connections $pool_connections
    ns_param DataSource {}
    ns_param User $service_database_username
    ns_param Password $service_database_password
    ns_param Verbose "On"
    ns_param ExtendedTableInfo "On"
}
# Register the pools by name so the server section can refer to them.
ns_section "ns/db/pools"
ns_param main "main"
ns_param subquery "subquery"
ns_param log "log"
# Helper used below: switch to a config section and set each of the
# key/value pairs that follow, in the order given.
proc config_section {section args} {
    ns_section $section
    foreach {key value} $args {
        ns_param $key $value
    }
}
# Server-wide parameters. ACS parameters that used to be handled with a file
# under acs/parameters are now stored in the database, so only nsd's own
# settings remain here. 'dev' and 'debug' switch logging of those severities.
config_section "ns/parameters" \
    User "nsadmin" \
    Group "web" \
    ServerLog "$aol_home/log/$service_name-error.log" \
    dev true \
    debug false \
    Home $aol_home \
    StackSize "500000" \
    MaxKeepAlive "0"
# SystemScope lets nsd threads use more than one processor (Solaris).
config_section "ns/threads" \
    SystemScope "on"
# The virtual server itself: document root, error pages and thread limits.
config_section "ns/server/$service_name" \
    PageRoot "$acs_home/www" \
    DirectoryFile "index.tcl,index.adp,index.html,index.htm" \
    Webmaster $service_email \
    NoticeBgColor {"#ffffff"} \
    EnableTclPages "On" \
    NotFoundResponse "/global/file-not-found.html" \
    ServerBusyResponse "/global/busy.html" \
    ServerInternalErrorResponse "/global/error.html" \
    MaxThreads "10" \
    MinThreads "10" \
    MaxBusyThreads "15" \
    MaxWait "2"
config_section "ns/server/$service_name/db" \
    Pools "main,subquery,log" \
    DefaultPool "main"
config_section "ns/server/$service_name/adp" \
    Map "/*.adp" \
    DefaultParser "fancy"
# Access log in combined format with referer and user agent.
config_section "ns/server/$service_name/module/nslog" \
    EnableHostnameLookup "On" \
    File "$aol_home/log/$service_name.log" \
    LogCombined "On" \
    LogRefer "On" \
    LogUserAgent "On" \
    MaxBackup "5" \
    RollLog "Off"
config_section "ns/server/$service_name/module/nsperm" \
    model "Small" \
    enablehostnamelookup "Off"
# Plain HTTP listener.
config_section "ns/server/$service_name/module/nssock" \
    timeout "120" \
    Address $service_ip_address \
    Hostname $service_ip_name \
    Port $service_port
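# Turn SSL on only when it was asked for AND everything it needs is present:
# the nsopenssl module and the server's certificate/key pair. The expression
# is braced so that expr parses it itself (no double substitution of the
# file names) and the line breaks inside the braces are harmless.
set openssl_able [expr {$use_openssl &&
    [file exists "$aol_bin/nsopenssl.so"] &&
    [file exists "$aol_home/servers/$service_name/modules/nsopenssl/cert.pem"] &&
    [file exists "$aol_home/servers/$service_name/modules/nsopenssl/key.pem"]}]
if {$openssl_able} {
    # Config for nsopenssl 2.1
    # The section name follows $service_name like every other module section
    # (it was hard-coded to one particular server name).
    ns_section "ns/server/$service_name/module/nsopenssl"
    # NSD-driven connections:
    ns_param ServerAddress $service_ip_address_ssl
    # Both values below come from the basic settings; the original referred
    # to two misspelled, never-defined variables.
    ns_param ServerPort $service_port_ssl
    ns_param ServerHostname $service_ip_name_ssl
    ns_param ServerCertFile "cert.pem"
    ns_param ServerKeyFile "key.pem"
    # NOTE(review): SSLv2 and the +SSLv2/+EXP/+LOW cipher classes in the
    # three protocol/suite pairs below are known-weak; on a server reachable
    # from the Internet restrict the protocol list and drop those classes
    # from the suite. Values kept as posted.
    ns_param ServerProtocol {SSLv2, SSLv3, TLSv1}
    ns_param ServerCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
    ns_param ServerSessionCache "False"
    ns_param ServerSessionCacheID "1"
    ns_param ServerSessionCacheSize "512"
    ns_param ServerSessionCacheTimeout "300"
    # Browsers are not asked for client certificates.
    ns_param ServerPeerVerify "false"
    ns_param ServerPeerVerifyDepth "3"
    ns_param ServerCADir "ca"
    ns_param ServerCAFile "ca.pem"
    ns_param ServerTrace "false"
    # For listening and accepting SSL connections via Tcl/C API:
    ns_param SockServerCertFile "cert.pem"
    ns_param SockServerKeyFile "key.pem"
    ns_param SockServerProtocol {SSLv2, SSLv3, TLSv1}
    ns_param SockServerCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
    ns_param SockServerSessionCache "False"
    ns_param SockServerSessionCacheID "2"
    ns_param SockServerSessionCacheSize "512"
    ns_param SockServerSessionCacheTimeout "300"
    # Peers on the Tcl/C API sockets must present a certificate that chains
    # to the CA material in ServerCADir/ServerCAFile.
    ns_param SockServerPeerVerify "true"
    ns_param SockServerPeerVerifyDepth "3"
    ns_param SockServerCADir "ca"
    ns_param SockServerCAFile "ca.pem"
    ns_param SockServerTrace "false"
    # Outgoing SSL connections
    ns_param SockClientCertFile "cert.pem"
    ns_param SockClientKeyFile "key.pem"
    ns_param SockClientProtocol {SSLv2, SSLv3, TLSv1}
    ns_param SockClientCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
    ns_param SockClientSessionCache "False"
    ns_param SockClientSessionCacheID "3"
    ns_param SockClientSessionCacheSize "512"
    ns_param SockClientSessionCacheTimeout "300"
    # Outgoing connections verify the remote server's certificate.
    ns_param SockClientPeerVerify "true"
    ns_param SockClientPeerVerifyDepth "3"
    ns_param SockClientCADir "ca"
    ns_param SockClientCAFile "ca.pem"
    ns_param SockClientTrace "false"
    # Typically where you store your certificates
    # Defaults to $AOLSERVER/servers/${servername}/modules/nsopenssl
    ns_param ModuleDir "$aol_home/servers/$service_name/modules/nsopenssl"
    # OpenSSL library support:
    # NOTE(review): /etc/inittab is a static, world-readable file and adds no
    # real entropy to the PRNG seed; point RandomFile at a kernel source such
    # as /dev/urandom where one is available.
    ns_param RandomFile "/etc/inittab"
    ns_param SeedBytes "1024"
}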
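# The control port (nscp) is configured only when an account has been set;
# it expects nscp_port and nscp_address to be defined in the basic settings.
if {![string equal $nscp_user ""]} {
    # Section names are built from $service_name like every other module
    # section; ${servername} was never set anywhere in this file.
    ns_section "ns/server/$service_name/module/nscp"
    ns_param port $nscp_port
    ns_param address $nscp_address
    ns_section "ns/server/$service_name/module/nscp/users"
    ns_param user $nscp_user
}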
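# Modules loaded into this virtual server: name -> shared object. The name
# used here is what the server uses to find ns/server/<name>/module/<name>
# (nsperm, nssock and nslog above follow that pattern).
ns_section "ns/server/$service_name/modules"
ns_param nsperm "$aol_bin/nsperm.so"
ns_param nssock "$aol_bin/nssock.so"
ns_param nslog "$aol_bin/nslog.so"
ns_param nssha1 "$aol_bin/nssha1.so"
ns_param nscache "$aol_bin/nscache.so"
ns_param nsxml "$aol_bin/nsxml.so"
# Conditions are braced so the flag values are not re-parsed by `if`.
if {$openssl_able} {
    # NOTE(review): the SSL settings above live under module/nsopenssl, but
    # the module is loaded here under the name nsssl; confirm that nsopenssl
    # reads its section under this name, or load it as nsopenssl instead.
    ns_param nsssl "$aol_bin/nsopenssl.so"
}
if {![string equal $nscp_user ""]} {
    ns_param nscp "$aol_bin/nscp.so"
}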
# Fallback content types for unknown and extension-less files, plus two
# types missing from the built-in table.
ns_section "ns/server/$service_name/MimeTypes"
foreach {extension mime_type} {
    Default     text/plain
    NoExtension text/plain
    .pcd        image/x-photo-cd
    .prc        application/x-pilot
} {
    ns_param $extension $mime_type
}
# Private Tcl library sourced at startup.
ns_section "ns/server/$service_name/tcl"
ns_param Library "$acs_home/tcl"
# Register the virtual server under its short description.
ns_section "ns/servers"
ns_param $service_name $service_short_description