Index: openacs-4/etc/config.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/etc/config.tcl,v
diff -u -r1.53 -r1.54
--- openacs-4/etc/config.tcl 16 Mar 2010 12:27:23 -0000 1.53
+++ openacs-4/etc/config.tcl 8 Nov 2010 19:29:58 -0000 1.54
@@ -324,85 +324,14 @@
 #---------------------------------------------------------------------
 #
-# OpenSSL for Aolserver 3.3 and 4
-#
+# OpenSSL for Aolserver 4
+#
 #---------------------------------------------------------------------
-if { [ns_info version] < 4} {
- #---------------------------------------------------------------------
- # OpenSSL for Aolserver 3.3
- #---------------------------------------------------------------------
+ns_section "ns/server/${server}/module/nsopenssl"
- ns_section "ns/server/${server}/module/nsopenssl"
-
- ns_param ModuleDir ${serverroot}/etc/certs
-
- # NSD-driven connections:
- ns_param ServerPort $httpsport
- ns_param ServerHostname $hostname
- ns_param ServerAddress $address
- ns_param ServerCertFile certfile.pem
- ns_param ServerKeyFile keyfile.pem
- ns_param ServerProtocols "SSLv2, SSLv3, TLSv1"
- ns_param ServerCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
- ns_param ServerSessionCache true
- ns_param ServerSessionCacheID 1
- ns_param ServerSessionCacheSize 512
- ns_param ServerSessionCacheTimeout 300
- ns_param ServerPeerVerify false
- ns_param ServerPeerVerifyDepth 3
- ns_param ServerCADir ca
- ns_param ServerCAFile ca.pem
- ns_param ServerTrace false
-
- # For listening and accepting SSL connections via Tcl/C API:
- ns_param SockServerCertFile certfile.pem
- ns_param SockServerKeyFile keyfile.pem
- ns_param SockServerProtocols "SSLv2, SSLv3, TLSv1"
- ns_param SockServerCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
- ns_param SockServerSessionCache true
- ns_param SockServerSessionCacheID 2
- ns_param SockServerSessionCacheSize 512
- ns_param SockServerSessionCacheTimeout 300
- ns_param SockServerPeerVerify false
- ns_param SockServerPeerVerifyDepth 3
- ns_param SockServerCADir internal_ca
- ns_param SockServerCAFile internal_ca.pem
- ns_param SockServerTrace false
-
- # Outgoing SSL connections
- ns_param SockClientCertFile certfile.pem
- ns_param SockClientKeyFile keyfile.pem
- ns_param SockClientProtocols "SSLv2, SSLv3, TLSv1"
- ns_param SockClientCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
- ns_param SockClientSessionCache false
- ns_param SockClientSessionCacheID 3
- ns_param SockClientSessionCacheSize 512
- ns_param SockClientSessionCacheTimeout 300
- ns_param SockClientPeerVerify false
- ns_param SockServerPeerVerifyDepth 3
- ns_param SockClientCADir ca
- ns_param SockClientCAFile ca.pem
- ns_param SockClientTrace false
-
- # OpenSSL library support:
- # ns_param RandomFile /some/file
- ns_param SeedBytes 1024
-
-} else {
-
- #---------------------------------------------------------------------
- # OpenSSL for Aolserver 4
- #---------------------------------------------------------------------
- ns_section "ns/server/${server}/module/nsopenssl"
-
- # Note this portion of the configuration is not perfect, and you
- # will get errors in the your error.log. However, it does
- # work. Fixes welcome.
-
- # this is used by acs-tcl/tcl/security-procs.tcl to get the
- # https port.
- ns_param ServerPort $httpsport
+ # this is used by acs-tcl/tcl/security-procs.tcl to get the https port.
+ ns_param ServerPort $httpsport
 # setting maxinput higher than practical may leave the server vulnerable to resource DoS attacks
 # see http://www.panoptic.com/wiki/aolserver/166
 # must set maxinput for nsopenssl as well as nssock
@@ -414,31 +343,31 @@
 # specificied in the driver section. The Tcl API will use the defaults as there
 # is currently no provision to specify which SSL context to use for a
 # particular connection via an ns_openssl Tcl command.
- ns_section "ns/server/${server}/module/nsopenssl/sslcontexts"
+ns_section "ns/server/${server}/module/nsopenssl/sslcontexts"
 ns_param users "SSL context used for regular user access"
 # ns_param admins "SSL context used for administrator access"
 ns_param client "SSL context used for outgoing script socket connections"
- ns_section "ns/server/${server}/module/nsopenssl/defaults"
+ns_section "ns/server/${server}/module/nsopenssl/defaults"
 ns_param server users
 ns_param client client
- ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
+ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
 ns_param Role server
 ns_param ModuleDir ${serverroot}/etc/certs
- ns_param CertFile certfile.pem
- ns_param KeyFile keyfile.pem
- # ns_param CADir ca-client/dir
- # ns_param CAFile ca-client/ca-client.crt
+ ns_param CertFile users-certfile.pem
+ ns_param KeyFile users-keyfile.pem
+ # CADir/CAFile can be commented out, if CA chain cert is appended to CA issued server cert.
+ ns_param CADir ${serverroot}/etc/certs
+ ns_param CAFile users-ca.crt
 # for Protocols "ALL" = "SSLv2, SSLv3, TLSv1"
 ns_param Protocols "SSLv3, TLSv1"
 ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
 ns_param PeerVerify false
 ns_param PeerVerifyDepth 3
 ns_param Trace false
- # following from bartt's nsd4.tcl, might help stablize openssl connections?
- # http://www.mail-archive.com/aolserver@listserv.aol.com/msg07092.html
+ # following helps to stablize some openssl connections from buggy clients.
 ns_param SessionCache true
 ns_param SessionCacheID 1
 ns_param SessionCacheSize 512
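Review bot: The comment added above the new `CADir`/`CAFile` lines in the `users` context talks about appending the chain to the CA-issued server certificate, but with `PeerVerify false` kept a few lines below, these CA settings presumably play no role in validating anything a browser presents, so the comment should say what they are actually for rather than when they may be omitted; something like `# CADir/CAFile: CA certificates used for peer (client cert) verification, only relevant when PeerVerify is true -- verify against the nsopenssl loader` would leave the next maintainer less confused. Since this section is being reworked anyway, the unchanged `ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"` still admits LOW and export-grade ciphers for regular user traffic; a narrower string such as `ns_param CipherSuite "HIGH:MEDIUM:!ADH:!LOW:!EXP:!SSLv2"` is worth considering for new deployments, after checking which client populations must still be supported.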
@@ -459,22 +388,22 @@
 # ns_param PeerVerifyDepth 3
 # ns_param Trace false
- ns_section "ns/server/${server}/module/nsopenssl/sslcontext/client"
+ns_section "ns/server/${server}/module/nsopenssl/sslcontext/client"
 ns_param Role client
 ns_param ModuleDir ${serverroot}/etc/certs
- ns_param CertFile certfile.pem
- ns_param KeyFile keyfile.pem
- # ns_param CADir ${serverroot}/etc/certs
- # ns_param CAFile certfile.pem
+ ns_param CertFile client-certfile.pem
+ ns_param KeyFile client-keyfile.pem
+ # CADir/CAFile can be commented out, if CA chain cert is appended to CA issued server cert.
+ ns_param CADir ${serverroot}/etc/certs
+ ns_param CAFile client-ca.crt
 # for Protocols "ALL" = "SSLv2, SSLv3, TLSv1"
 ns_param Protocols "SSLv2, SSLv3, TLSv1"
 ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
 ns_param PeerVerify false
 ns_param PeerVerifyDepth 3
 ns_param Trace false
- # following from bartt's nsd4.tcl, might help stablize openssl connections?
- # http://www.mail-archive.com/aolserver@listserv.aol.com/msg07092.html
+ # following helps to stablize some openssl connections to buggy servers.
 ns_param SessionCache true
 ns_param SessionCacheID 1
 ns_param SessionCacheSize 512
@@ -484,11 +413,11 @@
 # SSL context to associate with it. Note that you can now have multiple driver
 # connections within a single virtual server, which can be tied to different
 # SSL contexts.
- ns_section "ns/server/${server}/module/nsopenssl/ssldrivers"
+ns_section "ns/server/${server}/module/nsopenssl/ssldrivers"
 ns_param users "Driver for regular user access"
 # ns_param admins "Driver for administrator access"
- ns_section "ns/server/${server}/module/nsopenssl/ssldriver/users"
+ns_section "ns/server/${server}/module/nsopenssl/ssldriver/users"
 ns_param sslcontext users
 # ns_param port $httpsport_users
 ns_param port $httpsport
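Review bot: In the outgoing `client` context, the added `CADir`/`CAFile` lines now point at `client-ca.crt`, but `PeerVerify false` is left in place right below them, so the certificate of the remote server is still never checked against that CA and outbound HTTPS from scripts remains open to an impersonating host. If the CA file is being shipped for that purpose, it is `ns_param PeerVerify true` together with a populated `client-ca.crt` that actually enables validation; whether existing callers reach self-signed endpoints should be confirmed before flipping it. The added comment about appending the chain to the CA-issued server certificate was copied from the server context and does not describe a client role; a wording such as `# CADir/CAFile: CAs trusted for the remote server's certificate, used only when PeerVerify is true` fits better. The unchanged `ns_param Protocols "SSLv2, SSLv3, TLSv1"` on this context also still offers SSLv2 for outbound connections, unlike the `users` context, which the commit could align at the same time.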
@@ -507,8 +436,8 @@
 # ns_param port $httpsport
 # ns_param hostname $hostname
 # ns_param address $address
-}
+
 #---------------------------------------------------------------------
 #
 # Database drivers
@@ -537,12 +466,17 @@
 #
 # AOLserver can have different pools connecting to different databases
 # and even different different database servers. See
-# http://openacs.org/doc/openacs-5-1/tutorial-second-database.html
+# http://openacs.org/doc/tutorial-second-database.html
+# An example 'other db' configuration is included (and commented out) using other1_db_name
+# set other1_db_name "yourDBname"
 ns_section ns/db/pools
 ns_param pool1 "Pool 1"
 ns_param pool2 "Pool 2"
 ns_param pool3 "Pool 3"
+# ns_param pool4 "Pool4 Other1"
+# ns_param pool5 "Pool5 Other1"
+# ns_param pool6 "Pool6 Other1"
 ns_section ns/db/pool/pool1
 ns_param maxidle 0
@@ -601,11 +535,45 @@
 ns_param password ""
 }
+# ns_section ns/db/pool/pool4
+# ns_param maxidle 0
+# ns_param maxopen 0
+# ns_param connections 5
+# ns_param verbose $debug
+# ns_param extendedtableinfo true
+# ns_param logsqlerrors $debug
+# if { $database eq "oracle" } {
+# ns_param driver ora8
+# ns_param datasource {}
+# ns_param user $db_name
+# ns_param password $db_password
+# } else {
+# ns_param driver postgres
+# ns_param datasource ${db_host}:${db_port}:${other1_db_name}
+# ns_param user $db_user
+# ns_param password ""
+# }
+
+# ns_section ns/db/pool/pool5
+# ...
+# ns_section ns/db/pool/pool6
+# ...
+
+
 ns_section ns/server/${server}/db
 ns_param pools pool1,pool2,pool3
+# if a second db is added, add the pools here. for example, replace above line with:
+# ns_param pools pool1,pool2,pool3,pool4,pool5,pool6
 ns_param defaultpool pool1
+# following from http://openacs.org/doc/tutorial-second-database.html
+#ns_section ns/server/${server}/acs/database
+# ns_param database_names [list main other1]
+# ns_param pools_main [list pool1 pool2 pool3]
+# ns_param pools_other1 [list pool4 pool5 pool6]
+
+
 #---------------------------------------------------------------------
 # which modules should be loaded? Missing modules break the server, so
 # don't uncomment modules unless they have been installed.
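Review bot: In the commented-out `pool4` example, the Oracle branch uses `ns_param user $db_name` and `ns_param password $db_password`, i.e. the same credentials as the main pools, so anyone uncommenting it on Oracle would point the "second database" pools at the primary schema; only the PostgreSQL branch references `${other1_db_name}`. If the example stays, give the second database its own variables, e.g. `ns_param user $other1_db_user` and `ns_param password $other1_db_password` with matching `set` lines next to `other1_db_name`, so the extra pools run under a separate, least-privileged role instead of reusing the primary credentials. The pool3 definition whose closing lines open this hunk begins before it.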