httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject svn commit: r1812519 - in /httpd/httpd/trunk/docs/manual/mod: mod_md.html.en mod_ssl.html.en mod_ssl.xml.meta
Date Wed, 18 Oct 2017 14:22:44 GMT
Author: elukey
Date: Wed Oct 18 14:22:44 2017
New Revision: 1812519

Documentation rebuild


Modified: httpd/httpd/trunk/docs/manual/mod/mod_md.html.en
--- httpd/httpd/trunk/docs/manual/mod/mod_md.html.en (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_md.html.en Wed Oct 18 14:22:44 2017
@@ -510,12 +510,32 @@ MDRenewWindow 10%</pre>
             <div class="example"><h3>Example</h3><pre class="prettyprint
lang-config">MDRequireHttps temporary</pre>
             <p>you announce that you want all traffic via http: URLs to be redirected

-            to the https: ones, for now. If you want client to no longer use the
+            to the https: ones, for now. This is safe and you can remove this again at
+            any time.
+            </p><p>
+                <strong>The following has consequences: </strong>if you want
client to <strong>no longer</strong> use the
              http: URLs, configure:
-            <div class="example"><h3>Example</h3><pre class="prettyprint
lang-config">MDRequireHttps permanent</pre>
+            <div class="example"><h3>Permanent (for at least half a year!)</h3><pre
class="prettyprint lang-config">MDRequireHttps permanent</pre>
-            <p>You can achieve the same with mod_alias and some Redirect configuration,

+            <p>This does two things:
+            </p>
+            <ol>
+                <li>All request to the <code>http:</code> resources are
redirected to the
+                    same url with the <code>https:</code> scheme using the <code>301</code>
+                status code. This tells clients that this is intended to be forever and
+                the should update any links they have accordingly.
+                </li>
+                <li>All answers to <code>https:</code> requests will carry
the header
+                    <code>Strict-Transport-Security</code> with a life time of
half a year.
+                    This tells the browser that it <strong>never</strong> (for
half a year) shall use <code>http:</code>
+                    when talking to this domain name. Browsers will, after having seen this,
+                    to contact your unencrypted site. This prevents malicious middleware
+                    downgrade connections and listen/manipulate the traffic. Which is good.
+                    you cannot simply take it back again.
+                </li>
+            </ol>
+            <p>You can achieve the same with mod_alias and some Redirect configuration,
             basically. If you do it yourself, please make sure to exclude the paths 
             /.well-known/* from your redirection, otherwise mod_md might have trouble 
             signing on new certificates.
@@ -524,20 +544,9 @@ MDRenewWindow 10%</pre>
             it for a specific domain only, use:
             <div class="example"><h3>Example</h3><pre class="prettyprint
lang-config">&lt;ManagedDomain xxx.yyy&gt;
-  MDRequireHttps permanent
+  MDRequireHttps temporary
-            <p>When you configure MDRequireHttps permanent, an additional security

-            feature is automatically applied: HSTS. This adds the header 
-            Strict-Transport-Security to responses sent out via https:. 
-            Basically, this instructs the browser to only perform secure 
-            communications with that domain. This instruction holds for the 
-            amount of time specified in the header as 'max-age'. 
-            This is about half a year as generated by mod_md.
-            </p><p>
-            It is therefore advisable to first test the MDRequireHttps temporary 
-            configuration and switch to permanent only once that works satisfactory.
-            </p>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif"

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en Wed Oct 18 14:22:44 2017
@@ -201,7 +201,7 @@ compatibility variables.</p>
 <p><em>x509</em> specifies a component of an X.509 DN; one of
-<code>C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email</code>.  In Apache 2.1 and
+<code>C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email</code>.  In httpd 2.2.0 and
 later, <em>x509</em> may also include a numeric <code>_n</code>
 suffix.  If the DN in question contains multiple attributes of the
 same name, this suffix is used as a zero-based index to select a
@@ -217,6 +217,12 @@ the <code class="directive"><a href="#ss
 first (or only) attribute of any DN is added only under a non-suffixed
 name; i.e. no <code>_0</code> suffixed entries are added.</p>
+<p>In httpd 2.5.0 and later, an optional <em>_RAW</em> suffix may be
+added to <em>x509</em> in a DN component, to suppress conversion of
+the attribute value to UTF-8. This must be placed after the index
+suffix (if any). For example, <code>SSL_SERVER_S_DN_OU_RAW</code> or
+<code>SSL_SERVER_S_DN_OU_0_RAW</code> could be used.</p>
 <p>The format of the <em>*_DN</em> variables has changed in Apache HTTPD
 2.3.11. See the <code>LegacyDNStringFormat</code> option for
 <code class="directive"><a href="#ssloptions">SSLOptions</a></code>
for details.</p>

Modified: httpd/httpd/trunk/docs/manual/mod/
--- httpd/httpd/trunk/docs/manual/mod/ [utf-8] (original)
+++ httpd/httpd/trunk/docs/manual/mod/ [utf-8] Wed Oct 18 14:22:44 2017
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
 <?xml-stylesheet type="text/xsl" href="../style/"?>
-<!-- English Revision: 1807869 -->
+<!-- English Revision: 1807869:1811976 (outdated) -->
 <!-- French translation : Lucien GENTIS -->

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml.meta
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml.meta (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml.meta Wed Oct 18 14:22:44 2017
@@ -8,6 +8,6 @@
-    <variant>fr</variant>
+    <variant outdated="yes">fr</variant>

View raw message