httpd-dev mailing list archives

From Stefan Eissing <stefan.eiss...@greenbytes.de>
Subject Re: Listen 443 https
Date Fri, 08 Sep 2017 09:03:41 GMT

> On 08.09.2017 at 04:37, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
> 
> Reminder, this will not work with the current server_rec, we have a 1:1 correspondence
> to the server port. We would need to stop looking at that field and track the port entirely
> on the connection and the server rec addresses array.

Urgs.

1. Regardless of multiple addresses in a VirtualHost, I still like the idea of

    SSLEngine *:443 local_interface:8001

that is best used in the base server, once. 
a) I think it is easy to understand what it does.
b) It prevents missing 'SSLEngine on' in a VirtualHost that needs it 
c) It causes required fails when a VirtualHost on a SSL port has no certificates

With that, we could advise people who want to start using SSL to include the following in
their main conf:

  Listen 443
  # The following fails if your OpenSSL is not new enough. 
  SSLPolicy modern
  SSLEngine *:443


2. For people *moving* from http: to https: for a VirtualHost, we'd advise

  <VirtualHost *:80>
    ServerName yourhostname
    Redirect 301 "/" "https://yourhostname/"
  </VirtualHost>

  <VirtualHost *:443>
    ServerName yourhostname
     ...the former http: config
  </VirtualHost>

?

3. For people wanting to offer both http: and https: for the same resources (maybe for a trial
period), what would we tell them?
a) Copy to a new VirtualHost
b) Make separate file and Include in two VirtualHost?
c) Macros???

Cheers,

Stefan

-------------------------------------------------------------------
Quick scan where we use server_rec->port:

core:
AP_DECLARE(apr_port_t) ap_get_server_port(const request_rec *r)
{
                ...
                port = r->parsed_uri.port_str ? r->parsed_uri.port :
                       r->server->port ? r->server->port :
                       ap_default_port(r);

mod_log_config.c:
static const char *log_server_port(request_rec *r, char *a)
{
    apr_port_t port;

    if (*a == '\0' || !strcasecmp(a, "canonical")) {
        port = r->server->port ? r->server->port : ap_default_port(r);
    }


ssl_engine_init.c:
    if ((sc->enabled == SSL_ENABLED_TRUE) && (s->port == DEFAULT_HTTP_PORT))
    {

ssl_util.c:
char *ssl_util_vhostid(apr_pool_t *p, server_rec *s)
{
    char *id;
    SSLSrvConfigRec *sc;
    char *host;
    apr_port_t port;

    host = s->server_hostname;
    if (s->port != 0)
        port = s->port;
    else {

vhost.c:
    /* the Port has to match now, because the rest don't have ports associated
     * with them. */
    if (port != s->port) {
        return 0;
    }


> On Fri, Sep 1, 2017 at 10:12 AM, Eric Covener <covener@gmail.com> wrote:
> > On Fri, Sep 1, 2017 at 10:39 AM, Stefan Eissing
> > <stefan.eissing@greenbytes.de> wrote:
> >> I get the first feedback from Apache users that want their http: only hosts
> >> to also serve https:. This is nice feedback to improve usability of mod_md.
> >>
> >> Ideally, what these people want - and that is purely my interpretation - is
> >> to add a few lines to their config and - voila - https: is available. And, honestly, why should
> >> they not expect that?
> >>
> >>
> >>
> >> Example: Duplication/Redirect
> >>
> >> They have something like:
> >> ----------------------------------
> >> Listen 80
> >> <VirtualHost *:80>
> >> ServerName xxx.yyy
> >> ...
> >> </VirtualHost>
> >> ----------------------------------
> >>
> >> and want to also make that available on https:
> >> ----------------------------------
> >> Listen http://*:80
> >> Listen https://*:443
> >>
> >> <VirtualHost *:80>
> >> ServerName xxx.yyy
> >> AlternatePorts 443
> >> ...
> >> </VirtualHost>
> >> ----------------------------------
> >>
> >> or redirect everyone to https:
> >> ----------------------------------
> >> Listen http://*:80
> >> Listen https://*:443
> >>
> >> <VirtualHost *:443>
> >> ServerName xxx.yyy
> >> RedirectPermanentFrom 80
> >> ...
> >> </VirtualHost>
> >
> > I am not keen on the syntax because we already permit multiple
> > addresses in the VirtualHost tag.
> >
> > How about e.g.
> >
> > <virtualhost *:80 *:443>
> 
> Again, fo

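As an added example (not code from this thread, from httpd or from mod_md), a small config lint for the two guarantees points 1b and 1c above ask for: with a global SSLEngine addr:port entry in the proposed form, it flags a VirtualHost on a TLS port that still ends up without SSL, and a VirtualHost with SSL enabled but no SSLCertificateFile. It assumes SSLCertificateFile is the only certificate source (a host whose certificate comes from mod_md would need an MDomain check instead) and that 443 is always a TLS port; the sample config is constructed.

```python
import re
# Constructed sample (not from the thread) in the proposed global "SSLEngine addr:port" form:
# other.example.test gets SSL implied but has no certificate, api.example.test is not covered.
SAMPLE_CONF = """
SSLEngine 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
    ServerName www.example.test
    SSLCertificateFile /etc/ssl/www.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName other.example.test
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName api.example.test
</VirtualHost>
"""
def split_addr(addr):
    # '*:443' -> ('*', 443), '[::1]:443' -> ('::1', 443), 'host' -> ('host', None)
    host, sep, port = addr.rpartition(":")
    return (host.strip("[]"), int(port)) if sep and port.isdigit() else (addr, None)

def covers(pattern, addr):
    # Does a global "SSLEngine host:port" entry apply to this VirtualHost address?
    (ph, pp), (ah, ap) = split_addr(pattern), split_addr(addr)
    return ph in ("*", "_default_", ah) and pp in (None, ap)

def lint(conf, tls_ports=(443,)):
    global_ssl, vhosts, cur = [], [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip().lower()      # directives are case-insensitive
        if m := re.match(r"<virtualhost\s+([^>]+)>", line):
            vhosts.append(cur := {"addrs": m.group(1).split()})
        elif line == "</virtualhost>":
            cur = None
        elif line:
            key, *args = line.split()
            if cur is not None:
                cur[key] = args                          # keep every directive of this host
            elif key == "sslengine" and args[0] not in ("on", "off", "optional"):
                global_ssl += args                       # proposed "SSLEngine addr:port ..." form
    findings = []
    for vh in vhosts:
        name, explicit = vh.get("servername", ["?"])[0], vh.get("sslengine", ["off"])[0] == "on"
        for addr in vh["addrs"]:
            ssl_on = explicit or any(covers(p, addr) for p in global_ssl)
            if split_addr(addr)[1] in tls_ports and not ssl_on:
                findings.append((name, addr, "TLS port without SSLEngine on"))
            elif ssl_on and "sslcertificatefile" not in vh:  # assumption: only cert source checked
                findings.append((name, addr, "SSLEngine on but no SSLCertificateFile"))
    return findings
```

Running lint(SAMPLE_CONF) reports other.example.test for the missing certificate and api.example.test for the uncovered 443 address, while www.example.test passes.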
