httpd-dev mailing list archives

From Eric Covener <>
Subject Re: Listen 443 https
Date Thu, 14 Sep 2017 12:56:34 GMT
On Fri, Sep 8, 2017 at 5:03 AM, Stefan Eissing
<> wrote:
>> Am 08.09.2017 um 04:37 schrieb William A Rowe Jr <>:
>> Reminder, this will not work with the current server_rec, we have a 1:1 correspondence
>> to the server port. We would need to stop looking at that field and track the port entirely
>> on the connection and the server rec addresses array.
> Urgs.
> 1. Regardless of multiple addresses in a VirtualHost, I still like the idea of
>     SSLEngine *:443 local_interface:8001
> that is best used in the base server, once.
> a) I think it is easy to understand what it does.
> b) It prevents missing 'SSLEngine on' in a VirtualHost that needs it
> c) It causes required fails when a VirtualHost on a SSL port has no certificates

What do the parameters mean here?

> With that, we could advise people who want to start using SSL to include the following
> in their main conf:
>   Listen 443
>   # The following fails if your OpenSSL is not new enough.
>   SSLPolicy modern
>   SSLEngine *:443

I don't like this so much.

I'd rather a new directive altogether if it will live outside of the
affected VH and that the name convey a little more of what it's doing.

> 2. For people *moving* from http: to https: for a VirtualHost, we'd advise
>   <VirtualHost *:80>
>     ServerName yourhostname
>     Redirect 301 "/" "https://yourhostname/"
>   </VirtualHost>
>   <VirtualHost *:443>
>     ServerName yourhostname
>      ...the former http: config
>   </VirtualHost>

The only difference from the as-is here is that the SSL config is
implicit because of some global directive, right?

> 3. For people wanting to offer both http: and https: for the same resources (maybe for
> a trial period), what would we tell them?
> a) Copy to a new VirtualHost
> b) Make separate file and Include in two VirtualHost?
> c) Macros???

I think this leads back to 1 VH with directives like SSLRequireSSL and
automatic SSL over 443 or opted in ports.
Or, global configs w/ no VH at all that just work.
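For reference, the http: to https: move from point 2 written out as current httpd (without the proposed global SSLEngine directive) requires it: the :443 VirtualHost must carry its own "SSLEngine on" and certificate directives, which is the omission point 1(b) is trying to make impossible. This is an added example, not a config from the thread or the httpd project; the hostname, DocumentRoot and certificate paths are placeholders.

```apache
# Added example, not from the thread. Hostname and file paths are placeholders.
Listen 80
Listen 443

# Plain-http side: only job is to send clients to https:.
# Redirect matches the "/" prefix, so /foo/bar becomes https://www.example.com/foo/bar.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect 301 "/" "https://www.example.com/"
</VirtualHost>

# https side: the former http: config moves here, plus the SSL directives that
# current httpd needs in every TLS VirtualHost. Leaving "SSLEngine on" out here
# is the misconfiguration the thread wants a global directive to catch: :443
# would then answer in plaintext, and browsers expecting TLS get a handshake
# error rather than a useful failure at config-test time.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/www.example.com.crt"
    SSLCertificateKeyFile "/etc/ssl/private/www.example.com.key"

    DocumentRoot "/var/www/html"
    <Directory "/var/www/html">
        Require all granted
    </Directory>
</VirtualHost>
```

Checking with "apachectl configtest" (or "httpd -t") before reloading is what catches a missing certificate file in the :443 VirtualHost today; a missing "SSLEngine on" is not an error with the as-is configuration, which is the gap point 1(c) refers to.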
