httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Eissing <>
Subject Re: Listen 443 https
Date Thu, 14 Sep 2017 15:04:55 GMT

> Am 14.09.2017 um 16:19 schrieb Eric Covener <>:
>> To recap: I am looking for an easy way to instruct someone to enable https: for
>> Listen 80
>> <VirtualHost *:80>
>>   ServerName
>>   ...lots of stuff...
>> </VirtualHost>
>> and with the current trunk, she can change this to:
>> Listen 80
>> Listen 443
>> SSLEngine *:443
>> ManagedDomain
>> <VirtualHost *:443 *:80>
>>   ServerName
>>   ...lots of stuff...
>> </VirtualHost>
>> Hey, it's not that I *want* to define this on my own. I am asking since March for
feedback on these things here. I am not sure how to react to "Don't like this so much." now.
> It's a bit hard for me to understand the contrast points in this
> thread, even with the followups, especially as a non-mod_ssl user. So
> take my earlier feedback from today with a grain of salt.    My
> personal preference is to give someone directives with expressive
> names if the objective is to make the basic configuration easier.

Understood. I can totally agree to the point about descriptive names. I am not a big fan of
"SSLEngine" myself. I chose it because:

a) it already is the central directive to enable mod_ssl
b) there are other *Engine configs similar, so it is a common pattern in httpd.
c) A new directive would need to describe how it interacts with SSLEngine and what has precedence

But we could use a different name. I would, no matter the name, like a directive that is one
line in the global context. Editing the same directives in all virtual hosts is tedious, error-prone
work *). 

One other way of providing more descriptive SSL setups would be a new "SSLPolicy" directives.
We could pre-define

<SSLPolicy auto-enable>
  SSLEngine *:443

and people just add

SSLPolicy auto-enable

to their httpd.conf (we need *some* new config, to make that happen in 2.4.x).


*) I already got several people testing mod_md and forgetting "SSLEngine on". The problem
is that clients often spew out a cryptic (haha!) error message about TLS record lengths or
some such that does not really help people to discover their, easy to fix, mistake.

View raw message