httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: Listen 443 https
Date Mon, 18 Sep 2017 18:03:40 GMT


On 18.09.2017 at 19:28, Daniel wrote:
> I see
> 
> But we already have a handy directive to avoid repetition when
> necessary, a directive that btw many distros abuse, "Include". You
> define the common parts in a single file and Include the appropriate
> file.

that scales badly when the vhost itself is already one of hundreds of 
Includes

i have currently written/refactored a "config parser" for vhosts with 
support of some comments to configure Letsencrypt tasks as well as 
generate the remap/ssl config of a reverse proxy, based on some 
Alias-statements webstats shellscripts are generated and the whole 
hosting database is fed with that data too

that works independent of the number of hosts, a shellscript on the 
admin-servers fetches all config files of all webservers and from there 
the central proxy configuration is fed

well, in other words, with some lines of code based on apache vhost 
includes the whole company is driven and implementing includes support here 
would be at least dangerous and hard to test since that all runs over 
many machines and testing environments

> 2017-09-18 19:18 GMT+02:00 Reindl Harald <h.reindl@thelounge.net>:
>>
>> On 18.09.2017 at 17:56, Daniel wrote:
>>>
>>> I tried to read and understand the whole thread and what we are trying
>>> to solve here, but I can't help to think this is an attempt at a new
>>> ".htaccess" wildcard thing for SSL that will end in greater confusion.
>>>
>>> in Freenode #httpd we generally try to teach people to not be afraid
>>> of defining the necessary virtualhosts. Everyone seems inclined, due
>>> to the amount of trash they have found through google, to define a
>>> single .htaccess files that will solve all their cases, redirections,
>>> and whatnot, and 90% are frustrated on how complicated it is.
>>>
>>> The generic solution we give is, (the iconic simplest way), one
>>> virtualhost for each:
>>>
>>> <Virtualhost *:80>
>>> ServerName whatever.example.com
>>> Redirect / https://whatever.example.com/
>>> </Virtualhost>
>>>
>>> <Virtualhost *:443>
>>> ServerName whatever.example.com
>>> SSLEngine on
>>> etc..
>>> </Virtualhost>
>>>
>>> Isn't this much better than any other attempt at reducing it to
>>> "another minimum expression" in a complicated kind of way?
>>
>>
>> no it is not - have fun defining two hosts with all options and i would have
>> much more samples with much more php-options which need to be included in
>> both in doubt
>>
>> yes, the software fetching lyrics likely had a problem with self-signed
>> certificates which was the case until short ago but that doesn't make the
>> config unreasonable to exclude specific locations from enforced https
>>
>> the only problem currently is that $_SERVER['HTTP_PORT'] is wrong for such a
>> vhost with 80 while it should be 443 in case of a https-connection
>>
>> <VirtualHost *:80 *:443>
>>   DocumentRoot "/mnt/data/www/example.rhsoft.net"
>>   ServerName example.rhsoft.net
>>   ServerAlias example.test.rh example example.rh.thelounge.net
>>   Alias "/usage" "/var/www/usage/example"
>>   CustomLog "/var/log/apache_example.log" combined
>>   <Directory "/mnt/data/www/example.rhsoft.net">
>>   php_admin_value open_basedir "/mnt/data/www/example.rhsoft.net:/Volumes/dune/www-servers/phpincludes:/usr/share/php:/usr/share/pear:/mnt/data/audio:/media/WALKMAN/music"
>>   php_admin_value upload_tmp_dir "/mnt/data/www/example.rhsoft.net/uploadtemp"
>>   php_admin_value soap.wsdl_cache_dir "/mnt/data/www/example.rhsoft.net/uploadtemp"
>>   php_flag session.cookie_secure "1"
>>   Require all granted
>>   </Directory>
>>   <Directory "/mnt/data/www/example.rhsoft.net/modules/pchart">
>>   Require all denied
>>   </Directory>
>>   <IfModule mod_rewrite.c>
>>   RewriteEngine On
>>   RewriteCond %{REQUEST_FILENAME} !lyrics.php
>>   RewriteCond %{HTTPS} off
>>   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
>>   </IfModule>
>>   <IfModule mod_ratelimit.c>
>>   SetOutputFilter RATE_LIMIT
>>   SetEnv rate-limit 2800
>>   </IfModule>
>>   RedirectMatch 404 ^/modules/karaoke\-download\.php$
>>   RedirectMatch 404 ^/modules/music/copy\-cli\.php$
>>   RedirectMatch 404 ^/modules/music/validate\-all\-id3\-tags\.php$
>>   SSLEngine Optional
>>   SSLUseStapling On
>>   SSLCertificateFile "/var/lib/letsencrypt/certs/rhsoft-example.conf_rsa.pem"
>>   SSLCertificateFile "/var/lib/letsencrypt/certs/rhsoft-example.conf_ecdsa.pem"
>> </VirtualHost>
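
The reply above describes driving tooling from the vhost files themselves. As an added sketch (not Reindl's parser and not httpd code), this reads a combined `*:80 *:443` vhost like the quoted one and inventories its names, certificates and the paths exempted from the HTTPS redirect. The function names and the trimmed sample are assumptions, and Python's `re` stands in for Apache's PCRE matching.

```python
import re
import shlex

# Constructed sample, trimmed from the vhost quoted in the message above.
SAMPLE = """
<VirtualHost *:80 *:443>
  ServerName example.rhsoft.net
  ServerAlias example.test.rh example
  RewriteCond %{REQUEST_FILENAME} !lyrics.php
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
  SSLEngine Optional
  SSLCertificateFile "/var/lib/letsencrypt/certs/rhsoft-example.conf_rsa.pem"
  SSLCertificateFile "/var/lib/letsencrypt/certs/rhsoft-example.conf_ecdsa.pem"
</VirtualHost>
"""

def parse_vhosts(text):
    """Return one dict per <VirtualHost>: ports, names, certs, HTTPS-redirect exemptions."""
    vhosts, cur, conds = [], None, []
    for line in map(str.strip, text.splitlines()):
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            ports = sorted({int(a.rsplit(":", 1)[1]) for a in opened.group(1).split() if ":" in a})
            cur = {"ports": ports, "names": [], "certs": [], "ssl": "off", "exempt": []}
        elif cur is not None and re.match(r"</VirtualHost>", line, re.I):
            vhosts.append(cur)
            cur, conds = None, []
        elif cur is not None and line and line[0] not in "<#":
            key, *args = shlex.split(line)
            key = key.lower()
            if key in ("servername", "serveralias"):
                cur["names"] += args
            elif key == "sslengine":
                cur["ssl"] = args[0].lower()
            elif key == "sslcertificatefile":
                cur["certs"].append(args[0])
            elif key == "rewritecond":
                conds.append((args[0], args[1]))
            elif key == "rewriterule":
                # Conditions bind to the next RewriteRule only; negated ones are exemptions.
                if ("%{HTTPS}", "off") in conds and args[1].startswith("https://"):
                    cur["exempt"] += [p[1:] for v, p in conds if p.startswith("!")]
                conds = []
    return vhosts

def skips_redirect(vhost, filename):
    """True if a negated RewriteCond pattern (an unanchored regex) matches filename."""
    return any(re.search(p, filename) for p in vhost["exempt"])
```

Because the `RewriteCond` pattern is an unanchored regex, `skips_redirect` also reports filenames that merely contain a match, which is worth knowing when auditing which paths stay reachable over plain HTTP.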
