From: Stefan Eissing
Subject: Re: Listen 443 https
Date: Mon, 4 Sep 2017 10:42:48 +0200
To: dev@httpd.apache.org
References: <678BA83E-09F8-4216-9F8A-675176BEDCCB@greenbytes.de>

> On 01.09.2017 at 17:12, Eric Covener wrote:
>
> On Fri, Sep 1, 2017 at 10:39 AM, Stefan Eissing wrote:
>> I get the first feedback from Apache users that want their http: only
>> hosts to also serve https:. This is nice feedback to improve usability of mod_md.
>>
>> Ideally, what these people want - and that is purely my interpretation - is to add a few lines to their config and - voila - https: is available. And, honestly, why should they not expect that?
>>
>>
>> Example: Duplication/Redirect
>>
>> They have something like:
>> ----------------------------------
>> Listen 80
>>
>> ServerName xxx.yyy
>> ...
>>
>> ----------------------------------
>>
>> and want to also make that available on https:
>> ----------------------------------
>> Listen http://*:80
>> Listen https://*:443
>>
>>
>> ServerName xxx.yyy
>> AlternatePorts 443
>> ...
>>
>> ----------------------------------
>>
>> or redirect everyone to https:
>> ----------------------------------
>> Listen http://*:80
>> Listen https://*:443
>>
>>
>> ServerName xxx.yyy
>> RedirectPermanentFrom 80
>> ...
>>
>
> I am not keen on the syntax because we already permit multiple
> addresses in the VirtualHost tag.
>
> How about e.g.
>
>
> # no protocol
> ServerName example.com
> # repurpose "optional" or pick something new
> SSLEngine optional
> # Extend SSLRequireSSL. no-arg is deny. Default w/ "redirect" is
> 80, 443. For redirects, may need to not match TCP listening port
> SSLRequireSSL ["redirect" [ from-port to-port ]]
>

I like the SSLRequireSSL gist. I was thinking about this over the weekend and like the following a lot:

SSLEngine *:443 10.0.0.1:8001
SSLRequireSSL ["temporary"|"permanent" [ from-port to-port ]]

with "permanent" as default and port 443, or the first port in SSLEngine - if given - as default.

This can be specified in a <VirtualHost> or, better even, in the base server. I think this can, together with multiple ports at <VirtualHost>, simplify configurations of TLS hosts. At least for people who want to offer the same resources on 80 and 443, or want to migrate existing *:80 hosts to TLS.

What do you think?

-Stefan
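For comparison, the "redirect everyone to https:" case from the thread written with directives httpd 2.4 already ships, so the amount of duplication the proposal wants to remove is visible. This is an added example, not a configuration from the thread or from the httpd project; example.com, the certificate paths and the DocumentRoot are placeholders, and it deliberately does not use the proposed AlternatePorts, RedirectPermanentFrom or the extended SSLRequireSSL syntax. Today's SSLRequireSSL (mod_ssl) only denies non-TLS access, as Eric notes; the redirect is done with mod_alias instead.

```apache
# Added example (not from the thread): migrate a *:80 host to TLS with
# existing httpd 2.4 directives. example.com and the file paths are placeholders.
Listen 80
Listen 443 https

# Plain-text vhost: exists only to send every client to https:.
# mod_alias "Redirect permanent" keeps the requested path in the Location header.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

# TLS vhost that actually serves the content (mod_ssl).
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # Placeholder paths; mod_md can manage these for you.
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    # Once https: is known to work for all clients, tell browsers to stop
    # using http: for this host at all (mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"
    DocumentRoot /var/www/example.com
</VirtualHost>
```

Every directive that matters for the host (ServerName, DocumentRoot, and whatever "..." stands for in the thread's examples) has to be repeated in both blocks, which is exactly the duplication that a single <VirtualHost> with multiple ports plus an SSLRequireSSL redirect would avoid. Note that Apache comments must stand on their own line; a trailing "# ..." after a directive is a syntax error.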