https://bz.apache.org/bugzilla/show_bug.cgi?id=61984
--- Comment #5 from Yann Ylavic <[email protected]> ---

Startup failure is certainly not the norm, nginx and ATS don't do that for instance (and default to verify none too), haproxy seems to require a ca-file by default though (in any event, none takes the frontend's configuration as the backend's one, AFAICT).

I don't think we can change this in any httpd released versions without breaking existing configurations for reverse proxies (e.g. in trusted environments, the most common ones IMHO), we can't make httpd startup fail all of a sudden because "SSLProxyVerify none" wasn't specified.

The SSL* vs SSLProxy* cases may not be obvious, but we have to differentiate between the frontend vs backend SSL configurations anyway, and somehow both SSLEngine and SSLProxyEngine had better be used for your configuration to work in the first place, there is a reason for that, nothing implicit here.

I'm not saying understanding/configuring SSL is easy, nor that it shouldn't be improved, but I don't think we should error by default, even in future versions. SSL isn't the default for mod_proxy, one has to set it up explicitly, and that must be done above "SSLProxyEngine on" for sensible cases (like untrusted networks), no one should ignore that.

So still a documentation issue for me, let's see what others think for the next major version.
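A check for the situation discussed in this comment, proxying with `SSLProxyEngine on` while `SSLProxyVerify` stays at its default of none, as an added example that is not part of the bug report or of httpd. It assumes one flat config file with simplified inheritance (a virtual host overrides server-level values; `Include` and `<Proxy>` sections are not followed), and the sample configuration and host names are constructed.

```python
import re

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = """\
SSLProxyEngine on
<VirtualHost *:443>
    ServerName a.example
    ProxyPass / https://backend-a.internal/
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/backend-ca.pem
    ProxyPass / https://backend-b.internal/
</VirtualHost>
<VirtualHost *:80>
    ServerName c.example
    SSLProxyEngine off
</VirtualHost>
"""

WATCHED = ("sslproxyengine", "sslproxyverify")

def audit_proxy_verify(conf_text):
    """Return [(scope, effective_verify)] for every scope that proxies over
    TLS without requiring verification of the backend certificate."""
    scopes, order, current = {"global": {}}, ["global"], "global"
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if re.match(r"<VirtualHost\b", line, re.I):
            current = f"vhost@line{lineno}"
            scopes[current] = {}
            order.append(current)
        elif re.match(r"</VirtualHost>", line, re.I):
            current = "global"
        else:
            parts = line.split()
            if len(parts) > 1 and parts[0].lower() in WATCHED:
                scopes[current][parts[0].lower()] = parts[1].lower()
    findings = []
    for name in order:
        eff = {**scopes["global"], **scopes[name]}  # assumption: vhost overrides global
        if eff.get("sslproxyengine") == "on":
            verify = eff.get("sslproxyverify", "none")  # unset means none
            if verify != "require":
                findings.append((name, verify))
    return findings

if __name__ == "__main__":
    print(audit_proxy_verify(SAMPLE_CONF))
```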
