On Thu, 2015-01-15 at 13:53 +0100, Harald Dunkel wrote:

> Unfortunately the VirtualHost statement defines both IP address
> and port for each virtual host. They don't work without the
> appropriate Listen statements, so I cannot follow your "independent
> from each other".

That's basically why you need to tell the vhosts for which IPs they're valid, i.e. you can probably have different vhosts for the same names (i.e. domain names or addresses the client sets in the HTTP Host: header) on different IP addresses.
So conceptually "Listen" is for the IP protocol level, while the address in VirtualHost (which can actually be a hostname as well, which is however resolved once on startup) is just to tell on which addresses that vhost should be used, which is btw. also necessary for IP-based vhosting (i.e. when no HTTP Host: header is given).

> Can you confirm that the central Listen statement breaks the
> modular approach of a2ensite?

Not sure what you mean. I guess you'd probably want to get rid of the Listen statement altogether, and have Apache determine all the address/port combinations from all enabled vhosts automatically. I'm not sure whether I would generally like this and which implications it has... I think security-wise it's not so good, because you lose that one central point where you control where to actually listen. But anyway, this is not the case in Apache and one would have to request such a "feature" upstream... and until then, Listen is IMHO "independent" from VirtualHost (but VirtualHost isn't independent from Listen)... and as such it doesn't make sense IMHO to have it in the sites-available dir,... and even less in the conf.d dir.

> That's my point: I want to disable apache2 for port 80/tcp without
> the risk of losing this setting on the next package upgrade.

First, you don't lose anything on package upgrade, since dpkg doesn't blindly overwrite config files unless you tell it to - actually in the many years of running apache now, it never asked me the typical question, since the maintainer version of ports.conf never changed.

And the next problem is that the listening settings are so deeply embedded in the configuration schema of Apache that you cannot just enable/disable them so easily by removing a config file. Even if you'd say a2dismod ports-http-80.conf or something like that... all your other config snippets would e.g. still refer to port 80 and fail then.
And AFAIK there is no <IfListenOn> conditional directive where you can just opportunistically enable something, based on whether apache actually does listen on it.

> This could be implemented by splitting ports.conf into 2 parts
> conf-available/{port80.conf,port443.conf} and to create the symlinks
> in conf-enabled (to keep Debian's default). Just a suggestion, of
> course.

Nah,... really not... then you get dozens of such small one-liner files... many people listen on many more ports than just 80 / 443.

Cheers,
Chris.
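The Listen/VirtualHost dependency discussed in this thread, turned into a check. This is an added example and not part of the original mail or of Apache or Debian tooling: a small hypothetical Python script that reads the concatenated enabled configuration as text, collects the sockets from Listen directives, and reports every VirtualHost address that no Listen covers. The embedded config is a constructed sample; in it the Listen 443 line has been commented out, the way the thread talks about "disabling" a port, so the SSL vhost and an intranet vhost on an unlistened port are exactly what the check flags.

```python
import re

# Directives are matched at line start, so commented-out lines ("# Listen 443")
# are ignored, which is what makes the "removed port" case visible.
LISTEN_RE = re.compile(r'^\s*Listen\s+(\S+)', re.IGNORECASE | re.MULTILINE)
VHOST_RE = re.compile(r'^\s*<VirtualHost\s+([^>]+)>', re.IGNORECASE | re.MULTILINE)

# Constructed sample: ports.conf plus three sites-enabled snippets, concatenated.
SAMPLE_CONFIG = """
# ports.conf
Listen 80
# Listen 443 was removed here to "disable" https
Listen [::1]:8443

# sites-enabled/000-default.conf
<VirtualHost *:80>
    ServerName www.example.com
</VirtualHost>

# sites-enabled/default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName www.example.com
</VirtualHost>
</IfModule>

# sites-enabled/intranet.conf
<VirtualHost 127.0.0.1:8080 [::1]:8443>
    ServerName intranet
</VirtualHost>
"""

# Addresses Apache treats as "bind everywhere".
ANY_ADDR = {'*', '0.0.0.0', '::'}


def split_addr(spec):
    """Split an address spec into (addr, port). Accepts '80', '*', '*:80',
    '10.0.0.1:443', '[::1]:8443' and '_default_:443'; '*' marks 'any'."""
    spec = spec.strip()
    if spec.startswith('['):                      # bracketed IPv6 literal
        host, _, rest = spec[1:].partition(']')
        return host, (rest[1:] if rest.startswith(':') else '*')
    if ':' in spec:
        host, port = spec.rsplit(':', 1)
        return host, port
    if spec.isdigit():                            # bare port, e.g. "Listen 80"
        return '*', spec
    return spec, '*'                              # bare address, e.g. "<VirtualHost *>"


def listen_sockets(config_text):
    """Every socket Apache would bind, as a set of (addr, port) tuples."""
    return {split_addr(m.group(1)) for m in LISTEN_RE.finditer(config_text)}


def vhost_addresses(config_text):
    """Every address spec used by a <VirtualHost ...> opener, in file order."""
    specs = []
    for m in VHOST_RE.finditer(config_text):
        specs.extend(m.group(1).split())
    return specs


def is_covered(vhost_spec, listens):
    """True if at least one Listen socket can deliver connections to this vhost."""
    addr, port = split_addr(vhost_spec)
    for laddr, lport in listens:
        port_ok = port == '*' or lport == port
        addr_ok = laddr in ANY_ADDR or addr in ('*', '_default_') or laddr == addr
        if port_ok and addr_ok:
            return True
    return False


def unlistened_vhosts(config_text):
    """VirtualHost address specs that no Listen directive covers (deduplicated, in order)."""
    listens = listen_sockets(config_text)
    seen, result = set(), []
    for spec in vhost_addresses(config_text):
        if spec not in seen and not is_covered(spec, listens):
            seen.add(spec)
            result.append(spec)
    return result


if __name__ == '__main__':
    for spec in unlistened_vhosts(SAMPLE_CONFIG):
        print(f'VirtualHost {spec} has no matching Listen')
```

On a real host you would feed it the contents of ports.conf and sites-enabled/* in place of SAMPLE_CONFIG; `apache2ctl -S` shows the vhost table as Apache actually parsed it and is the reference to compare against. The check is deliberately text-level: it does not follow Include lines or evaluate <IfModule>/<IfDefine>, so a vhost wrapped in a module that is not loaded is still reported.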