> On 01.09.2017 at 17:12, Eric Covener <cove...@gmail.com> wrote:
> 
> On Fri, Sep 1, 2017 at 10:39 AM, Stefan Eissing
> <stefan.eiss...@greenbytes.de> wrote:
>> I get the first feedback from Apache users that want their http: only hosts 
>> to also serve https:. This is nice feedback to improve usability of mod_md.
>> 
>> Ideally, what these people want - and that is purely my interpretation - is 
>> to add a few lines to their config and - voila - https: is available. And, 
>> honestly, why should they not expect that?
>> 
>> 
>> 
>> Example: Duplication/Redirect
>> 
>> They have something like:
>> ----------------------------------
>> Listen 80
>> <VirtualHost *:80>
>>  ServerName xxx.yyy
>>  ...
>> </VirtualHost>
>> ----------------------------------
>> 
>> and want to also make that available on https:
>> ----------------------------------
>> Listen http://*:80
>> Listen https://*:443
>> 
>> <VirtualHost *:80>
>>  ServerName xxx.yyy
>>  AlternatePorts 443
>>  ...
>> </VirtualHost>
>> ----------------------------------
>> 
>> or redirect everyone to https:
>> ----------------------------------
>> Listen http://*:80
>> Listen https://*:443
>> 
>> <VirtualHost *:443>
>>  ServerName xxx.yyy
>>  RedirectPermanentFrom 80
>>  ...
>> </VirtualHost>
> 
> I am not keen on the syntax because we already permit multiple
> addresses in the VirtualHost tag.
> 
> How about e.g.
> 
> <virtualhost *:80 *:443>
>  # no protocol
>  ServerName example.com
>  # repurpose "optional" or pick something new
>  SSLEngine optional
>  # Extend SSLRequireSSL.  no-arg is deny. Default w/ "redirect" is
> 80, 443. For redirects, may need to not match TCP listening port
>  SSLRequireSSL ["redirect" [ from-port to-port ]]
> </virtualhost>

I like the SSLRequireSSL gist. I was thinking about this over the weekend and 
like the following a lot:

  SSLEngine *:443 10.0.0.1:8001
  SSLRequireSSL ["temporary"|"permanent" [ from-port to-port ]]

with "permanent" as default and port 443, or the first port in SSLEngine - if 
given - as default.

This can be specified in a <VirtualHost> or, better even, in the base server. I 
think this can, together with multiple ports at <VirtualHost>, simplify 
configurations of TLS hosts. At least for people who want to offer the same 
resources on 80 and 443, or want to migrate existing *:80 hosts to TLS.

What do you think?

-Stefan
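For reference, the two cases from the quoted proposal (identical content on 80 and 443, and redirecting 80 to 443) written with the httpd 2.4 directives that already exist, i.e. without the proposed AlternatePorts, RedirectPermanentFrom or SSLRequireSSL extensions. This is an added example, not part of the thread and not mod_md's own configuration; example.com, the included file name, the certificate paths and the DocumentRoot are assumptions, and mod_ssl, mod_rewrite and mod_headers have to be loaded.

```apache
# Added example: today's equivalent of the "Duplication" and "Redirect"
# cases discussed above. Hostnames, paths and the Include file are
# assumptions chosen for illustration.

Listen 80
Listen 443

# Case 1: "Duplication" - identical content on both ports.
# SSLEngine applies to a whole <VirtualHost>, so a single
# <VirtualHost *:80 *:443> cannot speak plain http on one port and TLS on
# the other; the shared settings therefore have to be pulled in twice.
<VirtualHost *:80>
    ServerName example.com
    # Assumed file holding DocumentRoot, <Directory> blocks, logging, ...
    Include conf/example.com-common.conf
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # Assumed key/cert locations. With mod_md managing the domain these
    # directives are supplied by the module; shown here so the block is
    # complete on its own.
    SSLCertificateFile    /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    Include conf/example.com-common.conf
</VirtualHost>

# Case 2: "Redirect" - every request on port 80 is sent to https:.
# The ACME http-01 challenge path is deliberately left un-redirected so
# that a certificate issuer validating the host over plain http still
# reaches the port 80 host, whatever answers the challenge.
<VirtualHost *:80>
    ServerName www.example.com
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    # Once everyone is redirected anyway, tell browsers to stop trying
    # http: for this host at all (HSTS, one year).
    Header always set Strict-Transport-Security "max-age=31536000"
    DocumentRoot /var/www/www.example.com
</VirtualHost>
```

The redirect host uses mod_rewrite rather than a plain `Redirect permanent "/"` only because of the challenge-path exemption; if the host never needs to answer http-01 on port 80, `Redirect permanent "/" "https://www.example.com/"` from mod_alias does the same job with less machinery.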
