> On 01.09.2017 at 17:12, Eric Covener <cove...@gmail.com> wrote:
>
> On Fri, Sep 1, 2017 at 10:39 AM, Stefan Eissing
> <stefan.eiss...@greenbytes.de> wrote:
>> I get the first feedback from Apache users that want their http: only hosts
>> to also serve https:. This is nice feedback to improve usability of mod_md.
>>
>> Ideally, what these people want - and that is purely my interpretation - is
>> to add a few lines to their config and - voila - https: is available. And,
>> honestly, why should they not expect that?
>>
>> Example: Duplication/Redirect
>>
>> They have something like:
>> ----------------------------------
>> Listen 80
>> <VirtualHost *:80>
>>   ServerName xxx.yyy
>>   ...
>> </VirtualHost>
>> ----------------------------------
>>
>> and want to also make that available on https:
>> ----------------------------------
>> Listen http://*:80
>> Listen https://*:443
>>
>> <VirtualHost *:80>
>>   ServerName xxx.yyy
>>   AlternatePorts 443
>>   ...
>> </VirtualHost>
>> ----------------------------------
>>
>> or redirect everyone to https:
>> ----------------------------------
>> Listen http://*:80
>> Listen https://*:443
>>
>> <VirtualHost *:443>
>>   ServerName xxx.yyy
>>   RedirectPermanentFrom 80
>>   ...
>> </VirtualHost>
>> ----------------------------------
>
> I am not keen on the syntax because we already permit multiple
> addresses in the VirtualHost tag.
>
> How about e.g.
>
> <virtualhost *:80 *:443>
>   # no protocol
>   ServerName example.com
>   # repurpose "optional" or pick something new
>   SSLEngine optional
>   # Extend SSLRequireSSL. no-arg is deny. Default w/ "redirect" is
>   # 80, 443. For redirects, may need to not match TCP listening port
>   SSLRequireSSL ["redirect" [ from-port to-port ]]
> </virtualhost>
I like the SSLRequireSSL gist. I was thinking about this over the weekend and like the following a lot:

SSLEngine *:443 10.0.0.1:8001
SSLRequireSSL ["temporary"|"permanent" [ from-port to-port ]]

with "permanent" as default and port 443, or the first port in SSLEngine - if given - as default. This can be specified in a <VirtualHost> or, better even, in the base server.

I think this can, together with multiple ports at <VirtualHost>, simplify configurations of TLS hosts. At least for people who want to offer the same resources on 80 and 443, or want to migrate existing *:80 hosts to TLS.

What do you think?

-Stefan
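For comparison, here is the "redirect everyone to https:" case written with the directives httpd 2.4 already ships, i.e. the two-block configuration that the AlternatePorts / SSLRequireSSL shorthand discussed in this thread is meant to collapse. This is an added example, not configuration from the thread or from mod_md; the hostname example.com, the certificate paths and the DocumentRoot are placeholders.

```apache
# Added example (not from the thread): today's httpd 2.4 form of
# "serve the host on 443, send every port-80 client there".
# Assumes mod_ssl and mod_alias are loaded.
Listen 80
Listen 443 https

# Plain-text host: serves no content of its own, only a 301 to the TLS host.
# "permanent" makes clients and caches remember the https: location.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent "/" "https://example.com/"
</VirtualHost>

# TLS host: the content actually lives here.
# Certificate and key paths below are placeholders.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile    "/path/to/example.com.crt"
    SSLCertificateKeyFile "/path/to/example.com.key"
    DocumentRoot "/var/www/example.com"
</VirtualHost>
```

Everything that should be identical on both ports (ServerAlias, logging, access rules) has to be repeated in both blocks or factored into a file pulled in with Include, which is the duplication the proposal wants to remove. With mod_md managing the certificate, the two SSLCertificate* lines are replaced by an MDomain directive in the base server, but the two VirtualHost blocks and the redirect still have to be written by hand.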