> On 08.09.2017 at 04:37, William A Rowe Jr <[email protected]> wrote:
>
> Reminder, this will not work with the current server_rec, we have a 1:1
> correspondence to the server port. We would need to stop looking at that
> field and track the port entirely on the connection and the server rec
> addresses array.

Urgs.

1. Irregardless of multiple addresses in a VirtualHost, I still like the idea of

     SSLEngine *:443 local_interface:8001

   that is best used in the base server, once.

   a) I think it is easy to understand what it does.
   b) It prevents missing 'SSLEngine on' in a VirtualHost that needs it
   c) It causes required fails when a VirtualHost on a SSL port has no certificates

   With that, we could advise people who want to start using SSL to include the
   following in their main conf:

     Listen 443
     # The following fails if your OpenSSL is not new enough.
     SSLPolicy modern
     SSLEngine *:443

2. For people *moving* from http: to https: for a VirtualHost, we'd advise

     <VirtualHost *:80>
       ServerName yourhostname
       Redirect 301 "/" "https://yourhostname/"
     </VirtualHost>
     <VirtualHost *:443>
       ServerName yourhostname
       ...the former http: config
     </VirtualHost>

   ?

3. For people wanting to offer both http: and https: for the same resources
   (maybe for a trial period), what would we tell them?

   a) Copy to a new VirtualHost
   b) Make separate file and Include in two VirtualHost?
   c) Macros???

Cheers,

Stefan

-------------------------------------------------------------------
Quick scan where we use server_rec->port:

core:
  AP_DECLARE(apr_port_t) ap_get_server_port(const request_rec *r)
  {
  ...
          port = r->parsed_uri.port_str ? r->parsed_uri.port :
                 r->server->port ? r->server->port :
                                   ap_default_port(r);

mod_log_config.c:
  static const char *log_server_port(request_rec *r, char *a)
  {
      apr_port_t port;
      if (*a == '\0' || !strcasecmp(a, "canonical")) {
          port = r->server->port ? r->server->port : ap_default_port(r);
      }

ssl_engine_init.c:
  if ((sc->enabled == SSL_ENABLED_TRUE) && (s->port == DEFAULT_HTTP_PORT)) {

ssl_util.c:
  char *ssl_util_vhostid(apr_pool_t *p, server_rec *s)
  {
      char *id;
      SSLSrvConfigRec *sc;
      char *host;
      apr_port_t port;
      host = s->server_hostname;
      if (s->port != 0)
          port = s->port;
      else {

vhost.c:
  /* the Port has to match now, because the rest don't have ports associated
   * with them. */
  if (port != s->port) {
      return 0;
  }

> On Fri, Sep 1, 2017 at 10:12 AM, Eric Covener <[email protected]> wrote:
> > On Fri, Sep 1, 2017 at 10:39 AM, Stefan Eissing
> > <[email protected]> wrote:
> >> I get the first feedback from Apache users that want their http: only
> >> hosts to also serve https:. This is nice feedback to improve usability of
> >> mod_md.
> >>
> >> Ideally, what these people want - and that is purely my interpretation -
> >> is to add a few lines to their config and - voila - https: is available.
> >> And, honestly, why should they not expect that?
> >>
> >>
> >>
> >> Example: Duplication/Redirect
> >>
> >> They have something like:
> >> ----------------------------------
> >> Listen 80
> >> <VirtualHost *:80>
> >> ServerName xxx.yyy
> >> ...
> >> </VirtualHost>
> >> ----------------------------------
> >>
> >> and want to also make that available on https:
> >> ----------------------------------
> >> Listen http://*:80
> >> Listen https://*:443
> >>
> >> <VirtualHost *:80>
> >> ServerName xxx.yyy
> >> AlternatePorts 443
> >> ...
> >> </VirtualHost>
> >> ----------------------------------
> >>
> >> or redirect everyone to https:
> >> ----------------------------------
> >> Listen http://*:80
> >> Listen https://*:443
> >>
> >> <VirtualHost *:443>
> >> ServerName xxx.yyy
> >> RedirectPermanentFrom 80
> >> ...
> >> </VirtualHost>
> >
> > I am not keen on the syntax because we already permit multiple
> > addresses in the VirtualHost tag.
> >
> > How about e.g.
> >
> > <virtualhost *:80 *:443>
>
> Again, fo
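
Added example, not part of the original message and not httpd code: points 1 b) and c) of the reply above concern a VirtualHost on an SSL port that lacks 'SSLEngine on' or certificates, and this sketch checks an existing config for exactly that. It assumes a single file with no Include or macros and no SSL settings inherited from the base server; the function name lint_tls_vhosts and the sample config are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread).
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName a.example
</VirtualHost>
<VirtualHost *:443>
    ServerName a.example
    SSLEngine on
    SSLCertificateFile /etc/ssl/a.pem
</VirtualHost>
<VirtualHost *:80 *:443>
    ServerName b.example
    SSLCertificateFile /etc/ssl/b.pem
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName c.example
    SSLEngine on
</VirtualHost>
"""

OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)

def lint_tls_vhosts(conf, tls_ports=(443,)):
    """Return (ServerName, problem) pairs for vhosts bound to a TLS port."""
    findings, vhost = [], None
    for line in (raw.strip() for raw in conf.splitlines()):
        opened = OPEN.match(line)
        if opened:
            # A VirtualHost tag may carry several addresses; look at each port.
            ports = {a.rsplit(":", 1)[-1] for a in opened.group(1).split()}
            vhost = {"tls": any(str(p) in ports for p in tls_ports),
                     "name": "?", "seen": set()}
        elif line.lower().startswith("</virtualhost") and vhost:
            if vhost["tls"]:
                for need, msg in (("sslengine", "SSLEngine on missing"),
                                  ("sslcertificatefile", "no certificate")):
                    if need not in vhost["seen"]:
                        findings.append((vhost["name"], msg))
            vhost = None
        elif vhost and line and not line.startswith("#"):
            parts = line.split(None, 1)
            key = parts[0].lower()
            arg = parts[1].strip() if len(parts) > 1 else ""
            if key == "servername":
                vhost["name"] = arg
            elif key != "sslengine" or arg.lower() == "on":
                vhost["seen"].add(key)  # 'SSLEngine off' does not count as seen
    return findings
```

On the sample it flags b.example (listed on *:443 without 'SSLEngine on') and c.example (SSL enabled but no certificate).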