> On 08.09.2017 at 04:37, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
> Reminder, this will not work with the current server_rec, we have a 1:1
> correspondence to the server port. We would need to stop looking at that
> field and track the port entirely on the connection and the server rec
> addresses array.

Urgs.

1. Irregardless of multiple addresses in a VirtualHost, I still like the idea of

     SSLEngine *:443 local_interface:8001

   that is best used in the base server, once.
   a) I think it is easy to understand what it does.
   b) It prevents missing 'SSLEngine on' in a VirtualHost that needs it
   c) It causes required fails when a VirtualHost on a SSL port has no certificates

   With that, we could advise people who want to start using SSL to include the following in their main conf:

     Listen 443
     # The following fails if your OpenSSL is not new enough.
     SSLPolicy modern
     SSLEngine *:443

2. For people *moving* from http: to https: for a VirtualHost, we'd advise

     <VirtualHost *:80>
       ServerName yourhostname
       Redirect 301 "/" "https://yourhostname/"
     </VirtualHost>
     <VirtualHost *:443>
       ServerName yourhostname
       ...the former http: config
     </VirtualHost>

   ?

3. For people wanting to offer both http: and https: for the same resources (maybe for a trial period), what would we tell them?
   a) Copy to a new VirtualHost
   b) Make separate file and Include in two VirtualHost?
   c) Macros???

Cheers, Stefan

-------------------------------------------------------------------
Quick scan where we use server_rec->port:

core:
AP_DECLARE(apr_port_t) ap_get_server_port(const request_rec *r)
{
...
        port = r->parsed_uri.port_str ? r->parsed_uri.port :
               r->server->port ? r->server->port :
               ap_default_port(r);

mod_log_config.c:
static const char *log_server_port(request_rec *r, char *a)
{
    apr_port_t port;

    if (*a == '\0' || !strcasecmp(a, "canonical")) {
        port = r->server->port ? r->server->port : ap_default_port(r);
    }

ssl_engine_init.c:
        if ((sc->enabled == SSL_ENABLED_TRUE) && (s->port == DEFAULT_HTTP_PORT)) {

ssl_util.c:
char *ssl_util_vhostid(apr_pool_t *p, server_rec *s)
{
    char *id;
    SSLSrvConfigRec *sc;
    char *host;
    apr_port_t port;

    host = s->server_hostname;
    if (s->port != 0)
        port = s->port;
    else {

vhost.c:
        /* the Port has to match now, because the rest don't have ports associated
         * with them.
         */
        if (port != s->port) {
            return 0;
        }

> On Fri, Sep 1, 2017 at 10:12 AM, Eric Covener <cove...@gmail.com> wrote:
> > On Fri, Sep 1, 2017 at 10:39 AM, Stefan Eissing
> > <stefan.eiss...@greenbytes.de> wrote:
> >> I get the first feedback from Apache users that want their http: only
> >> hosts to also serve https:. This is nice feedback to improve usability of
> >> mod_md.
> >>
> >> Ideally, what these people want - and that is purely my interpretation -
> >> is to add a few lines to their config and - voila - https: is available.
> >> And, honestly, why should they not expect that?
> >>
> >>
> >>
> >> Example: Duplication/Redirect
> >>
> >> They have something like:
> >> ----------------------------------
> >> Listen 80
> >> <VirtualHost *:80>
> >> ServerName xxx.yyy
> >> ...
> >> </VirtualHost>
> >> ----------------------------------
> >>
> >> and want to also make that available on https:
> >> ----------------------------------
> >> Listen http://*:80
> >> Listen https://*:443
> >>
> >> <VirtualHost *:80>
> >> ServerName xxx.yyy
> >> AlternatePorts 443
> >> ...
> >> </VirtualHost>
> >> ----------------------------------
> >>
> >> or redirect everyone to https:
> >> ----------------------------------
> >> Listen http://*:80
> >> Listen https://*:443
> >>
> >> <VirtualHost *:443>
> >> ServerName xxx.yyy
> >> RedirectPermanentFrom 80
> >> ...
> >> </VirtualHost>
> >
> > I am not keen on the syntax because we already permit multiple
> > addresses in the VirtualHost tag.
> >
> > How about e.g.
> >
> > <virtualhost *:80 *:443>
> > Again, fo