On Fri, Sep 8, 2017 at 5:03 AM, Stefan Eissing <[email protected]> wrote:
>
>> On 08.09.2017 at 04:37, William A Rowe Jr <[email protected]> wrote:
>>
>> Reminder, this will not work with the current server_rec, we have a 1:1
>> correspondence to the server port. We would need to stop looking at that
>> field and track the port entirely on the connection and the server rec
>> addresses array.
>
> Urgs.
>
> 1. Irregardless of multiple addresses in a VirtualHost, I still like the idea
> of
>
>   SSLEngine *:443 local_interface:8001
>
> that is best used in the base server, once.
> a) I think it is easy to understand what it does.
> b) It prevents missing 'SSLEngine on' in a VirtualHost that needs it
> c) It causes required fails when a VirtualHost on a SSL port has no
> certificates

What do the parameters mean here?

>
> With that, we could advise people who want to start using SSL to include the
> following in their main conf:
>
> Listen 443
> # The following fails if your OpenSSL is not new enough.
> SSLPolicy modern
> SSLEngine *:443

I don't like this so much. I'd rather a new directive altogether if it will
live outside of the affected VH and that the name convey a little more of
what it's doing.

> 2. For people *moving* from http: to https: for a VirtualHost, we'd advise
>
> <VirtualHost *:80>
>   ServerName yourhostname
>   Redirect 301 "/" "https://yourhostname/"
> </VirtualHost>
>
> <VirtualHost *:443>
>   ServerName yourhostname
>   ...the former http: config
> </VirtualHost>
>

The only difference from the as-is here is that the SSL config is implicit
because of some global directive, right?

>
> 3. For people wanting to offer both http: and https: for the same resources
> (maybe for a trial period), what would we tell them?
> a) Copy to a new VirtualHost
> b) Make separate file and Include in two VirtualHost?
> c) Macros???

I think this leads back to 1 VH with directives like SSLRequireSSL and
automatic SSL over 443 or opted in ports. Or, global configs w/ no VH at all
that just work.
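
An added example, not part of the thread and not httpd code: points b) and c) of the quoted proposal are checks the server would make itself, and the same two checks can be run as a lint over an existing configuration. The function name lint_vhosts and the sample config are constructed for illustration; the lint assumes every setting lives inside the <VirtualHost> block and ignores anything inherited from the base server or pulled in by Include.

```python
import re

# Constructed sample (not from the thread); findings expected for lines 5 and 8.
# Assumption: only directives inside each block are read, no inheritance/Include.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName yourhostname
    Redirect 301 "/" "https://yourhostname/"
</VirtualHost>
<VirtualHost *:443>
    ServerName yourhostname
</VirtualHost>
<VirtualHost *:443>
    ServerName other.example
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName good.example
    SSLEngine on
    SSLCertificateFile "/etc/ssl/good.pem"
</VirtualHost>
"""
OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
CLOSE = re.compile(r"</VirtualHost>", re.I)

def lint_vhosts(conf, tls_ports=frozenset({"443"})):
    """Flag VirtualHosts on a TLS port lacking SSLEngine on or a certificate."""
    findings, block = [], None
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:
            # Ports named in the block's address list, e.g. "*:443" -> "443".
            ports = {a.rsplit(":", 1)[1] for a in m.group(1).split() if ":" in a}
            block = {"line": no, "tls": bool(ports & tls_ports), "d": {}}
        elif CLOSE.match(line) and block:
            d = block["d"]
            name = d.get("servername", "?")
            if block["tls"] and d.get("sslengine", "").lower() != "on":
                findings.append((block["line"], name, "SSLEngine not on"))
            elif block["tls"] and "sslcertificatefile" not in d:
                findings.append((block["line"], name, "no certificate"))
            block = None
        elif block:
            key, *rest = line.split(None, 1)
            block["d"][key.lower()] = rest[0].strip('"') if rest else ""
    return findings
```

Each finding is a (line number, ServerName, problem) tuple; pass a different tls_ports set for servers that terminate TLS on ports other than 443.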
