I tried to read and understand the whole thread and what we are trying
to solve here, but I can't help but think this is an attempt at a new
".htaccess" wildcard thing for SSL that will end in greater confusion.

In Freenode #httpd we generally try to teach people to not be afraid
of defining the necessary virtualhosts. Everyone seems inclined, due
to the amount of trash they have found through Google, to define a
single .htaccess file that will solve all their cases, redirections,
and whatnot, and 90% are frustrated at how complicated it is.

The generic solution we give is (the iconic simplest way) one
virtualhost for each:

<Virtualhost *:80>
ServerName whatever.example.com
Redirect / https://whatever.example.com/
</Virtualhost>

<Virtualhost *:443>
ServerName whatever.example.com
SSLEngine on
etc..
</Virtualhost>

Isn't this much better than any other attempt at reducing it to
"another minimum expression" in a complicated kind of way?

Is it really necessary to have <Virtualhost *:80 *:443..> and try to
do the same thing as above in a new more confusing complicated way?

Of course users may not be admins, but still they can have virtualhost
for both ports (SSL and not SSL) and use .htaccess and all the
RewriteCond %{HTTPS} !on  etc..

But the way I see it.. Are we really going to complicate virtualhosts
too? Do we really need to offer added functionality to do the same
thing that is already being offered now in the simple starting example
I provided of two single virtualhosts, one for each? Obviously one can
complicate it already as needed using If, or RewriteCond, etc.. but
shouldn't we strive to make virtualhosts as simple to understand as
possible?


To me a single virtualhost which handles both SSL and non-SSL
connections seems like doing the opposite, adding a new way for user
confusion.

Perhaps we need to stop for a minute if we want to add more
complicated ways to do the same thing we can already do (and probably
many should do) in a very simple way?

Regarding the SSL changes, SSLPolicy and such are great additions and
they belong in server config, we should stop there for the moment and
leave Virtualhost as simple as possible.

Hope I don't sound impolite or anything like that, the ideas thrown
and your work (@Stefan) are amazing!

2017-08-10 15:28 GMT+02:00 Stefan Eissing <stefan.eiss...@greenbytes.de>:
> Now that mod_md has landed in trunk, I am looking at more ways
> to simplify a SSL configuration. Looking at the Listen directive,
> it has an optional 2nd protocol parameter.
>
> Would it be unreasonable to assume that a
>     Listen NNN https
>
> means that "SSLEngine on" should be the default in all
>     <VirtualHost *:NNN>
>        ServerName xxx.yyy
>        ...
>     </VirtualHost>
>
> sections? Would we expect breakage by such a change?
>
> What about name-based virtual hosts that apply to _all_
> addresses and ports? E.g. something like:
>     <VirtualHost>
>        ServerName xxx.yyy
>        ...
>        <If "%{HTTPS} != 'on'">
>           Redirect permanent "/" "https://xxx.yyy/"
>        </If>
>        ...
>     </VirtualHost>
>
> Do you find that ugly/feasible/desirable?
>
> -Stefan



-- 
Daniel Ferradal
IT Specialist

email         dferradal at gmail.com
linkedin     es.linkedin.com/in/danielferradal
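
A check for the two-VirtualHost pattern described in the message above, as an added example that is not part of the original email or of httpd: it scans configuration text and reports any ServerName that lacks the port-80 redirect vhost or the port-443 "SSLEngine on" vhost. The sample configuration, shop.example.com and the function names are constructed for illustration, and the regex parsing assumes plain, non-nested VirtualHost blocks with an explicit address:port.

```python
import re
from urllib.parse import urlsplit
# Constructed sample configuration (not from the original message):
# whatever.example.com follows the two-vhost pattern, shop.example.com does not.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName whatever.example.com
    Redirect / https://whatever.example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName whatever.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost *:80>
    ServerName shop.example.com
    DocumentRoot /var/www/shop
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", re.I | re.S)
CHECKS = (("redirect", "no port-80 vhost redirecting to https"),
          ("tls", "no port-443 vhost with SSLEngine on"))

def directive(body, name):
    """Argument string of the first `name` directive in a vhost body, or ""."""
    m = re.search(rf"^\s*{name}\s+(.+?)\s*$", body, re.I | re.M)
    return m.group(1) if m else ""

def audit(conf):
    """Map each ServerName to its deviations from the two-vhost pattern."""
    seen = {}
    for addrs, body in VHOST_RE.findall(conf):
        name = directive(body, "ServerName").lower()
        if not name:
            continue
        state = seen.setdefault(name, {"redirect": False, "tls": False})
        ports = {a.rsplit(":", 1)[-1] for a in addrs.split()}
        args = directive(body, "Redirect").split()
        url = urlsplit(args[-1].strip('"')) if args else None
        # Compare the parsed hostname, so a look-alike prefix host does not pass.
        if "80" in ports and url and url.scheme == "https" and url.hostname == name:
            state["redirect"] = True
        if "443" in ports and directive(body, "SSLEngine").lower() == "on":
            state["tls"] = True
    return {n: [msg for key, msg in CHECKS if not s[key]] for n, s in seen.items()}

if __name__ == "__main__":
    for host, issues in audit(SAMPLE_CONF).items():
        print(host, "OK" if not issues else "; ".join(issues))
```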
