Bug#775176: please don't open tcp/80 by default
> > This could be implemented by splitting ports.conf into 2 parts
> > conf-available/{port80.conf,port443.conf} and to create the symlinks in
> > conf-enabled (to keep Debian's default). Just a suggestion, of course.
>
> Nah,... really not... then you get dozens of such small one liner files...
> many people listen on much more ports than just 80 / 443.

This bug report is about the files provided with the package. All I'm asking for is using a2enconf instead of ports.conf. I'm OK with having a single file for both ports.

Regards
Harri
Bug#775176: please don't open tcp/80 by default
On Thu, 2015-01-15 at 13:53 +0100, Harald Dunkel wrote:
> Unfortunately the VirtualHost statement defines both IP address and port
> for each virtual host. They don't work without the appropriate Listen
> statements, so I cannot follow your "independent from each other".

That's basically why you need to tell the vhosts for which IPs they're valid for, i.e. you can have probably different vhosts for the same names (i.e. domain-names or addresses the client sets in the HTTP Host: header) on different IP addresses.

So conceptually Listen is for the IP protocol level, while the address in VirtualHost (which can actually be a hostname as well, that is then however once resolved on startup) is just to tell on which addresses that vhost should be used, which is btw: also necessary for IP based vhosting (i.e. when no HTTP Host: header is given).

> Can you confirm that the central Listen statement breaks the modular
> approach of a2ensite?

Not sure what you mean. I guess you'd probably want to get rid of the Listen statement altogether, and that Apache determines all the address/port combinations from all enabled vhosts automatically.

I'm not sure whether I would generally like this and which implications it has... I think security wise it's not so good, because you lose that one central point where you control where to actually listen on.

But anyway, this is not the case in Apache and one would have to request such feature upstream... and until that, Listen is IMHO independent from VirtualHost (but VirtualHost isn't independent from Listen)... and as such it doesn't make sense IMHO to have it in the sites-available dir,... and even less in the conf.d dir.

> That's my point: I want to disable apache2 for port 80/tcp without the
> risk of losing this setting on the next package upgrade.

First, you don't lose anything on package upgrade, since dpkg doesn't blindly overwrite config files unless you tell it to - actually in the many years of running apache now, it never asked me the typical question, since the maintainer version of ports.conf never changed.

And the next problem is, that the listening settings are so deeply in the configuration schema of Apache, that you cannot just enable/disable them so easily by removing a config file. Even if you'd say a2dismod ports-http-80.conf or something like that... all your other config snippets would e.g. still refer to port 80 and fail then. And AFAIK there is no IfListenOn conditional directive where you can just opportunistically enable something, based on whether apache actually does listen on it.

> This could be implemented by splitting ports.conf into 2 parts
> conf-available/{port80.conf,port443.conf} and to create the symlinks in
> conf-enabled (to keep Debian's default). Just a suggestion, of course.

Nah,... really not... then you get dozens of such small one liner files... many people listen on much more ports than just 80 / 443.

Cheers,
Chris.
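The point made above (a VirtualHost on a port with no matching Listen is left dangling once Listen 80 is dropped from ports.conf for an https-only host) and the reporter's question of whether the central Listen breaks a2ensite/a2dissite can be checked mechanically. The script below is an added example, not code from this bug report or from the Debian apache2 package: it writes a constructed Debian-style config tree (ports.conf plus sites-enabled/, file contents made up for the demo) into a temp directory, then audits it for VirtualHost stanzas whose port nothing listens on. The function names (listen_ports, vhost_ports, unlistened_vhosts, build_demo_tree) are this example's own.

```shell
#!/bin/sh
# Added example, not code from bug #775176 or from the Debian apache2 package.
# Builds a constructed Debian-style apache2 config tree in a temp dir and audits
# it: every <VirtualHost addr:port> should have a matching Listen directive.
# All file contents are constructed; the function names are this example's own.

# listen_ports DIR: print the port of every Listen directive, one per line.
# Handles "Listen 80", "Listen 0.0.0.0:80" and "Listen [::]:443 https".
listen_ports() {
    for f in "$1/ports.conf" "$1"/conf-enabled/*.conf "$1"/sites-enabled/*.conf; do
        [ -f "$f" ] || continue
        awk 'tolower($1) == "listen" { p = $2; sub(/^.*:/, "", p); print p }' "$f"
    done | sort -u
}

# vhost_ports DIR: print "FILE PORT" for every <VirtualHost ...> stanza in
# sites-enabled; one stanza may name several addr:port pairs. A bare
# "<VirtualHost *>" carries no port and is skipped here.
vhost_ports() {
    for f in "$1"/sites-enabled/*.conf; do
        [ -f "$f" ] || continue
        awk -v f="$f" 'tolower($1) == "<virtualhost" {
            for (i = 2; i <= NF; i++) {
                a = $i; sub(/>$/, "", a); sub(/^.*:/, "", a)
                if (a ~ /^[0-9]+$/) print f, a
            }
        }' "$f"
    done
}

# unlistened_vhosts DIR: print "FILE PORT" for vhosts bound to a port that no
# Listen directive opens. Empty output means the tree is consistent.
unlistened_vhosts() {
    listened=$(listen_ports "$1")
    vhost_ports "$1" | while read -r file port; do
        printf '%s\n' "$listened" | grep -qx "$port" || echo "$file $port"
    done
}

# build_demo_tree: write the constructed tree and print its path. ports.conf
# follows the Debian layout but with Listen 80 commented out (the https-only
# host the reporter describes), while sites-enabled still carries the stock
# port-80 default vhost next to the SSL one.
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/conf-enabled" "$d/sites-enabled"
    cat > "$d/ports.conf" <<'EOF'
# Listen 80        <- removed for an https-only host (constructed example)
<IfModule ssl_module>
    Listen 443
</IfModule>
EOF
    cat > "$d/sites-enabled/000-default.conf" <<'EOF'
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
</VirtualHost>
EOF
    cat > "$d/sites-enabled/default-ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName www.example.com
    SSLEngine on
</VirtualHost>
</IfModule>
EOF
    echo "$d"
}

demo=$(build_demo_tree)
echo "Listen ports:"; listen_ports "$demo"
echo "VirtualHosts on ports nothing listens on:"; unlistened_vhosts "$demo"
# On a real host this is what "a2dissite 000-default" does: drop the symlink.
rm "$demo/sites-enabled/000-default.conf"
echo "After disabling 000-default:"; unlistened_vhosts "$demo"
rm -rf "$demo"
```

Run against a real tree with `unlistened_vhosts /etc/apache2` after editing ports.conf (the route the maintainer suggests) to see which enabled sites still reference the closed port and need a2dissite; the audit is a static text check and does not replace `apachectl configtest`.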
Bug#775176: please don't open tcp/80 by default
> As said before... where Apache listens on and which (whether at all) you
> have vhosts, is in principle independent from each other. a2en/dissite
> should not change the listening behaviour.

Unfortunately the VirtualHost statement defines both IP address and port for each virtual host. They don't work without the appropriate Listen statements, so I cannot follow your "independent from each other". Can you confirm that the central Listen statement breaks the modular approach of a2ensite?

> And wrt conf.d, this is IMHO rather other misc stuff, e.g. I put in files
> there which enforces httpOnly or secure on all cookies,... or things like
> that. But it doesn't seem to make much sense to make the port-listening
> such a config snippet which one can disable or enable - if you disable the
> port-listening then you effectively disable the daemon.

That's my point: I want to disable apache2 for port 80/tcp without the risk of losing this setting on the next package upgrade.

This could be implemented by splitting ports.conf into 2 parts conf-available/{port80.conf,port443.conf} and to create the symlinks in conf-enabled (to keep Debian's default). Just a suggestion, of course.

Regards
Harri
Bug#775176: please don't open tcp/80 by default
On Wed, 2015-01-14 at 06:47 +0100, Harald Dunkel wrote:
> the interface to enable and disable virtual hosts is a2ensite/a2dissite.
> That includes the IP/IPv6 address / virtual host names *and* the ports to
> listen. apache2.conf should provide just a basic configuration common for
> all vhosts and modules.

As said before... where Apache listens on and which (whether at all) you have vhosts, is in principle independent from each other. a2en/dissite should not change the listening behaviour.

And wrt conf.d, this is IMHO rather other misc stuff, e.g. I put in files there which enforces httpOnly or secure on all cookies,... or things like that. But it doesn't seem to make much sense to make the port-listening such a config snippet which one can disable or enable - if you disable the port-listening then you effectively disable the daemon.

> I would suggest to move the default vhosts for 80/tcp and 443/tcp to
> their own host modules in mods-available, making ports.conf obsolete.
> Then the default vhosts can be kicked out and replaced using a2dissite,
> as usual.

Maybe I misunderstand you,... but ports.conf doesn't define any vhosts,... and you need to set the listening addresses, even when you do no vhosting at all... so it doesn't make much sense to move something here.

Apart from that, which default vhost do you mean? There's the default vhost for IP based vhosting,.. the default one when namebased vhosting is done, and IIRC there's even the main server host, which is effectively when you put the config outside of any IP/name based vhost stanzas.

Cheers,
Chris.
Bug#775176: please don't open tcp/80 by default
Of course I can edit ports.conf, apache2.conf, envvars and all the others. That's not the point.

Surely I am no expert in apache2 configuration, but IMU the interface to enable and disable virtual hosts is a2ensite/a2dissite. That includes the IP/IPv6 address / virtual host names *and* the ports to listen. apache2.conf should provide just a basic configuration common for all vhosts and modules.

I would suggest to move the default vhosts for 80/tcp and 443/tcp to their own host modules in mods-available, making ports.conf obsolete. Then the default vhosts can be kicked out and replaced using a2dissite, as usual.

I understand that it's too late for Jessie, of course.

Thanx very much. Keep on your good work.

Harri
Bug#775176: please don't open tcp/80 by default
PS:

On 01/14/15 06:47, Harald Dunkel wrote:
> I would suggest to move the default vhosts for 80/tcp and 443/tcp to
> their own host modules in mods-available, making ports.conf obsolete.
> Then the default vhosts can be kicked out and replaced using a2dissite,
> as usual.

s/mods-available/sites-available/

Sorry, I was in a rush.

Regards
Harri
Bug#775176: please don't open tcp/80 by default
On Mon, 12 Jan 2015, Harald Dunkel wrote:
> Actually I don't see any reason why apache2 should unconditionally listen
> on 80/tcp for a https-only setup, so I wonder if ports.conf could be
> moved to conf.d to support a2disconf?

As ports.conf does not contain anything else, editing it should not cause much hassle with updates. Therefore I don't see that this is necessary.

> Another option would be to move the Listen statements to the appropriate
> virtual host definitions, making ports.conf obsolete.

Having the Listen statements in the virtual host files causes problems with name based virtual hosts, so I don't think that would be a good idea.

> Please mail if I could provide patches for this, or is it too late for
> Jessie?

It's definitely too late for jessie. I will leave the bug open and consider it again after jessie release.
Bug#775176: please don't open tcp/80 by default
Package: apache2
Version: 2.4.10-9

Actually I don't see any reason why apache2 should unconditionally listen on 80/tcp for a https-only setup, so I wonder if ports.conf could be moved to conf.d to support a2disconf?

Another option would be to move the Listen statements to the appropriate virtual host definitions, making ports.conf obsolete.

Please mail if I could provide patches for this, or is it too late for Jessie?

Regards
Harri
Bug#775176: please don't open tcp/80 by default
On Mon, 2015-01-12 at 09:48 +0100, Harald Dunkel wrote:
> Actually I don't see any reason why apache2 should unconditionally listen
> on 80/tcp for a https-only setup, so I wonder if ports.conf could be
> moved to conf.d to support a2disconf?

You can just modify ports.conf and set the listening sockets as necessary? Moving ports.conf to conf.d seems not to be conceptually sensible, since one will always need listen addresses.

> Another option would be to move the Listen statements to the appropriate
> virtual host definitions, making ports.conf obsolete.

Also not really clean, since a single listening address might be used by multiple VHs... so it doesn't really belong there.

I'd rather vote for httpd not being started automatically after installation... which gives the admin time to configure it appropriately and not having it unconditionally / insecurely(?) listening.

Cheers,
Chris.