Re: Listen 443 https

2017-09-18 Thread Daniel
I have to admit my point of view focuses on more generic cases rather than extreme cases like the one you describe with "hundreds of virtualhosts". 2017-09-18 20:03 GMT+02:00 Reindl Harald : > > > Am 18.09.2017 um 19:28 schrieb Daniel: >> >> I see >> >> But we already

Re: Listen 443 https

2017-09-18 Thread Reindl Harald
Am 18.09.2017 um 19:28 schrieb Daniel: I see But we already have a handy directive to avoid repetition when necessary, a directive that btw many distros abuse, "Include". You define the common parts in a single file and Include the appropiate file. that scales bad when the vhost itself is

Re: Listen 443 https

2017-09-18 Thread Stefan Eissing
Thanks for you feedback, Daniel. Very much appreciated! You describe the approach I suggest as "confusing" and "complicated", while for me it is the opposite. ;-) But there are really two separate things here. The SSLEngine addition and the multi-port vhost. I'll argue that the first make sense,

Re: Listen 443 https

2017-09-18 Thread Daniel
I see But we already have a handy directive to avoid repetition when necessary, a directive that btw many distros abuse, "Include". You define the common parts in a single file and Include the appropiate file. 2017-09-18 19:18 GMT+02:00 Reindl Harald : > > Am 18.09.2017

Re: Listen 443 https

2017-09-18 Thread Reindl Harald
Am 18.09.2017 um 17:56 schrieb Daniel: I tried to read and understand the whole thread and what we are trying to solve here, but I can't help to think this is an attempt at a new ".htaccess" wildcard thing for SSL that will end in greater confusion. in Freenode #httpd we generally try to teach

Re: Listen 443 https

2017-09-18 Thread Daniel
I tried to read and understand the whole thread and what we are trying to solve here, but I can't help to think this is an attempt at a new ".htaccess" wildcard thing for SSL that will end in greater confusion. in Freenode #httpd we generally try to teach people to not be afraid of defining the

Re: Listen 443 https (SSLEngine Optional - dual host)

2017-09-17 Thread Yann Ylavic
Come on, let's keep technical once again. Personal grudges ended! On Sun, Sep 17, 2017 at 3:20 AM, Reindl Harald wrote: > > > Am 17.09.2017 um 03:07 schrieb Nick Edwards: >> >> phpmyadmin 4.4.15 is YEARS old > > > and how does that change the fact that >

Re: Listen 443 https (SSLEngine Optional - dual host)

2017-09-16 Thread Reindl Harald
Am 17.09.2017 um 03:07 schrieb Nick Edwards: phpmyadmin 4.4.15  is YEARS old and how does that change the fact that https://bz.apache.org/bugzilla/show_bug.cgi?id=61519#c1 "SERVER_PORT 80" in case of a https-connection is plain wrong? we using 4.7 for nearly a year, 4.7.2 is current

Re: Listen 443 https (SSLEngine Optional - dual host)

2017-09-16 Thread Nick Edwards
phpmyadmin 4.4.15 is YEARS old we using 4.7 for nearly a year, 4.7.2 is current this from a troll who verbally abuses the hell out of people on other lists for posting similar comments using very outdated softwares HAH, this ones in google for life. On Sun, Sep 17, 2017 at 10:24 AM, Reindl

Re: Listen 443 https (SSLEngine Optional - dual host)

2017-09-16 Thread Reindl Harald
assumption confirmed - and my connection is for sure https:// because of the mod_rewrite and finally HSTS https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 updated too phpinfo(): SERVER_PORT 80 ServerName www.rhsoft.net SSLEngine Optional SSLUseStapling On SSLCertificateFile

Re: Listen 443 https (SSLEngine Optional - dual host)

2017-09-16 Thread Reindl Harald
that's even more worse - phpMyAdmin 4.4.15.10 seems to handle something wrong because $_SERVER['SERVER_PORT'] is wrong - and i had myself some bad code using that var instead of $_SERVER['HTTPS'] which again leaded in a endless loop in case of phpMyAdmin it redirects to

Re: Listen 443 https

2017-09-14 Thread Reindl Harald
Am 14.09.2017 um 16:08 schrieb Stefan Eissing: Ok, as I read the code a bit more, there is a tangle of things that can influence port/scheme selection. But what I can see, the version in *trunk* should do the right thing *iff* a) you use "SSLEngine *:443" instead of "Optional" b) you use

Re: Listen 443 https

2017-09-14 Thread Stefan Eissing
> Am 14.09.2017 um 16:19 schrieb Eric Covener : > >> To recap: I am looking for an easy way to instruct someone to enable https: >> for >> >> Listen 80 >> >> >> ServerName blabla.org >> ...lots of stuff... >> >> >> and with the current trunk, she can change this to:

Re: Listen 443 https

2017-09-14 Thread Eric Covener
> To recap: I am looking for an easy way to instruct someone to enable https: > for > > Listen 80 > > >ServerName blabla.org >...lots of stuff... > > > and with the current trunk, she can change this to: > > Listen 80 > Listen 443 > SSLEngine *:443 > > ManagedDomain blabla.org > >

Re: Listen 443 https

2017-09-14 Thread Stefan Eissing
Ok, as I read the code a bit more, there is a tangle of things that can influence port/scheme selection. But what I can see, the version in *trunk* should do the right thing *iff* a) you use "SSLEngine *:443" instead of "Optional" b) you use "ServerName xxx.yyy" *without* a port name the a

Re: Listen 443 https

2017-09-14 Thread Reindl Harald
Am 14.09.2017 um 15:40 schrieb Stefan Eissing: Harald, could you check if a configuration like: UseCanonicalPhysicalPort on in the server or vhost mitigates the problem? it makes it even more terrible and the resulting http:// protocol instead https// on port 443 here even tiggers

Re: Listen 443 https

2017-09-14 Thread Stefan Eissing
Harald, could you check if a configuration like: UseCanonicalPhysicalPort on in the server or vhost mitigates the problem? Cheers, Stefan > Am 14.09.2017 um 12:00 schrieb Reindl Harald : > > > > Am 10.08.2017 um 18:22 schrieb Reindl Harald: >>> If you want to

Re: Listen 443 https

2017-09-14 Thread Stefan Eissing
> Am 14.09.2017 um 12:00 schrieb Reindl Harald : > > > > Am 10.08.2017 um 18:22 schrieb Reindl Harald: >>> If you want to experiment... >>> >>> is already recognized >> but with "SSLEngine On" and "SSLCertificateFile" configured non-https no >> longer would work > >

Re: Listen 443 https

2017-09-14 Thread Stefan Eissing
> Am 14.09.2017 um 14:56 schrieb Eric Covener : > > On Fri, Sep 8, 2017 at 5:03 AM, Stefan Eissing > wrote: >> >>> Am 08.09.2017 um 04:37 schrieb William A Rowe Jr : >>> >>> Reminder, this will not work with the current

Re: Listen 443 https

2017-09-14 Thread Eric Covener
On Fri, Sep 8, 2017 at 5:03 AM, Stefan Eissing wrote: > >> Am 08.09.2017 um 04:37 schrieb William A Rowe Jr : >> >> Reminder, this will not work with the current server_rec, we have a 1:1 >> correspondence to the server port. We would need to

Re: Listen 443 https

2017-09-14 Thread Reindl Harald
Am 10.08.2017 um 18:22 schrieb Reindl Harald: If you want to experiment... is already recognized but with "SSLEngine On" and "SSLCertificateFile" configured non-https no longer would work OK, figured it out * you need the *first* vhost with "SSLEngine On" * others can have "SSLEngine

Re: Listen 443 https

2017-09-08 Thread Stefan Eissing
> Am 08.09.2017 um 04:37 schrieb William A Rowe Jr : > > Reminder, this will not work with the current server_rec, we have a 1:1 > correspondence to the server port. We would need to stop looking at that > field and track the port entirely on the connection and the server

Re: Listen 443 https

2017-09-07 Thread William A Rowe Jr
Reminder, this will not work with the current server_rec, we have a 1:1 correspondence to the server port. We would need to stop looking at that field and track the port entirely on the connection and the server rec addresses array. On Fri, Sep 1, 2017 at 10:12 AM, Eric Covener

Re: Listen 443 https

2017-09-04 Thread Stefan Eissing
> Am 01.09.2017 um 17:12 schrieb Eric Covener : > > On Fri, Sep 1, 2017 at 10:39 AM, Stefan Eissing > wrote: >> I get the first feedback from Apache users that want their http: only hosts >> to also serve https:. This is nice feedback to improve

Re: Listen 443 https

2017-09-01 Thread Eric Covener
On Fri, Sep 1, 2017 at 10:39 AM, Stefan Eissing wrote: > I get the first feedback from Apache users that want their http: only hosts > to also serve https:. This is nice feedback to improve usability of mod_md. > > Ideally, what these people want - and that is

Re: Listen 443 https

2017-09-01 Thread Stefan Eissing
I get the first feedback from Apache users that want their http: only hosts to also serve https:. This is nice feedback to improve usability of mod_md. Ideally, what these people want - and that is purely my interpretation - is to add a few lines to their config and - voila - https: is

Re: Listen 443 https

2017-08-10 Thread Reindl Harald
Am 10.08.2017 um 17:57 schrieb William A Rowe Jr: On Thu, Aug 10, 2017 at 9:21 AM, Reindl Harald > wrote: > > > ServerName corecms.example.com > DocumentRoot

Re: Listen 443 https

2017-08-10 Thread William A Rowe Jr
On Thu, Aug 10, 2017 at 9:21 AM, Reindl Harald wrote: > > > ServerName corecms.example.com > DocumentRoot "/www/corecms.example.com" > This doesn't work, of course, owing to server_rec members such as scheme and port. If these moved to the addrs member, and we

Re: Listen 443 https

2017-08-10 Thread William A Rowe Jr
On Thu, Aug 10, 2017 at 9:21 AM, Reindl Harald wrote: > > it also would solve the chicken-egg-problem (again, without mod_md) that you > first need the http-host working for the well-known verfication file and the > path of the certificate could be easily pre-configured in

Re: Listen 443 https

2017-08-10 Thread William A Rowe Jr
On Thu, Aug 10, 2017 at 9:19 AM, Stefan Eissing wrote: > >> Am 10.08.2017 um 16:09 schrieb William A Rowe Jr : >> >>> Would we expect breakage by such a change? >> >> I think that Listen *:NNN is maybe the most common misconfiguration >> in

Re: Listen 443 https

2017-08-10 Thread Reindl Harald
Am 10.08.2017 um 15:28 schrieb Stefan Eissing: Now that mod_md has landed in trunk, I am looking at more ways to simplify a SSL configuration. Looking at the Listen directive, it has an optional 2nd protocol parameter. Would it be unreasonable to assume that a Listen NNN https means

Re: Listen 443 https

2017-08-10 Thread Stefan Eissing
> Am 10.08.2017 um 16:09 schrieb William A Rowe Jr : > > Let's break it down and consider the implications of Listen... > > On Thu, Aug 10, 2017 at 8:28 AM, Stefan Eissing > wrote: >> Now that mod_md has landed in trunk, I am looking at more

Re: Listen 443 https

2017-08-10 Thread William A Rowe Jr
Let's break it down and consider the implications of Listen... On Thu, Aug 10, 2017 at 8:28 AM, Stefan Eissing wrote: > Now that mod_md has landed in trunk, I am looking at more ways > to simplify a SSL configuration. Looking at the Listen directive, > it has an