Posted to dev@httpd.apache.org by "Helmut K. C. Tessarek" <te...@evermeet.cx> on 2018/04/02 18:56:13 UTC

Re: TLSv1.3

Hello,

On 2018-03-29 04:16, Stefan Eissing wrote:
> Besides, except for data center setups, Apache will be used *only*
> with https: (and http: redirects to https:) very, very soon. That
> shifts the average expertise of an admin setting up a https: site.

This statement makes me a bit nervous. Are you saying that there won't
be a way to use Apache with http anymore? (Since I don't know what a
data center setup entails that is - new directive, http only setup, ...)
Also, the 'will be used' part is a bit puzzling. This part rather
suggests that all users will magically only use https from that point
forward. Or was it meant as "Apache will only use https anymore"?

I'm basically using https anyway, however there are connections that
*must* be plain http, e.g. the ACME challenge. I like to use my own
scripts for maintaining the certificates thus I am not using the Apache
module, which further means that I must have control over Apache's http
setup.

I'm doing something like this:

<VirtualHost IP_ADDRESS:80>
    ServerName HOSTNAME:80
    Alias "/.well-known/acme-challenge/" "/COMMON_DIR/acme-challenge/.well-known/acme-challenge/"
    <Directory "/COMMON_DIR/acme-challenge/">
        Require all granted
    </Directory>

    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/.*
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,L,R=301]
</VirtualHost>

<VirtualHost IP_ADDRESS:443>
    ServerName HOSTNAME:443

    # Your "real" configuration here
</VirtualHost>

Can you please elaborate on your above statement and clear that up for me?

Cheers,
  K. C.

-- 
regards Helmut K. C. Tessarek              KeyID 0x172380A011EF4944
Key fingerprint = 8A55 70C1 BD85 D34E ADBC 386C 1723 80A0 11EF 4944

/*
   Thou shalt not follow the NULL pointer for chaos and madness
   await thee at its end.
*/


Re: TLSv1.3

Posted by Nick Edwards <ni...@gmail.com>.
well well if it's not BANNED USER  Reindl harrold using a ghost account


On Tue, Apr 3, 2018 at 5:02 AM, lists@rhsoft.net <li...@rhsoft.net> wrote:

>
>
> no, it's just an opinion based on the fact that Chrome will penalize non-https in
> general (besides: the ACME challenge is happy with an automatic redirect
> to https even if it's a self-signed certificate)
>
> that opinion completely ignores setups where the load-balancer does
>

Re: TLSv1.3

Posted by "lists@rhsoft.net" <li...@rhsoft.net>.
On 02.04.2018 at 20:56, Helmut K. C. Tessarek wrote:
> On 2018-03-29 04:16, Stefan Eissing wrote:
>> Besides, except for data center setups, Apache will be used *only*
>> with https: (and http: redirects to https:) very, very soon. That
>> shifts the average expertise of an admin setting up a https: site.
> 
> This statement makes me a bit nervous. Are you saying that there won't
> be a way to use Apache with http anymore?

no, it's just an opinion based on the fact that Chrome will penalize non-https in
general (besides: the ACME challenge is happy with an automatic redirect
to https even if it's a self-signed certificate)

that opinion completely ignores setups where the load-balancer does
tls-offloading/caching and has a dedicated connection in a separated
network to the backend servers which are http-only forever

the load-balancer can be http://trafficserver.apache.org/ as an example
which also does HTTP2-over-TLS for the client while the backend
connection is also HTTP/1.1 forever - in that case mod_h2/mod_md are not
part of the game and even mpm_prefork stays untouched