Posted to cvs@httpd.apache.org by tr...@apache.org on 2016/03/13 16:31:16 UTC
svn commit: r1734819 - in /httpd/httpd/trunk/docs/manual: howto/ mod/
Author: trawick
Date: Sun Mar 13 15:31:15 2016
New Revision: 1734819
URL: http://svn.apache.org/viewvc?rev=1734819&view=rev
Log:
make docs
Modified:
httpd/httpd/trunk/docs/manual/howto/access.html.fr
httpd/httpd/trunk/docs/manual/howto/http2.html.en
httpd/httpd/trunk/docs/manual/mod/mod_authz_host.html.en
httpd/httpd/trunk/docs/manual/mod/mod_authz_host.html.fr
httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml.fr
httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml.meta
httpd/httpd/trunk/docs/manual/mod/mod_include.html.en
httpd/httpd/trunk/docs/manual/mod/mod_include.xml.ja
httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en
httpd/httpd/trunk/docs/manual/mod/quickreference.html.de
httpd/httpd/trunk/docs/manual/mod/quickreference.html.en
httpd/httpd/trunk/docs/manual/mod/quickreference.html.es
httpd/httpd/trunk/docs/manual/mod/quickreference.html.ja.utf8
httpd/httpd/trunk/docs/manual/mod/quickreference.html.ko.euc-kr
httpd/httpd/trunk/docs/manual/mod/quickreference.html.tr.utf8
httpd/httpd/trunk/docs/manual/mod/quickreference.html.zh-cn.utf8
Modified: httpd/httpd/trunk/docs/manual/howto/access.html.fr
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/howto/access.html.fr?rev=1734819&r1=1734818&r2=1734819&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/howto/access.html.fr (original)
+++ httpd/httpd/trunk/docs/manual/howto/access.html.fr Sun Mar 13 15:31:15 2016
@@ -26,6 +26,8 @@
<p><span>Langues Disponibles: </span><a href="../en/howto/access.html" hreflang="en" rel="alternate" title="English"> en </a> |
<a href="../fr/howto/access.html" title="Français"> fr </a></p>
</div>
+<div class="outofdate">Cette traduction peut être périmée. Vérifiez la version
+ anglaise pour les changements récents.</div>
<p>Le contrôle d'accès fait référence à tout concept de contrôle
d'accès à une ressource quelconque. Il est distinct du processus d'<a href="auth.html">authentification et d'autorisation</a>.</p>
Modified: httpd/httpd/trunk/docs/manual/howto/http2.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/howto/http2.html.en?rev=1734819&r1=1734818&r2=1734819&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/howto/http2.html.en (original)
+++ httpd/httpd/trunk/docs/manual/howto/http2.html.en Sun Mar 13 15:31:15 2016
@@ -30,39 +30,195 @@
<a href="../tr/howto/public_html.html" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p>
</div>
- <p>This howto is still a work in progress! Please do not trust completely the following information until the work is finished.</p>
+ <p>This is the howto guide for the HTTP/2 implementation in Apache httpd. This
+ feature is <em>experimental</em> and you may expect interfaces and directives to
+ change between releases.
+ </p>
</div>
<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#protocol">The HTTP/2 protocol</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#implementation">HTTP/2 in Apache httpd</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#building">Build httpd with HTTP/2 support</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#configurations">Configurations</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#browsers">Browsers</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#basic-config">Basic Configuration</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#clients">Clients</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#tools">Useful tools to debug HTTP/2</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#push">Server Push</a></li>
</ul><h3>See also</h3><ul class="seealso"><li><a href="../mod/mod_http2.html">mod_http2</a></li></ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="protocol" id="protocol">The HTTP/2 protocol</a></h2>
- <p>This section should contain an overview of the protocol and links to official docs.</p>
+ <p>HTTP/2 is the evolution of the world's most successful application layer protocol, HTTP.
+ It focuses on making more efficient use of network resources. It does not change the fundamentals
+ of HTTP, the semantics. There are still request and responses and headers and all that. So, if
+ you already know HTTP/1, you know 95% about HTTP/2 as well.</p>
+ <p>There has been a lot written about HTTP/2 and how it works. The most normative is, of course,
+ its <a href="https://tools.ietf.org/html/rfc7540">RFC 7540</a>
+ (<a href="http://httpwg.org/specs/rfc7540.html">also available in more readable formatting, YMMV</a>).
+ So, there you'll find the nuts and bolts.</p>
+ <p>But, as RFC do, it's not really a good thing to read first. It's better to first understand
+ <em>what</em> a thing wants to do and then read the RFC about <em>how</em> it is done. A much
+ better document to start with is <a href="https://daniel.haxx.se/http2/">http2 explained</a>
+ by Daniel Stenberg, the author of <a href="https://curl.haxx.se">curl</a>. It is available in
+ an ever growing list of languages, too!</p>
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="implementation" id="implementation">HTTP/2 in Apache httpd</a></h2>
+
+ <p>The HTTP/2 protocol is implemented by its own httpd module, aptly named
+ <a href="../mod/mod_http2.html">mod_http2</a>. It implements the complete set
+ of features described by RFC 7540 and supports HTTP/2 over cleartext (http:), as
+ well as secure (https:) connections. The cleartext variant is named '<code>h2c</code>',
+ the secure one '<code>h2</code>'. For <code>h2c</code> it allows the <em>direct</em>
+ mode and the <code>Upgrade:</code> via an initial HTTP/1 request.</p>
+ <p>One feature of HTTP/2 that offers new capabilities for web developers is
+ <a href="#push">Server Push</a>. See that section on how your web application
+ can make use of it.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="building" id="building">Build httpd with HTTP/2 support</a></h2>
- <p>This section should contain info about how to build HTTP/2 support into httpd plus other requirements.</p>
+ <p><a href="../mod/mod_http2.html">mod_http2</a> uses the library of <a href="https://nghttp2.org">nghttp2</a>
+ as its implementation base. In order to build <code>mod_http2</code> you need at least version 1.2.1 of
+ <code>libnghttp2</code> installed on your system.</p>
+ <p>When you <code>./configure</code> you Apache httpd source tree, you need to give it
+ '<code>--enable-http2</code>' as additional argument to trigger the build of the module.
+ Should your <code>libnghttp2</code> reside in an unusual place (whatever that is on your
+ operating system), you may announce its location with '<code>--with-nghttp2=<path></code>'
+ to <code>configure</code>.</p>
+ <p>While that should do the trick for most, they are people who might prefer a statically
+ linked <code>nghttp2</code> in this module. For those, the option <code>--enable-nghttp2-staticlib-deps</code>
+ exists. It works quite similar to how one statically links openssl to mod_ssl.</p>
+ <p>Speaking of SSL, you need to be aware that most browsers will speak HTTP/2 only on <code>https:</code>
+ URLs, so you need a server with SSL support. But not only that, you will need a SSL library
+ that supports the <code>ALPN</code> extension. If OpenSSL is the library you use, you need
+ at least version 1.0.2.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
-<h2><a name="configurations" id="configurations">Configurations</a></h2>
+<h2><a name="basic-config" id="basic-config">Basic Configuration</a></h2>
+
+
+ <p>When you have a <code>httpd</code> built with <code>mod_http2</code> you need some
+ basic configuration for it becoming active. The first thing, as with every Apache module,
+ is that you need to load it:</p>
+ <pre class="prettyprint lang-config">LoadModule http2_module modules/mod_http2.so</pre>
+
- <p>This section should contain various configuration examples for HTTP/2 (h2, h2c, etc..) plus common pitfalls (for example not setting a strong TLS cipher suite with h2).</p>
+ <p>The second directive you need to add to your server configuration is</p>
+ <pre class="prettyprint lang-config">Protocols h2 http/1.1</pre>
+
+ <p>This allows h2, the secure variant, to be the preferred protocol on your server
+ connections. When you want to enable all HTTP/2 variants, you simply write:</p>
+ <pre class="prettyprint lang-config">Protocols h2 h2c http/1.1</pre>
+
+ <p>Depending on where you put this directive, it affects all connections or just
+ the ones to a certain virtual host. You can nest it, as in:</p>
+ <pre class="prettyprint lang-config">Protocols http/1.1
+<VirtualHost ...>
+ ServerName test.example.org
+ Protocols h2 http/1.1
+</VirtualHost></pre>
+
+
+ <p>This allows only HTTP/1 on connections, except SSL connections to <code>test.example.org</code>
+ which offer HTTP/2.</p>
+ <p>The order of protocols mentioned is also relevant. By default, the first one is the
+ most peferred protocol. When a client offers multiple choices, the one most to the
+ left is selected. In</p>
+ <pre class="prettyprint lang-config">Protocols http/1.1 h2</pre>
+
+ <p>the most preferred protocol is HTTP/1 and it will always be selected unless a
+ client <em>only</em> supports h2. Since we want to talk HTTP/2 to clients that
+ support it, the better order is</p>
+ <pre class="prettyprint lang-config">Protocols h2 h2c http/1.1</pre>
+
+
+ <p>There is one more thing to ordering: the client has its own preferences, too. If
+ you want, you can configure your server to select the protocol most preferred by
+ the client:</p>
+ <pre class="prettyprint lang-config">ProtocolsHonorOrder Off</pre>
+
+ <p>makes the order <em>you</em> wrote the Protocols irrelevant and only the client's
+ ordering will decide.</p>
+ <p>A last thing: the protocols you configure are not checked for correctness
+ or spelling. You can mention protocols that do not exist, so there is no need
+ to guard <code>Protocols</code> with any <code>IfModule</code> checks.</p>
+ <p>For more advanced tips on configuration, see the <a href="../mod/mod_http2.html#dimensioning">
+ modules section about dimensioning</a> and <a href="../mod/mod_http2.html#misdirected">
+ how to manage multiple hosts with the same certificate</a>.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
-<h2><a name="browsers" id="browsers">Browsers</a></h2>
+<h2><a name="clients" id="clients">Clients</a></h2>
- <p>Browser support.</p>
+ <p>Almost all modern browsers support HTTP/2, but only over SSL connections: Firefox (v43),
+ Chrome (v45), Safari (since v9), iOS Safari (v9), Opera (v35), Chrome for Android (v49)
+ and Internet Explorer (v11 on Windows10) (<a href="http://caniuse.com/#search=http2">source</a>).</p>
+ <p>Other clients, as well as servers, are listed
+ <a href="https://github.com/http2/http2-spec/wiki/Implementations">on the Implementations wiki</a>,
+ among them implementations for c, c++, common lisp, dart, erlang, haskell, java, nodejs, php,
+ python, perl, ruby, rust, scala and swift.</p>
+ <p>Several of the non-browser client implementations support HTTP/2 over cleartext, h2c. The
+ most versatile being <a href="https://curl.haxx.se">curl</a>.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="tools" id="tools">Useful tools to debug HTTP/2</a></h2>
- <p>This section should contain examples of tools to test/debug HTTP/2 connections.</p>
+ <p><a href="https://curl.haxx.se">curl</a>.</p>
+ <p>And for really deep inspection <a href="https://www.wireshark.org">wireshark</a>.</p>
+ <p>The <a href="https://nghttp2.org">nghttp2</a> package also includes clients, such as
+ <code>nghttp</code> and <code>h2load</code>, the latter one being very useful in putting
+ some stress on your server.</p>
+ <p>Chrome offers also detailed HTTP/2 logs on its connections via the
+ <a href="chrome://net-internals/#http2">special net-internals page</a>.</p>
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="push" id="push">Server Push</a></h2>
+
+ <p>The HTTP/2 protocol allows the server to PUSH responses to a client it never
+ asked for. The tone of the conversation is: "here is a request that you
+ never sent and the response to it will arrive soon..."</p>
+ <p>But there are restrictions: the client can disable this feature and the
+ server may only ever PUSH on a request that came from the client.</p>
+ <p>The intention is to allow the server to send resources to the clien that
+ it will most likely need: a css or javascript resource that belongs to a html
+ page the client requested. A set of images that is referenced by a css, etc.</p>
+ <p>The advantage for the client is that it saves the time to send the request which
+ may range from a few milli seconds to half a second, depending on where on the
+ globe both are located. The disadvantage is that the client may get sent
+ things it already has in its cache. Sure, HTTP/2 allows for the early cancellation
+ of such requests, but still there are resources wasted.</p>
+ <p>To summarize: there is no one good strategy on how to make best use of this
+ feature of HTTP/2 and everyone is still experimenting. So, how do you experiment
+ with it in Apache httpd?</p>
+ <p><code>mod_http2</code> inspect response header for <code>Link</code> headers
+ in a certain format:</p>
+ <pre class="prettyprint lang-config">Link </xxx.css>;rel=preload, </xxx.js>; rel=preload</pre>
+
+ <p>If the connection supports PUSH, these two resources will be sent to the
+ client. As a web developer, you may set these headers either directly in
+ your application response or you configure the server via</p>
+ <pre class="prettyprint lang-config"><Location /xxx.html>
+ Header add Link "</xxx.css>;rel=preload"
+ Header add Link "</xxx.js>;rel=preload"
+</Location></pre>
+
+ <p>If you want to use <code>preload</code> links without triggering a PUSH, you
+ can use the <code>nopush</code> parameter, as in</p>
+ <pre class="prettyprint lang-config">Link </xxx.css>;rel=preload;nopush</pre>
+
+ <p>or you may disable PUSHes for your server entirely with the directive</p>
+ <pre class="prettyprint lang-config">H2Push Off</pre>
+
+ <p>And there is more:</p>
+ <p>The module will keep a diary of what has been PUSHed for each connection
+ (hashes of URLs, basically) and will not PUSH the same resource twice. When
+ the connection closes, this information is discarded.</p>
+ <p>There are people thinking about how a client can tell a server what it
+ already has, so PUSHes for those things can be avoided, but this is all
+ highly experimental right now.</p>
+ <p>Another experimental draft that has been implemented in <code>mod_http2</code>
+ is the <a href="https://tools.ietf.org/html/draft-ruellan-http-accept-push-policy-00">
+ Accept-Push-Policy Header Field</a> where a client can, for each request, define
+ what kind of PUSHes it accepts.</p>
</div></div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="../en/howto/public_html.html" title="English"> en </a> |
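Review bot: The Basic Configuration section drops the pitfall that the removed placeholder promised to cover ("not setting a strong TLS cipher suite with h2"), and the "Protocols h2 h2c http/1.1" examples turn on cleartext h2c without saying when that variant is wanted; add a short paragraph on the TLS requirements for h2 and on when to leave h2c out. In the Server Push section the header example "Link </xxx.css>;rel=preload, </xxx.js>; rel=preload" is missing the colon after the header name. Typos to fix in the XML source before regenerating: "you Apache httpd source tree", "they are people", "peferred", "clien", "milli seconds", "inspect response header". The language links in the context lines point at public_html.html, not http2.html.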
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_host.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_host.html.en?rev=1734819&r1=1734818&r2=1734819&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_host.html.en (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_host.html.en Sun Mar 13 15:31:15 2016
@@ -73,7 +73,8 @@ address)</td></tr>
<p>Apache's <code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code>
directive is used during the authorization phase to ensure that a user is allowed or
denied access to a resource. mod_authz_host extends the
- authorization types with <code>ip</code>, <code>host</code> and <code>local</code>.
+ authorization types with <code>ip</code>, <code>host</code>,
+ <code>forward-dns</code> and <code>local</code>.
Other authorization types may also be
used but may require that additional authorization modules be loaded.</p>
@@ -165,6 +166,28 @@ Require host .net example.edu</pre>
+<h3><a name="reqfwddns" id="reqfwddns">Require forward-dns</a></h3>
+
+ <p>The <code>forward-dns</code> provider allows access to the server
+ to be controlled based on simple host names. When
+ <code>Require forward-dns <var>host-name</var></code> is specified,
+ all IP addresses corresponding to <code><var>host-name</var></code>
+ are allowed access.</p>
+
+ <p>In contrast to the <code>host</code> provider, this provider does not
+ rely on reverse DNS lookups: it simply queries the DNS for the host name
+ and allows a client if its IP matches. As a consequence, it will only
+ work with host names, not domain names. However, as the reverse DNS is
+ not used, it will work with clients which use a dynamic DNS service.</p>
+
+ <pre class="prettyprint lang-config">Require forward-dns bla.example.org</pre>
+
+
+ <p>A client the IP of which is resolved from the name
+ <code>bla.example.org</code> will be granted access.</p>
+
+
+
<h3><a name="reqlocal" id="reqlocal">Require local</a></h3>
<p>The <code>local</code> provider allows access to the server if any
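Review bot: The new "Require forward-dns" text says the provider "simply queries the DNS for the host name and allows a client if its IP matches" but never says when that lookup is performed or how long its result is kept, and it does not point out that the access decision then depends on whoever can change the DNS record for that name. Add a sentence on lookup timing and a caution about trusting the DNS answer for authorization. The sentence "it will only work with host names, not domain names" also needs an example of what is not matched, since the distinction is not explained anywhere in the hunk.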
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_host.html.fr
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_host.html.fr?rev=1734819&r1=1734818&r2=1734819&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_host.html.fr (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_host.html.fr Sun Mar 13 15:31:15 2016
@@ -29,6 +29,8 @@
<p><span>Langues Disponibles: </span><a href="../en/mod/mod_authz_host.html" hreflang="en" rel="alternate" title="English"> en </a> |
<a href="../fr/mod/mod_authz_host.html" title="Français"> fr </a></p>
</div>
+<div class="outofdate">Cette traduction peut être périmée. Vérifiez la version
+ anglaise pour les changements récents.</div>
<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Autorisations de groupe basées sur l'hôte (nom ou adresse
IP)</td></tr>
<tr><th><a href="module-dict.html#Status">Statut:</a></th><td>Base</td></tr>
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml.fr
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml.fr?rev=1734819&r1=1734818&r2=1734819&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml.fr (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml.fr Sun Mar 13 15:31:15 2016
@@ -1,7 +1,7 @@
<?xml version="1.0"?>
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.fr.xsl"?>
-<!-- English Revision: 1702013 -->
+<!-- English Revision: 1702013:1734412 (outdated) -->
<!-- French translation : Lucien GENTIS -->
<!-- Reviewed by : Vincent Deffontaines -->
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml.meta
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml.meta?rev=1734819&r1=1734818&r2=1734819&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml.meta (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml.meta Sun Mar 13 15:31:15 2016
@@ -8,6 +8,6 @@
<variants>
<variant>en</variant>
- <variant>fr</variant>
+ <variant outdated="yes">fr</variant>
</variants>
</metafile>
Modified: httpd/httpd/trunk/docs/manual/mod/mod_include.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_include.html.en?rev=1734819&r1=1734818&r2=1734819&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_include.html.en (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_include.html.en Sun Mar 13 15:31:15 2016
@@ -560,10 +560,22 @@ AddOutputFilter INCLUDES .shtml</pre>
the user.</dd>
<dt><code>QUERY_STRING_UNESCAPED</code></dt>
- <dd>If a query string is present, this variable contains the
- (%-decoded) query string, which is <em>escaped</em> for shell
- usage (special characters like <code>&</code> etc. are
- preceded by backslashes).</dd>
+ <dd>If a query string is present in the request for the active
+ SSI document, this variable contains the (%-decoded) query
+ string, which is <em>escaped</em> for shell usage (special
+ characters like <code>&</code> etc. are preceded by
+ backslashes). It is not set if a query string is not
+ present. Use <code>DOCUMENT_ARGS</code> if shell escaping
+ is not desired.</dd>
+
+ <dt><code>DOCUMENT_ARGS</code></dt>
+ <dd>This variable contains the query string of the active SSI
+ document, or the empty string if a query string is not
+ included. For subrequests invoked through the
+ <code>include</code> SSI directive, <code>QUERY_STRING</code>
+ will represent the query string of the subrequest and
+ <code>DOCUMENT_ARGS</code> will represent the query string of
+ the SSI document.</dd>
</dl>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
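Review bot: The added sentence "Use DOCUMENT_ARGS if shell escaping is not desired" steers authors toward a variable that holds request-supplied input, yet the DOCUMENT_ARGS entry does not say whether the value is %-decoded or state that it is unescaped. Spell out the decoding in the DOCUMENT_ARGS description and add a caution that the value must be encoded or escaped by the author before it is echoed into a page or handed to a command. The QUERY_STRING_UNESCAPED entry now says "It is not set if a query string is not present" while DOCUMENT_ARGS is "the empty string"; a short remark on that difference would help anyone testing for presence.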
Modified: httpd/httpd/trunk/docs/manual/mod/mod_include.xml.ja
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_include.xml.ja?rev=1734819&r1=1734818&r2=1734819&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_include.xml.ja [utf-8] (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_include.xml.ja [utf-8] Sun Mar 13 15:31:15 2016
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.ja.xsl"?>
-<!-- English Revision: 656287:1673947 (outdated) -->
+<!-- English Revision: 656287:1734817 (outdated) -->
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en?rev=1734819&r1=1734818&r2=1734819&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en Sun Mar 13 15:31:15 2016
@@ -461,11 +461,13 @@ this directory contains the appropriate
<div class="directive-section"><h2><a name="SSLCARevocationCheck" id="SSLCARevocationCheck">SSLCARevocationCheck</a> <a name="sslcarevocationcheck" id="sslcarevocationcheck">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable CRL-based revocation checking</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCARevocationCheck chain|leaf|none</code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCARevocationCheck chain|leaf|none <em>flag</em>s</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLCARevocationCheck none</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Optional <em>flag</em>s available in httpd 2.5-dev or
+later</td></tr>
</table>
<p>
Enables certificate revocation list (CRL) checking. At least one of
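Review bot: The Syntax row now reads "SSLCARevocationCheck chain|leaf|none flags", which presents the flags as a required argument, while the new Compatibility row calls them "Optional". Mark them optional in the syntax itself, for example with square brackets around the flags, so the Syntax and Default rows agree.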
@@ -475,22 +477,32 @@ configured. When set to <code>chain</cod
CRL checks are applied to all certificates in the chain, while setting it to
<code>leaf</code> limits the checks to the end-entity cert.
</p>
-<div class="note">
-<h3>When set to <code>chain</code> or <code>leaf</code>,
-CRLs <em>must</em> be available for successful validation</h3>
-<p>
-Prior to version 2.3.15, CRL checking in mod_ssl also succeeded when
-no CRL(s) were found in any of the locations configured with
-<code class="directive"><a href="#sslcarevocationfile">SSLCARevocationFile</a></code>
-or <code class="directive"><a href="#sslcarevocationpath">SSLCARevocationPath</a></code>.
-With the introduction of this directive, the behavior has been changed:
-when checking is enabled, CRLs <em>must</em> be present for the validation
-to succeed - otherwise it will fail with an
-<code>"unable to get certificate CRL"</code> error.
-</p>
-</div>
+<p>The available <em>flag</em>s are:</p>
+<ul>
+<li><code>no_crl_for_cert_ok</code>
+ <p>
+ Prior to version 2.3.15, CRL checking in mod_ssl also succeeded when
+ no CRL(s) for the checked certificate(s) were found in any of the locations
+ configured with <code class="directive"><a href="#sslcarevocationfile">SSLCARevocationFile</a></code>
+ or <code class="directive"><a href="#sslcarevocationpath">SSLCARevocationPath</a></code>.
+ </p>
+ <p>
+ With the introduction of <code class="directive">SSLCARevocationFile</code>,
+ the behavior has been changed: by default with <code>chain</code> or
+ <code>leaf</code>, CRLs <strong>must</strong> be present for the
+ validation to succeed - otherwise it will fail with an
+ <code>"unable to get certificate CRL"</code> error.
+ </p>
+ <p>
+ The <em>flag</em> <code>no_crl_for_cert_ok</code> allows to restore
+ previous behaviour.
+ </p>
+</li>
+</ul>
<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCARevocationCheck chain</pre>
</div>
+<div class="example"><h3>Compatibility with versions 2.2</h3><pre class="prettyprint lang-config">SSLCARevocationCheck chain no_crl_for_cert_ok</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
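Review bot: In the second paragraph of the no_crl_for_cert_ok item, "With the introduction of SSLCARevocationFile" replaces the removed "With the introduction of this directive"; the behaviour change belongs to SSLCARevocationCheck, so the directive named is wrong. The item should also say plainly that with this flag validation succeeds when no CRL is found for a certificate, i.e. the revocation check is skipped for it, which the removed note box made prominent and the new list item buries. The example heading "Compatibility with versions 2.2" does not line up with "Prior to version 2.3.15" in the text, and "allows to restore previous behaviour" should read "restores the previous behaviour".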
Modified: httpd/httpd/trunk/docs/manual/mod/quickreference.html.de
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/quickreference.html.de?rev=1734819&r1=1734818&r2=1734819&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/quickreference.html.de (original)
+++ httpd/httpd/trunk/docs/manual/mod/quickreference.html.de Sun Mar 13 15:31:15 2016
@@ -1025,7 +1025,7 @@ Client Auth</td></tr>
for defining acceptable CA names</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslcadnrequestpath">SSLCADNRequestPath <em>directory-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Directory of PEM-encoded CA Certificates for
defining acceptable CA names</td></tr>
-<tr><td><a href="mod_ssl.html#sslcarevocationcheck">SSLCARevocationCheck chain|leaf|none</a></td><td> none </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable CRL-based revocation checking</td></tr>
+<tr><td><a href="mod_ssl.html#sslcarevocationcheck">SSLCARevocationCheck chain|leaf|none <em>flag</em>s</a></td><td> none </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable CRL-based revocation checking</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslcarevocationfile">SSLCARevocationFile <em>file-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">File of concatenated PEM-encoded CA CRLs for
Client Auth</td></tr>
<tr><td><a href="mod_ssl.html#sslcarevocationpath">SSLCARevocationPath <em>directory-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Directory of PEM-encoded CA CRLs for
Modified: httpd/httpd/trunk/docs/manual/mod/quickreference.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/quickreference.html.en?rev=1734819&r1=1734818&r2=1734819&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/quickreference.html.en (original)
+++ httpd/httpd/trunk/docs/manual/mod/quickreference.html.en Sun Mar 13 15:31:15 2016
@@ -1013,7 +1013,7 @@ Client Auth</td></tr>
for defining acceptable CA names</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslcadnrequestpath">SSLCADNRequestPath <em>directory-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Directory of PEM-encoded CA Certificates for
defining acceptable CA names</td></tr>
-<tr><td><a href="mod_ssl.html#sslcarevocationcheck">SSLCARevocationCheck chain|leaf|none</a></td><td> none </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable CRL-based revocation checking</td></tr>
+<tr><td><a href="mod_ssl.html#sslcarevocationcheck">SSLCARevocationCheck chain|leaf|none <em>flag</em>s</a></td><td> none </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable CRL-based revocation checking</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslcarevocationfile">SSLCARevocationFile <em>file-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">File of concatenated PEM-encoded CA CRLs for
Client Auth</td></tr>
<tr><td><a href="mod_ssl.html#sslcarevocationpath">SSLCARevocationPath <em>directory-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Directory of PEM-encoded CA CRLs for
Modified: httpd/httpd/trunk/docs/manual/mod/quickreference.html.es
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/quickreference.html.es?rev=1734819&r1=1734818&r2=1734819&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/quickreference.html.es (original)
+++ httpd/httpd/trunk/docs/manual/mod/quickreference.html.es Sun Mar 13 15:31:15 2016
@@ -1020,7 +1020,7 @@ Client Auth</td></tr>
for defining acceptable CA names</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslcadnrequestpath">SSLCADNRequestPath <em>directory-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Directory of PEM-encoded CA Certificates for
defining acceptable CA names</td></tr>
-<tr><td><a href="mod_ssl.html#sslcarevocationcheck">SSLCARevocationCheck chain|leaf|none</a></td><td> none </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable CRL-based revocation checking</td></tr>
+<tr><td><a href="mod_ssl.html#sslcarevocationcheck">SSLCARevocationCheck chain|leaf|none <em>flag</em>s</a></td><td> none </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable CRL-based revocation checking</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslcarevocationfile">SSLCARevocationFile <em>file-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">File of concatenated PEM-encoded CA CRLs for
Client Auth</td></tr>
<tr><td><a href="mod_ssl.html#sslcarevocationpath">SSLCARevocationPath <em>directory-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Directory of PEM-encoded CA CRLs for
Modified: httpd/httpd/trunk/docs/manual/mod/quickreference.html.ja.utf8
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/quickreference.html.ja.utf8?rev=1734819&r1=1734818&r2=1734819&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/quickreference.html.ja.utf8 [utf-8] (original)
+++ httpd/httpd/trunk/docs/manual/mod/quickreference.html.ja.utf8 [utf-8] Sun Mar 13 15:31:15 2016
@@ -945,7 +945,7 @@ Client Auth</td></tr>
for defining acceptable CA names</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslcadnrequestpath">SSLCADNRequestPath <em>directory-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Directory of PEM-encoded CA Certificates for
defining acceptable CA names</td></tr>
-<tr><td><a href="mod_ssl.html#sslcarevocationcheck">SSLCARevocationCheck chain|leaf|none</a></td><td> none </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable CRL-based revocation checking</td></tr>
+<tr><td><a href="mod_ssl.html#sslcarevocationcheck">SSLCARevocationCheck chain|leaf|none <em>flag</em>s</a></td><td> none </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable CRL-based revocation checking</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslcarevocationfile">SSLCARevocationFile <em>file-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">File of concatenated PEM-encoded CA CRLs for
Client Auth</td></tr>
<tr><td><a href="mod_ssl.html#sslcarevocationpath">SSLCARevocationPath <em>directory-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Directory of PEM-encoded CA CRLs for
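Review bot: the new syntax "chain|leaf|none <em>flag</em>s" on the added line does not show whether the flags are optional or how several of them are separated, while the Default column of the same row still reads "none" with no flag. If the flags may be omitted, bracket notation such as "[<em>flags</em> ...]" would say so; if they may not, the default shown here is incomplete.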
Modified: httpd/httpd/trunk/docs/manual/mod/quickreference.html.ko.euc-kr
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/quickreference.html.ko.euc-kr?rev=1734819&r1=1734818&r2=1734819&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/quickreference.html.ko.euc-kr [euc-kr] (original)
+++ httpd/httpd/trunk/docs/manual/mod/quickreference.html.ko.euc-kr [euc-kr] Sun Mar 13 15:31:15 2016
@@ -971,7 +971,7 @@ Client Auth</td></tr>
for defining acceptable CA names</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslcadnrequestpath">SSLCADNRequestPath <em>directory-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Directory of PEM-encoded CA Certificates for
defining acceptable CA names</td></tr>
-<tr><td><a href="mod_ssl.html#sslcarevocationcheck">SSLCARevocationCheck chain|leaf|none</a></td><td> none </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable CRL-based revocation checking</td></tr>
+<tr><td><a href="mod_ssl.html#sslcarevocationcheck">SSLCARevocationCheck chain|leaf|none <em>flag</em>s</a></td><td> none </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable CRL-based revocation checking</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslcarevocationfile">SSLCARevocationFile <em>file-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">File of concatenated PEM-encoded CA CRLs for
Client Auth</td></tr>
<tr><td><a href="mod_ssl.html#sslcarevocationpath">SSLCARevocationPath <em>directory-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Directory of PEM-encoded CA CRLs for
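Review bot: the added line advertises flags, but the description cell stays "Enable CRL-based revocation checking" and nothing in the row names a single accepted flag value. Please confirm that the linked mod_ssl.html#sslcarevocationcheck section lists the flags and what each one changes about the revocation check, since a reader of this table has no other pointer to them.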
Modified: httpd/httpd/trunk/docs/manual/mod/quickreference.html.tr.utf8
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/quickreference.html.tr.utf8?rev=1734819&r1=1734818&r2=1734819&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/quickreference.html.tr.utf8 [utf-8] (original)
+++ httpd/httpd/trunk/docs/manual/mod/quickreference.html.tr.utf8 [utf-8] Sun Mar 13 15:31:15 2016
@@ -1010,7 +1010,7 @@ Client Auth</td></tr>
for defining acceptable CA names</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslcadnrequestpath">SSLCADNRequestPath <em>directory-path</em></a></td><td></td><td>sk</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Directory of PEM-encoded CA Certificates for
defining acceptable CA names</td></tr>
-<tr><td><a href="mod_ssl.html#sslcarevocationcheck">SSLCARevocationCheck chain|leaf|none</a></td><td> none </td><td>sk</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable CRL-based revocation checking</td></tr>
+<tr><td><a href="mod_ssl.html#sslcarevocationcheck">SSLCARevocationCheck chain|leaf|none <em>flag</em>s</a></td><td> none </td><td>sk</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable CRL-based revocation checking</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslcarevocationfile">SSLCARevocationFile <em>file-path</em></a></td><td></td><td>sk</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">File of concatenated PEM-encoded CA CRLs for
Client Auth</td></tr>
<tr><td><a href="mod_ssl.html#sslcarevocationpath">SSLCARevocationPath <em>directory-path</em></a></td><td></td><td>sk</td><td>E</td></tr><tr><td class="descr" colspan="4">Directory of PEM-encoded CA CRLs for
Modified: httpd/httpd/trunk/docs/manual/mod/quickreference.html.zh-cn.utf8
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/quickreference.html.zh-cn.utf8?rev=1734819&r1=1734818&r2=1734819&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/quickreference.html.zh-cn.utf8 (original)
+++ httpd/httpd/trunk/docs/manual/mod/quickreference.html.zh-cn.utf8 Sun Mar 13 15:31:15 2016
@@ -1008,7 +1008,7 @@ Client Auth</td></tr>
for defining acceptable CA names</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslcadnrequestpath">SSLCADNRequestPath <em>directory-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Directory of PEM-encoded CA Certificates for
defining acceptable CA names</td></tr>
-<tr><td><a href="mod_ssl.html#sslcarevocationcheck">SSLCARevocationCheck chain|leaf|none</a></td><td> none </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable CRL-based revocation checking</td></tr>
+<tr><td><a href="mod_ssl.html#sslcarevocationcheck">SSLCARevocationCheck chain|leaf|none <em>flag</em>s</a></td><td> none </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable CRL-based revocation checking</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslcarevocationfile">SSLCARevocationFile <em>file-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">File of concatenated PEM-encoded CA CRLs for
Client Auth</td></tr>
<tr><td><a href="mod_ssl.html#sslcarevocationpath">SSLCARevocationPath <em>directory-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Directory of PEM-encoded CA CRLs for