<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">MDRequireHttps temporary</pre>
</div>
<p>you announce that you want all traffic via http: URLs to be redirected
- to the https: ones, for now. If you want client to no longer use the
+ to the https: ones, for now. This is safe and you can remove this again at
+ any time.
+ </p><p>
+ <strong>The following has consequences: </strong>if you want client to <strong>no longer</strong> use the
http: URLs, configure:
</p>
- <div class="example"><h3>
Example</h3><pre class="prettyprint lang-config">MDRequireHttps permanent</pre>
+ <div class="example"><h3>
Permanent (for at least half a year!)</h3><pre class="prettyprint lang-config">MDRequireHttps permanent</pre>
</div>
- <p>You can achieve the same with mod_alias and some Redirect configuration,
+ <p>This does two things:
+ </p>
+ <ol>
+ <li>All request to the <code>http:</code> resources are redirected to the
+ same url with the <code>https:</code> scheme using the <code>301</code>
+ status code. This tells clients that this is intended to be forever and
+ the should update any links they have accordingly.
+ </li>
+ <li>All answers to <code>https:</code> requests will carry the header
+ <code>Strict-Transport-Security</code> with a life time of half a year.
+ This tells the browser that it <strong>never</strong> (for half a year) shall use <code>http:</code>
+ when talking to this domain name. Browsers will, after having seen this, refuse
+ to contact your unencrypted site. This prevents malicious middleware to
+ downgrade connections and listen/manipulate the traffic. Which is good. But
+ you cannot simply take it back again.
+ </li>
+ </ol>
+ <p>You can achieve the same with mod_alias and some Redirect configuration,
basically. If you do it yourself, please make sure to exclude the paths
/.well-known/* from your redirection, otherwise mod_md might have trouble
signing on new certificates.
it for a specific domain only, use:
</p>
<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><ManagedDomain xxx.yyy>
- MDRequireHttps permanent
+ MDRequireHttps temporary
</ManagedDomain></pre>
</div>
- <p>When you configure MDRequireHttps permanent, an additional security
- feature is automatically applied: HSTS. This adds the header
- Strict-Transport-Security to responses sent out via https:.
- Basically, this instructs the browser to only perform secure
- communications with that domain. This instruction holds for the
- amount of time specified in the header as 'max-age'.
- This is about half a year as generated by mod_md.
- </p><p>
- It is therefore advisable to first test the MDRequireHttps temporary
- configuration and switch to permanent only once that works satisfactory.
- </p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
</table>
<p><em>x509</em> specifies a component of an X.509 DN; one of
-<code>C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email</code>. In Apache 2.1 and
+<code>C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email</code>. In httpd 2.2.0 and
later, <em>x509</em> may also include a numeric <code>_n</code>
suffix. If the DN in question contains multiple attributes of the
same name, this suffix is used as a zero-based index to select a
first (or only) attribute of any DN is added only under a non-suffixed
name; i.e. no <code>_0</code> suffixed entries are added.</p>
+<p>In httpd 2.5.0 and later, an optional <em>_RAW</em> suffix may be
+added to <em>x509</em> in a DN component, to suppress conversion of
+the attribute value to UTF-8. This must be placed after the index
+suffix (if any). For example, <code>SSL_SERVER_S_DN_OU_RAW</code> or
+<code>SSL_SERVER_S_DN_OU_0_RAW</code> could be used.</p>
+
<p>The format of the <em>*_DN</em> variables has changed in Apache HTTPD
2.3.11. See the <code>LegacyDNStringFormat</code> option for
<code class="directive"><a href="#ssloptions">SSLOptions</a></code> for details.</p>
projects / apache / commitdiff