From: Richard Bowen
Date: Thu, 25 Jul 2002 00:26:22 +0000 (+0000)
Subject: Conversion of patches submitted by Daniel
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=02a05fc91286a4b93ec9d7b2d766a3b711051977;p=apache

Conversion of patches submitted by Daniel

Submitted by: Daniel Lopez

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@96183 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/mod/mod_proxy.html.en b/docs/manual/mod/mod_proxy.html.en index 643fe65f4a..bf79f2c964 100644 --- a/docs/manual/mod/mod_proxy.html.en +++ b/docs/manual/mod/mod_proxy.html.en @@ -29,6 +29,9 @@ and filter support was enabled.

mod_proxy up to Apache v1.3.x has been removed from mod_proxy and will be incorporated into a new module, mod_cache.

+

If you need to use SSL when contacting remote servers, have a look at the +SSLProxy* directives in mod_ssl.

+

Do not enable proxying with ProxyRequests until you have secured your server. Open proxy servers are dangerous both to your network and to the Internet at large.
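
Review bot: The new paragraph that points to the SSLProxy* directives should name the ones a reader has to set rather than say "have a look at", because the mod_ssl half of this same patch documents SSLProxyEngine as off and SSLProxyVerify as none by default. As written, someone who only turns the proxy engine on gets an encrypted connection to a remote server whose certificate is never checked. Suggest naming SSLProxyEngine as the switch and stating that SSLProxyVerify require plus SSLProxyCACertificateFile or SSLProxyCACertificatePath are needed before the remote server is authenticated.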

@@ -64,7 +67,7 @@ forward proxy and the remote webserver.

Apache's mod_proxy can be figured to behave like a forward proxy using the ProxyRemote directive. In addition, caching of data can be achieved by configuring -Apache mod_cache. Other dedicated forward proxy +Apache mod_cache. Other dedicated forward proxy packages include Squid.

A reverse proxy is a webserver system that is capable of serving webpages @@ -102,7 +105,7 @@ Allow from 192.168.0

When configuring a reverse proxy, access control takes on the -attributes of the normal server <directory> configuration.

+attributes of the normal server <directory> configuration.

@@ -226,7 +229,7 @@ disable keepalives?

For circumstances where you have a application server which doesn't implement keepalives or HTTP/1.1 properly, there are 2 environment variables which when -set send a HTTP/1.0 with no keepalive. These are set via the SetEnv directive.

+set send a HTTP/1.0 with no keepalive. These are set via the SetEnv directive.

These are the 'force-proxy-request-1.0' and 'proxy-nokeepalive' notes.

@@ -474,11 +477,11 @@ a subdirectory. eg.

NB: order is important. you need to put the exclusions BEFORE the general proxypass directive
-

When used inside a <Location> section, the first argument is -ommitted and the local directory is obtained from the <Location>.

+

When used inside a <Location> section, the first argument is +ommitted and the local directory is obtained from the <Location>.

If you require a more flexible reverse-proxy configuration, see -the RewriteRule directive +the RewriteRule directive with the [P] flag.


ProxyPassReverse Directive

Description: Adjusts the URL in HTTP response headers sent from @@ -512,12 +515,12 @@ redirect response to the client.

Note that this ProxyPassReverse directive can also be used in conjunction with the proxy pass-through feature ("RewriteRule ... [P]") from -mod_rewrite because its doesn't depend on a +mod_rewrite because its doesn't depend on a corresponding ProxyPass directive.

-

When used inside a <Location> section, the first argument is -ommitted and the local directory is obtained from the <Location>.

+

When used inside a <Location> section, the first argument is +ommitted and the local directory is obtained from the <Location>.


ProxyPreserveHost Directive

Description: Use incoming Host HTTP request header for proxy request
Syntax:ProxyPreserveHost on|off
Default:ProxyPreserveHost Off
Context:server config, virtual host
Status:Extension
Module:mod_proxy
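
Review bot: The rewritten ProxyPassReverse paragraphs carry two wording errors onto their + lines: "because its doesn't depend on" should read "because it doesn't depend on", and "ommitted" in the <Location> paragraph should be "omitted". These lines are already being touched for markup, so the text can be fixed in the same commit. The identical "ommitted" appears in the <Location> paragraph of the preceding ProxyPass hunk.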
Compatibility:Available in diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en index 5087689fea..5fb4cbbcd0 100644 --- a/docs/manual/mod/mod_ssl.html.en +++ b/docs/manual/mod/mod_ssl.html.en @@ -13,7 +13,7 @@ to provide the cryptography engine.

Further details, discussion, and examples are provided in the SSL documentation.

-

Directives

Environment Variables

+

Directives

Environment Variables

This module provides a lot of SSL information as additional environment variables to the SSI and CGI namespace. The generated variables are listed in @@ -73,9 +73,9 @@ compatibility variables.

Custom Log Formats

-

When mod_ssl is built into Apache or at least +

When mod_ssl is built into Apache or at least loaded (under DSO situation) additional functions exist for the Custom Log Format of -mod_log_config. First there is an +mod_log_config. First there is an additional ``%{varname}x'' eXtension format function which can be used to expand any variables provided by any module, especially those provided by mod_ssl which can @@ -142,7 +142,7 @@ hash filenames. So usually you have not only to place the CRL files there. Additionally you have to create symbolic links named hash-value.rN. And you should always make sure this directory contains the appropriate symbolic links. Use the Makefile which -comes with mod_ssl to accomplish this task.

+comes with mod_ssl to accomplish this task.

Example

SSLCARevocationPath /usr/local/apache/conf/ssl.crl/
@@ -366,7 +366,7 @@ SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW

SSLEngine Directive

Description: SSL Engine Operation Switch
Syntax:SSLEngine on|off
Default:SSLEngine off
Context:server config, virtual host
Status:Extension
Module:mod_ssl

This directive toggles the usage of the SSL/TLS Protocol Engine. This -is usually used inside a <VirtualHost> section to enable SSL/TLS for a +is usually used inside a <VirtualHost> section to enable SSL/TLS for a particular virtual host. By default the SSL/TLS Protocol Engine is disabled for both the main server and all configured virtual hosts.

Example

@@ -597,6 +597,172 @@ The available (case-insensitive) protocols are:

# enable SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
+

SSLProxyCACertificateFile Directive

Description: File of concatenated PEM-encoded CA Certificates +for Remote Server Auth
Syntax:SSLProxyCACertificateFile file-path
Context:server config, virtual host
Status:Extension
Module:mod_ssl
+

+This directive sets the all-in-one file where you can assemble the +Certificates of Certification Authorities (CA) whose remote servers you deal +with. These are used for Remote Server Authentication. Such a file is simply the +concatenation of the various PEM-encoded Certificate files, in order of +preference. This can be used alternatively and/or additionally to +SSLProxyCACertificatePath.

+

Example

+SSLProxyCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle-remote-server.crt +
+

SSLProxyCACertificatePath Directive

Description: Directory of PEM-encoded CA Certificates for +Remote Server Auth
Syntax:SSLProxyCACertificatePath directory-path
Context:server config, virtual host
Status:Extension
Module:mod_ssl
+

+This directive sets the directory where you keep the Certificates of +Certification Authorities (CAs) whose remote servers you deal with. These are used to +verify the remote server certificate on Remote Server Authentication.

+

+The files in this directory have to be PEM-encoded and are accessed through +hash filenames. So usually you can't just place the Certificate files +there: you also have to create symbolic links named +hash-value.N. And you should always make sure this directory +contains the appropriate symbolic links. Use the Makefile which +comes with mod_ssl to accomplish this task.

+

Example

+SSLProxyCACertificatePath /usr/local/apache/conf/ssl.crt/ +
+

SSLProxyCARevocationFile Directive

Description: File of concatenated PEM-encoded CA CRLs for +Remote Server Auth
Syntax:SSLProxyCARevocationFile file-path
Context:server config, virtual host
Status:Extension
Module:mod_ssl
+

+This directive sets the all-in-one file where you can +assemble the Certificate Revocation Lists (CRL) of Certification +Authorities (CA) whose remote servers you deal with. These are used +for Remote Server Authentication. Such a file is simply the concatenation of +the various PEM-encoded CRL files, in order of preference. This can be +used alternatively and/or additionally to SSLProxyCARevocationPath.

+

Example

+SSLProxyCARevocationFile /usr/local/apache/conf/ssl.crl/ca-bundle-remote-server.crl +
+

SSLProxyCARevocationPath Directive

Description: Directory of PEM-encoded CA CRLs for +Remote Server Auth
Syntax:SSLProxyCARevocationPath directory-path
Context:server config, virtual host
Status:Extension
Module:mod_ssl
+

+This directive sets the directory where you keep the Certificate Revocation +Lists (CRL) of Certification Authorities (CAs) whose remote servers you deal with. +These are used to revoke the remote server certificate on Remote Server Authentication.

+

+The files in this directory have to be PEM-encoded and are accessed through +hash filenames. So usually you have not only to place the CRL files there. +Additionally you have to create symbolic links named +hash-value.rN. And you should always make sure this directory +contains the appropriate symbolic links. Use the Makefile which +comes with mod_ssl to accomplish this task.

+

Example

+SSLProxyCARevocationPath /usr/local/apache/conf/ssl.crl/ +
+

SSLProxyCipherSuite Directive

Description: Cipher Suite available for negotiation in SSL +proxy handshake
Syntax:SSLProxyCipherSuite cipher-spec
Default:SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
Context:server config, virtual host, directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_ssl
+

Equivalent to SSLCipherSuite, but for the proxy connection. +Please refer to SSLCipherSuite +for additional information.

+

SSLProxyEngine Directive

Description: SSL Proxy Engine Operation Switch
Syntax:SSLProxyEngine on|off
Default:SSLProxyEngine off
Context:server config, virtual host
Status:Extension
Module:mod_ssl
+

+This directive toggles the usage of the SSL/TLS Protocol Engine for proxy. This +is usually used inside a <VirtualHost> section to enable SSL/TLS for proxy +usage in a particular virtual host. By default the SSL/TLS Protocol Engine is +disabled for proxy image both for the main server and all configured virtual hosts.

+

Example

+<VirtualHost _default_:443>
+SSLProxyEngine on
+...
+</VirtualHost> +
+

SSLProxyMachineCertificateFile Directive

Description: File of concatenated PEM-encoded CA certificates for proxy server client certificates
Syntax:SSLProxyMachineCertificateFile filename
Default:None
Context:server config
Override:Not applicable
Status:Extension
Module:mod_ssl
+

+This directive sets the directory where you keep the certificates of +Certification Authorities (CAs) whose proxy client certificates are used for +authentication of the proxy server to remote servers. +

+

+This referenced file is simply the concatenation of the various PEM-encoded +certificate files, in order of preference. Use this directive alternatively +or additionally to SSLProxyMachineCertificatePath. +

+

+Example:

+
+SSLProxyMachineCertificatePath /usr/local/apache/conf/ssl.crt/ +
+

SSLProxyMachineCertificatePath Directive

Description: Directory of PEM-encoded CA certificates for proxy server client certificates
Syntax:SSLProxyMachineCertificatePath directory
Default:None
Context:server config
Override:Not applicable
Status:Extension
Module:mod_ssl
+

+This directive sets the directory where you keep the certificates of +Certification Authorities (CAs) whose proxy client certificates are used for +authentication of the proxy server to remote servers. +

+

The files in this directory must be PEM-encoded and are accessed through +hash filenames. Additionally, you must create symbolic links named +hash-value.N. And you should always make sure this +directory contains the appropriate symbolic links. Use the Makefile which +comes with mod_ssl to accomplish this task. +

+

+Example:

+
+SSLProxyMachineCertificatePath /usr/local/apache/conf/ssl.crt/ +
+

SSLProxyProtocol Directive

Description: Configure usable SSL protocol flavors for proxy usage
Syntax:SSLProxyProtocol [+|-]protocol ...
Default:SSLProxyProtocol all
Context:server config, virtual host
Override:Options
Status:Extension
Module:mod_ssl
+ +

+This directive can be used to control the SSL protocol flavors mod_ssl should +use when establishing its server environment for proxy . It will only connect +to servers using one of the provided protocols.

+

Please refer to SSLProtocol +for additional information. +

+

SSLProxyVerify Directive

Description: Type of remote server Certificate verification
Syntax:SSLProxyVerify level
Default:SSLProxyVerify none
Context:server config, virtual host, directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_ssl
+

+This directive sets the Certificate verification level for the remote server +Authentication. Notice that this directive can be used both in per-server and +per-directory context. In per-server context it applies to the remote server +authentication process used in the standard SSL handshake when a connection is +established. In per-directory context it forces a SSL renegotation with the +reconfigured remote server verification level after the HTTP request was read but +before the HTTP response is sent.

+

+The following levels are available for level:

+
    +
  • none: + no remote server Certificate is required at all
  • +
  • optional: + the remote server may present a valid Certificate
  • +
  • require: + the remote server has to present a valid Certificate
  • +
  • optional_no_ca: + the remote server may present a valid Certificate
    + but it need not to be (successfully) verifiable.
  • +
+

In practice only levels none and +require are really interesting, because level +optional doesn't work with all servers and level +optional_no_ca is actually against the idea of +authentication (but can be used to establish SSL test pages, etc.)

+

Example

+SSLProxyVerify require +
+

SSLProxyVerifyDepth Directive

Description: Maximum depth of CA Certificates in Remote Server +Certificate verification
Syntax:SSLVerifyDepth number
Default:SSLVerifyDepth 1
Context:server config, virtual host, directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_ssl
+

+This directive sets how deeply mod_ssl should verify before deciding that the +remote server does not have a valid certificate. Notice that this directive can be +used both in per-server and per-directory context. In per-server context it +applies to the client authentication process used in the standard SSL +handshake when a connection is established. In per-directory context it forces +a SSL renegotation with the reconfigured remote server verification depth after the +HTTP request was read but before the HTTP response is sent.

+

+The depth actually is the maximum number of intermediate certificate issuers, +i.e. the number of CA certificates which are max allowed to be followed while +verifying the remote server certificate. A depth of 0 means that self-signed +remote server certificates are accepted only, the default depth of 1 means +the remote server certificate can be self-signed or has to be signed by a CA +which is directly known to the server (i.e. the CA's certificate is under +SSLProxyCACertificatePath), etc.

+

Example

+SSLProxyVerifyDepth 10 +

SSLRandomSeed Directive

Description: Pseudo Random Number Generator (PRNG) seeding source
Syntax:SSLRandomSeed context source [bytes]
Context:server config
Status:Extension
Module:mod_ssl
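
Review bot: Several of the new SSLProxy* sections in this hunk still describe the directive they were copied from. Under SSLProxyMachineCertificateFile the body says "This directive sets the directory" and the example line is SSLProxyMachineCertificatePath /usr/local/apache/conf/ssl.crt/, so the File directive has no example of its own. Under SSLProxyVerifyDepth the Syntax and Default rows read SSLVerifyDepth, and the text says the per-server setting "applies to the client authentication process" although the section is about remote server verification. Smaller items: "disabled for proxy image both" in SSLProxyEngine has a stray word, "renegotation" is misspelled in both SSLProxyVerify and SSLProxyVerifyDepth, and SSLProxyCARevocationPath says the CRLs are "used to revoke" the remote server certificate where checking it for revocation is meant. Separately, the documented defaults deserve a sentence of their own: with SSLProxyVerify none and an SSLProxyCipherSuite default that includes +LOW:+SSLv2:+EXP, a proxy connection is unauthenticated and may negotiate weak ciphers unless the administrator overrides both. The SSLProxyEngine example would be the natural place to show SSLProxyVerify require together with a CA file.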