From: Kaspar Brand Date: Wed, 26 Dec 2012 10:59:31 +0000 (+0000) Subject: transformations X-Git-Tag: 2.5.0-alpha~5947 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1aa2b07de276b269a7869012d4b4cdda757f0153;p=apache transformations git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1425876 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/directives.html.en b/docs/manual/mod/directives.html.en index a9e70b0261..6ea6458124 100644 --- a/docs/manual/mod/directives.html.en +++ b/docs/manual/mod/directives.html.en @@ -594,6 +594,7 @@
  • SSLProxyCARevocationPath
  • SSLProxyCheckPeerCN
  • SSLProxyCheckPeerExpire
  • +
  • SSLProxyCheckPeerName
  • SSLProxyCipherSuite
  • SSLProxyEngine
  • SSLProxyMachineCertificateChainFile
  • diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en index 63183962ee..8bb9895ce7 100644 --- a/docs/manual/mod/mod_ssl.html.en +++ b/docs/manual/mod/mod_ssl.html.en @@ -77,6 +77,7 @@ to provide the cryptography engine.

  • SSLProxyCARevocationPath
  • SSLProxyCheckPeerCN
  • SSLProxyCheckPeerExpire
  • +
  • SSLProxyCheckPeerName
  • SSLProxyCipherSuite
  • SSLProxyEngine
  • SSLProxyMachineCertificateChainFile
  • @@ -1418,7 +1419,7 @@ SSLProxyCARevocationPath /usr/local/apache2/conf/ssl.crl/
    top

    SSLProxyCheckPeerCN Directive

    - @@ -1427,10 +1428,16 @@ SSLProxyCARevocationPath /usr/local/apache2/conf/ssl.crl/
    Description:Whether to check the remote server certificates CN field +
    Description:Whether to check the remote server certificate's CN field
    Syntax:SSLProxyCheckPeerCN on|off
    Default:SSLProxyCheckPeerCN on
    Module:mod_ssl

    -This directive sets whether the remote server certificates CN field is +This directive sets whether the remote server certificate's CN field is compared against the hostname of the request URL. If both are not equal a 502 status code (Bad Gateway) is sent.

    +

    +SSLProxyCheckPeerCN has been superseded by +SSLProxyCheckPeerName, and its +setting is only taken into account when +SSLProxyCheckPeerName off is specified at the same time. +

    Example

     SSLProxyCheckPeerCN on
     
    @@ -1458,6 +1465,36 @@ SSLProxyCheckPeerExpire on
    +
    +
    top
    +

    SSLProxyCheckPeerName Directive

    + + + + + + + +
    Description:Configure host name checking for remote server certificates +
    Syntax:SSLProxyCheckPeerName on|off
    Default:SSLProxyCheckPeerName on
    Context:server config, virtual host
    Status:Extension
    Module:mod_ssl
    +

    +This directive configures host name checking for server certificates +when mod_ssl is acting as an SSL client. The check will +succeed if the host name from the request URI is found in +either the subjectAltName extension or (one of) the CN attribute(s) +in the certificate's subject. If the check fails, the SSL request +is aborted and a 502 status code (Bad Gateway) is returned. +The directive supersedes SSLProxyCheckPeerCN, +which only checks for the expected host name in the first CN attribute. +

    +

    +Wildcard matching is supported in one specific flavor: subjectAltName entries +of type dNSName or CN attributes starting with *. will match +for any DNS name with the same number of labels and the same suffix +(i.e., *.example.org matches for foo.example.org, +but not for foo.bar.example.org). +

    +
    top

    SSLProxyCipherSuite Directive

    diff --git a/docs/manual/mod/quickreference.html.en b/docs/manual/mod/quickreference.html.en index 2e4293b57a..dba2e5e100 100644 --- a/docs/manual/mod/quickreference.html.en +++ b/docs/manual/mod/quickreference.html.en @@ -962,106 +962,108 @@ Remote Server Auth Remote Server Auth SSLProxyCARevocationPath directory-pathsvEDirectory of PEM-encoded CA CRLs for Remote Server Auth -SSLProxyCheckPeerCN on|off on svEWhether to check the remote server certificates CN field +SSLProxyCheckPeerCN on|off on svEWhether to check the remote server certificate's CN field SSLProxyCheckPeerExpire on|off on svEWhether to check if remote server certificate is expired -SSLProxyCipherSuite cipher-spec ALL:!ADH:RC4+RSA:+H +svdhECipher Suite available for negotiation in SSL +SSLProxyCheckPeerName on|off on svEConfigure host name checking for remote server certificates + +SSLProxyCipherSuite cipher-spec ALL:!ADH:RC4+RSA:+H +svdhECipher Suite available for negotiation in SSL proxy handshake -SSLProxyEngine on|off off svESSL Proxy Engine Operation Switch -SSLProxyMachineCertificateChainFile filenamesEFile of concatenated PEM-encoded CA certificates to be used by the proxy for choosing a certificate -SSLProxyMachineCertificateFile filenamesEFile of concatenated PEM-encoded client certificates and keys to be used by the proxy -SSLProxyMachineCertificatePath directorysEDirectory of PEM-encoded client certificates and keys to be used by the proxy -SSLProxyProtocol [+|-]protocol ... all svEConfigure usable SSL protocol flavors for proxy usage -SSLProxyVerify level none svEType of remote server Certificate verification -SSLProxyVerifyDepth number 1 svEMaximum depth of CA Certificates in Remote Server +SSLProxyEngine on|off off svESSL Proxy Engine Operation Switch +SSLProxyMachineCertificateChainFile filenamesEFile of concatenated PEM-encoded CA certificates to be used by the proxy for choosing a certificate +SSLProxyMachineCertificateFile filenamesEFile of concatenated PEM-encoded client certificates and keys to be used by the proxy +SSLProxyMachineCertificatePath directorysEDirectory of PEM-encoded client certificates and keys to be used by the proxy +SSLProxyProtocol [+|-]protocol ... all svEConfigure usable SSL protocol flavors for proxy usage +SSLProxyVerify level none svEType of remote server Certificate verification +SSLProxyVerifyDepth number 1 svEMaximum depth of CA Certificates in Remote Server Certificate verification -SSLRandomSeed context source -[bytes]sEPseudo Random Number Generator (PRNG) seeding +SSLRandomSeed context source +[bytes]sEPseudo Random Number Generator (PRNG) seeding source -SSLRenegBufferSize bytes 131072 dhESet the size for the SSL renegotiation buffer -SSLRequire expressiondhEAllow access only when an arbitrarily complex +SSLRenegBufferSize bytes 131072 dhESet the size for the SSL renegotiation buffer +SSLRequire expressiondhEAllow access only when an arbitrarily complex boolean expression is true -SSLRequireSSLdhEDeny access when SSL is not used for the +SSLRequireSSLdhEDeny access when SSL is not used for the HTTP request -SSLSessionCache type none sEType of the global/inter-process SSL Session +SSLSessionCache type none sEType of the global/inter-process SSL Session Cache -SSLSessionCacheTimeout seconds 300 svENumber of seconds before an SSL session expires +SSLSessionCacheTimeout seconds 300 svENumber of seconds before an SSL session expires in the Session Cache -SSLSessionTicketKeyFile file-pathsvEPersistent encryption/decryption key for TLS session tickets -SSLSRPUnknownUserSeed secret-stringsvESRP unknown user seed -SSLSRPVerifierFile file-pathsvEPath to SRP verifier file -SSLStaplingCache typesEConfigures the OCSP stapling cache -SSLStaplingErrorCacheTimeout seconds 600 svENumber of seconds before expiring invalid responses in the OCSP stapling cache -SSLStaplingFakeTryLater on|off on svESynthesize "tryLater" responses for failed OCSP stapling queries -SSLStaplingForceURL urisvEOverride the OCSP responder URI specified in the certificate's AIA extension -SSLStaplingResponderTimeout seconds 10 svETimeout for OCSP stapling queries -SSLStaplingResponseMaxAge seconds -1 svEMaximum allowable age for OCSP stapling responses -SSLStaplingResponseTimeSkew seconds 300 svEMaximum allowable time skew for OCSP stapling response validation -SSLStaplingReturnResponderErrors on|off on svEPass stapling related OCSP errors on to client -SSLStaplingStandardCacheTimeout seconds 3600 svENumber of seconds before expiring responses in the OCSP stapling cache -SSLStrictSNIVHostCheck on|off off svEWhether to allow non-SNI clients to access a name-based virtual +SSLSessionTicketKeyFile file-pathsvEPersistent encryption/decryption key for TLS session tickets +SSLSRPUnknownUserSeed secret-stringsvESRP unknown user seed +SSLSRPVerifierFile file-pathsvEPath to SRP verifier file +SSLStaplingCache typesEConfigures the OCSP stapling cache +SSLStaplingErrorCacheTimeout seconds 600 svENumber of seconds before expiring invalid responses in the OCSP stapling cache +SSLStaplingFakeTryLater on|off on svESynthesize "tryLater" responses for failed OCSP stapling queries +SSLStaplingForceURL urisvEOverride the OCSP responder URI specified in the certificate's AIA extension +SSLStaplingResponderTimeout seconds 10 svETimeout for OCSP stapling queries +SSLStaplingResponseMaxAge seconds -1 svEMaximum allowable age for OCSP stapling responses +SSLStaplingResponseTimeSkew seconds 300 svEMaximum allowable time skew for OCSP stapling response validation +SSLStaplingReturnResponderErrors on|off on svEPass stapling related OCSP errors on to client +SSLStaplingStandardCacheTimeout seconds 3600 svENumber of seconds before expiring responses in the OCSP stapling cache +SSLStrictSNIVHostCheck on|off off svEWhether to allow non-SNI clients to access a name-based virtual host. -SSLUserName varnamesdhEVariable name to determine user name -SSLUseStapling on|off off svEEnable stapling of OCSP responses in the TLS handshake -SSLVerifyClient level none svdhEType of Client Certificate verification -SSLVerifyDepth number 1 svdhEMaximum depth of CA Certificates in Client +SSLUserName varnamesdhEVariable name to determine user name +SSLUseStapling on|off off svEEnable stapling of OCSP responses in the TLS handshake +SSLVerifyClient level none svdhEType of Client Certificate verification +SSLVerifyDepth number 1 svdhEMaximum depth of CA Certificates in Client Certificate verification -StartServers numbersMNumber of child server processes created at startup -StartThreads numbersMNumber of threads created on startup -Substitute s/pattern/substitution/[infq]dhEPattern to filter the response content -Suexec On|OffsBEnable or disable the suEXEC feature -SuexecUserGroup User GroupsvEUser and group for CGI programs to run as -ThreadLimit numbersMSets the upper limit on the configurable number of threads +StartServers numbersMNumber of child server processes created at startup +StartThreads numbersMNumber of threads created on startup +Substitute s/pattern/substitution/[infq]dhEPattern to filter the response content +Suexec On|OffsBEnable or disable the suEXEC feature +SuexecUserGroup User GroupsvEUser and group for CGI programs to run as +ThreadLimit numbersMSets the upper limit on the configurable number of threads per child process -ThreadsPerChild numbersMNumber of threads created by each child process -ThreadStackSize sizesMThe size in bytes of the stack used by threads handling +ThreadsPerChild numbersMNumber of threads created by each child process +ThreadStackSize sizesMThe size in bytes of the stack used by threads handling client connections -TimeOut seconds 60 svCAmount of time the server will wait for +TimeOut seconds 60 svCAmount of time the server will wait for certain events before failing a request -TraceEnable [on|off|extended] on svCDetermines the behavior on TRACE requests -TransferLog file|pipesvBSpecify location of a log file -TypesConfig file-path conf/mime.types sBThe location of the mime.types file -UnDefine parameter-namesCUndefine the existence of a variable -UnsetEnv env-variable [env-variable] -...svdhBRemoves variables from the environment -UseCanonicalName On|Off|DNS Off svdCConfigures how the server determines its own name and +TraceEnable [on|off|extended] on svCDetermines the behavior on TRACE requests +TransferLog file|pipesvBSpecify location of a log file +TypesConfig file-path conf/mime.types sBThe location of the mime.types file +UnDefine parameter-namesCUndefine the existence of a variable +UnsetEnv env-variable [env-variable] +...svdhBRemoves variables from the environment +UseCanonicalName On|Off|DNS Off svdCConfigures how the server determines its own name and port -UseCanonicalPhysicalPort On|Off Off svdCConfigures how the server determines its own port -User unix-userid #-1 sBThe userid under which the server will answer +UseCanonicalPhysicalPort On|Off Off svdCConfigures how the server determines its own port +User unix-userid #-1 sBThe userid under which the server will answer requests -UserDir directory-filename [directory-filename] ... -svBLocation of the user-specific directories -VHostCGIMode On|Off|Secure On vXDetermines whether the virtualhost can run +UserDir directory-filename [directory-filename] ... +svBLocation of the user-specific directories +VHostCGIMode On|Off|Secure On vXDetermines whether the virtualhost can run subprocesses, and the privileges available to subprocesses. -VHostPrivs [+-]?privilege-name [[+-]?privilege-name] ...vXAssign arbitrary privileges to subprocesses created +VHostPrivs [+-]?privilege-name [[+-]?privilege-name] ...vXAssign arbitrary privileges to subprocesses created by a virtual host. -VHostGroup unix-groupidvXSets the Group ID under which a virtual host runs. -VHostPrivs [+-]?privilege-name [[+-]?privilege-name] ...vXAssign arbitrary privileges to a virtual host. -VHostSecure On|Off On vXDetermines whether the server runs with enhanced security +VHostGroup unix-groupidvXSets the Group ID under which a virtual host runs. +VHostPrivs [+-]?privilege-name [[+-]?privilege-name] ...vXAssign arbitrary privileges to a virtual host. +VHostSecure On|Off On vXDetermines whether the server runs with enhanced security for the virtualhost. -VHostUser unix-useridvXSets the User ID under which a virtual host runs. -VirtualDocumentRoot interpolated-directory|none none svEDynamically configure the location of the document root +VHostUser unix-useridvXSets the User ID under which a virtual host runs. +VirtualDocumentRoot interpolated-directory|none none svEDynamically configure the location of the document root for a given virtual host -VirtualDocumentRootIP interpolated-directory|none none svEDynamically configure the location of the document root +VirtualDocumentRootIP interpolated-directory|none none svEDynamically configure the location of the document root for a given virtual host -<VirtualHost +<VirtualHost addr[:port] [addr[:port]] - ...> ... </VirtualHost>sCContains directives that apply only to a specific + ...> ... </VirtualHost>sCContains directives that apply only to a specific hostname or IP address -VirtualScriptAlias interpolated-directory|none none svEDynamically configure the location of the CGI directory for +VirtualScriptAlias interpolated-directory|none none svEDynamically configure the location of the CGI directory for a given virtual host -VirtualScriptAliasIP interpolated-directory|none none svEDynamically configure the location of the CGI directory for +VirtualScriptAliasIP interpolated-directory|none none svEDynamically configure the location of the CGI directory for a given virtual host -Warning messagesvdhCWarn from configuration parsing with a custom message -WatchdogInterval number-of-seconds 1 sBWatchdog interval in seconds -XBitHack on|off|full off svdhBParse SSI directives in files with the execute bit +Warning messagesvdhCWarn from configuration parsing with a custom message +WatchdogInterval number-of-seconds 1 sBWatchdog interval in seconds +XBitHack on|off|full off svdhBParse SSI directives in files with the execute bit set -xml2EncAlias charset alias [alias ...]sBRecognise Aliases for encoding values -xml2EncDefault namesvdhBSets a default encoding to assume when absolutely no information +xml2EncAlias charset alias [alias ...]sBRecognise Aliases for encoding values +xml2EncDefault namesvdhBSets a default encoding to assume when absolutely no information can be automatically detected -xml2StartParse element [element ...]svdhBAdvise the parser to skip leading junk. +xml2StartParse element [element ...]svdhBAdvise the parser to skip leading junk.

    Available Languages:  de  |