From: Luca Toscano Date: Wed, 13 Sep 2017 14:58:58 +0000 (+0000) Subject: Documentation rebuild X-Git-Tag: 2.5.0-alpha~124 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d89685ee939053f999aeef736a71b53bec667087;p=apache Documentation rebuild git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1808250 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/directives.html.en b/docs/manual/mod/directives.html.en index 4755a6b0f5..2b59a1507d 100644 --- a/docs/manual/mod/directives.html.en +++ b/docs/manual/mod/directives.html.en @@ -456,9 +456,11 @@
  • MDHttpProxy
  • MDMember
  • MDMembers
  • +
  • MDMustStaple
  • MDPortMap
  • MDPrivateKeys
  • MDRenewWindow
  • +
  • MDRequireHttps
  • MDStoreDir
  • MemcacheConnTTL
  • MergeTrailers
  • diff --git a/docs/manual/mod/mod_md.html.en b/docs/manual/mod/mod_md.html.en index f258e4ee4c..ec1df0cffc 100644 --- a/docs/manual/mod/mod_md.html.en +++ b/docs/manual/mod/mod_md.html.en @@ -43,7 +43,7 @@ (RFC Draft) to automate certificate provisioning. These will be configured for managed domains and their virtual hosts automatically. This includes renewal of certificates before they - expire. The most famous Certificate Autority currently implementing the ACME protocol + expire. The most famous Certificate Authority currently implementing the ACME protocol is Let's Encrypt.

    Warning

    @@ -93,9 +93,11 @@
  • MDHttpProxy
  • MDMember
  • MDMembers
  • +
  • MDMustStaple
  • MDPortMap
  • MDPrivateKeys
  • MDRenewWindow
  • +
  • MDRequireHttps
  • MDStoreDir
  • Bugfix checklist

    See also

    @@ -152,7 +154,7 @@ ManagedDomain example.org www.example.org

    There are two special names that you may use in this directive: 'manual' and 'auto'. This determines if a Managed Domain shall have exactly the - name list as is configured ('manual') or offer more convenince. With 'auto' + name list as is configured ('manual') or offer more convenience. With 'auto' all names of a virtual host are added to a MD.

    Example

    ManagedDomain example.org
    @@ -251,7 +253,7 @@ ManagedDomain example.org www.example.org mail.example.org
    The URL where the CA offers its service.

    Let's Encrypt offers, right now, two such URLs. One for the real certificates and - one for testing (their staging area, athttps://acme-staging.api.letsencrypt.org/directory). + one for testing (their staging area, at https://acme-staging.api.letsencrypt.org/directory). In order to have mod_md use this testing service, configure your server like this:

    @@ -284,14 +286,14 @@ MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2 Module:mod_md

    In 'auto' mode, mod_md will drive a Managed Domain's - properties (e.g. certicate management) whenever necessary. When a MD is not used + properties (e.g. certificate management) whenever necessary. When a MD is not used in any virtual host, the module will do nothing. When a certificate is missing, it will try to get one. When a certificate expires soon (see MDRenewWindow), it will renew it.

    - In 'manual' mode, it is your duty to do all this. The module will provide existing - ceriticate to mod_ssl, if available. But it will not contact the CA for signup/renewal. + In 'manual' mode, it is your duty to do all this. The module will provide the existing + certificate to mod_ssl, if available. But it will not contact the CA for signup/renewal. This can be useful in clustered setups where you want just one node to perform the driving.

    @@ -303,14 +305,15 @@ MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2

    top

    MDHttpProxy Directive

    - + -
    Description:The URL of the HTTP proxy to use.
    Description:Define a proxy for outgoing connections.
    Syntax:MDHttpProxy url
    Default:MDHttpProxy
    Context:server config
    Status:Extension
    Module:mod_md
    -

    Use a HTTP proxy to connect to the MDCertificateAuthority url.

    +

    Use a http proxy to connect to the MDCertificateAuthority. Define this + if your webserver can only reach the internet with a forward proxy. +

    top
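Review bot: The rewritten MDHttpProxy paragraph still does not say what form the url argument takes, and the unchanged row "Default:MDHttpProxy" shows the directive name with no value, so a reader cannot tell whether the default is "no proxy". Suggest making the default row explicit (for example "none") and adding one example line with a placeholder proxy URL under the new paragraph. Minor wording: "Use a http proxy" should read "Use an HTTP proxy", and the paragraph should keep the word "url" after MDCertificateAuthority, as the removed line had it, so it is clear which connection is proxied.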
    @@ -355,6 +358,24 @@ MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2 are automatically added to the members of a Managed Domain or not.

    +
    +
    top
    +

    MDMustStaple Directive

    + + + + + + + +
    Description:Control if new certificates carry the OCSP Must Staple flag.
    Syntax:MDMustStaple on|off
    Default:MDMustStaple off
    Context:server config
    Status:Extension
    Module:mod_md
    +

    Defines if newly requested certificate should have the OCSP Must Staple flag + set or not. If a certificate has this flag, the server is required to send a + OCSP stapling response to every client. This only works if you configure + mod_ssl to generate this (see SSLUseStapling + and friends). +

    +
    top

    MDPortMap Directive
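Review bot: The added MDMustStaple paragraph says the flag "only works if you configure mod_ssl to generate this" but never states the consequence of setting "MDMustStaple on" without stapling configured. The same paragraph says the server is then required to send an OCSP stapling response to every client, so the text should say plainly that SSLUseStapling has to be enabled before this is switched on, and should place that sentence before the description of the flag rather than after it. It should also spell out that only newly requested certificates are affected, so changing the setting does not alter a certificate that has already been issued. Minor: "a OCSP stapling response" should be "an OCSP stapling response", and "newly requested certificate" should be plural.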

    @@ -427,20 +448,68 @@ MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2 - +
    Description:Control when a certificate will be renewed.
    Syntax:MDRenewWindow duration
    Default:MDRenewWindow 14d
    Default:MDRenewWindow 33%
    Context:server config
    Status:Extension
    Module:mod_md

    - Tells mod_md when to renew a certificate. The default means 14 days before a - certificate actually expires. If you configure this too short, a CA might - not be reachable in time and your server will show an invalid certificate. If - you do it too long, the CA might think you are a bother and block your requests. - Let's Encrypt has a certificate expiration of 90 days. So, if you configure the - renew window to 89 days, mod_md will renew the certificate - every day and Let's Encrypt will block you. + If the validity of the certificate falls below duration, mod_md will get a + new signed certificate. +

    + Normally, certificates are valid for around 90 days and mod_md will renew + them the earliest 33% of their complete lifetime before they expire (so for + 90 days validity, 30 days before it expires). If you think this is not what + you need, you can specify either the exact time, as in:

    +

    Example

    # 21 days before expiry
    +MDRenewWindow 21d 
    +# 30 seconds (might be close)
    +MDRenewWindow 30s
    +# 10% of the cert lifetime
    +MDRenewWindow 10%
    +
    +

    When in auto drive mode, the module will check every 12 hours at least + what the status of the managed domains is and if it needs to do something. + On errors, for example when the CA is unreachable, it will initially retry + after some seconds. Should that continue to fail, it will back off to a + maximum interval of hourly checks. +

    + +
    +
    top
    +

    MDRequireHttps Directive

    + + + + + + + +
    Description:Redirects http: traffic to https: for Managed Domains.
    Syntax:MDRequireHttps off|temporary|permanent
    Default:MDRequireHttps off
    Context:server config
    Status:Extension
    Module:mod_md
    +

    This is a convenience directive to ease http: to https: migration of + your Managed Domains. With: +

    +

    Example

    MDRequireHttps temporary
    +
    +

    you announce that you want all traffic via http: URLs to be redirected + to the https: ones, for now. If you want client to no longer use the + http: URLs, configure: +

    +

    Example

    MDRequireHttps permanent
    +
    +

    You can achieve the same with mod_alias and some Redirect configuration, + basically. If you do it yourself, please make sure to exclude the paths + /.well-known/* from your redirection, otherwise mod_md might have trouble + signing on new certificates. +

    +

    If you set this globally, it applies to all managed domains. If you want + it for a specific domain only, use: +

    +

    Example

    <ManagedDomain xxx.yyy>
    +  MDRequireHttps permanent
    +</ManagedDomain>
    +
    top
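Review bot: The MDRenewWindow rewrite drops the removed paragraph's warning about both failure modes (a window that is too short leaves no time if the CA is unreachable, a window that is too long makes the CA block requests) while adding the example "MDRenewWindow 30s" with only the comment "(might be close)". Suggest keeping one sentence of that caution next to the example, or removing the 30s example, since a reader copying it gets no hint of the risk. In the same paragraph, "you can specify either the exact time, as in:" has an "either" with no second alternative in the prose; the percentage form appears only in the example comments and should be named in the sentence. In the MDRequireHttps section, the text tells people who write their own Redirect rules to exclude /.well-known/* but does not say whether MDRequireHttps itself leaves those paths reachable over http:, and it does not say what "temporary" and "permanent" mean for the client beyond "for now"; both should be stated. The last example uses the placeholder "xxx.yyy" where the rest of the page uses example.org.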
    diff --git a/docs/manual/mod/mod_proxy_fcgi.xml.fr b/docs/manual/mod/mod_proxy_fcgi.xml.fr index fa2e4c5696..806447c96e 100644 --- a/docs/manual/mod/mod_proxy_fcgi.xml.fr +++ b/docs/manual/mod/mod_proxy_fcgi.xml.fr @@ -1,7 +1,7 @@ - +