From 483c751b71b767b4b15e62b5accf84210716ab49 Mon Sep 17 00:00:00 2001 From: Luca Toscano Date: Wed, 18 Oct 2017 14:22:44 +0000 Subject: [PATCH] Documentation rebuild git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1812519 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_md.html.en | 39 ++++++++++++++++++++------------ docs/manual/mod/mod_ssl.html.en | 8 ++++++- docs/manual/mod/mod_ssl.xml.fr | 2 +- docs/manual/mod/mod_ssl.xml.meta | 2 +- 4 files changed, 33 insertions(+), 18 deletions(-) diff --git a/docs/manual/mod/mod_md.html.en b/docs/manual/mod/mod_md.html.en index f854372d54..d57f90d2cc 100644 --- a/docs/manual/mod/mod_md.html.en +++ b/docs/manual/mod/mod_md.html.en @@ -510,12 +510,32 @@ MDRenewWindow 10%

Example

MDRequireHttps temporary

you announce that you want all traffic via http: URLs to be redirected - to the https: ones, for now. If you want client to no longer use the + to the https: ones, for now. This is safe and you can remove this again at + any time. +

+ The following has consequences: if you want client to no longer use the http: URLs, configure:

-

Example

MDRequireHttps permanent
+

Permanent (for at least half a year!)

MDRequireHttps permanent
-

You can achieve the same with mod_alias and some Redirect configuration, +

This does two things: +

+
    +
  1. All request to the http: resources are redirected to the + same url with the https: scheme using the 301 + status code. This tells clients that this is intended to be forever and + the should update any links they have accordingly. +
  2. +
  3. All answers to https: requests will carry the header + Strict-Transport-Security with a life time of half a year. + This tells the browser that it never (for half a year) shall use http: + when talking to this domain name. Browsers will, after having seen this, refuse + to contact your unencrypted site. This prevents malicious middleware to + downgrade connections and listen/manipulate the traffic. Which is good. But + you cannot simply take it back again. +
  4. +
+

You can achieve the same with mod_alias and some Redirect configuration, basically. If you do it yourself, please make sure to exclude the paths /.well-known/* from your redirection, otherwise mod_md might have trouble signing on new certificates. @@ -524,20 +544,9 @@ MDRenewWindow 10% it for a specific domain only, use:

Example

<ManagedDomain xxx.yyy>
-  MDRequireHttps permanent
+  MDRequireHttps temporary
 </ManagedDomain>
-

When you configure MDRequireHttps permanent, an additional security - feature is automatically applied: HSTS. This adds the header - Strict-Transport-Security to responses sent out via https:. - Basically, this instructs the browser to only perform secure - communications with that domain. This instruction holds for the - amount of time specified in the header as 'max-age'. - This is about half a year as generated by mod_md. -

- It is therefore advisable to first test the MDRequireHttps temporary - configuration and switch to permanent only once that works satisfactory. -

top
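Review bot: with the closing paragraph removed in the second mod_md hunk, nothing in this section still recommends trying MDRequireHttps temporary before switching to permanent, and the header's 'max-age' field is no longer named; the new list item on Strict-Transport-Security only says "a life time of half a year". Suggest keeping one sentence of that advice after the list and naming max-age there, so readers know which value in the response header carries the half-year commitment. The added text in the first hunk also needs a wording pass: "All request to the http: resources", "the should update any links", "if you want client to no longer use", and "prevents malicious middleware to downgrade connections".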
diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en index 180ef3861d..e7eaf12fd0 100644 --- a/docs/manual/mod/mod_ssl.html.en +++ b/docs/manual/mod/mod_ssl.html.en @@ -201,7 +201,7 @@ compatibility variables.

x509 specifies a component of an X.509 DN; one of -C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email. In Apache 2.1 and +C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email. In httpd 2.2.0 and later, x509 may also include a numeric _n suffix. If the DN in question contains multiple attributes of the same name, this suffix is used as a zero-based index to select a @@ -217,6 +217,12 @@ the SSLOptions directiv first (or only) attribute of any DN is added only under a non-suffixed name; i.e. no _0 suffixed entries are added.

+

In httpd 2.5.0 and later, an optional _RAW suffix may be +added to x509 in a DN component, to suppress conversion of +the attribute value to UTF-8. This must be placed after the index +suffix (if any). For example, SSL_SERVER_S_DN_OU_RAW or +SSL_SERVER_S_DN_OU_0_RAW could be used.

+

The format of the *_DN variables has changed in Apache HTTPD 2.3.11. See the LegacyDNStringFormat option for SSLOptions for details.
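Review bot: the added _RAW paragraph in the second mod_ssl hunk says the suffix suppresses conversion of the attribute value to UTF-8, but it does not say what encoding the value then has or when a reader would want the raw form. Suggest one more sentence stating the encoding of a *_RAW value and that consumers of these variables must not assume UTF-8. Version naming is also inconsistent across the two hunks and their context: "In httpd 2.2.0 and later", "In httpd 2.5.0 and later", and the unchanged "Apache HTTPD 2.3.11"; pick one form.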

diff --git a/docs/manual/mod/mod_ssl.xml.fr b/docs/manual/mod/mod_ssl.xml.fr index 7dfe0027f2..59e466f9a0 100644 --- a/docs/manual/mod/mod_ssl.xml.fr +++ b/docs/manual/mod/mod_ssl.xml.fr @@ -1,7 +1,7 @@ - +