<li><a href="mod_macro.html#macro" id="M" name="M"><Macro></a></li>
<li><a href="mod_macro.html#macroignorebadnesting">MacroIgnoreBadNesting</a></li>
<li><a href="mod_macro.html#macroignoreemptyargs">MacroIgnoreEmptyArgs</a></li>
-<li><a href="mod_md.html#manageddomain">ManagedDomain</a></li>
-<li><a href="mod_md.html#manageddomain"><ManagedDomain></a></li>
<li><a href="mpm_common.html#maxconnectionsperchild">MaxConnectionsPerChild</a></li>
<li><a href="core.html#maxkeepaliverequests">MaxKeepAliveRequests</a></li>
<li><a href="mpm_common.html#maxmemfree">MaxMemFree</a></li>
<li><a href="mod_md.html#mdmembers">MDMembers</a></li>
<li><a href="mod_md.html#mdmuststaple">MDMustStaple</a></li>
<li><a href="mod_md.html#mdnotifycmd">MDNotifyCmd</a></li>
+<li><a href="mod_md.html#mdomain">MDomain</a></li>
+<li><a href="mod_md.html#mdomainset"><MDomainSet></a></li>
<li><a href="mod_md.html#mdportmap">MDPortMap</a></li>
<li><a href="mod_md.html#mdprivatekeys">MDPrivateKeys</a></li>
<li><a href="mod_md.html#mdrenewwindow">MDRenewWindow</a></li>
<li><a href="mod_ssl.html#sslopensslconfcmd">SSLOpenSSLConfCmd</a></li>
<li><a href="mod_ssl.html#ssloptions">SSLOptions</a></li>
<li><a href="mod_ssl.html#sslpassphrasedialog">SSLPassPhraseDialog</a></li>
-<li><a href="mod_ssl.html#sslpolicy"><SSLPolicy></a></li>
<li><a href="mod_ssl.html#sslpolicy">SSLPolicy</a></li>
+<li><a href="mod_ssl.html#sslpolicydefine"><SSLPolicyDefine></a></li>
<li><a href="mod_ssl.html#sslprotocol">SSLProtocol</a></li>
<li><a href="mod_ssl.html#sslproxycacertificatefile">SSLProxyCACertificateFile</a></li>
<li><a href="mod_ssl.html#sslproxycacertificatepath">SSLProxyCACertificatePath</a></li>
<p>Simple configuration example:</p>
<div class="note"><h3>TLS in a VirtualHost context</h3>
- <pre class="prettyprint lang-config">ManagedDomain example.org
+ <pre class="prettyprint lang-config">MDomain example.org
<VirtualHost *:443>
ServerName example.org
</div>
<div id="quickview"><h3 class="directives">Directives</h3>
<ul id="toc">
-<li><img alt="" src="../images/down.gif" /> <a href="#manageddomain">ManagedDomain</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#manageddomainsection"><ManagedDomain></a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mdcachallenges">MDCAChallenges</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mdcertificateagreement">MDCertificateAgreement</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mdcertificateauthority">MDCertificateAuthority</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mdmembers">MDMembers</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mdmuststaple">MDMustStaple</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mdnotifycmd">MDNotifyCmd</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#mdomain">MDomain</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#mdomainsetsection"><MDomainSet></a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mdportmap">MDPortMap</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mdprivatekeys">MDPrivateKeys</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mdrenewwindow">MDRenewWindow</a></li>
<ul class="seealso">
<li><a href="#comments_section">Comments</a></li></ul></div>
-<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
-<div class="directive-section"><h2><a name="ManagedDomain" id="ManagedDomain">ManagedDomain</a> <a name="manageddomain" id="manageddomain">Directive</a></h2>
-<table class="directive">
-<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Define list of domain names that belong to one group.</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>ManagedDomain <var>dns-name</var> [ <var>other-dns-name</var>... ] [auto|manual]</code></td></tr>
-<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
-<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
-<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_md</td></tr>
-</table>
- <p>
- All the names in the list are managed as one Managed Domain (MD).
- mod_md will request one single certificate that is valid for all these names. This
- directive uses the global settings (see other MD directives below). If you
- need specific settings for one MD, use
- the <code class="directive"><a href="#manageddomain"><ManagedDomain></a></code>.
- </p><p>
- There are 2 additional settings that are necessary for a Managed Domain:
- <code class="directive"><a href="../mod/core.html#serveradmin">ServerAdmin</a></code>
- and <code class="directive"><a href="#mdcertificateagreement">MDCertificateAgreement</a></code>.
- The mail address of <code class="directive"><a href="../mod/core.html#serveradmin">ServerAdmin</a></code>
- is used to register at the CA (Let's Encrypt by default).
- The CA may use it to notify you about
- changes in its service or status of your certificates.
- </p><p>
- The second setting, <code class="directive"><a href="#mdcertificateagreement">MDCertificateAgreement</a></code>,
- is the URL of the Terms of Service of the CA. When you configure the URL,
- you confirm that you have read and agree to the terms described in the linked
- document. Before you do that, the CA will not hand out certificates to you.
- </p>
- <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">ServerAdmin mailto:admin@example.org
-MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
-ManagedDomain example.org www.example.org
-
-<VirtualHost *:443>
- ServerName example.org
- DocumentRoot htdocs/root
-
- SSLEngine on
-</VirtualHost>
-
-<VirtualHost *:443>
- ServerName www.example.org
- DocumentRoot htdocs/www
-
- SSLEngine on
-</VirtualHost></pre>
-</div>
- <p>
- There are two special names that you may use in this directive: 'manual'
- and 'auto'. This determines if a Managed Domain shall have exactly the
- name list as is configured ('manual') or offer more convenience. With 'auto'
- all names of a virtual host are added to a MD. Conventiently, 'auto' is also
- the default.
- </p>
- <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">ManagedDomain example.org
-
-<VirtualHost *:443>
- ServerName example.org
- ServerAlias www.example.org
- DocumentRoot htdocs/root
-
- SSLEngine on
-</VirtualHost>
-
-ManagedDomain example2.org auto
-
-<VirtualHost *:443>
- ServerName example2.org
- ServerAlias www.example2.org
- ...
-</VirtualHost></pre>
-</div>
- <p>
- In this example, the domain 'www.example.org' is automatically added to
- the MD 'example.org'. Similarly for 'example2.org' where 'auto' is configured
- explicitly. Whenever you add more ServerAlias names to this
- virtual host, they will be added as well to the Manged Domain.
- </p><p>
- If you prefer to explicitly declare all the domain names, use 'manual' mode.
- An error will be logged if the names do not match with the expected ones.
- </p>
-
-</div>
-<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
-<div class="directive-section"><h2><a name="ManagedDomainsection" id="ManagedDomainsection"><ManagedDomain></a> <a name="manageddomainsection" id="manageddomainsection">Directive</a></h2>
-<table class="directive">
-<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Container for directives applied to the same managed domains.</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code><ManagedDomain <var>dns-name</var> [ <var>other-dns-name</var>... ]>...</ManagedDomain></code></td></tr>
-<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
-<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
-<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_md</td></tr>
-</table>
- <p>
- This directive allows you to define a Managed Domain (MD) with specific
- settings, different from the global MD* ones. For example, you can have
- such an MD use another CA then Let's Encrypt, have its unique renewal duration
- etc.
- </p>
- <div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><ManagedDomain sandbox.example.org>
- MDCertificateAuthority https://someotherca.com/ACME
- MDCertificateAgreement https://someotherca.com/terms/v_1.02.pdf
-</ManagedDomain></pre>
-</div>
- <p>This is a specialized version of <code class="directive"><a href="#manageddomain">ManagedDomain</a></code>,
- it should be used only when a fine grained configuration is required.
- <code class="directive"><a href="#manageddomain">ManagedDomain</a></code> is the suggested choice
- for the general use case.</p>
-
-</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="MDCAChallenges" id="MDCAChallenges">MDCAChallenges</a> <a name="mdcachallenges" id="mdcachallenges">Directive</a></h2>
<table class="directive">
<p>In case of Let's Encrypt, their current <a href="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf">Terms of Service are here</a>.
Those terms might (and probably will) change over time. So, the certificate renewal might require you to update this agreement URL.</p>
<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
-ManagedDomain example.org www.example.org mail.example.org</pre>
+MDomain example.org www.example.org mail.example.org</pre>
</div>
</div>
<code class="directive"><a href="#mdmember">MDMember</a></code> to add such names
to a managed domain.
</p>
- <div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><ManagedDomain example.org>
+ <div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><MDomainSet example.org>
MDMember www.example.org
MDMember mail.example.org
-</ManagedDomain example.org></pre>
+</MDomainSet example.org></pre>
</div>
<p>
If you use it in the global context, outside a specific MD, you can only
specify one value, 'auto' or 'manual' as the default for all other MDs. See
- <code class="directive"><a href="#manageddomain">ManagedDomain</a></code> for a
+ <code class="directive"><a href="#mdomain">MDomain</a></code> for a
description of these special values.
</p>
run successfully.
</p>
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="MDomain" id="MDomain">MDomain</a> <a name="mdomain" id="mdomain">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Define list of domain names that belong to one group.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDomain <var>dns-name</var> [ <var>other-dns-name</var>... ] [auto|manual]</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_md</td></tr>
+</table>
+ <p>
+ All the names in the list are managed as one Managed Domain (MD).
+ mod_md will request one single certificate that is valid for all these names. This
+ directive uses the global settings (see other MD directives below). If you
+ need specific settings for one MD, use
+ the <code class="directive"><a href="#mdomainset"><MDomainSet></a></code>.
+ </p><p>
+ There are 2 additional settings that are necessary for a Managed Domain:
+ <code class="directive"><a href="../mod/core.html#serveradmin">ServerAdmin</a></code>
+ and <code class="directive"><a href="#mdcertificateagreement">MDCertificateAgreement</a></code>.
+ The mail address of <code class="directive"><a href="../mod/core.html#serveradmin">ServerAdmin</a></code>
+ is used to register at the CA (Let's Encrypt by default).
+ The CA may use it to notify you about
+ changes in its service or status of your certificates.
+ </p><p>
+ The second setting, <code class="directive"><a href="#mdcertificateagreement">MDCertificateAgreement</a></code>,
+ is the URL of the Terms of Service of the CA. When you configure the URL,
+ you confirm that you have read and agree to the terms described in the linked
+ document. Before you do that, the CA will not hand out certificates to you.
+ </p>
+ <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">ServerAdmin mailto:admin@example.org
+MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
+MDomain example.org www.example.org
+
+<VirtualHost *:443>
+ ServerName example.org
+ DocumentRoot htdocs/root
+
+ SSLEngine on
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName www.example.org
+ DocumentRoot htdocs/www
+
+ SSLEngine on
+</VirtualHost></pre>
+</div>
+ <p>
+ There are two special names that you may use in this directive: 'manual'
+ and 'auto'. This determines if a Managed Domain shall have exactly the
+ name list as is configured ('manual') or offer more convenience. With 'auto'
+ all names of a virtual host are added to a MD. Conventiently, 'auto' is also
+ the default.
+ </p>
+ <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">MDomain example.org
+
+<VirtualHost *:443>
+ ServerName example.org
+ ServerAlias www.example.org
+ DocumentRoot htdocs/root
+
+ SSLEngine on
+</VirtualHost>
+
+MDomain example2.org auto
+
+<VirtualHost *:443>
+ ServerName example2.org
+ ServerAlias www.example2.org
+ ...
+</VirtualHost></pre>
+</div>
+ <p>
+ In this example, the domain 'www.example.org' is automatically added to
+ the MD 'example.org'. Similarly for 'example2.org' where 'auto' is configured
+ explicitly. Whenever you add more ServerAlias names to this
+ virtual host, they will be added as well to the Manged Domain.
+ </p><p>
+ If you prefer to explicitly declare all the domain names, use 'manual' mode.
+ An error will be logged if the names do not match with the expected ones.
+ </p>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="MDomainSetsection" id="MDomainSetsection"><MDomainSet></a> <a name="mdomainsetsection" id="mdomainsetsection">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Container for directives applied to the same managed domains.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code><MDomainSet <var>dns-name</var> [ <var>other-dns-name</var>... ]>...</MDomainSet></code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_md</td></tr>
+</table>
+ <p>
+ This directive allows you to define a Managed Domain (MD) with specific
+ settings, different from the global MD* ones. For example, you can have
+ such an MD use another CA then Let's Encrypt, have its unique renewal duration
+ etc.
+ </p>
+ <div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><MDomainSet sandbox.example.org>
+ MDCertificateAuthority https://someotherca.com/ACME
+ MDCertificateAgreement https://someotherca.com/terms/v_1.02.pdf
+</MDomainSet></pre>
+</div>
+ <p>This is a specialized version of <code class="directive"><a href="#mdomain">MDomain</a></code>,
+ it should be used only when a fine grained configuration is required.
+ <code class="directive"><a href="#mdomain">MDomain</a></code> is the suggested choice
+ for the general use case.</p>
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="MDPortMap" id="MDPortMap">MDPortMap</a> <a name="mdportmap" id="mdportmap">Directive</a></h2>
<p>If you set this globally, it applies to all managed domains. If you want
it for a specific domain only, use:
</p>
- <div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><ManagedDomain xxx.yyy>
+ <div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><MDomainSet xxx.yyy>
MDRequireHttps temporary
-</ManagedDomain></pre>
+</MDomainSet></pre>
</div>
</div>
<li><img alt="" src="../images/down.gif" /> <a href="#sslopensslconfcmd">SSLOpenSSLConfCmd</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ssloptions">SSLOptions</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslpassphrasedialog">SSLPassPhraseDialog</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#sslpolicysection"><SSLPolicy></a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslpolicy">SSLPolicy</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#sslpolicydefinesection"><SSLPolicyDefine></a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslprotocol">SSLProtocol</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslproxycacertificatefile">SSLProxyCACertificateFile</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></li>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The <code>addr:port</code> parameter is available in Apache 2.4.28 and later.</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The <code>addr:port</code> parameter is available in Apache 2.4.30 and later.</td></tr>
</table>
<p>
This directive toggles the usage of the SSL/TLS Protocol Engine. Values 'on',
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
-<div class="directive-section"><h2><a name="SSLPolicysection" id="SSLPolicysection"><SSLPolicy></a> <a name="sslpolicysection" id="sslpolicysection">Directive</a></h2>
+<div class="directive-section"><h2><a name="SSLPolicy" id="SSLPolicy">SSLPolicy</a> <a name="sslpolicy" id="sslpolicy">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Apply a SSLPolicy by name</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLPolicy <em>name</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.4.30 and later</td></tr>
+</table>
+<p>This directive applies the set of SSL* directives defined
+under 'name' (see <code class="directive"><SSLPolicyDefine></code>) as the <em>base</em>
+settings in the current context. Apache comes with the following pre-defined policies from
+Mozilla, the makers of the Firefox browser
+(<a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations">see here
+for a detailed description by them.</a>):
+</p>
+<ul>
+ <li><code>modern</code>: recommended when your server is accessible on the open Internet. Works with all modern browsers, but old devices might be unable to connect.</li>
+ <li><code>intermediate</code>: the fallback if you need to support old (but not very old) clients.</li>
+ <li><code>old</code>: when you need to give Windows XP/Internet Explorer 6 access. The last resort.</li>
+</ul>
+
+<p>You can check the detailed description of all defined policies via the command line:</p>
+<div class="example"><h3>List all Defined Policies</h3><pre class="prettyprint lang-sh">httpd -t -D DUMP_SSL_POLICIES</pre>
+</div>
+
+<p>A SSLPolicy defines the baseline for the context it is used in. That means that any
+other SSL* directives in the same context override it. As an example of this, see the effective
+<code class="directive">SSLProtocol</code> value in the following settings:</p>
+
+<div class="example"><h3>Policy Precedence</h3><pre class="prettyprint lang-config"><VirtualHost...> # effective: 'all'
+ SSLPolicy modern
+ SSLProtocol all
+</VirtualHost>
+
+<VirtualHost...> # effective: 'all'
+ SSLProtocol all
+ SSLPolicy modern
+</VirtualHost>
+
+SSLPolicy modern
+<VirtualHost...> # effective: 'all'
+ SSLProtocol all
+</VirtualHost>
+
+SSLProtocol all
+<VirtualHost...> # effective: '+TLSv1.2'
+ SSLPolicy modern
+</VirtualHost></pre>
+</div>
+
+<p>There can be more than one policy applied in a context. The
+later ones overshadowing the earlier ones:</p>
+
+<div class="example"><h3>Policy Ordering</h3><pre class="prettyprint lang-config"><VirtualHost...> # effective protocol: 'all -SSLv3'
+ SSLPolicy modern
+ SSLPolicy intermediate
+</VirtualHost>
+
+<VirtualHost...> # effective protocol: '+TLSv1.2'
+ SSLPolicy intermediate
+ SSLPolicy modern
+</VirtualHost></pre>
+</div>
+
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="SSLPolicyDefinesection" id="SSLPolicyDefinesection"><SSLPolicyDefine></a> <a name="sslpolicydefinesection" id="sslpolicydefinesection">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Define a named set of SSL configurations</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code><SSLPolicy <em>name</em>></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.4.28 and later</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.4.30 and later</td></tr>
</table>
<p>This directive defines a set of SSL* configurations under
and gives it a name. This name can be used in the directives
<code class="directive">SSLPolicy</code> and <code class="directive">SSLProxyPolicy</code>
to apply this configuration set in the current context.</p>
-<div class="example"><h3>Define and Use of a Policy</h3><pre class="prettyprint lang-config"><SSLPolicy safe-stapling>
+<div class="example"><h3>Define and Use of a Policy</h3><pre class="prettyprint lang-config"><SSLPolicyDefine safe-stapling>
SSLUseStapling on
SSLStaplingResponderTimeout 2
SSLStaplingReturnResponderErrors off
SSLStaplingFakeTryLater off
SSLStaplingStandardCacheTimeout 86400
-</SSLPolicy>
+</SSLPolicyDefine>
...
<VirtualHost...>
<div class="example"><h3>List all Defined Policies</h3><pre class="prettyprint lang-sh">httpd -t -D DUMP_SSL_POLICIES</pre>
</div>
-<p>The directive can only be used in the server config (global context), so
-there cannot be two policies with the same name. However, policies can
+<p>The directive can only be used in the server config (global context). It can take
+most SSL* directives, however a few can only be set once and are not allowed inside
+policy defintions. These are <code class="directive">SSLCryptoDevice</code>,
+<code class="directive">SSLRandomSeed</code>,
+<code class="directive">SSLSessionCache</code> and
+<code class="directive">SSLStaplingCache</code>.
+</p>
+<p>Two policies cannot have the same name. However, policies can
be redefined:</p>
-<div class="example"><h3>Policy Overwrite</h3><pre class="prettyprint lang-config"><SSLPolicy proxy-trust>
+<div class="example"><h3>Policy Overwrite</h3><pre class="prettyprint lang-config"><SSLPolicyDefine proxy-trust>
SSLProxyVerify require
-</SSLPolicy>
+</SSLPolicyDefine>
...
-<SSLPolicy proxy-trust>
+<SSLPolicyDefine proxy-trust>
SSLProxyVerify none
-</SSLPolicy></pre>
+</SSLPolicyDefine></pre>
</div>
<p>Policy definitions are <em>added</em> in the order they appear, but are
<p>Additional to replacing policies, redefinitions may just alter
an aspect of a policy:</p>
-<div class="example"><h3>Policy Redefine</h3><pre class="prettyprint lang-config"><SSLPolicy proxy-trust>
+<div class="example"><h3>Policy Redefine</h3><pre class="prettyprint lang-config"><SSLPolicyDefine proxy-trust>
SSLProxyVerify require
-</SSLPolicy>
+</SSLPolicyDefine>
...
-<SSLPolicy proxy-trust>
+<SSLPolicyDefine proxy-trust>
SSLPolicy proxy-trust
SSLProxyVerifyDepth 10
-</SSLPolicy></pre>
+</SSLPolicyDefine></pre>
</div>
<p>This re-uses all settings from the previous 'proxy-trust' and adds
<div class="example"><h3>Tweak a Pre-Defined Policy</h3><pre class="prettyprint lang-config">Include ssl-policies.conf
-<SSLPolicy modern>
+<SSLPolicyDefine modern>
SSLPolicy modern
SSLProxyVerify none
-</SSLPolicy></pre>
-</div>
-
-
-</div>
-<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
-<div class="directive-section"><h2><a name="SSLPolicy" id="SSLPolicy">SSLPolicy</a> <a name="sslpolicy" id="sslpolicy">Directive</a></h2>
-<table class="directive">
-<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Apply a SSLPolicy by name</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLPolicy <em>name</em></code></td></tr>
-<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
-<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
-<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.4.28 and later</td></tr>
-</table>
-<p>This directive applies the set of SSL* directives defined
-under 'name' (see <code class="directive"><SSLPolicy></code>) as the <em>base</em>
-settings in the current context. Apache comes with the following pre-defined policies from
-Mozilla, the makers of the Firefox browser
-(<a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations">see here
-for a detailed description by them.</a>):
-</p>
-<ul>
- <li><code>modern</code>: recommended when your server is accessible on the open Internet. Works with all modern browsers, but old devices might be unable to connect.</li>
- <li><code>intermediate</code>: the fallback if you need to support old (but not very old) clients.</li>
- <li><code>old</code>: when you need to give Windows XP/Internet Explorer 6 access. The last resort.</li>
-</ul>
-
-<p>You can check the detailed description of all defined policies via the command line:</p>
-<div class="example"><h3>List all Defined Policies</h3><pre class="prettyprint lang-sh">httpd -t -D DUMP_SSL_POLICIES</pre>
-</div>
-
-<p>A SSLPolicy defines the baseline for the context it is used in. That means that any
-other SSL* directives in the same context override it. As an example of this, see the effective
-<code class="directive">SSLProtocol</code> value in the following settings:</p>
-
-<div class="example"><h3>Policy Precedence</h3><pre class="prettyprint lang-config"><VirtualHost...> # effective: 'all'
- SSLPolicy modern
- SSLProtocol all
-</VirtualHost>
-
-<VirtualHost...> # effective: 'all'
- SSLProtocol all
- SSLPolicy modern
-</VirtualHost>
-
-SSLPolicy modern
-<VirtualHost...> # effective: 'all'
- SSLProtocol all
-</VirtualHost>
-
-SSLProtocol all
-<VirtualHost...> # effective: '+TLSv1.2'
- SSLPolicy modern
-</VirtualHost></pre>
-</div>
-
-<p>There can be more than one policy applied in a context. The
-later ones overshadowing the earlier ones:</p>
-
-<div class="example"><h3>Policy Ordering</h3><pre class="prettyprint lang-config"><VirtualHost...> # effective protocol: 'all -SSLv3'
- SSLPolicy modern
- SSLPolicy intermediate
-</VirtualHost>
-
-<VirtualHost...> # effective protocol: '+TLSv1.2'
- SSLPolicy intermediate
- SSLPolicy modern
-</VirtualHost></pre>
+</SSLPolicyDefine></pre>
</div>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.4.28 and later</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.4.30 and later</td></tr>
</table>
<p>This directive is similar to <code class="directive">SSLPolicy</code>, but
applies only the SSLProxy* directives defined in the policy. This helps
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.fr.xsl"?>
-<!-- English Revision: 1815599 -->
+<!-- English Revision: 1815599:1817381 (outdated) -->
<!-- French translation : Lucien GENTIS -->
<!--
<variants>
<variant>en</variant>
- <variant>fr</variant>
+ <variant outdated="yes">fr</variant>
</variants>
</metafile>
... </Macro></a></td><td></td><td>svd</td><td>B</td></tr><tr><td class="descr" colspan="4">Define a configuration file macro</td></tr>
<tr class="odd"><td><a href="mod_macro.html#macroignorebadnesting">MacroIgnoreBadNesting</a></td><td></td><td>svd</td><td>B</td></tr><tr class="odd"><td class="descr" colspan="4">Ignore warnings, and does not log, about bad nesting of Macros</td></tr>
<tr><td><a href="mod_macro.html#macroignoreemptyargs">MacroIgnoreEmptyArgs</a></td><td></td><td>svd</td><td>B</td></tr><tr><td class="descr" colspan="4">Ignore warnings, and does not log, about empty Macro argument(s)</td></tr>
-<tr class="odd"><td><a href="mod_md.html#manageddomain">ManagedDomain <var>dns-name</var> [ <var>other-dns-name</var>... ] [auto|manual]<ManagedDomain <var>dns-name</var> [ <var>other-dns-name</var>... ]>...</ManagedDomain></a></td><td></td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Define list of domain names that belong to one group.Container for directives applied to the same managed domains.</td></tr>
-<tr><td><a href="mod_md.html#manageddomain">ManagedDomain <var>dns-name</var> [ <var>other-dns-name</var>... ] [auto|manual]<ManagedDomain <var>dns-name</var> [ <var>other-dns-name</var>... ]>...</ManagedDomain></a></td><td></td><td>s</td><td>E</td></tr><tr><td class="descr" colspan="4">Define list of domain names that belong to one group.Container for directives applied to the same managed domains.</td></tr>
<tr class="odd"><td><a href="mpm_common.html#maxconnectionsperchild">MaxConnectionsPerChild <var>number</var></a></td><td> 0 </td><td>s</td><td>M</td></tr><tr class="odd"><td class="descr" colspan="4">Limit on the number of connections that an individual child server
will handle during its life</td></tr>
<tr><td><a href="core.html#maxkeepaliverequests">MaxKeepAliveRequests <var>number</var></a></td><td> 100 </td><td>sv</td><td>C</td></tr><tr><td class="descr" colspan="4">Number of requests allowed on a persistent
<tr><td><a href="mod_md.html#mdmembers">MDMembers auto|manual</a></td><td> auto </td><td>s</td><td>E</td></tr><tr><td class="descr" colspan="4">Control if the alias domain names are automatically added.</td></tr>
<tr class="odd"><td><a href="mod_md.html#mdmuststaple">MDMustStaple on|off</a></td><td> off </td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Control if new certificates carry the OCSP Must Staple flag.</td></tr>
<tr><td><a href="mod_md.html#mdnotifycmd">MDNotifyCmd path</a></td><td></td><td>s</td><td>E</td></tr><tr><td class="descr" colspan="4">Run a program when Managed Domain are ready.</td></tr>
+<tr class="odd"><td><a href="mod_md.html#mdomain">MDomain <var>dns-name</var> [ <var>other-dns-name</var>... ] [auto|manual]</a></td><td></td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Define list of domain names that belong to one group.</td></tr>
+<tr><td><a href="mod_md.html#mdomainset"><MDomainSet <var>dns-name</var> [ <var>other-dns-name</var>... ]>...</MDomainSet></a></td><td></td><td>s</td><td>E</td></tr><tr><td class="descr" colspan="4">Container for directives applied to the same managed domains.</td></tr>
<tr class="odd"><td><a href="mod_md.html#mdportmap">MDPortMap map1 [ map2 ]</a></td><td> 80:80 443:443 </td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Map external to internal ports for domain ownership verification.</td></tr>
<tr><td><a href="mod_md.html#mdprivatekeys">MDPrivateKeys type [ params... ]</a></td><td> RSA 2048 </td><td>s</td><td>E</td></tr><tr><td class="descr" colspan="4">Set type and size of the private keys generated.</td></tr>
<tr class="odd"><td><a href="mod_md.html#mdrenewwindow">MDRenewWindow duration</a></td><td> 33% </td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Control when a certificate will be renewed.</td></tr>
<tr><td><a href="mod_ssl.html#ssloptions">SSLOptions [+|-]<em>option</em> ...</a></td><td></td><td>svdh</td><td>E</td></tr><tr><td class="descr" colspan="4">Configure various SSL engine run-time options</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslpassphrasedialog">SSLPassPhraseDialog <em>type</em></a></td><td> builtin </td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Type of pass phrase dialog for encrypted private
keys</td></tr>
-<tr><td><a href="mod_ssl.html#sslpolicy"><SSLPolicy <em>name</em>>SSLPolicy <em>name</em></a></td><td></td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Define a named set of SSL configurationsApply a SSLPolicy by name</td></tr>
-<tr class="odd"><td><a href="mod_ssl.html#sslpolicy"><SSLPolicy <em>name</em>>SSLPolicy <em>name</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Define a named set of SSL configurationsApply a SSLPolicy by name</td></tr>
+<tr><td><a href="mod_ssl.html#sslpolicy">SSLPolicy <em>name</em></a></td><td></td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Apply a SSLPolicy by name</td></tr>
+<tr class="odd"><td><a href="mod_ssl.html#sslpolicydefine"><SSLPolicy <em>name</em>></a></td><td></td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Define a named set of SSL configurations</td></tr>
<tr><td><a href="mod_ssl.html#sslprotocol">SSLProtocol [+|-]<em>protocol</em> ...</a></td><td> all -SSLv3 </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Configure usable SSL/TLS protocol versions</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslproxycacertificatefile">SSLProxyCACertificateFile <em>file-path</em></a></td><td></td><td>svp</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">File of concatenated PEM-encoded CA Certificates
for Remote Server Auth</td></tr>
<div class="section">
<h2><a name="types" id="types">Types of Configuration Section Containers</a></h2>
-<table class="related"><tr><th>Related Modules</th><th>Related Directives</th></tr><tr><td><ul><li><code class="module"><a href="./mod/core.html">core</a></code></li><li><code class="module"><a href="./mod/mod_version.html">mod_version</a></code></li><li><code class="module"><a href="./mod/mod_proxy.html">mod_proxy</a></code></li></ul></td><td><ul><li><code class="directive"><a href="./mod/core.html#directory"><Directory></a></code></li><li><code class="directive"><a href="./mod/core.html#directorymatch"><DirectoryMatch></a></code></li><li><code class="directive"><a href="./mod/core.html#files"><Files></a></code></li><li><code class="directive"><a href="./mod/core.html#filesmatch"><FilesMatch></a></code></li><li><code class="directive"><a href="./mod/core.html#if"><If></a></code></li><li><code class="directive"><a href="./mod/core.html#ifdefine"><IfDefine></a></code></li><li><code class="directive"><a href="./mod/core.html#ifmodule"><IfModule></a></code></li><li><code class="directive"><a href="./mod/mod_version.html#ifversion"><IfVersion></a></code></li><li><code class="directive"><a href="./mod/core.html#location"><Location></a></code></li><li><code class="directive"><a href="./mod/core.html#locationmatch"><LocationMatch></a></code></li><li><code class="directive"><a href="./mod/mod_md.html#m
anageddomainsection"><ManagedDomain></a></code></li><li><code class="directive"><a href="./mod/mod_proxy.html#proxy"><Proxy></a></code></li><li><code class="directive"><a href="./mod/mod_proxy.html#proxymatch"><ProxyMatch></a></code></li><li><code class="directive"><a href="./mod/mod_ssl.html#sslpolicysection"><SSLPolicy></a></code></li><li><code class="directive"><a href="./mod/core.html#virtualhost"><VirtualHost></a></code></li></ul></td></tr></table>
+<table class="related"><tr><th>Related Modules</th><th>Related Directives</th></tr><tr><td><ul><li><code class="module"><a href="./mod/core.html">core</a></code></li><li><code class="module"><a href="./mod/mod_version.html">mod_version</a></code></li><li><code class="module"><a href="./mod/mod_proxy.html">mod_proxy</a></code></li></ul></td><td><ul><li><code class="directive"><a href="./mod/core.html#directory"><Directory></a></code></li><li><code class="directive"><a href="./mod/core.html#directorymatch"><DirectoryMatch></a></code></li><li><code class="directive"><a href="./mod/core.html#files"><Files></a></code></li><li><code class="directive"><a href="./mod/core.html#filesmatch"><FilesMatch></a></code></li><li><code class="directive"><a href="./mod/core.html#if"><If></a></code></li><li><code class="directive"><a href="./mod/core.html#ifdefine"><IfDefine></a></code></li><li><code class="directive"><a href="./mod/core.html#ifmodule"><IfModule></a></code></li><li><code class="directive"><a href="./mod/mod_version.html#ifversion"><IfVersion></a></code></li><li><code class="directive"><a href="./mod/core.html#location"><Location></a></code></li><li><code class="directive"><a href="./mod/core.html#locationmatch"><LocationMatch></a></code></li><li><code class="directive"><a href="./mod/mod_md.html#m
domainsetsection"><MDomainSet></a></code></li><li><code class="directive"><a href="./mod/mod_proxy.html#proxy"><Proxy></a></code></li><li><code class="directive"><a href="./mod/mod_proxy.html#proxymatch"><ProxyMatch></a></code></li><li><code class="directive"><a href="./mod/mod_ssl.html#sslpolicydefinesection"><SSLPolicyDefine></a></code></li><li><code class="directive"><a href="./mod/core.html#virtualhost"><VirtualHost></a></code></li></ul></td></tr></table>
<p>There are two basic types of containers. Most containers are
evaluated for each request. The enclosed directives are applied only
<?xml-stylesheet type="text/xsl" href="./style/manual.fr.xsl"?>
<!-- French translation : Lucien GENTIS -->
<!-- Reviewed by : Vincent Deffontaines -->
-<!-- English Revision: 1805381 -->
+<!-- English Revision: 1805381:1817785 (outdated) -->
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE manualpage SYSTEM "./style/manualpage.dtd">
<?xml-stylesheet type="text/xsl" href="./style/manual.ja.xsl"?>
-<!-- English Revision: 420990:1805381 (outdated) -->
+<!-- English Revision: 420990:1817785 (outdated) -->
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
<?xml version="1.0" encoding="EUC-KR" ?>
<!DOCTYPE manualpage SYSTEM "./style/manualpage.dtd">
<?xml-stylesheet type="text/xsl" href="./style/manual.ko.xsl"?>
-<!-- English Revision: 105989:1805381 (outdated) -->
+<!-- English Revision: 105989:1817785 (outdated) -->
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
<variants>
<variant>en</variant>
- <variant>fr</variant>
+ <variant outdated="yes">fr</variant>
<variant outdated="yes">ja</variant>
<variant outdated="yes">ko</variant>
<variant outdated="yes">tr</variant>
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE manualpage SYSTEM "./style/manualpage.dtd">
<?xml-stylesheet type="text/xsl" href="./style/manual.tr.xsl"?>
-<!-- English Revision: 1300910:1805381 (outdated) -->
+<!-- English Revision: 1300910:1817785 (outdated) -->
<!-- =====================================================
Translated by: Nilgün Belma Bugüner <nilgun belgeler.org>
Reviewed by: Orhan Berent <berent belgeler.org>
projects / thirdparty / apache / httpd.git / commitdiff
