<li><a href="mpm_netware.html#maxthreads">MaxThreads</a></li>
<li><a href="mod_md.html#mdactivationdelay">MDActivationDelay</a></li>
<li><a href="mod_md.html#mdbaseserver">MDBaseServer</a></li>
+<li><a href="mod_md.html#mdcacertificatefile">MDCACertificateFile</a></li>
<li><a href="mod_md.html#mdcachallenges">MDCAChallenges</a></li>
<li><a href="mod_md.html#mdcertificateagreement">MDCertificateAgreement</a></li>
<li><a href="mod_md.html#mdcertificateauthority">MDCertificateAuthority</a></li>
<li><a href="mod_md.html#mddrivemode">MDDriveMode</a></li>
<li><a href="mod_md.html#mdexternalaccountbinding">MDExternalAccountBinding</a></li>
<li><a href="mod_md.html#mdhttpproxy">MDHttpProxy</a></li>
+<li><a href="mod_md.html#mdinitialdelay">MDInitialDelay</a></li>
<li><a href="mod_md.html#mdmatchnames">MDMatchNames</a></li>
<li><a href="mod_md.html#mdmember">MDMember</a></li>
<li><a href="mod_md.html#mdmembers">MDMembers</a></li>
<ul id="toc">
<li><img alt="" src="../images/down.gif" /> <a href="#mdactivationdelay">MDActivationDelay</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mdbaseserver">MDBaseServer</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#mdcacertificatefile">MDCACertificateFile</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mdcachallenges">MDCAChallenges</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mdcertificateagreement">MDCertificateAgreement</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mdcertificateauthority">MDCertificateAuthority</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mddrivemode">MDDriveMode</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mdexternalaccountbinding">MDExternalAccountBinding</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mdhttpproxy">MDHttpProxy</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#mdinitialdelay">MDInitialDelay</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mdmatchnames">MDMatchNames</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mdmember">MDMember</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#mdmembers">MDMembers</a></li>
for all managed domains and do not rely on the global, fallback server configuration.
</p>
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="MDCACertificateFile" id="MDCACertificateFile">MDCACertificateFile</a> <a name="mdcacertificatefile" id="mdcacertificatefile">Directive</a> <a title="Permanent link" href="#mdcacertificatefile" class="permalink">¶</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File containing x509 trust anchors to verify ACME servers.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDCACertificateFile <var>file</var></code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>MDCACertificateFile none</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_md</td></tr>
+</table>
+ <p>
+ This is mainly used in test setups where the module needs to
+ connect to a test ACME server that has its own root certificate.
+ People who run an enterprise wide internal CA can use this when
+ they run their own ACME servers.
+ </p>
+ <p>
+ Use "none" as path to disable explicitly.
+ </p>
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="MDCAChallenges" id="MDCAChallenges">MDCAChallenges</a> <a name="mdcachallenges" id="mdcachallenges">Directive</a> <a title="Permanent link" href="#mdcachallenges" class="permalink">¶</a></h2>
if your webserver can only reach the internet with a forward proxy.
</p>
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="MDInitialDelay" id="MDInitialDelay">MDInitialDelay</a> <a name="mdinitialdelay" id="mdinitialdelay">Directive</a> <a title="Permanent link" href="#mdinitialdelay" class="permalink">¶</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>How long to delay the first certificate check.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>MDInitialDelay <var>duration</var></code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>MDInitialDelay 0s</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_md</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in version 2.4.66 and later</td></tr>
+</table>
+ <p>
+ The amount of time to wait after the server start to check
+ renewals of certificates. By default this occurs right away.
+ </p>
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="MDMatchNames" id="MDMatchNames">MDMatchNames</a> <a name="mdmatchnames" id="mdmatchnames">Directive</a> <a title="Permanent link" href="#mdmatchnames" class="permalink">¶</a></h2>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.5 and later</td></tr>
-</table><p>This directive sets policy applied when checking whether the
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.4.66 and later</td></tr>
+</table><p>This directive sets the policy applied when checking whether the
<code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code>
identified by the <code>Host</code> request header in an HTTP request
is compatible with the <code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code> identified from the SNI
SSL/TLS configuration under the policy used, an HTTP error response
with status code 421 ("Misdirected Request") will be sent.</p>
+<p>The policy also applies to TLS connections where an SNI extension
+is not sent during the handshake, implicitly using the default or
+first virtual host definition. If the Host header in an HTTP request
+on such a connection identifies any other non-default virtual host,
+the compatibility policy is tested.</p>
+
<p>The <code>strict</code> policy blocks all HTTP requests which are
identified with a different virtual host to that identifed by SNI.
The <code>insecure</code> policy allows all HTTP requests regardless
<p>The (default) <code>secure</code>, and <code>authonly</code>
policies compare specific aspects of the SSL configuration for the two
-virtual hosts, which are grouped into two categories:
+virtual hosts, which are grouped into two categories:</p>
<ul>
- <li><strong>client vertification and authentication
- settings</strong>: directives which affect TLS client certificate
- verification or authentication, such as <code class="directive"><a href="#sslverifyclient">SSLVerifyClient</a></code>, <code class="directive"><a href="#sslverifymode">SSLVerifyMode</a></code>, <code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code>, <code class="directive"><a href="#sslsrpverifierfile">SSLSRPVerifierFile</a></code>; any use of <code class="directive"><a href="#sslopensslconfcmd">SSLOpenSSLConfCmd</a></code></li>
-
<li><strong>server certificate/key, or protocol/cipher
restrictions</strong>: directives which determine the server
certificate or key (<code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code> etc), cipher or
protocol restrictions (<code class="directive"><a href="#sslciphersuite">SSLCipherSuite</a></code> and <code class="directive"><a href="#sslprotocol">SSLProtocol</a></code>)</li>
+
+ <li><strong>client vertification and authentication
+ settings</strong>: directives which affect TLS client certificate
+ verification or authentication, such as <code class="directive"><a href="#sslverifyclient">SSLVerifyClient</a></code>, <code class="directive"><a href="#sslverifymode">SSLVerifyMode</a></code>, <code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code>, <code class="directive"><a href="#sslsrpverifierfile">SSLSRPVerifierFile</a></code>; any use of <code class="directive"><a href="#sslopensslconfcmd">SSLOpenSSLConfCmd</a></code></li>
</ul>
-This table illustrates whether an HTTP request will be blocked or
+<p>This table illustrates whether an HTTP request will be blocked or
allowed when the virtual host configurations differ as described,
-under each different policy setting:
+under each different policy setting:</p>
<table class="bordered"><tr class="header">
<th>Policy mode</th>
<th>Any VirtualHost mismatch</th>
- <th>Client verification/<br />authentication settings</th>
<th>Server certificate/key, <br />or protocol/cipher restrictions</th>
+ <th>Client verification/<br />authentication settings</th>
</tr>
<tr>
- <td><code>strict</code><td>blocked</td><td>blocked</td><td>blocked</td></td>
+ <td><code>strict</code></td><td>blocked</td><td>blocked</td><td>blocked</td>
</tr>
<tr class="odd">
- <td><code>secure</code><td>allowed</td><td>blocked</td><td>blocked</td></td>
+ <td><code>secure</code></td><td>allowed</td><td>blocked</td><td>blocked</td>
</tr>
<tr>
- <td><code>authonly</code><td>allowed</td><td>blocked</td><td>allowed</td></td>
+ <td><code>authonly</code></td><td>allowed</td><td>allowed</td><td>blocked</td>
</tr>
<tr class="odd">
- <td><code>insecure</code><td>allowed</td><td>allowed</td><td>allowed</td></td>
+ <td><code>insecure</code></td><td>allowed</td><td>allowed</td><td>allowed</td>
</tr>
</table>
-</p>
+
<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLVHostSNIPolicy authonly</pre>
</div>
<tr class="odd"><td><a href="mpm_netware.html#maxthreads">MaxThreads <var>number</var></a></td><td> 2048 </td><td>s</td><td>M</td></tr><tr class="odd"><td class="descr" colspan="4">Set the maximum number of worker threads</td></tr>
<tr><td><a href="mod_md.html#mdactivationdelay">MDActivationDelay <var>duration</var></a></td><td></td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">How long to delay activation of new certificates</td></tr>
<tr class="odd"><td><a href="mod_md.html#mdbaseserver">MDBaseServer on|off</a></td><td> off </td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">Control if base server may be managed or only virtual hosts.</td></tr>
-<tr><td><a href="mod_md.html#mdcachallenges">MDCAChallenges <var>name</var> [ <var>name</var> ... ]</a></td><td> tls-alpn-01 http-01 +</td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">Type of ACME challenge used to prove domain ownership.</td></tr>
-<tr class="odd"><td><a href="mod_md.html#mdcertificateagreement">MDCertificateAgreement accepted</a></td><td></td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">You confirm that you accepted the Terms of Service of the Certificate
+<tr><td><a href="mod_md.html#mdcacertificatefile">MDCACertificateFile <var>file</var></a></td><td> none </td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">File containing x509 trust anchors to verify ACME servers.</td></tr>
+<tr class="odd"><td><a href="mod_md.html#mdcachallenges">MDCAChallenges <var>name</var> [ <var>name</var> ... ]</a></td><td> tls-alpn-01 http-01 +</td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">Type of ACME challenge used to prove domain ownership.</td></tr>
+<tr><td><a href="mod_md.html#mdcertificateagreement">MDCertificateAgreement accepted</a></td><td></td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">You confirm that you accepted the Terms of Service of the Certificate
Authority.</td></tr>
-<tr><td><a href="mod_md.html#mdcertificateauthority">MDCertificateAuthority <var>url</var></a></td><td> letsencrypt </td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">The URL(s) of the ACME Certificate Authority to use.</td></tr>
-<tr class="odd"><td><a href="mod_md.html#mdcertificatecheck">MDCertificateCheck <var>name</var> <var>url</var></a></td><td></td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">Set name and URL pattern for a certificate monitoring site.</td></tr>
-<tr><td><a href="mod_md.html#mdcertificatefile">MDCertificateFile <var>path-to-pem-file</var></a></td><td></td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">Specify a static certificate file for the MD.</td></tr>
-<tr class="odd"><td><a href="mod_md.html#mdcertificatekeyfile">MDCertificateKeyFile <var>path-to-file</var></a></td><td></td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">Specify a static private key for for the static cerrtificate.</td></tr>
-<tr><td><a href="mod_md.html#mdcertificatemonitor">MDCertificateMonitor name url</a></td><td> crt.sh https://crt. +</td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">The URL of a certificate log monitor.</td></tr>
-<tr class="odd"><td><a href="mod_md.html#mdcertificateprotocol">MDCertificateProtocol <var>protocol</var></a></td><td> ACME </td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">The protocol to use with the Certificate Authority.</td></tr>
-<tr><td><a href="mod_md.html#mdcertificatestatus">MDCertificateStatus on|off</a></td><td> on </td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">Exposes public certificate information in JSON.</td></tr>
-<tr class="odd"><td><a href="mod_md.html#mdchallengedns01">MDChallengeDns01 <var>path-to-command</var></a></td><td></td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">Set the command for setup/teardown of dns-01 challenges</td></tr>
-<tr><td><a href="mod_md.html#mdchallengedns01version">MDChallengeDns01Version 1|2</a></td><td> 1 </td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">Set the type of arguments to call MDChallengeDns01 with</td></tr>
-<tr class="odd"><td><a href="mod_md.html#mdcheckinterval">MDCheckInterval <var>duration</var></a></td><td> 12h </td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">Determines how often certificates are checked</td></tr>
-<tr><td><a href="mod_md.html#mdcontactemail">MDContactEmail <var>address</var></a></td><td></td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">Email address used for account registration</td></tr>
-<tr class="odd"><td><a href="mod_md.html#mddrivemode">MDDriveMode always|auto|manual</a></td><td> auto </td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">former name of MDRenewMode.</td></tr>
-<tr><td><a href="mod_md.html#mdexternalaccountbinding">MDExternalAccountBinding <var>key-id</var> <var>hmac-64</var> | none | <var>file</var></a></td><td> none </td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">Set the external account binding keyid and hmac values to use at CA</td></tr>
-<tr class="odd"><td><a href="mod_md.html#mdhttpproxy">MDHttpProxy <var>url</var></a></td><td></td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">Define a proxy for outgoing connections.</td></tr>
+<tr class="odd"><td><a href="mod_md.html#mdcertificateauthority">MDCertificateAuthority <var>url</var></a></td><td> letsencrypt </td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">The URL(s) of the ACME Certificate Authority to use.</td></tr>
+<tr><td><a href="mod_md.html#mdcertificatecheck">MDCertificateCheck <var>name</var> <var>url</var></a></td><td></td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">Set name and URL pattern for a certificate monitoring site.</td></tr>
+<tr class="odd"><td><a href="mod_md.html#mdcertificatefile">MDCertificateFile <var>path-to-pem-file</var></a></td><td></td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">Specify a static certificate file for the MD.</td></tr>
+<tr><td><a href="mod_md.html#mdcertificatekeyfile">MDCertificateKeyFile <var>path-to-file</var></a></td><td></td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">Specify a static private key for for the static cerrtificate.</td></tr>
+<tr class="odd"><td><a href="mod_md.html#mdcertificatemonitor">MDCertificateMonitor name url</a></td><td> crt.sh https://crt. +</td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">The URL of a certificate log monitor.</td></tr>
+<tr><td><a href="mod_md.html#mdcertificateprotocol">MDCertificateProtocol <var>protocol</var></a></td><td> ACME </td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">The protocol to use with the Certificate Authority.</td></tr>
+<tr class="odd"><td><a href="mod_md.html#mdcertificatestatus">MDCertificateStatus on|off</a></td><td> on </td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">Exposes public certificate information in JSON.</td></tr>
+<tr><td><a href="mod_md.html#mdchallengedns01">MDChallengeDns01 <var>path-to-command</var></a></td><td></td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">Set the command for setup/teardown of dns-01 challenges</td></tr>
+<tr class="odd"><td><a href="mod_md.html#mdchallengedns01version">MDChallengeDns01Version 1|2</a></td><td> 1 </td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">Set the type of arguments to call MDChallengeDns01 with</td></tr>
+<tr><td><a href="mod_md.html#mdcheckinterval">MDCheckInterval <var>duration</var></a></td><td> 12h </td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">Determines how often certificates are checked</td></tr>
+<tr class="odd"><td><a href="mod_md.html#mdcontactemail">MDContactEmail <var>address</var></a></td><td></td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">Email address used for account registration</td></tr>
+<tr><td><a href="mod_md.html#mddrivemode">MDDriveMode always|auto|manual</a></td><td> auto </td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">former name of MDRenewMode.</td></tr>
+<tr class="odd"><td><a href="mod_md.html#mdexternalaccountbinding">MDExternalAccountBinding <var>key-id</var> <var>hmac-64</var> | none | <var>file</var></a></td><td> none </td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">Set the external account binding keyid and hmac values to use at CA</td></tr>
+<tr><td><a href="mod_md.html#mdhttpproxy">MDHttpProxy <var>url</var></a></td><td></td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">Define a proxy for outgoing connections.</td></tr>
+<tr class="odd"><td><a href="mod_md.html#mdinitialdelay">MDInitialDelay <var>duration</var></a></td><td> 0s </td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">How long to delay the first certificate check.</td></tr>
<tr><td><a href="mod_md.html#mdmatchnames">MDMatchNames all|servernames</a></td><td> all </td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">Determines how DNS names are matched to vhosts</td></tr>
<tr class="odd"><td><a href="mod_md.html#mdmember">MDMember <var>hostname</var></a></td><td></td><td>s</td><td>X</td></tr><tr class="odd"><td class="descr" colspan="4">Additional hostname for the managed domain.</td></tr>
<tr><td><a href="mod_md.html#mdmembers">MDMembers auto|manual</a></td><td> auto </td><td>s</td><td>X</td></tr><tr><td class="descr" colspan="4">Control if the alias domain names are automatically added.</td></tr>
projects / thirdparty / apache / httpd.git / commitdiff
