Commit 9f3f5dd1 authored by Luca Toscano

Documentation rebuild

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1812519 13f79535-47bb-0310-9956-ffa450edef68
parent 5fda548a
+24 −15
@@ -510,11 +510,31 @@ MDRenewWindow 10%</pre>
            <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">MDRequireHttps temporary</pre>
</div>
            <p>you announce that you want all traffic via http: URLs to be redirected 
            to the https: ones, for now. If you want client to no longer use the
            to the https: ones, for now. This is safe and you can remove this again at
            any time.
            </p><p>
                <strong>The following has consequences: </strong>if you want client to <strong>no longer</strong> use the
             http: URLs, configure:
            </p>
            <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">MDRequireHttps permanent</pre>
            <div class="example"><h3>Permanent (for at least half a year!)</h3><pre class="prettyprint lang-config">MDRequireHttps permanent</pre>
</div>
            <p>This does two things:
            </p>
            <ol>
                <li>All request to the <code>http:</code> resources are redirected to the
                    same url with the <code>https:</code> scheme using the <code>301</code>
                status code. This tells clients that this is intended to be forever and
                the should update any links they have accordingly.
                </li>
                <li>All answers to <code>https:</code> requests will carry the header
                    <code>Strict-Transport-Security</code> with a life time of half a year.
                    This tells the browser that it <strong>never</strong> (for half a year) shall use <code>http:</code>
                    when talking to this domain name. Browsers will, after having seen this, refuse
                    to contact your unencrypted site. This prevents malicious middleware to
                    downgrade connections and listen/manipulate the traffic. Which is good. But
                    you cannot simply take it back again.
                </li>
            </ol>
            <p>You can achieve the same with mod_alias and some Redirect configuration,
            basically. If you do it yourself, please make sure to exclude the paths 
            /.well-known/* from your redirection, otherwise mod_md might have trouble 
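Review bot: The added list has wording slips that should be fixed before this is published: in item 1, "All request to the" should be "All requests to the" and "the should update any links" should be "they should update any links"; in the lead-in, "if you want client to" should be "clients"; in item 2, "prevents malicious middleware to downgrade" should be "prevents malicious middleware from downgrading". Item 2 also gives the duration only as "a life time of half a year"; naming the header's max-age parameter there would let operators match the text to what they see in responses. The closing "But you cannot simply take it back again." states the risk without a next step, so a sentence telling readers to run with MDRequireHttps temporary until the https: site is confirmed working would make the warning actionable.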
@@ -524,20 +544,9 @@ MDRenewWindow 10%</pre>
            it for a specific domain only, use:
            </p>
            <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">&lt;ManagedDomain xxx.yyy&gt;
  MDRequireHttps permanent
  MDRequireHttps temporary
&lt;/ManagedDomain&gt;</pre>
</div>
            <p>When you configure MDRequireHttps permanent, an additional security 
            feature is automatically applied: HSTS. This adds the header 
            Strict-Transport-Security to responses sent out via https:. 
            Basically, this instructs the browser to only perform secure 
            communications with that domain. This instruction holds for the 
            amount of time specified in the header as 'max-age'. 
            This is about half a year as generated by mod_md.
            </p><p>
            It is therefore advisable to first test the MDRequireHttps temporary 
            configuration and switch to permanent only once that works satisfactory.
            </p>
        
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
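Review bot: Going by the hunk header (20 lines before, 9 after), the paragraph beginning "When you configure MDRequireHttps permanent" and the one after it are dropped here, and two points in them are not carried by the replacement text: that the duration is expressed in the header as 'max-age', and the advice to "first test the MDRequireHttps temporary configuration and switch to permanent only once that works". Consider keeping that last sentence after the per-domain example. Switching the ManagedDomain example to temporary is a safer thing to copy and paste, but its heading still reads just "Example"; a heading that names the mode, as was done for "Permanent (for at least half a year!)", would keep the examples distinguishable.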
+7 −1
@@ -201,7 +201,7 @@ compatibility variables.</p>
</table>

<p><em>x509</em> specifies a component of an X.509 DN; one of
<code>C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email</code>.  In Apache 2.1 and
<code>C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email</code>.  In httpd 2.2.0 and
later, <em>x509</em> may also include a numeric <code>_n</code>
suffix.  If the DN in question contains multiple attributes of the
same name, this suffix is used as a zero-based index to select a
@@ -217,6 +217,12 @@ the <code class="directive"><a href="#ssloptions">SSLOptions</a></code> directiv
first (or only) attribute of any DN is added only under a non-suffixed
name; i.e. no <code>_0</code> suffixed entries are added.</p>

<p>In httpd 2.5.0 and later, an optional <em>_RAW</em> suffix may be
added to <em>x509</em> in a DN component, to suppress conversion of
the attribute value to UTF-8. This must be placed after the index
suffix (if any). For example, <code>SSL_SERVER_S_DN_OU_RAW</code> or
<code>SSL_SERVER_S_DN_OU_0_RAW</code> could be used.</p>

<p>The format of the <em>*_DN</em> variables has changed in Apache HTTPD
2.3.11. See the <code>LegacyDNStringFormat</code> option for
<code class="directive"><a href="#ssloptions">SSLOptions</a></code> for details.</p>
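Review bot: The new _RAW paragraph says conversion to UTF-8 is suppressed but not what the variable holds instead. Anyone feeding SSL_SERVER_S_DN_OU_RAW into a log format, a CGI environment or an access check needs to know that the value may not be valid UTF-8, so add a sentence stating what form the value then takes and when the raw form is preferable to the converted one. On style, this paragraph and the x509 one above write "httpd 2.5.0" and "httpd 2.2.0" while the following paragraph says "Apache HTTPD 2.3.11"; use one product name for version references.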
+1 −1
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.fr.xsl"?>
<!-- English Revision: 1807869 -->
<!-- English Revision: 1807869:1811976 (outdated) -->
<!-- French translation : Lucien GENTIS -->

<!--
+1 −1
@@ -8,6 +8,6 @@

  <variants>
    <variant>en</variant>
    <variant>fr</variant>
    <variant outdated="yes">fr</variant>
  </variants>
</metafile>