Commit de3a4027 authored by Stefan Eissing

On the trunk:

mod_ssl: adding SSLPolicy and SSLProxyPolicy directives plus documentation.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1805182 13f79535-47bb-0310-9956-ffa450edef68
parent acfb9bce
+4 −0
                                                         -*- coding: utf-8 -*-
Changes with Apache 2.5.0

  *) mod_ssl: add SSLPolicy (define/use) and SSLProxyPolicy directives plus documentation. Add
     core definitions for policies 'modern', 'intermediate' and 'old', as defined by Mozilla
     in <https://wiki.mozilla.org/Security/Server_Side_TLS>. [Stefan Eissing]
     
  *) mod_proxy: Fix ProxyAddHeaders merging.  [Joe Orton]

  *) mod_md: new module for managing domains across VirtualHosts with ACME protocol 
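Review bot: the entry announces core definitions for 'modern', 'intermediate' and 'old', but the ssl.conf comment added in the same commit describes only 'modern' and 'intermediate' and offers just those two as commented-out examples; either mention 'old' there as well or say here that 'old' is shipped for legacy clients and not recommended. Since the Mozilla page the entry cites is revised over time, stating which revision of the Server Side TLS recommendations the shipped definitions follow would make future updates of the policy file auditable. The blank line between this entry and the mod_proxy item carries trailing whitespace.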
+28 −0
@@ -42,6 +42,34 @@ Listen @@SSLPort@@
##  the main server and all SSL-enabled virtual hosts.
##

#   SSL Policy:
#   Choose from a pre-defined setting of SSL* configurations, based on 
#   the Mozilla recommendations from:
#      https://wiki.mozilla.org/Security/Server_Side_TLS 
#   These policies will be updated over time in new releases to keep
#   settings compatible and secure with "modern" browser, or if you
#   need to support legacy installtions, "intermediate" might be your
#   choice.
#   If you run the following command on your installation, the exact
#   contents of the defined SSL policies will be listed:
#
#     > httpd -t -D DUMP_SSL_POLICIES
#
#   Worth noting, a SSLPolicy defines the ground rules. What ever is
#   configured beside it, is added "on top". If a configuration has
#   a SSLPolicy *and* a SSLCipherSuite, any cipher suite in the policy
#   will be overwritten in this context.
#
#   If your OpenSSL library does not support TLSv1.2 (OpenSSL 1.0.2
#   and later), "modern" will not be available.
#   If you enable one of the policies below, we recommend that you
#   refrain from configuring any of the following, unless you are
#   certain that you want to override: 
#      SSLCipherSuite, SSLProxyCipherSuite, SSLHonorCipherOrder,
#      SSLProtocol, SSLProxyProtocol
#SSLPolicy intermediate
#SSLPolicy modern

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate,
#   and that httpd will negotiate as the client of a proxied server.
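Review bot: the sentence 'If your OpenSSL library does not support TLSv1.2 (OpenSSL 1.0.2 and later), "modern" will not be available' reads as if OpenSSL 1.0.2 and later were the versions lacking TLSv1.2; reword it to name the minimum OpenSSL version that provides TLSv1.2, or drop the parenthetical so the statement is simply that "modern" needs TLSv1.2 support. Spelling and grammar in the comment block: 'installtions' should be 'installations', 'a SSLPolicy' should be 'an SSLPolicy', 'What ever' should be 'Whatever', and the sentence beginning 'These policies will be updated over time' runs two thoughts together (that the definitions are kept current in new releases, and that "modern" targets current browsers while "intermediate" is for legacy clients). The override rule is the security-relevant part of this comment, so state it once and plainly: a SSLCipherSuite or SSLProtocol set in the same context replaces the policy's value rather than being merged with it, which is why the directives listed at the end should stay unset when a policy is enabled. Lines 35, 37 and 56 of the hunk carry trailing whitespace.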
+189 −0
@@ -2813,4 +2813,193 @@ SSLOpenSSLConfCmd SignatureAlgorithms RSA+SHA384:ECDSA+SHA256
</usage>
</directivesynopsis>

<directivesynopsis>
<name>SSLPolicySection</name>
<description></description>
<syntax>&lt;SSLPolicy <em>name</em>&gt;</syntax>
<contextlist><context>server config</context></contextlist>
<compatibility>Available in httpd 2.4.28 and later</compatibility>

<usage>
<p>This directive defines a set of SSL* configurations under
and gives it a name. This name can be used in the directives
<directive>SSLPolicy</directive> and <directive>SSLProxyPolicy</directive>
to apply this configuration set in the current context.</p>

<example><title>Examples</title>
<highlight language="config">
&lt;SSLPolicy safe-stapling&gt;
   SSLUseStapling on
   SSLStaplingResponderTimeout 2
   SSLStaplingReturnResponderErrors off
   SSLStaplingFakeTryLater off
   SSLStaplingStandardCacheTimeout 86400
&lt;/SSLPolicy&gt;

   ...
   &lt;VirtualHost...&gt;
      SSLPolicy safe-stapling
      ...
</highlight>
</example>

<p>On the one hand, this can make server configurations easier to 
<em>read</em> and <em>maintain</em>. On the other hand, it is 
intended to make SSL easier and safer to <em>use</em>. For the 
latter, Apache httpd ships with a set of pre-defined policies
that reflect good open source practise. The policy "modern",
for example, carries the settings to make your server work
compatible and securely with current browsers.</p>

<p>The list of predefined policies in your Apache can be obtained
by running the following command. This list shows you the 
detailed configurations each policy is made of:</p>

<example><title>Examples</title>
<highlight language="sh">
> httpd -t -D DUMP_SSL_POLICIES
</highlight>
</example>

<p>The directive can only be used in the server config (global context), so 
there cannot be two policies with the same name. However, policies can
be redefined:</p>

<example><title>Examples</title>
<highlight language="config">
&lt;SSLPolicy proxy-trust&gt;
   SSLProxyVerify require
&lt;/SSLPolicy&gt;
   ...
&lt;SSLPolicy proxy-trust&gt;
   SSLProxyVerify none
&lt;/SSLPolicy&gt;
</highlight>
</example>

<p>Policy definitions are <em>added</em> in the order they appear, but are
<em>applied</em> when the whole configuration is read. This means that any
use of 'proxy-trust' will mean 'SSLProxyVerify none'. The first definition
has no effect at all. You can replace policy definitions that have been
pre-installed without the need to disable them.</p>

<p>Additional to replacing policies, redefinitions may just alter
an aspect of a policy:</p>

<example><title>Examples</title>
<highlight language="config">
&lt;SSLPolicy proxy-trust&gt;
   SSLProxyVerify require
&lt;/SSLPolicy&gt;
   ...
&lt;SSLPolicy proxy-trust&gt;
   SSLPolicy proxy-trust
   SSLProxyVerifyDepth 10
&lt;/SSLPolicy&gt;
</highlight>
</example>

<p>This re-uses all settings from the previous 'proxy-trust' and adds
one directive on top of it. All others still apply. This is very handy
when pre-defined policies (from Apache itself or a distributor)
that <em>almost</em> fit ones needs. Previously, such definitions were
(copied and) edited. This made updating them difficult. Now they can
be setup like this:</p>

<example><title>Examples</title>
<highlight language="config">
Include ssl-policies.conf

&lt;SSLPolicy modern&gt;
   SSLPolicy modern
   SSLProxyVerify none
&lt;/SSLPolicy&gt;
</highlight>
</example>

</usage>
</directivesynopsis>

<directivesynopsis>
<name>SSLPolicy</name>
<description></description>
<syntax>SSLPolicy <em>name</em></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<compatibility>Available in httpd 2.4.28 and later</compatibility>

<usage>
<p>This directive applies the set of SSL* directives defined
under 'name' (see <directive>SSLPolicySection</directive>) as the <em>base</em>
settings in the current context. That means that any other SSL* directives
you make in the same context remain effective. So, the effective
<directive>SSLProtocol</directive> value in the following settings are:</p>

<example><title>Examples</title>
<highlight language="config">
   &lt;VirtualHost...&gt; # effective: 'all'
      SSLPolicy modern
      SSLProtocol all
   &lt;/VirtualHost&gt;

   &lt;VirtualHost...&gt; # effective: 'all'
      SSLProtocol all
      SSLPolicy modern
   &lt;/VirtualHost&gt;

   SSLPolicy modern
   &lt;VirtualHost...&gt; # effective: 'all'
      SSLProtocol all
   &lt;/VirtualHost&gt;
   
   SSLProtocol all
   &lt;VirtualHost...&gt; # effective: '+TLSv1.2'
     SSLPolicy modern
   &lt;/VirtualHost&gt;
</highlight>
</example>

<p>There can be more than one policy applied in a context. The
later ones overshadowing the earlier ones:</p>

<example><title>Examples</title>
<highlight language="config">
   &lt;VirtualHost...&gt; # effective: 'intermediate &gt; modern'
      SSLPolicy modern
      SSLPolicy intermediate
   &lt;/VirtualHost&gt;

   &lt;VirtualHost...&gt; # effective: 'modern &gt; intermediate'
      SSLPolicy intermediate
      SSLPolicy modern
   &lt;/VirtualHost&gt;
</highlight>
</example>

</usage>
</directivesynopsis>

<directivesynopsis>
<name>SSLProxyPolicy</name>
<description></description>
<syntax>SSLProxyPolicy <em>name</em></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<compatibility>Available in httpd 2.4.28 and later</compatibility>

<usage>
<p>This directive is similar to <directive>SSLPolicy</directive>, but 
applies only the SSLProxy* directives defined in the policy. This helps
when you need different policies for front and backends:</p>

<example><title>Examples</title>
<highlight language="config">
SSLPolicy modern
SSLProxyPolicy intermediate
</highlight>
</example>

</usage>
</directivesynopsis>

</modulesynopsis>
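Review bot: <description> is empty in all three new directivesynopsis blocks (SSLPolicySection, SSLPolicy, SSLProxyPolicy); the directive index and quick reference are generated from it, so each needs a one-line description such as 'Define a named set of SSL* directives'. The <compatibility> text says 'Available in httpd 2.4.28 and later' while the CHANGES entry in this commit files the feature under 2.5.0; the two should agree. The first SSLPolicySection example opens a &lt;VirtualHost...&gt; block that is never closed (no &lt;/VirtualHost&gt; after 'SSLPolicy safe-stapling'). The redefinition semantics deserve an explicit caveat in the SSLPolicySection text: because only the last &lt;SSLPolicy name&gt; definition counts and an earlier one has 'no effect at all', an Include processed after the shipped policies can replace 'modern' with weaker settings without any startup error, so recommend checking 'httpd -t -D DUMP_SSL_POLICIES' after editing policy files; likewise the SSLPolicy section should say in words what its last example shows, namely that a same-context SSLProtocol or SSLCipherSuite overrides the policy's value rather than being merged with it. Wording: 'defines a set of SSL* configurations under and gives it a name' has a dangling 'under'; 'practise' should be 'practice'; 'when pre-defined policies ... that almost fit ones needs' lacks a main verb and should read 'when pre-defined policies ... almost fit one's needs'; 'setup' should be 'set up'; 'The later ones overshadowing the earlier ones' is a sentence fragment; 'the effective SSLProtocol value in the following settings are' should be 'is'; and every <example> is titled 'Examples' even where it holds a single example.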
+9 −0
@@ -312,6 +312,15 @@ static const command_rec ssl_config_cmds[] = {
    AP_INIT_RAW_ARGS("SSLLogLevel", ap_set_deprecated, NULL, OR_ALL,
      "SSLLogLevel directive is no longer supported - use LogLevel."),

    AP_INIT_TAKE1("<SSLPolicy", ssl_cmd_SSLPolicyDefine, NULL, RSRC_CONF, 
                "Define a set of SSL* configurations under a new name. Such a policy may "
                "be used in any location where the SSL* directives are viable. The policy "
                "may contain both SSL* and SSLProxy* specific settings. Which one is applied "
                "depends on the use."),
    AP_INIT_TAKE1("SSLPolicy", ssl_cmd_SSLPolicyApply, NULL, RSRC_CONF, 
                "Use the SSL* (not the SSLProxy*) settings from the policy with the given name."),
    AP_INIT_TAKE1("SSLProxyPolicy", ssl_cmd_SSLProxyPolicyApply, NULL, RSRC_CONF|PROXY_CONF, 
                "Use the SSLProxy* settings from the policy with the given name."),
    AP_END_CMD
};
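Review bot: '<SSLPolicy' is registered with AP_INIT_TAKE1, whereas section-opening directives elsewhere in httpd ('<VirtualHost', '<Proxy') use AP_INIT_RAW_ARGS so that the handler can strip the closing '>' itself and reject a name that omits it; confirm that ssl_cmd_SSLPolicyDefine strips the bracket and reports a clear error when it is missing, and note that with TAKE1 a line such as '<SSLPolicy name >' (space before the bracket) is split into two arguments and refused with the generic 'takes one argument' message before the handler ever runs. The help text for '<SSLPolicy' says the policy 'may be used in any location where the SSL* directives are viable', but SSLPolicy itself is registered RSRC_CONF only, so the description overstates where it can be applied; say 'in server config or virtual host context' to match the registration. The closing '</SSLPolicy>' directive is not registered in this hunk; if it lives in the new 748-line file that is collapsed in this view, a short comment next to these entries pointing there would help the next reader. The three AP_INIT_TAKE1 lines carry trailing whitespace after 'RSRC_CONF,' and 'RSRC_CONF|PROXY_CONF,'.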

+748 −0


Preview size limit exceeded, changes collapsed.
