Modified %ssl_virtualhost_ip% to %hostname(fqdn)% #461
Conversation
config/apache.vhost.sample
Outdated
| @@ -22,7 +22,7 @@ | |||
| # | |||
| # IMPORTANT: Be sure to comment out the DocumentRoot, ProxyPass and | |||
| # ProxyPassReverse directives above. | |||
| #Redirect permanent / https://%ssl_virtualhost_ip%/ | |||
| #Redirect permanent / https://%hostname(fqdn)%/ | |||
There was a problem hiding this comment.
I'm thinking, if the format is clear enough, that user should replace the whole string... I would maybe chose some form without the brackets. (But consider it just as my opinion.)
config/apache.vhost-ssl.sample
Outdated
| @@ -5,7 +5,7 @@ | |||
| ## This configuration file assumes that mod_ssl package is installed on | |||
| ## RHEL/CentOS hosts and it's configuration has not been modified. | |||
|
|
|||
| <VirtualHost %ssl_virtualhost_ip%:443> | |||
| <VirtualHost %hostname(fqdn)%:443> | |||
There was a problem hiding this comment.
What is the reason to have fqdn here? Based on Apache documentation, the value here might be fqdn, but it is not recommended:
- A fully qualified domain name for the IP address of the virtual host (not recommended);
Since we added the 00_ prefix to the tendrl-ssl.conf file (so it is processed before the default ssl.conf), whouldn't be sufficient to use just * or _default_ here?
I've tried it quickly and it seems to work as expected, with one small warning in error_log:
[ssl:warn] [pid 25283] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
My understanding is, that it might cause some problem for browsers without SNI support (very old versions of commonly used browsers) if there will be more than one website on the same server (which is not our case).
There was a problem hiding this comment.
Just now i talked with @mbukatov, He also suggested using the hostname in redirection only, not here.
There was a problem hiding this comment.
only for the redirection we need to change ip as hostname
There was a problem hiding this comment.
And what about the usage of _default_ (or *) instead of particular IP here?
I see 2 benefits from that:
- the documented ssl configuration will be one step shorter (this part will not need any change against the sample configuration).
- if the Tendrl server will have two or more interfaces, the interface might be available on all of them (unless restricted on some other level).
There was a problem hiding this comment.
I agree but, it is better we support both right? when user don't want to use all IPs then out document won't help much
There was a problem hiding this comment.
I think, that using _default_ might be better default and if user have specific requirements, he should consult it with Apache doc... But it's just my opinion...
There was a problem hiding this comment.
@GowthamShanmugam after quick discussion with @dahorak , I agree with him that using _default_ is better
There was a problem hiding this comment.
@dahorak explained clealry, i am also agree with this change
GowthamShanmugam
force-pushed
the
issues_460
branch
3 times, most recently
from
bafd795 to
9485bb9
Compare
| @@ -22,7 +22,7 @@ | |||
| # | |||
| # IMPORTANT: Be sure to comment out the DocumentRoot, ProxyPass and | |||
| # ProxyPassReverse directives above. | |||
| #Redirect permanent / https://%ssl_virtualhost_ip%/ | |||
| #Redirect permanent / https://%ssl_virtualhost_fqdn%/ | |||
There was a problem hiding this comment.
Here i agree with @dahorak, it is better we use a similar kind of name everywhere align the names, So I have used %ssl_virtualhost_fqdn% instead of %hostname(fqdn)%
tendrl-bug-id: Tendrl#460 bugzilla: 1680576 Signed-off-by: GowthamShanmugasundaram <[email protected]>
GowthamShanmugam
force-pushed
the
issues_460
branch
from
9485bb9 to
7456a89
Compare
|
@shtripat we can merge this PR |
tendrl-bug-id: #460
Signed-off-by: GowthamShanmugasundaram [email protected]