/* Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License.
*/
static md_mod_conf_t *md_mod_conf_get(apr_pool_t *pool, int create)
{ if (mod_md_config) { return mod_md_config; /* reused for lifetime of the pool */
}
/* Save the current settings in this srv_conf and apply+restore at the
* end of this section */
memcpy(&save, sc, sizeof(save));
srv_conf_props_clear(sc);
sc->current = md;
/* Handler for the MDMember / MDMembers directives.
 *
 * Outside an MD section exactly one argument is accepted, and it is handed
 * to set_transitive() as a mode value (the directive help names 'auto' and
 * 'manual'); anything else is rejected with the section-check error.
 * Inside a section, every argument that set_transitive() does not accept
 * as a mode value is recorded as a domain name of the current MD.
 *
 * cmd   directive parameters; supplies the server config and the pool
 * dc    per-directory config, unused here
 * argc  number of arguments in argv
 * argv  directive arguments
 * Returns NULL on success, otherwise an error string for the config parser.
 */
static const char *md_config_sec_add_members(cmd_parms *cmd, void *dc,
                                             int argc, char *const argv[])
{
    md_srv_conf_t *sc = md_config_get(cmd->server);
    const char *section_err = md_section_check(cmd);
    int n;

    (void)dc;
    if (section_err) {
        /* Not within a section: only a lone mode keyword is permitted. */
        return (argc == 1) ? set_transitive(&sc->transitive, argv[0]) : section_err;
    }

    assert(sc->current);
    for (n = 0; n < argc; ++n) {
        const char *arg = argv[n];
        /* set_transitive() returns NULL when it consumed the argument as a
         * mode keyword; any other result means the argument is a domain name. */
        if (set_transitive(&sc->transitive, arg) == NULL) {
            continue;
        }
        add_domain_name(sc->current->domains, arg, cmd->pool);
    }
    return NULL;
}
(void)dc; if (err) return err;
retry_failover = atoi(value); if (retry_failover <= 0) { return"invalid argument, must be a number > 0";
}
config->mc->retry_failover = retry_failover; return NULL;
}
if (!strncmp("http:", value, sizeof("http:") - 1)) {
net_port = 80; endp = value + sizeof("http") - 1;
} elseif (!strncmp("https:", value, sizeof("https:") - 1)) {
net_port = 443; endp = value + sizeof("https") - 1;
} else {
net_port = (int)apr_strtoi64(value, (char**)&endp, 10); if (errno) { return"unable to parse first port number";
}
} if (!endp || *endp != ':') { return"no ':' after first port number";
}
++endp; if (*endp == '-') {
local_port = 0;
} else {
local_port = (int)apr_strtoi64(endp, (char**)&endp, 10); if (errno) { return"unable to parse second port number";
} if (local_port <= 0 || local_port > 65535) { return"invalid number for port map, must be in ]0,65535]";
}
} switch (net_port) { case 80:
mc->local_80 = local_port; break; case 443:
mc->local_443 = local_port; break; default: return"mapped port number must be 80 or 443";
} return NULL;
}
(void)dc; if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { return err;
} if (argc <= 0) { return"needs to specify the private key type";
}
config->pks = md_pkeys_spec_make(cmd->pool); for (i = 0; i < argc; ++i) {
ptype = argv[i]; if (!apr_strnatcasecmp("Default", ptype)) { if (argc > 1) { return"'Default' allows no other parameter";
}
md_pkeys_spec_add_default(config->pks);
} elseif (strlen(ptype) > 3
&& (ptype[0] == 'R' || ptype[0] == 'r')
&& (ptype[1] == 'S' || ptype[1] == 's')
&& (ptype[2] == 'A' || ptype[2] == 'a')
&& isdigit(ptype[3])) {
bits = (int)apr_atoi64(ptype+3); if (bits < MD_PKEY_RSA_BITS_MIN) { return apr_psprintf(cmd->pool, "must be %d or higher in order to be considered safe.",
MD_PKEY_RSA_BITS_MIN);
} if (bits >= INT_MAX) { return apr_psprintf(cmd->pool, "is too large for an RSA key length.");
} if (md_pkeys_spec_contains_rsa(config->pks)) { return"two keys of type 'RSA' are not possible.";
}
md_pkeys_spec_add_rsa(config->pks, (unsignedint)bits);
} elseif (!apr_strnatcasecmp("RSA", ptype)) { if (i+1 >= argc || !isdigit(argv[i+1][0])) {
bits = MD_PKEY_RSA_BITS_DEF;
} else {
++i;
bits = (int)apr_atoi64(argv[i]); if (bits < MD_PKEY_RSA_BITS_MIN) { return apr_psprintf(cmd->pool, "must be %d or higher in order to be considered safe.",
MD_PKEY_RSA_BITS_MIN);
} if (bits >= INT_MAX) { return apr_psprintf(cmd->pool, "is too large for an RSA key length.");
}
} if (md_pkeys_spec_contains_rsa(config->pks)) { return"two keys of type 'RSA' are not possible.";
}
md_pkeys_spec_add_rsa(config->pks, (unsignedint)bits);
} else { if (md_pkeys_spec_contains_ec(config->pks, argv[i])) { return apr_psprintf(cmd->pool, "two keys of type '%s' are not possible.", argv[i]);
}
md_pkeys_spec_add_ec(config->pks, argv[i]);
}
} return NULL;
}
rv = md_json_readf(&json, cmd->pool, fpath); if (APR_SUCCESS != rv) { return apr_pstrcat(cmd->pool, cmd->cmd->name, ": error reading JSON file ", fpath, NULL);
}
keyid = md_json_gets(json, MD_KEY_KID, NULL); if (!keyid || !*keyid) { return apr_pstrcat(cmd->pool, cmd->cmd->name, ": JSON does not contain '", MD_KEY_KID, "' element in file ", fpath, NULL);
}
hmac = md_json_gets(json, MD_KEY_HMAC, NULL); if (!hmac || !*hmac) { return apr_pstrcat(cmd->pool, cmd->cmd->name, ": JSON does not contain '", MD_KEY_HMAC, "' element in file ", fpath, NULL);
}
}
}
leave:
sc->ca_eab_kid = keyid;
sc->ca_eab_hmac = hmac; return NULL;
}
/* Directive table of the module: maps each configuration directive name to
 * its handler, the context in which it may appear and a help text.
 * All entries are RSRC_CONF (server config / virtual host only); the one
 * exception is MDRequireHttps, which additionally carries OR_AUTHCFG.
 * The table is terminated by the all-NULL entry at the end. */
const command_rec md_cmds[] = {
/* CA account and protocol settings */
AP_INIT_TAKE_ARGV("MDCertificateAuthority", md_config_set_ca, NULL, RSRC_CONF, "URL(s) or known name(s) of CA issuing the certificates"),
AP_INIT_TAKE1("MDCertificateAgreement", md_config_set_agreement, NULL, RSRC_CONF, "either 'accepted' or the URL of CA Terms-of-Service agreement you accept"),
AP_INIT_TAKE_ARGV("MDCAChallenges", md_config_set_cha_tyes, NULL, RSRC_CONF, "A list of challenge types to be used."),
AP_INIT_TAKE1("MDCertificateProtocol", md_config_set_ca_proto, NULL, RSRC_CONF, "Protocol used to obtain/renew certificates"),
AP_INIT_TAKE1("MDContactEmail", md_config_set_contact, NULL, RSRC_CONF, "Email address used for account registration"),
/* MDDriveMode and MDRenewMode share one handler; the former is the deprecated name */
AP_INIT_TAKE1("MDDriveMode", md_config_set_renew_mode, NULL, RSRC_CONF, "deprecated, older name for MDRenewMode"),
AP_INIT_TAKE1("MDRenewMode", md_config_set_renew_mode, NULL, RSRC_CONF, "Controls how renewal of Managed Domain certificates shall be handled."),
/* Managed domain definition: single-line form and the two section forms */
AP_INIT_TAKE_ARGV("MDomain", md_config_set_names, NULL, RSRC_CONF, "A group of server names with one certificate"),
AP_INIT_RAW_ARGS(MD_CMD_MD_SECTION, md_config_sec_start, NULL, RSRC_CONF, "Container for a managed domain with common settings and certificate."),
AP_INIT_RAW_ARGS(MD_CMD_MD2_SECTION, md_config_sec_start, NULL, RSRC_CONF, "Short form for container."),
/* MDMember and MDMembers are aliases handled by md_config_sec_add_members */
AP_INIT_TAKE_ARGV("MDMember", md_config_sec_add_members, NULL, RSRC_CONF, "Define domain name(s) part of the Managed Domain. Use 'auto' or " "'manual' to enable/disable auto adding names from virtual hosts."),
AP_INIT_TAKE_ARGV("MDMembers", md_config_sec_add_members, NULL, RSRC_CONF, "Define domain name(s) part of the Managed Domain. Use 'auto' or " "'manual' to enable/disable auto adding names from virtual hosts."),
AP_INIT_TAKE1("MDMustStaple", md_config_set_must_staple, NULL, RSRC_CONF, "Enable/Disable the Must-Staple flag for new certificates."),
AP_INIT_TAKE12("MDPortMap", md_config_set_port_map, NULL, RSRC_CONF, "Declare the mapped ports 80 and 443 on the local server. E.g. 80:8000 " "to indicate that the server port 8000 is reachable as port 80 from the " "internet. Use 80:- to indicate that port 80 is not reachable from " "the outside."),
AP_INIT_TAKE_ARGV("MDPrivateKeys", md_config_set_pkeys, NULL, RSRC_CONF, "set the type and parameters for private key generation"),
AP_INIT_TAKE1("MDHttpProxy", md_config_set_proxy, NULL, RSRC_CONF, "URL of a HTTP(S) proxy to use for outgoing connections"),
AP_INIT_TAKE1("MDStoreDir", md_config_set_store_dir, NULL, RSRC_CONF, "the directory for file system storage of managed domain data."),
AP_INIT_TAKE1("MDRenewWindow", md_config_set_renew_window, NULL, RSRC_CONF, "Time length for renewal before certificate expires (defaults to days)."),
/* The only directive also permitted in OR_AUTHCFG contexts */
AP_INIT_TAKE1("MDRequireHttps", md_config_set_require_https, NULL, RSRC_CONF|OR_AUTHCFG, "Redirect non-secure requests to the https: equivalent."),
/* RAW_ARGS: the rest of the line is passed unparsed to the handler. These
 * three directives configure external commands the module will run, which
 * is why they are limited to the server configuration (RSRC_CONF). */
AP_INIT_RAW_ARGS("MDNotifyCmd", md_config_set_notify_cmd, NULL, RSRC_CONF, "Set the command to run when signup/renew of domain is complete."),
AP_INIT_TAKE1("MDBaseServer", md_config_set_base_server, NULL, RSRC_CONF, "Allow managing of base server outside virtual hosts."),
AP_INIT_RAW_ARGS("MDChallengeDns01", md_config_set_dns01_cmd, NULL, RSRC_CONF, "Set the command for setup/teardown of dns-01 challenges"),
AP_INIT_TAKE1("MDChallengeDns01Version", md_config_set_dns01_version, NULL, RSRC_CONF, "Set the type of arguments to call `MDChallengeDns01` with"),
/* Static certificate/key files instead of ACME-obtained ones */
AP_INIT_TAKE1("MDCertificateFile", md_config_add_cert_file, NULL, RSRC_CONF, "set the static certificate (chain) file to use for this domain."),
AP_INIT_TAKE1("MDCertificateKeyFile", md_config_add_key_file, NULL, RSRC_CONF, "set the static private key file to use for this domain."),
/* Status exposure */
AP_INIT_TAKE1("MDServerStatus", md_config_set_server_status, NULL, RSRC_CONF, "On to see Managed Domains in server-status."),
AP_INIT_TAKE1("MDCertificateStatus", md_config_set_certificate_status, NULL, RSRC_CONF, "On to see Managed Domain expose /.httpd/certificate-status."),
AP_INIT_TAKE1("MDWarnWindow", md_config_set_warn_window, NULL, RSRC_CONF, "When less time remains for a certificate, send our/log a warning (defaults to days)"),
AP_INIT_RAW_ARGS("MDMessageCmd", md_config_set_msg_cmd, NULL, RSRC_CONF, "Set the command run when a message about a domain is issued."),
/* OCSP stapling */
AP_INIT_TAKE1("MDStapling", md_config_set_stapling, NULL, RSRC_CONF, "Enable/Disable OCSP Stapling for this/all Managed Domain(s)."),
AP_INIT_TAKE1("MDStapleOthers", md_config_set_staple_others, NULL, RSRC_CONF, "Enable/Disable OCSP Stapling for certificates not in Managed Domains."),
AP_INIT_TAKE1("MDStaplingKeepResponse", md_config_set_ocsp_keep_window, NULL, RSRC_CONF, "The amount of time to keep an OCSP response in the store."),
AP_INIT_TAKE1("MDStaplingRenewWindow", md_config_set_ocsp_renew_window, NULL, RSRC_CONF, "Time length for renewal before OCSP responses expire (defaults to days)."),
AP_INIT_TAKE2("MDCertificateCheck", md_config_set_cert_check, NULL, RSRC_CONF, "Set name and URL pattern for a certificate monitoring site."),
AP_INIT_TAKE1("MDActivationDelay", md_config_set_activation_delay, NULL, RSRC_CONF, "How long to delay activation of new certificates"),
AP_INIT_TAKE1("MDCACertificateFile", md_config_set_ca_certs, NULL, RSRC_CONF, "Set the CA file to use for connections"),
/* External account binding: key id plus HMAC, or a JSON file holding both */
AP_INIT_TAKE12("MDExternalAccountBinding", md_config_set_eab, NULL, RSRC_CONF, "Set the external account binding keyid and hmac values to use at CA"),
/* Retry / failover behaviour */
AP_INIT_TAKE1("MDRetryDelay", md_config_set_min_delay, NULL, RSRC_CONF, "Time length for first retry, doubled on every consecutive error."),
AP_INIT_TAKE1("MDRetryFailover", md_config_set_retry_failover, NULL, RSRC_CONF, "The number of errors before a failover to another CA is triggered."),
AP_INIT_TAKE1("MDStoreLocks", md_config_set_store_locks, NULL, RSRC_CONF, "Configure locking of store for updates."),
AP_INIT_TAKE1("MDMatchNames", md_config_set_match_mode, NULL, RSRC_CONF, "Determines how DNS names are matched to vhosts."),
AP_INIT_TAKE1("MDCheckInterval", md_config_set_check_interval, NULL, RSRC_CONF, "Time between certificate checks."),
AP_INIT_TAKE1("MDProfile", md_config_set_profile, NULL, RSRC_CONF, "The name of an CA profile to order certificates for."),
AP_INIT_TAKE1("MDProfileMandatory", md_config_set_profile_mandatory, NULL, RSRC_CONF, "Determines if a configured CA profile is mandatory."),
/* terminator entry */
AP_INIT_TAKE1(NULL, NULL, NULL, RSRC_CONF, NULL)
};