htaccess - SSLOptions required?

[JonLaliberte]

The Apache docs say:

StdEnvVars: When this option is enabled, the standard set of SSL related CGI/SSI environment variables are created. This per default is disabled for performance reasons, because the information extraction step is a rather expensive operation. So one usually enables this option for CGI and SSI requests only.

I researched this a bit, but couldn't figure out if we needed this to be enabled or not.

From the base .htaccess file we have:

<IfModule mod_ssl.c>
############################################
## make HTTPS env vars available for CGI mode

    SSLOptions StdEnvVars
</IfModule>

I tested disabling it and saw no ill-effects, but wanted to be sure I'm not missing something.

[addison74]

According to this resource https://httpd.apache.org/docs/trunk/mod/mod_ssl.xml commenting that line makes those environment variables no longer available in scripts. However their use in logs, headers is possible without SSLOptions directive.

I did not analyze that long list of environment variables but at least one is used in the OM code, HTTPS => HTTPS is used. I would not recommend disabling it without checking what variables from the list are used in OpenMage/Magento, what returns phpinfo() when commenting/uncommenting the line.

As far as I understand it is disabled by default for performance reasons. If it has been enable so far and you have not encountered performance problems you can still leave it like this. I made the change in the open PR related to the content of the new .htaccess to describe better this directive.

An interesting aspect to consider is the case when Apache does not end the SSL connection but this is done before it, for example in HAProxy, Pound, Nginx.

[JonLaliberte]

I did not analyze that long list of environment variables but at least one is used in the OM code, HTTPS => HTTPS is used.

In the docs you linked to it notes:

Except for HTTPS and SSL_TLS_SNI which are always defined...