On July 12, 2012 8:02, Tom Browder <tom.brow...@gmail.com> wrote:
> On Thu, Jul 12, 2012 at 6:37 AM, Nick Kew <n...@webthing.com> wrote:
>> On 12 Jul 2012, at 12:02, Tom Browder wrote:
>>> I want to have NO http traffic on my site. Is this the correct way to
>> No.
> I see lots of mixed http/https setups, but no
> single solution for https only is a locked down site.

Nick's answer is the correct and literal answer. The "single solution
for HTTPS only" that you are looking for is:

- Delete any Listen directive for port 80 and also
- Delete any VirtualHost stanza for port 80 (for example, your
"<VirtualHost *:80>" stanza).

If you do this, Apache HTTP Server will not use HTTP for any client, and
clients that access http://tb.com/ (in your example) will get an error
saying that they were unable to establish a connection. The error
message will be the same error message they will get if they try to
access a machine that is not running a web server at all.

The configuration you posted in your original message will accept HTTP
traffic and redirect all of it to the HTTPS virtual host. This is the
"standard" and "user friendly" solution that most sites which want to
secure all of their pages implement, but note that the initial redirects
all occur over HTTP and so you are still accepting some small amount of
HTTP traffic.

The reasons you want to have no HTTP traffic on your site are important
to consider in order to choose the best overall solution: If port 80
is blocked at your firewall, or if you are concerned about people taking
advantage of some theoretical (and unlikely) security hole in Apache
HTTP Server that is exploitable over HTTP but not over HTTPS, then you'd
want the solution Nick presented. But if you simply want to ensure
that all actual content is served securely while not making your site
difficult to access by non-technical users (e.g., those who omit typing
"https://" at the start of the URL in their web browser's location bar)
then you probably are asking the wrong question -- you probably DO want
your web server to accept HTTP, but use the configuration that you had
in your original message to redirect all HTTP requests to HTTPS.

--
Mark Montague
m...@catseye.org
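
A check for which of the two setups described in the message above a server is actually running, added here as an example (it is not code from the thread). The function names and result labels are assumptions of this example; the hostname is supplied by the operator.

```python
import http.client
import sys
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_response(status, location):
    """Label one plain-HTTP response by what the server did with it."""
    target = urlsplit(location or "")
    if status in REDIRECT_CODES and target.scheme == "https":
        # Redirect setup: the request itself still travelled over HTTP.
        return "redirects-to-https"
    # Anything else (200, an error page, a redirect to http://) is HTTP service.
    return "serves-http"


def probe_http(host, port=80, timeout=3.0):
    """Send one GET / over plain HTTP and report how the server handles it."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return classify_response(resp.status, resp.getheader("Location"))
    except http.client.HTTPException:
        # Something accepted the TCP connection but did not answer with HTTP.
        return "listening-not-http"
    except OSError:
        # Refused, timed out or unresolved: no Listen on this port, or a firewall block.
        return "closed"
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python probe_http.py HOSTNAME
    print(probe_http(sys.argv[1]))
```

With the Listen and VirtualHost entries for port 80 removed the probe reports `closed`; with the redirect configuration it reports `redirects-to-https`.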