On July 12, 2012 8:02, Tom Browder <tom.brow...@gmail.com> wrote:
> On Thu, Jul 12, 2012 at 6:37 AM, Nick Kew <n...@webthing.com> wrote:
>> On 12 Jul 2012, at 12:02, Tom Browder wrote:
>>
>>> I want to have NO http traffic on my site.  Is this the correct way to
>> No.
> I see lots of mixed http/https setups, but no
> single solution for https only is a locked down site.


Nick's answer is the correct and literal answer. The "single solution for HTTPS only" that you are looking for is:

- Delete any Listen directive for port 80 and also
- Delete any VirtualHost stanza for port 80 (for example, your "<VirtualHost *:80>" stanza).

If you do this, Apache HTTP Server will not use HTTP for any client, and clients that access http://tb.com/ (in your example) will get an error saying that they were unable to establish a connection. The error message will be the same error message they will get if they try to access a machine that is not running a web server at all.

The configuration you posted in your original message will accept HTTP traffic and redirect all of it to the HTTPS virtual host. This is the "standard" and "user friendly" solution that most sites which want to secure all of their pages implement, but note that the initial redirects all occur over HTTP and so you are still accepting some small amount of HTTP traffic. The reasons you want to have no HTTP traffic on your site are important to consider in order to choose the best overall solution: If port 80 is blocked at your firewall, or if you are concerned about people taking advantage of some theoretical (and unlikely) security hole in Apache HTTP Server that is exploitable over HTTP but not over HTTPS, then you'd want the solution Nick presented. But if you simply want to ensure that all actual content is served securely while not making your site difficult to access by non-technical users (e.g., those who omit typing "https://" at the start of the URL in their web browser's location bar) then you probably are asking the wrong question -- you probably DO want your web server to accept HTTP, but use the configuration that you had in your original message to redirect all HTTP requests to HTTPS.

--
  Mark Montague
  m...@catseye.org
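
The two setups described in the message above, with a check for leftover port-80 endpoints, as an added example that is not part of the original thread. Both config snippets are constructed and trimmed (certificate directives omitted), and `http_endpoints` is a hypothetical helper name.

```python
import re

# Constructed sample configs (not the poster's actual files); tb.com is the
# host name used in the thread.
REDIRECT_CONF = """\
Listen 80
Listen 443
<VirtualHost *:80>
    ServerName tb.com
    Redirect permanent / https://tb.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName tb.com
    SSLEngine on
</VirtualHost>
"""

HTTPS_ONLY_CONF = """\
# Listen 80   (deleted; a commented-out directive must not be reported)
Listen 443
<VirtualHost *:443>
    ServerName tb.com
    SSLEngine on
</VirtualHost>
"""

# Listen [address:]port [protocol]; the address may be a bracketed IPv6 literal.
LISTEN = re.compile(r"^\s*Listen\s+(?:\S+:)?(\d+)(?:\s+\S+)?\s*$", re.I)
# <VirtualHost addr[:port] [addr[:port] ...]>
VHOST = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)

def http_endpoints(conf_text, http_port="80"):
    """Return (line_no, directive) pairs that still bind or match port 80."""
    hits = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comments
        m = LISTEN.match(line)
        if m and m.group(1) == http_port:
            hits.append((no, line.strip()))
            continue
        m = VHOST.match(line)
        if m and any(a.rsplit(":", 1)[-1] == http_port for a in m.group(1).split()):
            hits.append((no, line.strip()))
    return hits
```

The scan reads only the text it is given and does not follow `Include` directives, so each included file has to be passed through it as well.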

