If you want no traffic, don't listen. Block on firewall w/ tcp-reject and don't use Apache to listen to http.
A more "friendly" way is to redirect VIA firewall all --dport 80 to --dport 443. 2012/7/12 Tom Browder <tom.brow...@gmail.com> > On Thu, Jul 12, 2012 at 9:08 AM, Mark Montague <m...@catseye.org> wrote: > > On July 12, 2012 8:02 , Tom Browder <tom.brow...@gmail.com> wrote: > >> On Thu, Jul 12, 2012 at 6:37 AM, Nick Kew<n...@webthing.com> wrote: > >>> On 12 Jul 2012, at 12:02, Tom Browder wrote: > >>> > >>>> I want to have NO http traffic on my site. Is this the correct way > to... > ... > > Nick's answer is the correct and literal answer. The "single solution > for > > HTTPS only" that you are looking for is: > > > > - Delete any Listen directive for port 80 and also > > - Delete any VirtualHost stanza for port 80 (for example, your > "<VirtualHost > > *:80>" stanza. > ... > > The configuration you posted in your original message will accept HTTP > > traffic and redirect all of it to the HTTPS virtual host. This is the > > "standard" and "user friendly" solution that most sites which want to > secure > > all of their pages implement, but note that the initial redirects all > occur > > over HTTP and so you are still accepting some small amount of HTTP > traffic. > > The reasons you want to have no HTTP traffic on your site are important > to > > consider in order to choose the best overall solution: If port 80 is > > blocked at your firewall, or if you are concerned about people taking > > advantage of some theoretical (and unlikely) security hole in Apache HTTP > > Server that is exploitable over HTTP but not over HTTPS, then you'd want > the > > solution Nick presented. > > Thanks for the reply, Mark. > > I like the "friendly" approach, but I made the statement. "I want to > have NO http traffic on my site," because I saw in a post from a > Mozilla Persona site a reference to another link that there is a > possibility of a man-in-the-middle attack using it. > > Best regards, > > -Tom > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > > -- []'s Filipe Cifali Stangler
