I have a CentOS 6.5 server running Apache 2, and hosting a number of sites. The config is via cPanel. One of the sites has an SSL key with a redirect from HTTP to HTTPS. Other sites are all accessible via HTTP only. This is working fine. However, if I try to access any non-SSL site using HTTPS, I get directed to the SSL site. I have tried adding

    RewriteCond %{SERVER_PORT} ^443$
    RewriteRule ^(.*)$ http://www.nonsslsite.com [R=301,L]

to the .htaccess file for the non-SSL sites, but this has no effect. Any ideas how I can either redirect HTTPS requests for non-SSL sites to a 404 error page, or just redirect to the HTTP site instead?

-- Stuart Bailey BSc (hons) CEng CITP MBCS LinuSoft (Managing Director) Linux Specialist & Software Developer ~~~~~~~~~~~~~~~~~~~~~~~ Phone: (0845) 658 3563 Direct: +44 (0) 1953 601294 Fax: +44 (0) 1603 858583 ~~~~~~~~~~~~~~~~~~~~~~~ http://www.linusoft.co.uk
__________ Information from ESET Mail Security, version of virus signature database 9373 (20140203) __________ The message was checked by ESET Mail Security. http://www.eset.com
On 3 February 2014 12:05, Stuart Bailey <stuart@linusoft.co.uk> wrote:
However, if I try to access any non-SSL site using HTTPS, I get directed to the SSL site.
The "problem" with https is that the "conversation" between the browser and the server is encrypted. For http, the browser connects to the server's IP address and asks for www.nonsslsite.com. But for https the browser cannot ask for www.nonsslsite.com until it has established the encrypted connection, so at that point in the conversation Apache does not (and cannot) know which site the browser is trying to access. It will establish the connection using the credentials of the only SSL site you have (and indeed you can only have one per IP address, unlike http where you can have multiple virtual hosts sharing one IP address). I suspect your only solution may be to have an extra IP address, which is allocated to your SSL site, so that it is kept separate. If there is a more elegant solution I'd like to hear about it. There is a Server Name extension to TLS which may help you but I'm out of my depth there... -- Mark Rogers // More Solutions Ltd (Peterborough Office) // 0844 251 1450 Registered in England (0456 0902) @ 13 Clarke Rd, Milton Keynes, MK1 1LG
On 3 February 2014 14:27, Mark Rogers <mark@quarella.co.uk> wrote:
There is a Server Name extension to TLS which may help you but I'm out of my depth there...
It would help if I could type correctly, I meant to say there is a Server Name Indication (or SNI) extension to TLS which may help you. It's not something I've ever used but from a quick check it looks like pretty much all browsers now support it (notable exceptions being Android 2.x and IE on XP). -- Mark Rogers // More Solutions Ltd (Peterborough Office) // 0844 251 1450 Registered in England (0456 0902) @ 13 Clarke Rd, Milton Keynes, MK1 1LG
On Monday 03 Feb 2014 14:32:00 Mark Rogers wrote:
On 3 February 2014 14:27, Mark Rogers <mark@quarella.co.uk> wrote:
There is a Server Name extension to TLS which may help you but I'm out of my depth there...
It would help if I could type correctly, I meant to say there is a Server Name Indication (or SNI) extension to TLS which may help you. It's not something I've ever used but from a quick check it looks like pretty much all browsers now support it (notable exceptions being Android 2.x and IE on XP).
Thanks, we've added another IP address just for HTTPS sites. Stuart -- Stuart Bailey BSc (hons) CEng CITP MBCS LinuSoft (Managing Director) Linux Specialist & Software Developer ~~~~~~~~~~~~~~~~~~~~~~~ Phone: (0845) 658 3563 Direct: +44 (0) 1953 601294 Fax: +44 (0) 1603 858583 ~~~~~~~~~~~~~~~~~~~~~~~ http://www.linusoft.co.uk
On 13 February 2014 17:59, Stuart Bailey <stuart@linusoft.co.uk> wrote:
Thanks, we've added another IP address just for HTTPS sites.
Just to be clear, you will need another IP address for each HTTPS site (same problem applies: your browser can't say which site it wants until it has gone through the encryption step, and in a VirtualHost environment Apache needs to know which site it's looking at in order to work out which SSL keys it needs to handle the encryption, so it's catch-22 again). We've just accepted it in the past: lots of http hosts on one IP but each https host on its own. That said, if I was to look into this now I'd probably go with SNI (it would prevent access from users using IE on XP but they must surely be pretty thin on the ground by now?) Mark -- Mark Rogers // More Solutions Ltd (Peterborough Office) // 0844 251 1450 Registered in England (0456 0902) @ 13 Clarke Rd, Milton Keynes, MK1 1LG
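For anyone taking Mark's closing suggestion of SNI rather than one IP per HTTPS site, the configuration below is an added illustration, not something from the thread or from cPanel. It assumes an Apache 2.2 build with SNI support (the NameVirtualHost directive is 2.2 syntax), a certificate for www.sslsite.example only, and placeholder file paths; the host names are made up. The first vhost on port 443 is the one Apache uses when the client sends no SNI name or a name that matches no other SSL vhost, so instead of letting it quietly serve the SSL site's content, it answers the original question by sending the request back to plain HTTP for whatever host was asked for (a 404 variant is shown as a comment).

```apache
# Added example, not from the thread. Assumes Apache 2.2 with SNI support.
NameVirtualHost *:443

# Default SSL vhost: reached by clients without SNI (e.g. IE on XP) and by
# any HTTPS request for a host that has no SSL vhost of its own.
<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    SSLCertificateFile    /path/to/sslsite.crt      # placeholder path
    SSLCertificateKeyFile /path/to/sslsite.key      # placeholder path
    RewriteEngine on
    # Send the request back to plain HTTP for the host the browser asked for.
    RewriteRule ^(.*)$ http://%{HTTP_HOST}$1 [R=301,L]
    # Alternative, if a 404 is preferred over a redirect:
    # RewriteRule ^ - [R=404,L]
</VirtualHost>

# The one site that really has a certificate, selected by SNI name.
<VirtualHost *:443>
    ServerName www.sslsite.example
    DocumentRoot /var/www/sslsite                   # placeholder path
    SSLEngine on
    SSLCertificateFile    /path/to/sslsite.crt      # placeholder path
    SSLCertificateKeyFile /path/to/sslsite.key      # placeholder path
</VirtualHost>

# Its HTTP side just forwards to HTTPS, as in the original setup.
<VirtualHost *:80>
    ServerName www.sslsite.example
    RewriteEngine on
    RewriteRule ^(.*)$ https://www.sslsite.example$1 [R=301,L]
</VirtualHost>
```

Two caveats worth knowing before relying on this. First, the default vhost still has to present some certificate to complete the handshake, so a browser visiting https://www.nonsslsite.example/ will see a name-mismatch warning before it ever receives the redirect; the redirect only removes the confusing "wrong site" page that follows, it cannot remove the warning. Second, cPanel regenerates httpd.conf, so directives like these belong in the include files it provides for custom configuration rather than in the generated file itself.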