I have a CentOS 6.5 server running Apache 2, and hosting a number of sites. The config is via cPanel.
One of the sites has an SSL key with a redirect from HTTP to HTTPS. Other sites are all accessible via HTTP only. This is working fine.
However, if I try to access any non-SSL site using HTTPS, I get directed to the SSL site. I have tried adding

    RewriteEngine On
    RewriteCond %{SERVER_PORT} ^443$
    RewriteRule ^(.*)$ http://www.nonsslsite.com/$1 [R=301,L]

to the .htaccess file for the non-SSL sites, but this has no effect.
Any ideas how I can either redirect HTTPS requests for non SSL sites to a 404 error page, or just redirect to the HTTP site instead?
On 3 February 2014 12:05, Stuart Bailey stuart@linusoft.co.uk wrote:
> However, if I try to access any non-SSL site using HTTPS, I get directed to the SSL site.
The "problem" with https is that the "conversation" between the browser and the server is encrypted.
For http, the browser connects to the server's IP address and asks for www.nonsslsite.com. But for https the browser cannot ask for www.nonsslsite.com until it has established the encrypted connection, so at that point in the conversation Apache does not (and cannot) know which site the browser is trying to access. It will establish the connection using the credentials of the only SSL site you have (and indeed you can only have one per IP address, unlike http where you can have multiple virtual hosts sharing one IP address).
I suspect your only solution may be to have an extra IP address, which is allocated to your SSL site, so that it is kept separate. If there is a more elegant solution I'd like to hear about it.
There is a Server Name extension to TLS which may help you but I'm out of my depth there...
On 3 February 2014 14:27, Mark Rogers mark@quarella.co.uk wrote:
> There is a Server Name extension to TLS which may help you but I'm out of my depth there...

It would help if I could type correctly, I meant to say there is a Server Name Indication (or SNI) extension to TLS which may help you. It's not something I've ever used but from a quick check it looks like pretty much all browsers now support it (notable exceptions being Android 2.x and IE on XP).
On Monday 03 Feb 2014 14:32:00 Mark Rogers wrote:
> On 3 February 2014 14:27, Mark Rogers mark@quarella.co.uk wrote:
> > There is a Server Name extension to TLS which may help you but I'm out of my depth there...
>
> It would help if I could type correctly, I meant to say there is a Server Name Indication (or SNI) extension to TLS which may help you. It's not something I've ever used but from a quick check it looks like pretty much all browsers now support it (notable exceptions being Android 2.x and IE on XP).
Thanks, we've added another IP address just for HTTPS sites.
Stuart
On 13 February 2014 17:59, Stuart Bailey stuart@linusoft.co.uk wrote:
> Thanks, we've added another IP address just for HTTPS sites.
Just to be clear, you will need another IP address for each HTTPS site (same problem applies: your browser can't say which site it wants until it has gone through the encryption step, and in a VirtualHost environment Apache needs to know which site it's looking at in order to work out which SSL keys it needs to handle the encryption, so it's catch-22 again).
We've just accepted it in the past: lots of http hosts on one IP but each https host on its own. That said, if I was to look into this now I'd probably go with SNI (it would prevent access from users using IE on XP but they must surely be pretty thin on the ground by now?)
Mark
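An added example, not from anyone in this thread, of the SNI approach Mark describes on Apache 2.2.12 or later (the httpd shipped with CentOS 6 supports it): all HTTPS sites share one IP, a catch-all vhost listed first answers 404 for any name that has no SSL vhost of its own, and the real SSL site is chosen from the name the browser sends in the TLS ClientHello. The IP address, host names and file paths are placeholders.

```apache
# One IP, one port, several SSL vhosts told apart by SNI.
Listen 443
NameVirtualHost 192.0.2.10:443    # placeholder IP

# 1. Catch-all, listed FIRST: Apache uses it whenever the SNI name
#    matches no other vhost, so HTTPS requests for HTTP-only sites
#    never land on the real SSL site. It answers 404 to everything.
<VirtualHost 192.0.2.10:443>
    ServerName default.invalid
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/default.crt      # placeholder; any cert will do
    SSLCertificateKeyFile /etc/pki/tls/private/default.key    # placeholder
    # Clients without SNI (IE on XP, Android 2.x) get 403 here
    # instead of silently being served the wrong site's content.
    SSLStrictSNIVHostCheck on
    Redirect 404 /
</VirtualHost>

# 2. The real SSL site, selected by name.
<VirtualHost 192.0.2.10:443>
    ServerName www.sslsite.com                                # placeholder
    DocumentRoot /var/www/sslsite                             # placeholder
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/sslsite.crt      # placeholder
    SSLCertificateKeyFile /etc/pki/tls/private/sslsite.key    # placeholder
</VirtualHost>

# Check which vhost answers for a given name from a shell:
#   openssl s_client -connect 192.0.2.10:443 -servername www.nonsslsite.com
# The certificate printed should be default.crt, not sslsite.crt.
```

Because the browser validates the certificate before any HTTP response is read, a request for https://www.nonsslsite.com still shows a certificate warning for default.crt before the 404 appears; SNI only lets Apache pick the right vhost, it cannot make a site without its own certificate look trusted.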