I would first like to say: this is not good practice and we should endeavour to have everything on HTTPS 100% of the time, but in this case I had a series of awkward requirements on a system that did not hold sensitive information. I was quite ignorant of how HTTPS/TLS worked when asking this question back when I was more junior, but have left it in place to help others as it receives a fair amount of attention. I recommend reading O'Reilly's TLS 101 if you're interested. You can now get free TLS certificates using Let's Encrypt, which I thoroughly recommend. Lastly, if you are using the default Apache config, please check out Mozilla's SSL config generator, selecting 'Modern' after entering your Apache version.
I am hosting a couple of separate websites on one Apache server:
site.com
site.com redirects all users to HTTPS from within the application.
example.com
example.com is an HTTP website, and HTTPS requests are redirected to HTTP.
In order for accidental requests for https://example.com instead of http://example.com not to get site.com (because when only one HTTPS vhost exists it becomes the default site), I need to set up an HTTPS vhost for example.com, but I have to use a self-signed cert as there is no reason for the site to use SSL.
This means when someone visits https://example.com they get a browser warning page that the SSL certificate is self-signed, and as soon as they click continue they get redirected to HTTP.
Is there any way to redirect HTTPS requests to HTTP without a certificate?
This is the current vhost:
<VirtualHost *:443>
    ServerName about.example.com:443
    DocumentRoot "/directory"
    <Directory "/directory">
        AllowOverride All
        Require all granted
    </Directory>
    # Send every HTTPS request back to the plain-HTTP site
    RewriteEngine On
    RewriteCond %{HTTPS} on
    RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    # TLS is still negotiated with this (self-signed) cert before the rewrite can run
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/ExampleCOM.pem
    SSLCertificateKeyFile /etc/httpd/ssl/AboutExampleCOM-key.pem
    # Note: HSTS tells browsers to stay on HTTPS, which conflicts with the redirect above
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
# Disabled to avoid CRIME attack
SSLCompression off
# this usually compromises perfect forward secrecy
SSLSessionTickets off
# OCSP Stapling, httpd 2.3.3 or later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
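As an added illustration (not part of the question or either answer), here is a small Python lint that walks an httpd config like the one above and flags the two points the answers make: a :443 vhost still needs a certificate for the handshake to complete, and an HSTS header on a vhost that redirects down to HTTP contradicts itself. The sample config text and the directive patterns it matches are constructed for this example.

```python
import re

# Constructed sample: the question's :443 vhost reduced to the directives that
# matter for the check (a downgrade redirect plus an HSTS header).
SAMPLE_CONFIG = """
<VirtualHost *:443>
    ServerName about.example.com:443
    RewriteEngine On
    RewriteCond %{HTTPS} on
    RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/ExampleCOM.pem
    SSLCertificateKeyFile /etc/httpd/ssl/AboutExampleCOM-key.pem
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
"""

def parse_vhosts(text):
    """Collect each <VirtualHost> block's address and its non-comment directives."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"addr": opened.group(1), "lines": []}
        elif line.lower() == "</virtualhost>" and current is not None:
            vhosts.append(current)
            current = None
        elif current is not None and line and not line.startswith("#"):
            current["lines"].append(line)
    return vhosts

def lint_tls_vhost(vhost):
    """Return findings for a TLS vhost; vhosts that do not speak TLS produce none."""
    lines = vhost["lines"]
    lower = [l.lower() for l in lines]
    if not (vhost["addr"].endswith(":443") or "sslengine on" in lower):
        return []
    # A RewriteRule/Redirect whose target scheme is plain http:// is a downgrade.
    downgrade = any(re.match(r"(RewriteRule|Redirect)\b.*\shttp://", l, re.I) for l in lines)
    hsts = any("strict-transport-security" in l for l in lower)
    has_cert = any(l.startswith("sslcertificatefile") for l in lower)
    findings = []
    if not has_cert:
        findings.append("no SSLCertificateFile: the TLS handshake cannot complete")
    if downgrade:
        findings.append("redirects to http:// after the handshake: a self-signed cert still shows the browser warning first")
    if downgrade and hsts:
        findings.append("HSTS on a downgrade vhost: once the cert is trusted, browsers re-upgrade to HTTPS and loop")
    return findings

def lint_config(text):
    """Map each vhost address to its findings (later duplicates of an address win)."""
    return {v["addr"]: lint_tls_vhost(v) for v in parse_vhosts(text)}
```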
Fundamentally, that's a problem. When communicating over HTTPS, the TLS communication layer is set up before anything is exchanged, i.e. the warning about the certificate happens before any information about the website is transferred. So a certificate is needed to allow a browser to connect when HTTPS is used, self-signed or not.
Ideally, and for 'best practice' we should really be encouraging people to use HTTPS as default (I realise this is an expense and can be annoying with certificates, and whilst there shouldn't be anything wrong with self signed certificates, there often are problems and browser messages etc).
Even if you have an application server which 'can only do HTTP', best practice is generally to front that application server with a web server (such as nginx or lighttpd, or some form of load balancer) which also provides your HTTPS termination, which is what you seem to have done with your HTTP rewrite that forwards the request to your site.
You might find some cheap SSL-certificate providers which are installed in most browsers though?
Short answer: no, there is no way to do this.
The connection to HTTPS happens before any type of redirection happens. The only thing you can do is buy a cert. Regular domain certs are super cheap these days.
You can get a valid domain cert for $4.99/yr. Then do the redirection so that both HTTPS and HTTP are covered.
Or you can turn off your 443 vhost, but the user will get a 404 or connection error page if they try HTTPS.
Those are your options. Your users will always get that warning page as long as it's self-signed, and that's by design.