How to redirect HTTPS requests to HTTP without a certificate (Apache VirtualHosts) and avoid a certificate warning

I would first like to say that this is not good practice and we should endeavour to have everything on HTTPS 100% of the time, but in this case I had a series of awkward requirements on a system that did not hold sensitive information. I was quite ignorant of how HTTPS/TLS worked when asking this question back when I was more junior, but have left it in place to help others as it receives a fair amount of attention. I recommend reading O'Reilly's TLS 101 if you're interested. You can now get free TLS certificates using Let's Encrypt, which I thoroughly recommend. Lastly, if you are using the default Apache config, please check out Mozilla's SSL config generator, selecting 'Modern' after entering your Apache version.

I am hosting a couple of separate websites on one Apache server:

site.com

site.com redirects all users to HTTPS from within the application.

example.com

example.com is an HTTP website and HTTPS requests are redirected to HTTP.


In order for accidental requests for https://example.com instead of http://example.com not to land on site.com (when only one HTTPS vhost is configured, it becomes the default site), I need to set up an HTTPS vhost for example.com, but I have to use a self-signed cert as there is no reason for the site to use SSL.

This means that when someone visits https://example.com they get a browser warning page that the certificate is self-signed, and then, as soon as they click continue, they get redirected to HTTP.

Is there any way to redirect HTTPS requests to HTTP without a certificate?

This is the current vhost:

<VirtualHost *:443>
        ServerName about.example.com:443

        DocumentRoot "/directory"
        <Directory "/directory">
                AllowOverride All
                Require all granted
        </Directory>

        # Send every HTTPS request back to the plain-HTTP site, keeping the path;
        # mod_rewrite passes the original query string through by default.
        # A RewriteCond on %{HTTPS} is redundant inside a *:443 vhost, and
        # R=301,L makes the external redirect explicit instead of implicit.
        RewriteEngine On
        RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

        SSLEngine on
        SSLCertificateFile /etc/httpd/ssl/ExampleCOM.pem
        SSLCertificateKeyFile /etc/httpd/ssl/AboutExampleCOM-key.pem
        # HSTS contradicts a vhost whose job is to redirect to HTTP: a browser that
        # honours it rewrites http:// back to https:// itself and loops. Browsers
        # ignore HSTS sent over a self-signed certificate, but the header must go
        # before a trusted certificate is ever installed here, so it is disabled.
        #Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on

# Disabled to avoid CRIME attack
SSLCompression          off

# this usually compromises perfect forward secrecy
SSLSessionTickets       off

# OCSP Stapling, httpd 2.3.3 or later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)
ZZ9 asked Aug 21 '15 14:08


2 Answers

Fundamentally, that's a problem. When communicating over HTTPS, the TLS communication layer is set up before anything is exchanged, i.e. the warning about the certificate happens before any information about the website is transferred. So a certificate is needed to allow a browser to connect when https is specified, self-signed or not.

Ideally, and for 'best practice', we should really be encouraging people to use HTTPS by default (I realise this is an expense and can be annoying with certificates, and whilst there shouldn't be anything wrong with self-signed certificates, there often are problems, browser messages, etc.).

Even if you have an application server which 'can only do http', best practice is generally to front that application server with a web server (such as nginx or lighttpd, or some form of load balancer) which will also provide your HTTPS termination, which is what you seem to have done with your HTTP rewrite that forwards the request to your site.

You might find some cheap SSL-certificate providers which are installed in most browsers though?

Jmons answered Sep 21 '22 07:09


Short answer: no, there is not a way to do this.

The connection to https happens before any type of redirection happens. The only thing you can do is buy a cert. Regular domain certs are super cheap these days.

You can get a valid domain cert for $4.99/yr. Then do the redirection so that both https and http are covered.

Or you can turn off your 443 vhost, but then the user will get a 404 or a connection error page if they try https.

Those are your options. Your users will always get that warning page as long as it's self-signed, and that's by design.

Panama Jack answered Sep 23 '22 07:09
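Both answers come down to the same fix: terminate TLS on a certificate the browser already trusts, and only then redirect. The vhost pair below is an added example of that arrangement, not configuration from the question or from either answer. The Let's Encrypt certificate paths, the /var/www/example.com document root and the www.example.com alias are assumptions; the alias only works if the certificate's SAN list covers it.

```apache
# Plain-HTTP site: this is where example.com actually lives.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot "/var/www/example.com"
    <Directory "/var/www/example.com">
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# HTTPS vhost whose only job is to send browsers back to HTTP.
# It still needs a certificate the browser trusts: the TLS handshake
# (and any certificate warning) completes before Apache ever sees the
# request line it would redirect. A CA-issued certificate avoids the
# warning; a self-signed one cannot, whatever the redirect does.
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com

    SSLEngine on
    # Assumed Let's Encrypt paths; substitute the real ones.
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Redirect everything to the HTTP site, keeping the path; mod_rewrite
    # appends the original query string by default.
    # Do NOT send Strict-Transport-Security from this vhost: with a trusted
    # certificate the browser would honour it, rewrite http:// to https://
    # on its own, and bounce straight back here in a loop.
    RewriteEngine On
    RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

Run apachectl configtest before reloading. The port-80 vhost is the site; the port-443 vhost exists only so that https://example.com reaches a trusted certificate and a clean 301, rather than whichever HTTPS vhost Apache treats as the default for that address and port when the SNI name matches nothing else. Once the certificate is in place, reversing the redirect (HTTP to HTTPS) is the same two directives with the schemes swapped.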