How to make SNI hosts for Apache without redirecting certificates to http?

I have an Apache server with several named hosts that work fine for port 80 HTTP traffic. (VPS with a single unique IP address)

I have one domain that has an SSL certificate, and this domain is configured to handle http and https traffic.

However, if someone accidentally adds https to the beginning of an unconfigured SSL URL, I get a typical certificate warning error (expected), and then, if the user accepts the error (depending on the browser), it displays the SSL site that I configured instead of the original non-SSL domain.

I got a little familiar with SNI, but I do not have certificates for each of the other domains, and most likely the server will not respond to the SSL request for anything other than one specific domain or redirect to the http version of the site.

Suggestions, please, how I approach this.

Regards, Spencer

+4
1 answer

For security reasons, what you are trying to achieve cannot work.

The browser (which implements certificate verification mechanisms) cannot know if the user typed https:// instead of http:// accidentally or intentionally. Since ultimately users can verify that https:// is used when they consider it necessary, browsers should simply perform the actions requested by users.

Redirects from https:// to http:// should always start with a valid https:// connection. SNI will not help you if you cannot have valid certificates for the initial connection.

Otherwise, it would be fair for browsers to assume that a MITM attack could occur. Entering the https:// explicitly (or using HSTS) is the only reliable mechanism against MITM tools, such as SSLstrip, which could otherwise downgrade (or prevent an upgrade from http:// to https:// ).

0
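
An added configuration sketch, not part of the original answer: it does not remove the certificate warning, which the answer explains is unavoidable without a valid certificate per name, but it stops Apache from serving the SSL site's content under the other hostnames once a user clicks through. The hostnames `catchall.invalid` and `secure.example.com` and all file paths are placeholders.

```apache
# Constructed example; hostnames and paths are placeholders.

# Listed first on *:443, so Apache selects it for every HTTPS request
# whose name matches no other *:443 virtual host.
<VirtualHost *:443>
    ServerName catchall.invalid

    SSLEngine on
    # Only one certificate exists, so it is presented here as well.
    # Browsers still show a name-mismatch warning for the other domains.
    SSLCertificateFile    /etc/ssl/certs/secure.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.example.com.key

    # After the handshake, send the client to the plain-HTTP site of
    # the name it asked for instead of serving the SSL site's content.
    RewriteEngine on
    RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
</VirtualHost>

# The one domain that actually has a matching certificate.
<VirtualHost *:443>
    ServerName secure.example.com
    DocumentRoot /var/www/secure

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.example.com.key
</VirtualHost>
```

The redirect is only reached after the browser has completed the TLS handshake, so it cannot be used to hide the warning; it only controls which content is returned afterwards.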