Redirect default HTTPS request (port 443) to a different port with HTTPS

Thu, 11/24/2011 - 14:58
Nikos

Hello everybody,

today I've been experiencing this problem.

I have about 10 domains sharing one self-signed SSL certificate. This morning I decided to create a virtualhost with a non-shared certificate, signed by a CA. As everybody knows, the only way(s) is to assign a private IP or run HTTPS on a different port. The different port was the way I decided to try... So I set port 444 instead of 443, I got a free signed certificate and installed it via Virtualmin's 'Manage SSL Certificate' environment. Everything is fine and working well. My URL https://www.example.com:444 reports a signed and verified certificate. But..

The problem I want to solve is, when somebody tries https://www.example.com (without a specified port), he is transferred to the first SSL-enabled virtualhost with the self-signed cert, which means in some browsers a 'red error' :/ He is still on the domain https://www.example.com, but he views the content of the other virtualhost. So my first idea (and I guess yours too) is to simply redirect all requests @https://www.example.com TO https://www.example.com:444 -- seems like an easy job :-), but..

I didn't figure out how to get this working properly, so I want to ask you, please, do you know how?

I TRIED: 1) Adding a virtualhost listening on 443 to the Apache conf of this new virtual, and via RewriteRules redirecting all requests to the URL with the :444 port. It 'works' by half, because the browser first asks on the self-signed cert = error. No clean way. 2) Adding redirect rules to the first SSL-enabled virtualhost; this works the same way as 1).

I have some suspicion that this might be solved by some proxying, but I have absolutely no skills with it, so thanks for any help.

(+ a little question for the end: is it somehow possible to show the https://example.com:444 content without the port being visible?)

Thu, 11/24/2011 - 17:35
andreychek

Howdy,

Yeah, the problem is that using an alternate port for SSL isn't the best way to handle that; using a dedicated IP is the best way to provide SSL for a domain.

The trouble is that the SSL connection is negotiated before any content or configuration is read -- so it's not actually possible to solve the problem you're describing.

That is, if someone connects to https://example.com, you could add in a .htaccess file or similar to redirect the user to port 444, but they will always receive an SSL warning before that redirect occurs.

Now, you could add a redirect so that someone connecting to port 80 for that domain is redirected to port 444, but it's not possible to do that with port 443 in a way that prevents a warning from popping up.

My suggestion would be to splurge on a new IP address for this particular domain, that would solve all the problems you're describing above :-)

-Eric

Fri, 11/25/2011 - 04:06
Nikos

I'm thinking about one possible solution:

1) disable all 'shared' SSL

2) set only one virtual with SSL on port 443 with signed cert!

3) on this one virtual set all the other redirects (e.g. https://example.com to https://example.com:444)

4) for every other virtual where we want SSL and have no private IP available, we set some unique port for SSL

This I guess can work without any errors. But the point still is: is there any other way to redirect the HTTPS request before it reaches the Apache conf?

Another thing that should be considered: is it better to have self-signed HTTPS on the default port 443, or CA-signed on a non-standard port? (I assume IP addresses are unavailable.) What is more secure (no matter how difficult the setup is)?

Thank you for your opinions..

Fri, 11/25/2011 - 11:26
helpmin

I don't think what you're trying can be done.

But regarding your statement:

"As everybody knows, the only way(s) is to assign a private IP or run HTTPS on a different port."

this is not correct. Newer versions of Apache come with a mod_ssl version that supports SNI ("name-based SSL"), which works with pretty much all modern browsers. Maybe sufficient in your case?
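
As an added example (not from this thread, Virtualmin, or the Apache project) of what the SNI suggestion looks like in practice: two SSL virtual hosts on the same IP and the standard port 443, each with its own certificate, so no alternate port and no pre-redirect warning are needed. Hostnames, document roots and certificate paths are hypothetical.

```apache
# Added example: name-based SSL (SNI) on one IP, port 443, separate certificates.
# Requires Apache 2.2.12 or later with mod_ssl built against an OpenSSL that
# supports the TLS server_name extension. Names and paths are hypothetical.

Listen 443
NameVirtualHost *:443        # needed on Apache 2.2; not used in 2.4

# First (default) SSL host. A client that does NOT send SNI is always given
# this certificate, so put the CA-signed cert for the most important name here
# rather than the shared self-signed one.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example-com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key
    SSLCertificateChainFile /etc/ssl/certs/ca-chain.crt
</VirtualHost>

# Second host: same IP, same port 443, its own CA-signed certificate.
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/example-org
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.example.org.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.example.org.key
    SSLCertificateChainFile /etc/ssl/certs/ca-chain.crt
    # Refuse non-SNI clients for this host instead of silently serving its
    # content under another host's certificate (the mismatch described above).
    SSLStrictSNIVHostCheck on
</VirtualHost>

# Plain HTTP for the name can still be redirected to HTTPS without any
# warning: no TLS handshake happens before this redirect is sent.
<VirtualHost *:80>
    ServerName www.example.org
    Redirect permanent / https://www.example.org/
</VirtualHost>
```

To check that each name gets its own certificate, run `openssl s_client -connect <server-ip>:443 -servername www.example.org` and inspect the subject of the certificate returned, then repeat with `-servername www.example.com`.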