Enabling HTTP and HTTPs

on 26.10.2009 19:54:32 by Jorge Medina


I am using Apache 2.2 and I am using a test certificate signed by my internal CA. I am not using Virtual Hosts.

Some time ago I went over a whole set of changes on my server configuration to enable HTTPs (SSL).
At that point, I disabled HTTP on the server. Any request on port 80 gets a page indicating that HTTPS is required.

Now I want to also enable HTTP without disabling HTTPs. But I can't figure how to enable both.

I originally had
    SSLOptions +StrictRequire
I commented that out, but no success.

I also had:

<Directory />
    SSLRequireSSL
</Directory>

I also commented that out, but again, no success. Apache tells me that I require HTTPS.

I also have another <directory> section as shown below. This segment is before my Include directive to my http-ssl.conf

<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

What else should I look at ? I can't find any other relevant sections of the configuration file that may affect the behavior.


-Jorge









Re: Enabling HTTP and HTTPs

on 26.10.2009 20:02:51 by aw

Hi Jorge.

Something below does not seem to square :

Jorge Medina wrote:
....
> At that point, I disabled HTTP on the server. Any request on port 80 gets a page indicating that HTTPS is required.
>
How do they actually get this page, if HTTP is disabled ?

Maybe to gain some steps :
- the default port for HTTP is 80
- the default port for HTTPS is 443
So your server config, somewhere, should have
Listen 80
Listen 443

If you do not have a "Listen 80", and someone tries to access your
server with a URL like "http://yourserver", they would just get a
"connection refused", but not a HTML page telling them that they need HTTPS.

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: Enabling HTTP and HTTPs

on 26.10.2009 20:09:15 by Jorge Medina

Right. I have two Listen directives

Listen 80 http
Listen 443 https

The page I would assume that the page I get is generated by the mod_ssl module. It looks something like this:

---------------------------------------------------------------------
Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Hint: https://myserver/
---------------------------------------------------------------------
-Jorge


Re: Enabling HTTP and HTTPs

on 26.10.2009 21:01:28 by aw

Jorge Medina wrote:
> Right. I have two Listen directives
>
> Listen 80 http
> Listen 443 https
>
> The page I would assume that the page I get is generated by the mod_ssl module. It looks something like this:
>
All right, that clears one mystery, and I learned something (I did not
know that mod_ssl was doing that; smart little module).

Now the next mystery to me, is how, without VirtualHosts, you can set up
a server to answer different pages under HTTP and HTTPS at the same time.
(That is how you say you had it configured, before you removed HTTP).

Fortunately, there seems to be a HowTo specifically for that.
See http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
(the last one)

The other way I could think of would be to use virtual hosts, like

Listen 80 HTTP
Listen 443 HTTPS

NameVirtualHost *:80

....


NameVirtualHost *:443

.... (SSL-based config)


(But that is really a hack, and works only with 1 single HTTPS VirtualHost).


RE: Enabling HTTP and HTTPs

on 26.10.2009 21:18:12 by Jorge Medina

Thank you! A colleague just told me the same.
I need VirtualHosts to be able to configure HTTP and HTTPS for the same server.

-Jorge



Re: Enabling HTTP and HTTPs

on 26.10.2009 21:19:06 by aw

André Warnier wrote:
....
and there are also some interesting tidbits here :

http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html

See for example :
How can I switch between HTTP and HTTPS in relative hyperlinks?

(I did not know this either; it's good to read the fine documentation
sometimes).

Anyway, I think with all these bits, it should not be too hard to work
backwards and find your previous HTTP+HTTPS configuration again (or
maybe invent a brand-new and even better one).




Re: Enabling HTTP and HTTPs

on 27.10.2009 06:53:58 by Krist van Besien

On Mon, Oct 26, 2009 at 9:01 PM, André Warnier wrote:
>
> The other way I could think of would be to use virtual hosts, like
>
> Listen 80 HTTP
> Listen 443 HTTPS
>
> NameVirtualHost *:80
>
> ...
>

>
> NameVirtualHost *:443
>
> ... (SSL-based config)
>


You don't need the NameVirtualHost directives.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?


Re: Enabling HTTP and HTTPs

on 27.10.2009 07:28:14 by aw

Krist van Besien wrote:
> On Mon, Oct 26, 2009 at 9:01 PM, André Warnier wrote:
>> The other way I could think of would be to use virtual hosts, like
>>
>> Listen 80 HTTP
>> Listen 443 HTTPS
>>
>> NameVirtualHost *:80
>>
>> ...
>>

>>
>> NameVirtualHost *:443
>>
>> ... (SSL-based config)
>>

>
> You don't need the NameVirtualHost directives.

Uh ?
"If name-based vhosts should be used a NameVirtualHost directive /must/
appear with the IP address set to be used for the name-based vhosts. In
other words, you must specify the IP address that holds the hostname
aliases (CNAMEs) for your name-based vhosts via a NameVirtualHost
directive in your configuration file."

http://httpd.apache.org/docs/2.2/vhosts/details.html






Re: Enabling HTTP and HTTPs

on 27.10.2009 10:30:17 by Krist van Besien

On Tue, Oct 27, 2009 at 7:28 AM, André Warnier wrote:
> Krist van Besien wrote:
>>
>> On Mon, Oct 26, 2009 at 9:01 PM, André Warnier wrote:
>>>
>>> The other way I could think of would be to use virtual hosts, like
>>>
>>> Listen 80 HTTP
>>> Listen 443 HTTPS
>>>
>>> NameVirtualHost *:80
>>>
>>> ...
>>>

>>>
>>> NameVirtualHost *:443
>>>
>>> ... (SSL-based config)
>>>

>>
>> You don't need the NameVirtualHost directives.
>
> Uh ?
> "If name-based vhosts should be used a NameVirtualHost directive /must/
> appear with the IP address set to be used for the name-based vhosts. In
> other words, you must specify the IP address that holds the hostname aliases
> (CNAMEs) for your name-based vhosts via a NameVirtualHost directive in your
> configuration file."

But you are not using name based virtualhosts here. Not if you have
only one virtualhost on port 80, and another one on port 443.
Namevirtualhosts don't work (yet) for https anyway.

Krist


-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?


Re: Enabling HTTP and HTTPs

on 27.10.2009 10:36:23 by Tom Evans

On Tue, 2009-10-27 at 07:28 +0100, André Warnier wrote:
> Krist van Besien wrote:
> > On Mon, Oct 26, 2009 at 9:01 PM, André Warnier wrote:
> >> The other way I could think of would be to use virtual hosts, like
> >>
> >> Listen 80 HTTP
> >> Listen 443 HTTPS
> >>
> >> NameVirtualHost *:80
> >>
> >> ...
> >>

> >>
> >> NameVirtualHost *:443
> >>
> >> ... (SSL-based config)
> >>

> >
> > You don't need the NameVirtualHost directives.
>
> Uh ?
> "If name-based vhosts should be used a NameVirtualHost directive /must/
> appear with the IP address set to be used for the name-based vhosts. In
> other words, you must specify the IP address that holds the hostname
> aliases (CNAMEs) for your name-based vhosts via a NameVirtualHost
> directive in your configuration file."
>
> http://httpd.apache.org/docs/2.2/vhosts/details.html
>
>

But if you only have two vhosts, and each of them on a different port,
then you would not need them to be name based vhosts, and that entire
paragraph is moot :)

Without the NameVirtualHost directives, it is just a simple IP based
virtual host.

Cheers

Tom



Re: Enabling HTTP and HTTPs

on 27.10.2009 11:15:03 by aw

Tom Evans wrote:
> On Tue, 2009-10-27 at 07:28 +0100, André Warnier wrote:
>> Krist van Besien wrote:
>>> On Mon, Oct 26, 2009 at 9:01 PM, André Warnier wrote:
>>>> The other way I could think of would be to use virtual hosts, like
>>>>
>>>> Listen 80 HTTP
>>>> Listen 443 HTTPS
>>>>
>>>> NameVirtualHost *:80
>>>>
>>>> ...
>>>>

>>>>
>>>> NameVirtualHost *:443
>>>>
>>>> ... (SSL-based config)
>>>>

>>> You don't need the NameVirtualHost directives.
>> Uh ?
>> "If name-based vhosts should be used a NameVirtualHost directive /must/
>> appear with the IP address set to be used for the name-based vhosts. In
>> other words, you must specify the IP address that holds the hostname
>> aliases (CNAMEs) for your name-based vhosts via a NameVirtualHost
>> directive in your configuration file."
>>
>> http://httpd.apache.org/docs/2.2/vhosts/details.html
>>
>>
>
> But if you only have two vhosts, and each of them on a different port,
> then you would not need them to be name based vhosts, and that entire
> paragraph is moot :)
>
> Without the NameVirtualHost directives, it is just a simple IP based
> virtual host.
>
Well, kind of, but one could argue about this. ;-)
It seems to me that we are just at the grey line in-between here.
Maybe I should have added one more HTTP VirtualHost in my example, just
to settle it.

It's not really IP-based virtual hosts either, because there is no
distinction on IP address here. If there were several IPs to this
(physical) host, it would treat requests on any of them equally.

I'm not quite sure about this last paragraph. I think there might be
problems with certificates linked to different IP addresses. But since
I'm no SSL expert either, I'm not even sure if SSL certificates are
linked to IP addresses, or just to hostnames.

To answer Kris :
I know it does not really "work", that's why I mentioned it as a hack.
But it will default for HTTPS to the one and only ,
so it will kinda appear to work for practical purposes.


Re: Enabling HTTP and HTTPs

on 27.10.2009 12:31:18 by Krist van Besien

On Tue, Oct 27, 2009 at 11:15 AM, André Warnier wrote:


> Well, kind of, but one could argue about this. ;-)
> It seems to me that we are just at the grey line in-between here.
> Maybe I should have added one more HTTP VirtualHost in my example, just to
> settle it.

It doesn't harm to have this NameVirtualHost directive. But it isn't
needed either. Hence my remark.

All NameVirtualHost does is tell the server to look at the Server
header when receiving requests on the IP/Port combination mentioned,
in order to distinguish between different virtualhosts on the same
IP/Port.
When you only have one virtualhost on the IP/Port combination you
thus don't need this directive.
Since you will normally only have one Virtualhost on the IP/Port
combination you use for HTTPS you don't need the NameVirtualHost
statement. Unless you are bleeding edge re SSL...

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
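
Added example (not part of the original thread and not any poster's configuration): a minimal Apache 2.2 layout for what the thread converges on, one virtual host per port with no NameVirtualHost. The host name, file paths and the /private directory are placeholders, and the comment about server-scope SSLEngine is an assumption about the original problem, since the thread never shows that part of the configuration.

```apache
# Added example for Apache 2.2. www.example.com, /var/www/html and the
# certificate paths are placeholders, not values from the thread.

Listen 80
Listen 443

# Server-wide default quoted in the first post: deny everything, then
# open up specific directories below.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

<Directory "/var/www/html">
    Order allow,deny
    Allow from all
</Directory>

# Content that must never be served over plain HTTP. SSLRequireSSL denies
# any request for this directory that did not arrive over SSL, whichever
# virtual host handled it. +StrictRequire keeps that denial in force even
# where "Satisfy any" is configured.
<Directory "/var/www/html/private">
    SSLOptions +StrictRequire
    SSLRequireSSL
</Directory>

# Port 80: no SSLEngine here, so connections are handled as plain HTTP.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/html"
</VirtualHost>

# Port 443: SSLEngine is switched on inside this virtual host only.
# Assumption: with "SSLEngine on" at server scope and no virtual hosts,
# port 80 also expects an SSL handshake, and mod_ssl answers plain
# requests with the "speaking plain HTTP to an SSL-enabled server port"
# page quoted earlier in the thread.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/var/www/html"
    SSLEngine on
    SSLCertificateFile    "/etc/httpd/conf/server.crt"
    SSLCertificateKeyFile "/etc/httpd/conf/server.key"
</VirtualHost>
```

Running apachectl -t checks the syntax, and apachectl -S prints which virtual host the server has bound to each address and port.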
