On Thu, Jul 12, 2012 at 9:08 AM, Mark Montague <mark@xxxxxxxxxxx> wrote: > On July 12, 2012 8:02 , Tom Browder <tom.browder@xxxxxxxxx> wrote: >> On Thu, Jul 12, 2012 at 6:37 AM, Nick Kew<nick@xxxxxxxxxxxx> wrote: >>> On 12 Jul 2012, at 12:02, Tom Browder wrote: >>> >>>> I want to have NO http traffic on my site. Is this the correct way to... ... > Nick's answer is the correct and literal answer. The "single solution for > HTTPS only" that you are looking for is: > > - Delete any Listen directive for port 80 and also > - Delete any VirtualHost stanza for port 80 (for example, your "<VirtualHost > *:80>" stanza. ... > The configuration you posted in your original message will accept HTTP > traffic and redirect all of it to the HTTPS virtual host. This is the > "standard" and "user friendly" solution that most sites which want to secure > all of their pages implement, but note that the initial redirects all occur > over HTTP and so you are still accepting some small amount of HTTP traffic. > The reasons you want to have no HTTP traffic on your site are important to > consider in order to choose the best overall solution: If port 80 is > blocked at your firewall, or if you are concerned about people taking > advantage of some theoretical (and unlikely) security hole in Apache HTTP > Server that is exploitable over HTTP but not over HTTPS, then you'd want the > solution Nick presented. Thanks for the reply, Mark. I like the "friendly" approach, but I made the statement. "I want to have NO http traffic on my site," because I saw in a post from a Mozilla Persona site a reference to another link that there is a possibility of a man-in-the-middle attack using it. Best regards, -Tom --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|