Re: How to serve https only? Is this correct?

If you want no traffic, don't listen.

Block on firewall w/ tcp-reject and don't use Apache to listen to http.

A more "friendly" way is to redirect via firewall all --dport 80 to --dport 443.

2012/7/12 Tom Browder <tom.browder@xxxxxxxxx>
On Thu, Jul 12, 2012 at 9:08 AM, Mark Montague <mark@xxxxxxxxxxx> wrote:
> On July 12, 2012 8:02 , Tom Browder <tom.browder@xxxxxxxxx> wrote:
>> On Thu, Jul 12, 2012 at 6:37 AM, Nick Kew<nick@xxxxxxxxxxxx>  wrote:
>>> On 12 Jul 2012, at 12:02, Tom Browder wrote:
>>>
>>>> I want to have NO http traffic on my site.  Is this the correct way to...
...
> Nick's answer is the correct and literal answer.  The "single solution for
> HTTPS only" that you are looking for is:
>
> - Delete any Listen directive for port 80 and also
> - Delete any VirtualHost stanza for port 80 (for example, your "<VirtualHost
> *:80>" stanza).
...
> The configuration you posted in your original message will accept HTTP
> traffic and redirect all of it to the HTTPS virtual host.  This is the
> "standard" and "user friendly" solution that most sites which want to secure
> all of their pages implement, but note that the initial redirects all occur
> over HTTP and so you are still accepting some small amount of HTTP traffic.
> The reasons you want to have no HTTP traffic on your site are important to
> consider in order to choose the best overall solution:   If port 80 is
> blocked at your firewall, or if you are concerned about people taking
> advantage of some theoretical (and unlikely) security hole in Apache HTTP
> Server that is exploitable over HTTP but not over HTTPS, then you'd want the
> solution Nick presented.

Thanks for the reply, Mark.

I like the "friendly" approach, but I made the statement, "I want to
have NO http traffic on my site," because I saw in a post from a
Mozilla Persona site a reference to another link that there is a
possibility of a man-in-the-middle attack using it.

Best regards,

-Tom

--
[]'s

Filipe Cifali Stangler
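
As an added example (not part of the thread and not code from any poster): a small Python check that reports the `Listen` directives and `<VirtualHost>` stanzas for port 80 that the quoted advice says to delete. The sample configuration, the `port_of` and `http_findings` names, and the hostname are constructed for illustration; the check reads a single config text and does not follow `Include` directives.

```python
import re

# Constructed sample (not the config posted in the thread).
SAMPLE_CONF = """\
Listen 80
Listen [::]:80
Listen 443 https
# Listen 80
<VirtualHost *:80>
    Redirect permanent / https://www.example.org/
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
</VirtualHost>
"""

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)


def port_of(addr):
    """Port from 'port', 'host:port' or '[v6]:port'; None if no port given."""
    tail = addr.rsplit("]", 1)[-1] if addr.startswith("[") else addr
    if ":" in tail:
        return tail.rsplit(":", 1)[1]
    return tail if tail.isdigit() else None


def http_findings(conf_text, port="80"):
    """Return (line_no, directive) pairs that bind or name `port`.

    Vhosts with a wildcard or omitted port are not flagged: they can only
    answer on port 80 while a Listen for that port remains.
    """
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # Apache comments occupy a whole line
        listen = LISTEN_RE.match(line)
        vhost = VHOST_RE.match(line)
        if listen and port_of(listen.group(1)) == port:
            findings.append((no, line.strip()))
        elif vhost and port in {port_of(a) for a in vhost.group(1).split()}:
            findings.append((no, line.strip()))
    return findings


if __name__ == "__main__":
    for no, text in http_findings(SAMPLE_CONF):
        print(f"line {no}: {text}")
```

An empty result means the file no longer binds or names port 80; confirming that nothing is listening on the running host is a separate check.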
