Re: redirect port from 80 to 443

Most of my hosts are HTTPS only - I do have one host that allows port 80 for a yum package repository, https isn't needed there because the packages themselves are signed and yum validates them on the client side before installing.

This is an example of what I do:

<VirtualHost 45.79.96.192:80>
ServerName librelamp.com
Redirect permanent / https://librelamp.com/
</VirtualHost>

<VirtualHost [2600:3c01::f03c:91ff:fee4:310c]:80>
ServerName librelamp.com
Redirect permanent / https://librelamp.com/
</VirtualHost>

<VirtualHost 45.79.96.192:80>
ServerName www.librelamp.com
Redirect permanent / https://librelamp.com/
</VirtualHost>

<VirtualHost [2600:3c01::f03c:91ff:fee4:310c]:80>
ServerName www.librelamp.com
Redirect permanent / https://librelamp.com/
</VirtualHost>

I also send the HSTS header and OCSP stapling and HSTS Preloading in Chrome, Edge, Firefox, and IE so that those clients will only ask for the secure version of any links to the domain.

All you have to do to get HSTS preloading is send the header and then submit the domain to Chrome for HSTS preloading. Once in Chrome, it fairly quickly is added to the others.

That is more secure than an Apache redirect because a request to port 80 and/or the response can be modified by a MITM but if the browser knows to only request the secure version, that is no longer an issue.

On 02/18/2017 12:02 PM, Dr James Smith wrote:
As I only run HTTPS - I have the following on port 80 - (this can't be
done with redirect)

<VirtualHost *:80>

  ...
  ...
  ...

  RewriteEngine on
  RewriteCond   %{REQUEST_URI}  !^/.well-known/acme-challenge
  RewriteRule   ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=permanent,L,NE]
</VirtualHost>

So I only have one port 80 configuration - even tho' I'm running
something like 30 sub-domains on one machine and 70 sub-domains on the
other...

{There is some other stuff associated with this - and I've got HSTS
headers set - and preloaded where I can - so most browsers won't hit the
port 80 anyway!}


On 18/02/2017 19:00, Daniel wrote:
Yes please, let's stay away from convoluted and most times unnecessary
mod_rewrite examples to do simpleton configurations.

If you are in virtualhost 80, you have specified servername correctly
and you just want to redirect to ssl, why not a single Redirect statement?

As Yann's referred document says:
Redirect / https://something.example.com/

Most people here know this but there are gazillions of web pages
referring to bad advice, duct tape solutions and convoluted ways of
using mod_rewrite for a simple redirection when placed in proper
context, we need to finish with that trend, and the best way is to
give simple, straight to the point examples "first".

The mod_rewrite example given, let's slice it out:
> RewriteCond %{HTTP_HOST} =www.example.com
> RewriteCond %{SERVER_PORT} =80
> RewriteRule ^(.*)$ https://www.example.com/$1 [R]

This clearly assumes it is a generic recipe in a .htaccess somewhere
which can be read from a non-SSL virtualhost or non-SSL virtualhost
(just to be ignored).

1º It checks the host name, but why? If you have defined a VirtualHost
with that servername and there are no conflicts the request is already
landing there.
2º It checks for port 80. But we are redirecting to SSL, so we are
already on port 80, why check it?
3º Can be replaced with a Redirect as mentioned above.

So instead of giving out recipes for .htaccess thought out for an
aging era or shared virtualhosting, let's recommend the ideal
virtualhost context recipe first as Yann proposed earlier:

Define the virtualhost with the names you serve.
<VirtualHost *:80>
ServerName something.example.com
Redirect / https://something.example.com/
</VirtualHost>

There is no guessing here, no unnecessary directives and it's hard to
miss or confuse with other directives and the context where it resides
is crystal clear.

Later on, when things need to be complicated, then I guess we can use
"If" or "mod_rewrite", and recommend it as needed.


2017-02-18 19:38 GMT+01:00 Richard <lists-apache@xxxxxxxxxxxxxxxxxxxxx>:



    > Date: Saturday, February 18, 2017 11:04:34 -0700
    > From: James Moe <jimoe@xxxxxxxxxxxxxx>
    >
    > On 02/18/2017 05:08 AM, Rodrigo Cunha wrote:
    >> i want redirect all request from port 80 to 443.
    >> what is better setting for fix this?
    >>
    >   Better than what?
    >   Fix? Is it broken?
    >
    > RewriteCond %{HTTP_HOST} =www.example.com
    > RewriteCond %{SERVER_PORT} =80
    > RewriteRule ^(.*)$ https://www.example.com/$1 [R]

    Perhaps, better than using a "rewrite"? See the documentation
    reference, given in an earlier post:

      <https://httpd.apache.org/docs/2.4/rewrite/avoid.html#redirect>

    that has this as a specific example of when/why to use a "redirect"
    rather than a "rewrite".



    ---------------------------------------------------------------------
    To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
    For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




--
*Daniel Ferradal*
IT Specialist

email         dferradal at gmail.com
linkedin     es.linkedin.com/in/danielferradal


-- The Wellcome Trust Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.
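
The top reply in this thread mentions sending the HSTS header and enabling OCSP stapling but shows only the port-80 redirects. The following Apache 2.4 configuration is an added example, not any poster's own setup, showing those pieces beside the redirect; example.com, the certificate paths and the stapling cache name and size are assumptions.

```apache
# Added example. Hostname, paths and cache size are placeholders.
# Needs mod_ssl, mod_headers and mod_socache_shmcb loaded.

# OCSP stapling. SSLStaplingCache is only valid at server level,
# outside any <VirtualHost>, so both directives are placed here.
SSLUseStapling on
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

# Port 80 does nothing except redirect, as recommended in the thread.
# A first plain-HTTP request can still be tampered with in transit;
# HSTS (below) is what stops the browser from making it at all.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # Since 2.4.8 the file may hold the leaf followed by the intermediates;
    # stapling needs the issuer certificate to build the OCSP request.
    SSLCertificateFile    /etc/pki/tls/certs/example.com.fullchain.pem
    SSLCertificateKeyFile /etc/pki/tls/private/example.com.key

    # Browsers ignore HSTS received over plain HTTP, so it is set only here.
    # "always" also covers error responses and redirects.
    # Preload submission expects max-age of at least one year (31536000 s),
    # includeSubDomains and the preload token on the base domain.
    # includeSubDomains binds every subdomain to HTTPS: confirm that all of
    # them serve valid TLS first, because removal from a preload list is slow.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>
```

Run `apachectl configtest` after editing, then check the response headers of the HTTPS site for `Strict-Transport-Security` before submitting the domain for preloading.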

