httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Browder <tom.brow...@gmail.com>
Subject Re: [users@httpd] How to serve https only? Is this correct?
Date Thu, 12 Jul 2012 15:03:44 GMT
On Thu, Jul 12, 2012 at 9:08 AM, Mark Montague <mark@catseye.org> wrote:
> On July 12, 2012 8:02 , Tom Browder <tom.browder@gmail.com> wrote:
>> On Thu, Jul 12, 2012 at 6:37 AM, Nick Kew<nick@webthing.com>  wrote:
>>> On 12 Jul 2012, at 12:02, Tom Browder wrote:
>>>
>>>> I want to have NO http traffic on my site.  Is this the correct way to...
...
> Nick's answer is the correct and literal answer.  The "single solution for
> HTTPS only" that you are looking for is:
>
> - Delete any Listen directive for port 80 and also
> - Delete any VirtualHost stanza for port 80 (for example, your "<VirtualHost
> *:80>" stanza.
...
> The configuration you posted in your original message will accept HTTP
> traffic and redirect all of it to the HTTPS virtual host.  This is the
> "standard" and "user friendly" solution that most sites which want to secure
> all of their pages implement, but note that the initial redirects all occur
> over HTTP and so you are still accepting some small amount of HTTP traffic.
> The reasons you want to have no HTTP traffic on your site are important to
> consider in order to choose the best overall solution:   If port 80 is
> blocked at your firewall, or if you are concerned about people taking
> advantage of some theoretical (and unlikely) security hole in Apache HTTP
> Server that is exploitable over HTTP but not over HTTPS, then you'd want the
> solution Nick presented.

Thanks for the reply, Mark.

I like the "friendly" approach, but I made the statement. "I want to
have NO http traffic on my site," because I saw in a post from a
Mozilla Persona site a reference to another link that there is a
possibility of a man-in-the-middle attack using it.

Best regards,

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message