Apache allowing HTTP access when should be redirected to HTTPS












2















I thought I'd followed the accepted wisdom in redirecting HTTP traffic to HTTPS, but following a DNS issue today, and having to use an IP address instead of the URL, I realise something's amiss.



Apache.conf:



<VirtualHost *:80>
ServerName 127.0.0.1

DocumentRoot /var/www/web
</VirtualHost>

<VirtualHost _default_:443>
ServerName example.com

DocumentRoot /var/www/web
SSLEngine On
SSLCertificateFile /etc/ssl/local_certs/example.com.pem
SSLCertificateKeyFile /etc/ssl/local_certs/example.com.pem.key
Header set Access-Control-Allow-Origin "*"
</VirtualHost>

<VirtualHost *:80>
ServerName example.com

Redirect permanent "/" "https://example.com/"
</VirtualHost>


Given the above I'm confused by several points:



1) If we're now using an IP address, why are any of the above ServerName specific virtual hosts serving a page? This would confuse me less if the IP address I'm using currently corresponded to the domain name (it should, but today it doesn't, DNS issue).



2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?



To explain the 127.0.0.1 host, this is a convenience for a local apt repository. I'm aware ServerName isn't 100% secure, but that's not an immediate concern.



What happens when I browse to the site by IP:



In the first instance I am redirected to HTTPS on the same IP address, which is what I might expect. But, if I go back the address bar in the browser and remove the 's' from https, it navigates me to the page on port 80 without a redirect, and I'm free to continue browsing the site unsecured.



I should add that the out-of-the-box enabled/available site config files do still exist, but these have a document root of /var/www/html, which contains nothing other than the default apache index.html landing page, which isn't what I'm served.










share|improve this question



























    2















    I thought I'd followed the accepted wisdom in redirecting HTTP traffic to HTTPS, but following a DNS issue today, and having to use an IP address instead of the URL, I realise something's amiss.



    Apache.conf:



    <VirtualHost *:80>
    ServerName 127.0.0.1

    DocumentRoot /var/www/web
    </VirtualHost>

    <VirtualHost _default_:443>
    ServerName example.com

    DocumentRoot /var/www/web
    SSLEngine On
    SSLCertificateFile /etc/ssl/local_certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/local_certs/example.com.pem.key
    Header set Access-Control-Allow-Origin "*"
    </VirtualHost>

    <VirtualHost *:80>
    ServerName example.com

    Redirect permanent "/" "https://example.com/"
    </VirtualHost>


    Given the above I'm confused by several points:



    1) If we're now using an IP address, why are any of the above ServerName specific virtual hosts serving a page? This would confuse me less if the IP address I'm using currently corresponded to the domain name (it should, but today it doesn't, DNS issue).



    2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?



    To explain the 127.0.0.1 host, this is a convenience for a local apt repository. I'm aware ServerName isn't 100% secure, but that's not an immediate concern.



    What happens when I browse to the site by IP:



    In the first instance I am redirected to HTTPS on the same IP address, which is what I might expect. But, if I go back the address bar in the browser and remove the 's' from https, it navigates me to the page on port 80 without a redirect, and I'm free to continue browsing the site unsecured.



    I should add that the out-of-the-box enabled/available site config files do still exist, but these have a document root of /var/www/html, which contains nothing other than the default apache index.html landing page, which isn't what I'm served.










    share|improve this question

























      2












      2








      2








      I thought I'd followed the accepted wisdom in redirecting HTTP traffic to HTTPS, but following a DNS issue today, and having to use an IP address instead of the URL, I realise something's amiss.



      Apache.conf:



      <VirtualHost *:80>
      ServerName 127.0.0.1

      DocumentRoot /var/www/web
      </VirtualHost>

      <VirtualHost _default_:443>
      ServerName example.com

      DocumentRoot /var/www/web
      SSLEngine On
      SSLCertificateFile /etc/ssl/local_certs/example.com.pem
      SSLCertificateKeyFile /etc/ssl/local_certs/example.com.pem.key
      Header set Access-Control-Allow-Origin "*"
      </VirtualHost>

      <VirtualHost *:80>
      ServerName example.com

      Redirect permanent "/" "https://example.com/"
      </VirtualHost>


      Given the above I'm confused by several points:



      1) If we're now using an IP address, why are any of the above ServerName specific virtual hosts serving a page? This would confuse me less if the IP address I'm using currently corresponded to the domain name (it should, but today it doesn't, DNS issue).



      2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?



      To explain the 127.0.0.1 host, this is a convenience for a local apt repository. I'm aware ServerName isn't 100% secure, but that's not an immediate concern.



      What happens when I browse to the site by IP:



      In the first instance I am redirected to HTTPS on the same IP address, which is what I might expect. But, if I go back the address bar in the browser and remove the 's' from https, it navigates me to the page on port 80 without a redirect, and I'm free to continue browsing the site unsecured.



      I should add that the out-of-the-box enabled/available site config files do still exist, but these have a document root of /var/www/html, which contains nothing other than the default apache index.html landing page, which isn't what I'm served.










      share|improve this question














      I thought I'd followed the accepted wisdom in redirecting HTTP traffic to HTTPS, but following a DNS issue today, and having to use an IP address instead of the URL, I realise something's amiss.



      Apache.conf:



      <VirtualHost *:80>
      ServerName 127.0.0.1

      DocumentRoot /var/www/web
      </VirtualHost>

      <VirtualHost _default_:443>
      ServerName example.com

      DocumentRoot /var/www/web
      SSLEngine On
      SSLCertificateFile /etc/ssl/local_certs/example.com.pem
      SSLCertificateKeyFile /etc/ssl/local_certs/example.com.pem.key
      Header set Access-Control-Allow-Origin "*"
      </VirtualHost>

      <VirtualHost *:80>
      ServerName example.com

      Redirect permanent "/" "https://example.com/"
      </VirtualHost>


      Given the above I'm confused by several points:



      1) If we're now using an IP address, why are any of the above ServerName specific virtual hosts serving a page? This would confuse me less if the IP address I'm using currently corresponded to the domain name (it should, but today it doesn't, DNS issue).



      2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?



      To explain the 127.0.0.1 host, this is a convenience for a local apt repository. I'm aware ServerName isn't 100% secure, but that's not an immediate concern.



      What happens when I browse to the site by IP:



      In the first instance I am redirected to HTTPS on the same IP address, which is what I might expect. But, if I go back the address bar in the browser and remove the 's' from https, it navigates me to the page on port 80 without a redirect, and I'm free to continue browsing the site unsecured.



      I should add that the out-of-the-box enabled/available site config files do still exist, but these have a document root of /var/www/html, which contains nothing other than the default apache index.html landing page, which isn't what I'm served.







      apache-2.2 ssl






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 3 hours ago









      whoaskedwhoasked

      276




      276






















          2 Answers
          2






          active

          oldest

          votes


















          3














          Quote from the documentation:




          If no matching ServerName or ServerAlias is found in the set of virtual hosts containing the most specific matching IP address and port combination, then the first listed virtual host that matches that will be used.




          (highlighting not by me).



          In other words, Apache will always use one of the VirtualHosts, even if none of the configured VirtualHosts matches exactly. Not configuring an address does not mean that the address is not server some content.



          (Note: only after posting this I realized that the question is tagged with apache-2.2, but the 2.2 documentation contains a virtually identical paragraph).






          share|improve this answer
























          • Ok, so move 443 to the top would be safest in my situation?

            – whoasked
            3 hours ago











          • No, it would not make any difference. You will have to configure a virtualhost for the IP address, or a default virtualhost that is used for everything that isn't configured specifically. Remember, anybody can point any domain that he owns to your IP address.

            – Gerald Schneider
            3 hours ago











          • So if the bottom host became <VirtualHost *:*>? Sorry to press I'll go back to google ...

            – whoasked
            3 hours ago











          • No, for every address that is not configured the first virtualhost (with the same port) will be used.

            – Gerald Schneider
            3 hours ago





















          3















          2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?




          Because you don't bind/restrict Apache httpd to the loopback interface specifically, and listen to all interfaces.



          You probably have a Listen 80 directive elsewhere in your httpd.conf that allows Apache to accept traffic to port 80 on all interfaces. (You probably want to keep that to be able to continue to Redirect from HTTP to HTTPS on your internet facing website(s)).



          Additionally you use <VirtualHost *:80> in your Virtual Host definitions. That makes them valid on all interfaces/ip-addresses. As Gerald Scneider already explained that then makes the first VirtualHost entry the default that will handle all requests that don't match any of your other VirtualHost entries.



          Your use case is good example on when to use more specific IP-based VirtualHost definitions that will more predictably behave in the way you intend them:



          <VirtualHost 127.0.0.1:80>
          ServerName 127.0.0.1
          DocumentRoot /var/www/web
          </VirtualHost>


          <VirtualHost example.com:80>
          ServerName example.com
          Redirect permanent "/" "https://example.com/"
          </VirtualHost>





          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "2"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f949512%2fapache-allowing-http-access-when-should-be-redirected-to-https%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            3














            Quote from the documentation:




            If no matching ServerName or ServerAlias is found in the set of virtual hosts containing the most specific matching IP address and port combination, then the first listed virtual host that matches that will be used.




            (highlighting not by me).



            In other words, Apache will always use one of the VirtualHosts, even if none of the configured VirtualHosts matches exactly. Not configuring an address does not mean that the address is not server some content.



            (Note: only after posting this I realized that the question is tagged with apache-2.2, but the 2.2 documentation contains a virtually identical paragraph).






            share|improve this answer
























            • Ok, so move 443 to the top would be safest in my situation?

              – whoasked
              3 hours ago











            • No, it would not make any difference. You will have to configure a virtualhost for the IP address, or a default virtualhost that is used for everything that isn't configured specifically. Remember, anybody can point any domain that he owns to your IP address.

              – Gerald Schneider
              3 hours ago











            • So if the bottom host became <VirtualHost *:*>? Sorry to press I'll go back to google ...

              – whoasked
              3 hours ago











            • No, for every address that is not configured the first virtualhost (with the same port) will be used.

              – Gerald Schneider
              3 hours ago


















            3














            Quote from the documentation:




            If no matching ServerName or ServerAlias is found in the set of virtual hosts containing the most specific matching IP address and port combination, then the first listed virtual host that matches that will be used.




            (highlighting not by me).



            In other words, Apache will always use one of the VirtualHosts, even if none of the configured VirtualHosts matches exactly. Not configuring an address does not mean that the address is not server some content.



            (Note: only after posting this I realized that the question is tagged with apache-2.2, but the 2.2 documentation contains a virtually identical paragraph).






            share|improve this answer
























            • Ok, so move 443 to the top would be safest in my situation?

              – whoasked
              3 hours ago











            • No, it would not make any difference. You will have to configure a virtualhost for the IP address, or a default virtualhost that is used for everything that isn't configured specifically. Remember, anybody can point any domain that he owns to your IP address.

              – Gerald Schneider
              3 hours ago











            • So if the bottom host became <VirtualHost *:*>? Sorry to press I'll go back to google ...

              – whoasked
              3 hours ago











            • No, for every address that is not configured the first virtualhost (with the same port) will be used.

              – Gerald Schneider
              3 hours ago
















            3












            3








            3







            Quote from the documentation:




            If no matching ServerName or ServerAlias is found in the set of virtual hosts containing the most specific matching IP address and port combination, then the first listed virtual host that matches that will be used.




            (highlighting not by me).



            In other words, Apache will always use one of the VirtualHosts, even if none of the configured VirtualHosts matches exactly. Not configuring an address does not mean that the address is not server some content.



            (Note: only after posting this I realized that the question is tagged with apache-2.2, but the 2.2 documentation contains a virtually identical paragraph).






            share|improve this answer













            Quote from the documentation:




            If no matching ServerName or ServerAlias is found in the set of virtual hosts containing the most specific matching IP address and port combination, then the first listed virtual host that matches that will be used.




            (highlighting not by me).



            In other words, Apache will always use one of the VirtualHosts, even if none of the configured VirtualHosts matches exactly. Not configuring an address does not mean that the address is not server some content.



            (Note: only after posting this I realized that the question is tagged with apache-2.2, but the 2.2 documentation contains a virtually identical paragraph).







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered 3 hours ago









            Gerald SchneiderGerald Schneider

            6,10312345




            6,10312345













            • Ok, so move 443 to the top would be safest in my situation?

              – whoasked
              3 hours ago











            • No, it would not make any difference. You will have to configure a virtualhost for the IP address, or a default virtualhost that is used for everything that isn't configured specifically. Remember, anybody can point any domain that he owns to your IP address.

              – Gerald Schneider
              3 hours ago











            • So if the bottom host became <VirtualHost *:*>? Sorry to press I'll go back to google ...

              – whoasked
              3 hours ago











            • No, for every address that is not configured the first virtualhost (with the same port) will be used.

              – Gerald Schneider
              3 hours ago





















            • Ok, so move 443 to the top would be safest in my situation?

              – whoasked
              3 hours ago











            • No, it would not make any difference. You will have to configure a virtualhost for the IP address, or a default virtualhost that is used for everything that isn't configured specifically. Remember, anybody can point any domain that he owns to your IP address.

              – Gerald Schneider
              3 hours ago











            • So if the bottom host became <VirtualHost *:*>? Sorry to press I'll go back to google ...

              – whoasked
              3 hours ago











            • No, for every address that is not configured the first virtualhost (with the same port) will be used.

              – Gerald Schneider
              3 hours ago



















            Ok, so move 443 to the top would be safest in my situation?

            – whoasked
            3 hours ago





            Ok, so move 443 to the top would be safest in my situation?

            – whoasked
            3 hours ago













            No, it would not make any difference. You will have to configure a virtualhost for the IP address, or a default virtualhost that is used for everything that isn't configured specifically. Remember, anybody can point any domain that he owns to your IP address.

            – Gerald Schneider
            3 hours ago





            No, it would not make any difference. You will have to configure a virtualhost for the IP address, or a default virtualhost that is used for everything that isn't configured specifically. Remember, anybody can point any domain that he owns to your IP address.

            – Gerald Schneider
            3 hours ago













            So if the bottom host became <VirtualHost *:*>? Sorry to press I'll go back to google ...

            – whoasked
            3 hours ago





            So if the bottom host became <VirtualHost *:*>? Sorry to press I'll go back to google ...

            – whoasked
            3 hours ago













            No, for every address that is not configured the first virtualhost (with the same port) will be used.

            – Gerald Schneider
            3 hours ago







            No, for every address that is not configured the first virtualhost (with the same port) will be used.

            – Gerald Schneider
            3 hours ago















            3















            2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?




            Because you don't bind/restrict Apache httpd to the loopback interface specifically, and listen to all interfaces.



            You probably have a Listen 80 directive elsewhere in your httpd.conf that allows Apache to accept traffic to port 80 on all interfaces. (You probably want to keep that to be able to continue to Redirect from HTTP to HTTPS on your internet facing website(s)).



            Additionally you use <VirtualHost *:80> in your Virtual Host definitions. That makes them valid on all interfaces/ip-addresses. As Gerald Scneider already explained that then makes the first VirtualHost entry the default that will handle all requests that don't match any of your other VirtualHost entries.



            Your use case is good example on when to use more specific IP-based VirtualHost definitions that will more predictably behave in the way you intend them:



            <VirtualHost 127.0.0.1:80>
            ServerName 127.0.0.1
            DocumentRoot /var/www/web
            </VirtualHost>


            <VirtualHost example.com:80>
            ServerName example.com
            Redirect permanent "/" "https://example.com/"
            </VirtualHost>





            share|improve this answer




























              3















              2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?




              Because you don't bind/restrict Apache httpd to the loopback interface specifically, and listen to all interfaces.



              You probably have a Listen 80 directive elsewhere in your httpd.conf that allows Apache to accept traffic to port 80 on all interfaces. (You probably want to keep that to be able to continue to Redirect from HTTP to HTTPS on your internet facing website(s)).



              Additionally you use <VirtualHost *:80> in your Virtual Host definitions. That makes them valid on all interfaces/ip-addresses. As Gerald Scneider already explained that then makes the first VirtualHost entry the default that will handle all requests that don't match any of your other VirtualHost entries.



              Your use case is good example on when to use more specific IP-based VirtualHost definitions that will more predictably behave in the way you intend them:



              <VirtualHost 127.0.0.1:80>
              ServerName 127.0.0.1
              DocumentRoot /var/www/web
              </VirtualHost>


              <VirtualHost example.com:80>
              ServerName example.com
              Redirect permanent "/" "https://example.com/"
              </VirtualHost>





              share|improve this answer


























                3












                3








                3








                2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?




                Because you don't bind/restrict Apache httpd to the loopback interface specifically, and listen to all interfaces.



                You probably have a Listen 80 directive elsewhere in your httpd.conf that allows Apache to accept traffic to port 80 on all interfaces. (You probably want to keep that to be able to continue to Redirect from HTTP to HTTPS on your internet facing website(s)).



                Additionally you use <VirtualHost *:80> in your Virtual Host definitions. That makes them valid on all interfaces/ip-addresses. As Gerald Scneider already explained that then makes the first VirtualHost entry the default that will handle all requests that don't match any of your other VirtualHost entries.



                Your use case is good example on when to use more specific IP-based VirtualHost definitions that will more predictably behave in the way you intend them:



                <VirtualHost 127.0.0.1:80>
                ServerName 127.0.0.1
                DocumentRoot /var/www/web
                </VirtualHost>


                <VirtualHost example.com:80>
                ServerName example.com
                Redirect permanent "/" "https://example.com/"
                </VirtualHost>





                share|improve this answer














                2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?




                Because you don't bind/restrict Apache httpd to the loopback interface specifically, and listen to all interfaces.



                You probably have a Listen 80 directive elsewhere in your httpd.conf that allows Apache to accept traffic to port 80 on all interfaces. (You probably want to keep that to be able to continue to Redirect from HTTP to HTTPS on your internet facing website(s)).



                Additionally you use <VirtualHost *:80> in your Virtual Host definitions. That makes them valid on all interfaces/ip-addresses. As Gerald Scneider already explained that then makes the first VirtualHost entry the default that will handle all requests that don't match any of your other VirtualHost entries.



                Your use case is good example on when to use more specific IP-based VirtualHost definitions that will more predictably behave in the way you intend them:



                <VirtualHost 127.0.0.1:80>
                ServerName 127.0.0.1
                DocumentRoot /var/www/web
                </VirtualHost>


                <VirtualHost example.com:80>
                ServerName example.com
                Redirect permanent "/" "https://example.com/"
                </VirtualHost>






                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 2 hours ago









                HBruijnHBruijn

                53.1k1087144




                53.1k1087144






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Server Fault!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f949512%2fapache-allowing-http-access-when-should-be-redirected-to-https%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Magento 2 controller redirect on button click in phtml file

                    Polycentropodidae