Disable HTTP for a Virtual Host

Hello!

Does anyone know if it is possible through VirtualMin to disable HTTP altogether for a single Virtual Host. For example, I have a listener for HTTPS on 443 but I do not want the vhost to respond on 80.

I know I could rewrite to HTTPS but infact I do not want that at all, I don’t want port 80 to work at all for that vhost.

Hope that makes sense!

Regards,

Chris

Thanks for your comments. It is quite a common requirement that content you are serving over a secure HTTPS protocol does not want to be accessible via non-encrypted HTTP for security reasons. Or maybe I am missing the point?

I don’t think Virtualmin directly supports a vserver to have https but not http. You’d need to manually edit the Apache virtual server file and e.g. remove the port 80 section. Can’t say though what effect that has on Virtualmin’s functions.

Why exactly don’t you want that domain to respond to http? You could just leave the port 80 section in and use an empty directory as DocumentRoot. Then anyone requesting the page via http will get a Permission Denied error. That’s just as good as making Apache not react at all. In fact, if you turn off port 80 for that site, Apache will instead serve the default host if a user requests it. You cannot change that behavior.

Yes that’s right, but in that case you WOULD just do a redirect from HTTP to HTTPS. :slight_smile:

What should Apache do exactly in your view if it does receive a request for the domain in question on port 80? It will react and deliver something, except you want to turn off http on port 80 altogether for all domains. And what it delivers is either the requested site, or if that site is not known on port 80, it will deliver the alphabetically first domain in your list that is known on port 80.

That would probably cause even more confusion, if a different site shows up than the requested one. So the best solution is to keep HTTP active for that domain, and either make a custom error page, leave the DocumentRoot empty (causing an “access denied” error), or do a redirect to HTTPS (which is the most comfortable thing for users).

Yes, I understand, it will return the default vhost on 80 - that’s no problem, as long as it doesn’t serve the content for HTTPS over HTTP or redirect.

I specifically do not want to redirect using htaccess, its just another unnecessary port open for that site. I am running HTTPS on a non-standard port that will not be published, so I don’t want anyone finding that by just going to HTTP. I just don’t want that vhost listening on 80, that’s all my requirement is.

I could manually edit the apache config as you say but I expect that could get overridden, or cause issues later on.

I guess I’ll just have to change HTTP away from being standard port 80 to something else, and add the redirect. But that is a bit of a bodge.

Thanks for your thoughts.

I also understand your points for users, but this isn’t for user’s to access, its for security.

In that case, as I said, just modify the DocumentRoot of the port 80 vhost to an empty directory. That is a change which will not interfere with Virtualmin, as opposed to completely removing the vhost. Then you have no redirect, and even though the domain still reacts on port 80, it will not serve the actual site.

A user requesting the site will then get an error, which is just as good as getting delivered the default vhost. The user won’t be able to tell where the result came from.

Interestingly , virtualmin it’s self appears to have a ‘separate’ listener for HTTP on 10000 which says “Bad Request” and gives a link for HTTPS, no redirect. So presumably this could be disabled in the same way.

Virtualmin (or rather Webmin) uses a custom webserver, and not Apache, that’s right. Would be a bad idea to use Apache for a web interface that is/can be used to configure/stop/restart Apache. :slight_smile: In Webmin, you can configure whether to have an HTTP->HTTPS redirect or not. But that has no influence on Apache.

In Apache, you cannot “disable” port 80 for just one site. All you can do is remove the vhost entry, causing it to deliver the default vhost instead. But changing the DocumentRoot, as I said, basically has the same effect of not getting the actual site on port 80, without interfering with Virtualmin’s regular operations. There are other ways of course, e.g. using “Deny from all”, as long as you don’t remove the whole vhost. That would probably quite confuse Virtualmin.

Also, if this is mostly about security (by obscurity) and not comfort, it’s indeed recommended to change both the default HTTPS and HTTP port from 443/80.

Thanks for your help and advice.