Redirect default HTTPS request (port 443) to a different port with HTTPS

Hello everybody,

today I’ve been experiencing this problem.

I have circa 10 domains sharing one self-signed SSL certificate. This morning I decided to create a virtualhost with a non-shared certificate, signed by a CA. As everybody knows, the only way(s) is to assign private IP or run HTTPS on a different port. The different port was a way I decided to try…

So I set port 444 instead of 443, I got a free signed certificate and installed it via Virtualmin’s environment ‘Manage SSL Certificate’. Everything is fine and working well. My URL https://www.example.com:444 reports signed and verified certificate. But…

The problem I want to solve is, when somebody tries https://www.example.com (without specified port), he is transferred to the first SSL enabled virtualhost with self-signed cert which means in some browsers ‘red error’ :confused: He is still on domain https://www.example.com, but he views the content of the other virtualhost. So my first idea (and I guess yours too) is simply redirect all requests @https://www.example.com TO https://www.example.com:444 – seems like an easy job :-), but…

I didn’t figure out how to get this to work properly, so I want to ask you, please, don’t you know how to?

I TRIED:

  1. Adding a virtualhost listening on 443 to the apache conf of this new virtual, and via RewriteRules redirecting all requests to the URL with :444 port. It ‘works’ at half, because the browser first asks on self-signed cert = error. No clean way.
  2. Adding redirect rules to the first SSL enabled virtualhost, this works the same way as 1)

I have some suspicion that this might solve some proxying, but I have absolutely no skills with it, so thanks for any help.

(+little question for the end, is it somehow possible to show https://example.com:444 content without the port being visible?)

Howdy,

Yeah, the problem is that using an alternate port for SSL isn’t the best way to handle that, using a dedicated IP is the best way to provide SSL for a domain.

The trouble is that the SSL connection is negotiated before any content or configuration is read – so it’s not actually possible to solve the problem you’re describing.

That is, if someone connects to https://example.com, you could add in a .htaccess file or similar to redirect the user to port 444, but they will always receive an SSL warning before that redirect occurs.

Now, you could add a redirect so that someone connecting to port 80 for that domain is redirected to port 444, but it’s not possible to do that with port 443 in a way that prevents a warning from popping up.

My suggestion would be to splurge on a new IP address for this particular domain, that would solve all the problems you’re describing above :slight_smile:

-Eric

I’m thinking about one possible solution:

  1. disable all ‘shared’ SSL

  2. set only one virtual with SSL on port 443 with signed cert!

  3. on this one virtual set all the other redirects (eg. https://example.com to https://example.com:444)

  4. every other virtual, where we want SSL and we have no private IP available, we set some unique port for SSL

This I guess can work without any errors. But the point still is: is there any other way, how to redirect the https request before it gets on the apache conf?

Another thing that should be considered: Is it better to have self-signed HTTPS on the default port 443, or have signed by CA on non-standard port? (I suppose the unavailability of IP addresses) What is more secure (no matter how difficult setting is)?

Thank you for your opinions…

I don’t think what you try can be done.

But regarding your statement:

“As everybody knows, the only way(s) is to assign private IP or run HTTPS on a different port.”

this is not correct. Newer versions of Apache come with a mod_ssl version that supports SNI (“name-based SSL”), which works pretty much with all modern browsers. Maybe sufficient in your case?
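
The name-based SSL setup mentioned in the last reply, as an added example that is not part of the original thread. It assumes an Apache whose mod_ssl and OpenSSL were built with SNI support; shared.example.net and every file path are placeholders.

```apache
# Added example: two HTTPS virtual hosts on one IP address and port 443,
# each presenting its own certificate, selected by the SNI hostname.
# shared.example.net and all /placeholder/... paths are assumptions.
Listen 443

# Required on Apache 2.2; deprecated and without effect on Apache 2.4.
NameVirtualHost *:443

# off: a client that sends no SNI hostname is served by the first vhost below
#      (and therefore sees that vhost's certificate).
# on:  such a client is refused instead of being shown the wrong certificate.
SSLStrictSNIVHostCheck off

# The first vhost defined for *:443 is the default for non-SNI clients.
<VirtualHost *:443>
    ServerName shared.example.net
    DocumentRoot /placeholder/shared/public_html
    SSLEngine on
    SSLCertificateFile    /placeholder/ssl/shared-selfsigned.crt
    SSLCertificateKeyFile /placeholder/ssl/shared-selfsigned.key
</VirtualHost>

# The domain with the CA-signed certificate, back on the standard port.
# The certificate must cover every name listed in ServerName/ServerAlias.
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /placeholder/example.com/public_html
    SSLEngine on
    SSLCertificateFile      /placeholder/ssl/example.com.crt
    SSLCertificateKeyFile   /placeholder/ssl/example.com.key
    # Intermediate CA certificates supplied by the issuing CA
    SSLCertificateChainFile /placeholder/ssl/example.com-chain.crt
</VirtualHost>
```

To check which certificate each name receives, compare the output of `openssl s_client -connect www.example.com:443 -servername www.example.com` with the same command run without `-servername`.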