serving both http and https pages on same site

Asked by Iain Houston on 2009-05-31

I am very happily testing my application on my Jaunty Apache2 server - thanks to many brilliant how-to articles it's been a breeze.
I started with just the http server; then I enabled an additional ssl-enabled server to serve my https pages but I doubt I really need two servers?
When I take this application live - (I think it's destined for an IIS server) - I assume I will migrate only one document root directory structure .... whereas I have two servers now - one answering to port 80 https and one answering to port 443 for https requests ... and some pages are on both servers. BTW both servers in /etc/apache2/sites-enabled point to exactly the same document root structure.
Obviously many sites around the world serve some http pages and some https pages. So what is the recommended solution - to have two servers - one ssl-enabled and one not .... then what about index.html which shouldn't require a new visitor to type https://<mysite>.index.html - or even know we have a secure server until we establish a secure connection with her?
Can you spell out clearly what the usual solution is?
(I did read about redirection or rewriting rules but didn't know if they are relevant ... or fully understand the cryptic discussion)

Many many thanks!

FYI I need https files for a) authenticated callbacks from PayPal and for image files that PayPal will use to serve pages for visitors / customers to our e-commerce site and b) encrypted interactions with the administrator of the site.

Question information

Language: English
Status: Solved
For: Ubuntu apache2
Assignee: No assignee
Solved by: Steven Danna
Solved: 2009-06-01
Last query: 2009-06-01
Last reply: 2009-05-31

Steven Danna (ssd7) said : #1
Iain Houston (iainhouston) said : #2

Thanks Steve. Yes, I think I've seen both these articles - or something very similar.
It's really the bit at the end of the first article that raises the questions for me?
Does the poster have two servers? He gives the rewrite rule that 'directs http requests to his https server'.
Or can I disable my current http server; add the rewrite rule and have just the one (ssl-enabled) server serving all the requests?

I am almost there - but still don't fully understand. i.e. Where does the rewrite rule go? He's still a bit cryptic for me. He says:
"Sometimes I want visitors to be able to access the URL and not have to specify "https" or port 443 and be automatically re-routed to the secure site. I use mod_rewrite in an .htaccess file to redirect the user:
=========
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{SERVER_PORT} !443
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L]
========="

Iain Houston (iainhouston) said : #3

Just to be quite clear. Both my servers are indeed Virtual Servers in the same Ubuntu Jaunty Apache2 image. They both point to exactly the same document root. One server serves port 80; the other 443.
Question is: Are two (virtual) servers necessary or can I disable one and (with the request rewriting rule) serve both http and https requests on the same (virtual, and ssl-enabled) server?

Best Steven Danna (ssd7) said : #4

That snippet is actually from a comment to the article and not the article itself. Basically I believe what that would do is redirect people who don't specify https:// to the ssl site anyway.

I believe if you follow the directions in the first article you can just restart the one server reading the config file it instructs you to make and then no longer start the other one, provided that you have set up two virtual servers as the article instructs.

Iain Houston (iainhouston) said : #5

Thanks again Steve. Was rereading the article again.
If I follow you (and my rereading of the article) then I will have two VirtualHost specifications in the same file in /etc/apache2/sites-enabled ... rather than two separate files in /etc/apache2/sites-enabled as I have right now. In any case it's the same Apache2 managing two virtual hosts ... both setups apparently work. I may stick with what I've got since the contents of my Ubuntu (default-cloned) configuration is amazingly different from the one in the article. So I won't be following the directions in the
I may try this rewriting rule thing but after a bit more research as the Apache documentation says: "Any configuration that you would consider putting in a .htaccess file, can just as effectively be made in a <Directory> section in your main server configuration file." and they recommend against .htaccess files unless you can't get access to the configuration file.
Indeed, my configuration file has "AllowOverride None" which disables .htaccess files (OK I know that wasn't the main drift of the article) ... I think I need to look into this some more.

Iain Houston (iainhouston) said : #6

Steve, Thanks for encouraging me to follow the gist of the article. All working as I want, now.
For the record: I did specify both VirtualHosts in the same file in /etc/apache2/sites-available and enabled it into sites-enabled.
The http VirtualHost on port 80 does nothing except rewrite http requests as http requests according to the rewrite rules specified in the <Directory> directive of the document root (as .htaccess is not allowed by my VirtualHost definitions).
I am happy to post the exact files if anyone's interested as they vary a little from the article's.
For example, most <Directory> and other directives are outside of the VirtualHost definitions.

Iain Houston (iainhouston) said : #7

Thanks Steven Danna, that solved my question.

Linda Poppleton (ljp2) said : #8

Iain, you said you'd "be happy to post the exact file if anyone's interested"? I am trying to set this up on an Apache 2 webserver and I would be very interested in seeing your relevant config files. You can email them directly if you don't want to post them here. <email address hidden>
THANKS.

Iain Houston (iainhouston) said : #9

Linda. I'll email you or post later today. Iain.

Iain Houston (iainhouston) said : #10

In the end I've taken a slightly different approach without needing the rewrite rule.
The application doesn't really need all that many pages to be served https, so I've kept those that do need to be secure in a separate directory completely. And now no page needs to be served both http and https.
For interest this is my configuration:
 ServerAdmin <email address hidden>
 <Directory />
  Options FollowSymLinks
  AllowOverride None
 </Directory>
 ErrorLog /var/log/apache2/error.log
 LogLevel warn
 CustomLog /var/log/apache2/ssl_access.log combined
<VirtualHost *:80>
 DocumentRoot /home/iain/websites/<mywebsite>/html
 <Directory /home/iain/websites/<mywebsite>t/html>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride None
  Order allow,deny
  allow from all
 </Directory>
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
 DocumentRoot /home/iain/websites/<mywebsite>t/ssl-html
 <Directory /home/iain/websites/<mywebsite>/html-ssl>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride None
  Order allow,deny
  allow from all
 </Directory>
 SSLEngine on
 SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
 SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
 <FilesMatch "\.(cgi|shtml|phtml|php)$">
  SSLOptions +StdEnvVars
 </FilesMatch>
 BrowserMatch ".*MSIE.*" \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0

</VirtualHost>
</IfModule>

Iain Houston (iainhouston) said : #11

Update:
1) Typo: of course the path of DocumentRoot /home/iain/websites/<mywebsite>t/ssl-html should be the same as the <Directory /home/iain/websites/<mywebsite>/ssl-html>
2) In answer to my question above - if you are going to use the rewrite rule it gets inserted in the <Directory ....> entry from which you wish to redirect the incoming http pages (now to be served as https pages) e.g. in the above example I would insert it in the entry for the Virtual Server serving pages on port 80; namely below the text line: <Directory /home/iain/websites/<mywebsite>/html>
Hope that helps someone.
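
The arrangement discussed in #6 and #11 (both VirtualHosts in one site file, with the redirect placed in the port-80 `<Directory>` section because `AllowOverride None` rules out .htaccess), as an added example that is not one of the files posted in this thread. `www.example.com` and `<mywebsite>` are placeholders, and the single shared document root is an assumption taken from the original question.

```apache
# Added example, not the poster's actual file.
# Assumes mod_rewrite and mod_ssl are enabled (a2enmod rewrite ssl).
# www.example.com and <mywebsite> are placeholders.

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /home/iain/websites/<mywebsite>/html

    <Directory /home/iain/websites/<mywebsite>/html>
        # Per-directory rewriting only works with FollowSymLinks enabled.
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all

        RewriteEngine On
        # Match only requests that arrived without TLS.
        RewriteCond %{HTTPS} !=on
        # A fixed host name is used instead of %{HTTP_HOST}, so the redirect
        # target does not depend on the client-supplied Host header.
        # R=301 makes the redirect explicit and permanent.
        RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
    </Directory>
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.example.com
    # Same document root as the port-80 host; no rewrite rule here.
    DocumentRoot /home/iain/websites/<mywebsite>/html

    <Directory /home/iain/websites/<mywebsite>/html>
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    SSLEngine on
    # Ubuntu's self-signed test certificate, as in the configuration above.
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
</IfModule>
```

Run `apache2ctl configtest` before reloading. To send only some pages to https, narrow the `RewriteRule` pattern from `^` to the sub-path that needs it.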