Posted to users@httpd.apache.org by Thomas Antony <th...@antony.eu> on 2007/12/10 11:29:59 UTC

[users@httpd] plain HTTP to an SSL-enabled server port

Hi,

I bought a Thawte certificate and configured that in Apache 2.2 with an 
IP-based virtual host.
SSL is working fine but every time I open the site with http:// I get 
this error message displayed:

Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
  Hint: https://www.example.com

The website should be reachable with http and https and no error message 
should be displayed.
Which directive has to be set to get both working?


regards,
Thomas Antony

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] plain HTTP to an SSL-enabled server port

Posted by Axel-Stephane SMORGRAV <Ax...@europe.adp.com>.
Strictly speaking you are right about not needing two virtual hosts. One virtual host would be sufficient e.g. for the SSL stuff. Although there may not be any technical reason that requires it, I personally like to do things with virtual hosts rather than at the server config level. I therefore suggested two VH without even thinking...

What I provided was the bare minimum to make it work for you. If you want to log to different log files, it's up to you to add the adequate CustomLog and ErrorLog directives to each of the virtual hosts. You may use a different log format for SSL in which you add information about the ciphersuite if required.

-ascs
 
-----Original Message-----
From: Thomas Antony [mailto:thomas@antony.eu] 
Sent: Monday, 10 December 2007 12:30
To: users@httpd.apache.org
Subject: Re: [users@httpd] plain HTTP to an SSL-enabled server port

Hi,

This works.
Is there a technical reason why I need 2 virtual hosts instead of one?
Is it safe that both virtual hosts share the same log files?



>  You need to create 2 virtual hosts: one for port 80 where SSL is NOT enabled, and one on port 443 where SSL is enabled. You will also need two Listen directives: one for each of ports 80 and 443.
> 
> Listen *:80
> Listen *:443
> 
> <VirtualHost *:443>
> 
>    ServerName my.server.com:443   
> 
>    SSLCertificateFile /sslcerts/crt/my.server.com.crt
>    SSLCertificateKeyFile /sslcerts/key/my.server.com.key
>    SSLEngine on
> 
> </VirtualHost>                                  
> 
> <VirtualHost *:80>
> 
>    ServerName my.server.com:80   
> 
>    SSLEngine off
> 
> </VirtualHost>                                  


Re: [users@httpd] plain HTTP to an SSL-enabled server port

Posted by Thomas Antony <th...@antony.eu>.
> Because HTTPS and HTTP are two different protocols.
> 
> HTTPS is a protocol that encapsulates HTTP. That is, when you type in an
> HTTPS URL in a browser, it first tries to establish an SSL-session with
> the server's mod_ssl engine. Once that's up, the browser and server then
> use HTTP in the normal way, but each frame is encrypted and decrypted at
> the interfaces. So at the start of a session, the server listening on
> port 443 is an HTTPS server and cannot receive plain HTTP requests. So
> you need a second VH to listen to HTTP traffic and redirect it to HTTPS.
> 

Hi,

Thank you for the answer.


regards,
Thomas


RE: [users@httpd] plain HTTP to an SSL-enabled server port

Posted by Boyle Owen <Ow...@swx.com>.
> -----Original Message-----
> From: Thomas Antony [mailto:thomas@antony.eu] 
> Sent: Monday, December 10, 2007 12:30 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] plain HTTP to an SSL-enabled server port
> 
> Hi,
> 
> This works.
> Is there a technical reason why I need 2 virtual hosts instead of one?

Because HTTPS and HTTP are two different protocols.

HTTPS is a protocol that encapsulates HTTP. That is, when you type in an
HTTPS URL in a browser, it first tries to establish an SSL-session with
the server's mod_ssl engine. Once that's up, the browser and server then
use HTTP in the normal way, but each frame is encrypted and decrypted at
the interfaces. So at the start of a session, the server listening on
port 443 is an HTTPS server and cannot receive plain HTTP requests. So
you need a second VH to listen to HTTP traffic and redirect it to HTTPS.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 


> Is it safe that both virtual hosts share the same log files?
> 
> 
> 
> >  You need to create 2 virtual hosts: one for port 80 where 
> SSL is NOT enabled, and one on port 443 where SSL is enabled. 
> You will also need two Listen directives: one for each of 
> ports 80 and 443.
> > 
> > Listen *:80
> > Listen *:443
> > 
> > <VirtualHost *:443>
> > 
> >    ServerName my.server.com:443   
> > 
> >    SSLCertificateFile /sslcerts/crt/my.server.com.crt
> >    SSLCertificateKeyFile /sslcerts/key/my.server.com.key
> >    SSLEngine on
> > 
> > </VirtualHost>                                  
> > 
> > <VirtualHost *:80>
> > 
> >    ServerName my.server.com:80   
> > 
> >    SSLEngine off
> > 
> > </VirtualHost>                                  
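
Added example, not part of the original thread and not any poster's own configuration: the two-virtual-host layout from the replies above, extended with the separate per-host logs and the SSL log format carrying the cipher suite that Axel-Stephane mentions, and with the HTTP-to-HTTPS redirect Owen describes as a commented-out option. The log file paths, the DocumentRoot and the "ssl_combined" nickname are assumptions; the server name and certificate paths are the ones used in the thread.

```apache
# Constructed example. Log paths, DocumentRoot and the "ssl_combined"
# nickname are assumptions, not values from the thread.
Listen *:80
Listen *:443

# Plain common log format, defined explicitly so the file is self-contained.
LogFormat "%h %l %u %t \"%r\" %>s %b" common
# Same fields plus TLS protocol and cipher suite (mod_ssl's %{...}x).
LogFormat "%h %l %u %t \"%r\" %>s %b %{SSL_PROTOCOL}x %{SSL_CIPHER}x" ssl_combined

# Port 443 expects an SSL/TLS handshake first; plain HTTP sent here
# produces the "speaking plain HTTP to an SSL-enabled server port" error.
<VirtualHost *:443>
    ServerName my.server.com:443
    DocumentRoot /var/www/my.server.com

    SSLEngine on
    SSLCertificateFile /sslcerts/crt/my.server.com.crt
    SSLCertificateKeyFile /sslcerts/key/my.server.com.key

    # Separate logs for the SSL host, with protocol and cipher recorded.
    ErrorLog logs/ssl_error_log
    CustomLog logs/ssl_access_log ssl_combined
</VirtualHost>

# Port 80 answers plain HTTP, so http:// URLs no longer hit the SSL port.
<VirtualHost *:80>
    ServerName my.server.com:80
    DocumentRoot /var/www/my.server.com

    SSLEngine off

    ErrorLog logs/error_log
    CustomLog logs/access_log common

    # Alternative to serving content here: send every plain-HTTP
    # request to the HTTPS host instead (mod_alias).
    # Redirect permanent / https://my.server.com/
</VirtualHost>
```

Check the syntax with "apachectl configtest" before restarting; the access log of the port 443 host then shows which protocol version and cipher suite each client negotiated.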

Re: [users@httpd] plain HTTP to an SSL-enabled server port

Posted by Thomas Antony <th...@antony.eu>.
Hi,

This works.
Is there a technical reason why I need 2 virtual hosts instead of one?
Is it safe that both virtual hosts share the same log files?



>  You need to create 2 virtual hosts: one for port 80 where SSL is NOT enabled, and one on port 443 where SSL is enabled. You will also need two Listen directives: one for each of ports 80 and 443.
> 
> Listen *:80
> Listen *:443
> 
> <VirtualHost *:443>
> 
>    ServerName my.server.com:443   
> 
>    SSLCertificateFile /sslcerts/crt/my.server.com.crt
>    SSLCertificateKeyFile /sslcerts/key/my.server.com.key
>    SSLEngine on
> 
> </VirtualHost>                                  
> 
> <VirtualHost *:80>
> 
>    ServerName my.server.com:80   
> 
>    SSLEngine off
> 
> </VirtualHost>                                  


RE: [users@httpd] plain HTTP to an SSL-enabled server port

Posted by Axel-Stephane SMORGRAV <Ax...@europe.adp.com>.
 You need to create 2 virtual hosts: one for port 80 where SSL is NOT enabled, and one on port 443 where SSL is enabled. You will also need two Listen directives: one for each of ports 80 and 443.

Listen *:80
Listen *:443

<VirtualHost *:443>

   ServerName my.server.com:443   

   SSLCertificateFile /sslcerts/crt/my.server.com.crt
   SSLCertificateKeyFile /sslcerts/key/my.server.com.key
   SSLEngine on

</VirtualHost>                                  

<VirtualHost *:80>

   ServerName my.server.com:80   

   SSLEngine off

</VirtualHost>                                  

-ascs
 
-----Original Message-----
From: Thomas Antony [mailto:thomas@antony.eu] 
Sent: Monday, 10 December 2007 11:30
To: users@httpd.apache.org
Subject: [users@httpd] plain HTTP to an SSL-enabled server port

Hi,

I bought a Thawte certificate and configured that in Apache 2.2 with an IP-based virtual host.
SSL is working fine but every time I open the site with http:// I get this error message displayed:

Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
  Hint: https://www.example.com

The website should be reachable with http and https and no error message should be displayed.
Which directive has to be set to get both working?


regards,
Thomas Antony
