I am setting up Apache to do URL rewriting. What I want is that if the user types the address of my website, say, http://mysite49.com, the browser automatically changes the URL to https://mysite49.com. I have the following questions:
1) Do I have to open two ports, both 80 and 443 (for https)?
2) How do I implement this functionality?
I think that is a redirection rather than a URL rewriting question. (My understanding is that the term 'URL writing' does not apply to the protocol and server name portion of a URL.)
This is important in your context because if the initial connection to the server from the client is with HTTP then it cannot be internally switched by httpd to HTTPS. Why? Because the client will need to initiate a new HTTPS connection to get all that SSL stuff done first before httpd can start reading headers and stuff.
The redirection can be accomplished quickly with a simple HTML file with redirection meta tags. Or you could have a script on your web server that does an HTTP redirection. I'd recommend the latter because it is arguably more efficient to do so at a lower level.
Hope that helps.
Stu [ September 21, 2006: Message edited by: Stu Thompson ]
"This is not to say that design is unnecessary. But after a certain point, design is just speculation." --Philip Chu
Sorry, I might not have made my problem clear. What I am trying to discuss is that I want to put the "RewriteEngine" directive in my Apache config, so that if somebody types http://my_website_name.com, the URL will be automatically changed to https://my_website_name.com; thus I want to force users to use https instead of http.
Here is what I put in the config httpd.conf of Apache (it is working):
Actually, the mod_rewrite module which is used here can do either redirect or rewrite, so, yes, it is possible to change from HTTP to HTTPS in this way. As far as HTTP is concerned, that is a client-side redirect, though.
And, like Stu says, both ports need to be open, because how would Apache ever see the HTTP request if port 80 wasn't open?
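A minimal sketch of the setup discussed above, as an added example that is not the original poster's configuration (which did not survive in the thread). It assumes mod_rewrite, mod_ssl and mod_headers are loaded; the certificate paths and DocumentRoot are placeholders, and the hostname is the one from the question.

```apache
# Added example, not the original poster's httpd.conf.
# Assumes mod_rewrite, mod_ssl and mod_headers are loaded; all paths are placeholders.

# Both ports are needed: 80 only to answer with the redirect, 443 to serve content.
# (Skip a Listen line if it is already declared elsewhere in your configuration.)
Listen 80
Listen 443

<VirtualHost *:80>
    ServerName mysite49.com

    RewriteEngine On
    # R=301 makes this an external redirect: Apache answers the plain HTTP
    # request with "301 Moved Permanently" and a Location header, and the
    # browser then opens a new TLS connection to port 443 by itself.
    # The target host is written out instead of using %{HTTP_HOST}, so the
    # Location header never echoes a client-supplied Host value.
    RewriteRule ^ https://mysite49.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName mysite49.com
    DocumentRoot "/path/to/docroot"

    SSLEngine on
    SSLCertificateFile    "/path/to/mysite49.com.crt"
    SSLCertificateKeyFile "/path/to/mysite49.com.key"

    # The first request still travels over plain HTTP before the redirect.
    # HSTS tells browsers that have visited once to go straight to HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

To check the behaviour, `curl -I http://mysite49.com/` should return a 301 status with `Location: https://mysite49.com/`, and no page content should ever be served on port 80.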
Not saying I don't believe you, but please explain how it would work. Everything I know about HTTP, HTTPS, and URL rewriting says it is not possible.
(Then again, I am weak on URL rewriting.) Specifically, how does the protocol negotiation take place?
If I have it wrong I will gladly eat my boot.
I'm not up on the internals of mod_rewrite (i.e., how it works internally), but it can do either a rewrite (kind of like a forward) or a redirect (roundtrip to the client and back). The latter can be used to catch HTTP URLs and redirect to the appropriate HTTPS URL (but as far as Apache/mod_rewrite is concerned, it would still be a "rewrite", because that's what mod_rewrite does).
Like you suggest, I think there would be difficulties forwarding an HTTP request to an HTTPS address. But actually, come to think of it, mod_rewrite might just send an HTTPS request, and then return its results to the client via HTTP, thus completely masquerading the use of HTTPS. I'm not sure if that's really possible, though.
OK, if mod_rewrite can force a roundtrip to the client then it would work. But that would really be a redirection...based on a rewritten URL, yes, but a redirection nonetheless.
If mod_rewrite were to proxy the request to https and send the response back to the client over http...then, well...that sorta defeats the purpose. :p What benefit would there be to do this? It is definitely not secure.
David: The S in HTTPS is for secure (duh). The security is implemented via SSL. SSL sits just below HTTP on the network stack. That is important because the SSL negotiation (public and then private key exchange) must occur before the HTTP request and response(s) are read and written. Also note that the client must initiate the negotiation. The server cannot decide, after receiving a client HTTP request, that it suddenly wants everything encrypted.
Again, if I have any of this wrong then I'll eat my boot. [ September 22, 2006: Message edited by: Stu Thompson ]
PS: I gather www.boh.com is exactly what David wants to do.
Matt, Please start a new thread with your question. Most people aren't going to scroll all the way to the bottom of an old thread to look for a new question. Also, if this discussion is still active, asking another question would be considered thread hijacking; a very rude thing to do.