Redirect HTTP to HTTPS
Date: Tuesday, July 19, 2022
Author: ICS Admin
One of the most significant omissions noticed in the posts on redirecting traffic from HTTP to HTTPS is the exclusion of logs within the Apache web server configuration.
Why is this important? When you log the redirects at the source, you will notice that your SSL access logs were not capturing the traffic. This is a great way to catch bots and hackers probing your website.
What you will see are a lot of 301 and 302 HTTP status codes. If you look closer, you will see bot names, HTTP request methods (HEAD, PUT, CONNECT, OPTIONS, etc.) that hackers use to find vulnerabilities, requests for files with known vulnerabilities, etc.
As of today, July 19, 2022, every mention of HTTP to HTTPS uses the following syntax in the HTTP host:
<VirtualHost ip_address:80>
ServerName www.yourdomain.com
Redirect / https://www.yourdomain.com
</VirtualHost>
<VirtualHost ip_address:443>
ServerName www.yourdomain.com
DocumentRoot ../yourdomaindirectory/public_html
SSLEngine On
# additional SSL configuration etc...
</VirtualHost>
The .conf file should use:
<VirtualHost ip_address:80>
ServerName www.yourdomain.com
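# Trailing slash matters: Redirect appends the rest of the request path to the target
Redirect / https://www.yourdomain.com/
# Log the plain-HTTP requests here; they never reach the SSL host's logs
ErrorLog ../yourdomaindirectory/logs/error.log
CustomLog ../yourdomaindirectory/logs/access.log combined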
</VirtualHost>
<VirtualHost ip_address:443>
ServerName www.yourdomain.com
DocumentRoot ../yourdomaindirectory/public_html
SSLEngine On
# additional SSL configuration etc...
</VirtualHost>
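As an added example (not part of the original post), this Python script parses combined-format lines like those the port 80 host's access.log would contain and flags the request methods and bot user agents mentioned above. The method allow-list, the bot substrings and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?:[^"\\]|\\.)*" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
EXPECTED_METHODS = {"GET", "POST"}  # assumption: what ordinary visitors send
BOT_MARKERS = ("bot", "crawl", "spider", "scan")  # assumption: extend as needed

def classify(line):
    """Return (host, status, reasons) for one log line, or None if unparsable."""
    m = COMBINED.match(line)
    if not m:
        return None
    parts = m["request"].split()
    reasons = []
    if len(parts) != 3:  # not "METHOD path HTTP/x.y", e.g. binary sent to port 80
        reasons.append("malformed-request")
    elif parts[0] not in EXPECTED_METHODS:
        reasons.append("method:" + parts[0])
    agent = m["agent"].lower()
    if agent in ("", "-"):
        reasons.append("no-user-agent")
    elif any(marker in agent for marker in BOT_MARKERS):
        reasons.append("bot-agent")
    return m["host"], int(m["status"]), reasons

def summarize(lines):
    """Count flagged requests per client and tally the status codes returned."""
    flagged, statuses = Counter(), Counter()
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            continue
        host, status, reasons = parsed
        statuses[status] += 1
        if reasons:
            flagged[host] += 1
    return flagged, statuses

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [19/Jul/2022:10:01:02 +0000] "GET / HTTP/1.1" 302 211 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [19/Jul/2022:10:01:05 +0000] "OPTIONS / HTTP/1.1" 302 211 "-" "-"',
    '203.0.113.9 - - [19/Jul/2022:10:01:06 +0000] "HEAD /old/setup.php HTTP/1.1" 302 - "-" "ExampleBot/1.0"',
    '192.0.2.44 - - [19/Jul/2022:10:02:10 +0000] "PUT /upload.txt HTTP/1.1" 302 211 "-" "curl/7.81.0"',
]
print(summarize(SAMPLE))
```

To run it against a real log, pass the open file object to `summarize` in place of `SAMPLE`.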
Redirect vs. RedirectPermanent vs. Redirect Permanent vs. a RewriteRule
The official Apache documentation suggests using the Redirect directive instead of a RewriteRule (https://httpd.apache.org/docs/trunk/rewrite/avoid.html). In addition, from testing and various forums:
- Redirect returned a lot of 302 moved temporarily status codes
- Redirect Permanent returns a 301 moved permanently status code
- RedirectPermanent returns a 301 moved permanently status code