如何将 HTTPS 请求重定向到没有证书的 HTTP (Apache VirtualHosts) 并避免证书警告 [英] How to redirect HTTPS requests to HTTP without a certificate (Apache VirtualHosts) and avoid a certificate warning
问题描述
我首先要说的是,这不是一个好的做法,我们应该努力让所有东西都 100% 使用 HTTPS,但在这种情况下,我对一个不包含敏感信息的系统有一系列尴尬的要求.当我更年轻的时候问这个问题时,我完全不知道 HTTPS/TLS 是如何工作的,但是因为它受到了相当多的关注,所以把它留在原地帮助其他人.如果您有兴趣,我建议您阅读 Oreily 的 TLS 101.您现在可以使用我强烈推荐的 Let's Encrypt 获得免费的 TLS 证书.最后,如果您使用默认的 Apache 配置,请查看 Mozilla 的 SSL配置生成器 输入您的 apache 版本后选择现代".
I would first like to first say, this is not good practice and we should endevour to have everything on HTTPS 100% of the time but in this case I had a series of awkward requirements on a system that did not hold sensitive information. I was quite ignorant of how HTTPS/TLS worked when asking this question back when I was more junior but have left it in place to help others as it receives a fair amount of attention. I recommend reading Oreily's TLS 101 if you're interested. You can now get free TLS certificates using Let's Encrypt which I thoroughly recommend. Lastly, if you are using the default Apache config please check out Mozilla's SSL config generator selecting 'Modern' after entering your apache version.
我在一个 apache 服务器上托管了几个单独的网站:
I am hosting a couple of seperate websites on one apache server:
site.com
site.com 将所有用户从应用程序内重定向到 HTTPS.
site.com redirects all users to HTTPS from within the application.
example.com
example.com 是一个 HTTP 网站,HTTPS 请求被重定向到 HTTP
example.com is an HTTP website and HTTPS requests are redirects to HTTP
为了意外请求 https://example.com 而不是 http://example.com 不获取 site.com(由于仅使用一个 HTTPS 虚拟主机成为默认站点)我需要设置例如.com 的 https 虚拟主机,但我必须使用自签名证书,因为该站点没有理由使用 SSL.
In order for accidental requests for https://example.com instead of http://example.com to not get site.com (due to when only one HTTPS vhost is used that becomes the default site) I need to set up an https vhost for example.com but I have to use a self signed cert as there is no reason for the site to use an SSL.
这意味着当有人访问 https://example.com 时,他们会收到一个浏览器警告页面,表明 SSL 是自我的签名,然后一旦他们点击继续,他们就会被重定向到 HTTP
This means when someone visits https://example.com they get a browser warning page that the SSL is self signed and then as soon as they click continue they get redirected to HTTP
有什么方法可以在没有证书的情况下将 HTTPS 请求重定向到 HTTP
Is there any way to redirect HTTPS requests to HTTP without a certificate
这是当前的虚拟主机:
<VirtualHost *:443>
ServerName about.example.com:443
DocumentRoot "/directory"
<Directory "/directoy">
AllowOverride All
Require all granted
</Directory>
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/ExampleCOM.pem
SSLCertificateKeyFile /etc/httpd/ssl/AboutExampleCOM-key.pem
Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
# Disabled to avoid CRIME attack
SSLCompression off
# this usually compromises perfect forward secrecy
SSLSessionTickets off
# OCSP Stapling, httpd 2.3.3 or later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
推荐答案
从根本上说,这是一个问题.当通过 HTTPS 进行通信时,TLS 通信层在交换任何内容之前设置,即有关证书的警告发生在传输有关网站的任何信息之前.因此,需要一个证书来允许浏览器在定义 https 时进行连接,无论是否自签名.
Fundamentally, that's a problem. When communicating over HTTPS, the TLS communication layer is set up before anything is exchanged, i.e. the warning about the certificate happens before any information about the website is transferred. So a Certificate is needed to allow a browser to connect when https is defined, self signed or not.
理想情况下,为了最佳实践",我们真的应该鼓励人们默认使用 HTTPS(我意识到这是一笔费用,并且可能对证书感到恼火,虽然 self 不应该有任何问题签名证书,通常会出现问题和浏览器消息等).
即使您有一个只能做 http"的应用程序服务器,最佳实践通常是在该应用程序服务器前面安装一个 Web 服务器(例如 nginx 或 lighthttpd 或某种形式的负载平衡器),这也将为您提供 https终止.- 这就是你似乎对你的 httprewrite 所做的,它将请求转发到你的网站.
Even if you have an application server which 'can only do http', best practice is generally to front that application server with a Web Server (such as nginx or lighthttpd or some form of load balancer) which also will provide your https termination. - which is what you seem to have done with your httprewrite which forwards the request to your site.
您可能会发现一些廉价的 SSL 证书提供程序安装在大多数浏览器中?
You might find some cheap SSL-certificate providers which are installed in most browsers though?
这篇关于如何将 HTTPS 请求重定向到没有证书的 HTTP (Apache VirtualHosts) 并避免证书警告的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
