Implementing HTTPS-Only Sitewide

On 5 September 2012 07:32, Carla Schroder <carla> wrote:

> howdy techtalkers,
> I need to figure out the best way to implement HTTPS for a client's site, and
> it's driving me buggy. It's Drupal 7 on Apache on CentOS 6. We have an SSL
> cert already installed. The problem I'm struggling with is how to
> implement it in a way that doesn't get in the way of site visitors; I have actually
> seen suggestions to force HTTPS only by closing port 80, and to serve up an
> error page for all HTTP requests that tells the user to type HTTPS. That is
> definitely not an option; it must be handled by the server.
> I'm thinking the cleanest way, from the perspective of site visitors, is to
> redirect all HTTP requests to HTTPS. Just force HTTPS sitewide. Then I
> don't have to worry about accidentally missing a page or a form. So how do I do
> this? In Apache? Drupal? I've seen many different suggestions, and most of
> them look bizarre, and it seems odd that something this important is so poorly
> documented. So help plz.
> thanks in advance,
> Carla
> btw I am developing a great dislike for CPanel and other "helpful" frontends.
> They make a gawdawful mess sometimes!
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Carla Schroder
> ace Linux nerd
> author of Linux Cookbook,
> Linux Networking Cookbook,
> Book of Audacity
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> _______________________________________________
> Techtalk mailing list
> Techtalk

I have a private webserver set up with Ubuntu and Apache2.
I do pretty much what you're asking (I think). This is how I do it:

I have this bit added to /etc/apache2/sites-available/default

<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    # Send any request that did not arrive over TLS to the same host and
    # path on https. An absolute target URL with a different scheme is
    # treated as an external redirect even without the R flag.
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>

This redirects all requests to HTTPS.


To redirect the entire site, you could use a redirect

# The target host was lost in the archived post; www.example.com is a placeholder.
Redirect permanent / https://www.example.com/

However, SSL can be slow so I wouldn't run an entire site over SSL unless it was necessary or had low traffic.

On my server, I create the following rules for redirecting admin areas to https
(the paths and file structure are Ubuntu-based so YMMV since the default Apache layout is different from other distros)

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.

    Listen 443
    NameVirtualHost *:443
    SSLStrictSNIVHostCheck on
</IfModule>

In my VirtualHost configuration, I've got the following

<VirtualHost *:443>
    DocumentRoot /var/www/domain/dev
    SSLEngine on
    SSLCertificateFile /etc/ssl/crt/domain.crt
    SSLCertificateKeyFile /etc/ssl/crt/domain.key

    <IfModule mod_rewrite.c>
        RewriteEngine On
        # Requests outside /admin/ match this rule and fall through to the
        # chained rule below; requests under /admin/ do not match, so the
        # chained rule is skipped and they stay on HTTPS.
        RewriteRule !^/admin/(.*) - [C]
        # Send non-admin content back to plain HTTP. The target URL was lost
        # in the archived post; http://%{HTTP_HOST}/$1 reconstructs the
        # intent described above.
        RewriteRule ^/(.*) http://%{HTTP_HOST}/$1 [R,QSA,L]
    </IfModule>
</VirtualHost>

hope that helps
Which reminds me to point out that if you do URL rewriting at the
application level you should make sure your server never sets cookies
over a non-secure connection, and that it sets the secure attribute on
cookies so that a browser connecting over HTTP will not transmit the
cookie in cleartext. Even if you use HTTPS only, you might still be
leaking if you don't do that.

Wim De Smet <kromagg>
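An added audit script (not from any poster in this thread) that checks the two things discussed above against captured responses: that a plain-HTTP request is redirected to the same URL on HTTPS without losing its path or query string, and that no Set-Cookie header is issued without the Secure attribute. The responses below are constructed samples; www.example.com and the cookie name are placeholders.

```python
"""Audit HTTP responses for an HTTPS-only redirect and Secure cookies.

The SAMPLES are constructed, not captured from a real site. Each entry is
(request URL over plain HTTP, status code, response headers, Set-Cookie lines).
"""
from urllib.parse import urlsplit


def check_redirect(request_url, status, headers):
    """Return findings for how a plain-HTTP request was redirected."""
    location = headers.get("Location")
    if status not in (301, 302, 307, 308) or not location:
        return [f"{request_url}: not redirected (status {status})"]
    req, loc = urlsplit(request_url), urlsplit(location)
    findings = []
    if loc.scheme != "https":
        findings.append(f"{request_url}: redirect target is not https ({location})")
    if loc.netloc != req.netloc:
        findings.append(f"{request_url}: redirect changes host to {loc.netloc}")
    if (loc.path, loc.query) != (req.path, req.query):
        # e.g. a RewriteRule that forgets %{REQUEST_URI} or the QSA flag
        findings.append(f"{request_url}: redirect drops path or query ({location})")
    return findings


def check_cookies(request_url, set_cookie_headers):
    """Flag cookies set without Secure (and, while here, without HttpOnly)."""
    findings = []
    for raw in set_cookie_headers:
        name = raw.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in raw.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"{request_url}: cookie {name} set without Secure")
        if "httponly" not in attrs:
            findings.append(f"{request_url}: cookie {name} set without HttpOnly")
    return findings


SAMPLES = [
    # The RewriteRule from the thread applied correctly: same host, path and query.
    ("http://www.example.com/user/login?x=1", 301,
     {"Location": "https://www.example.com/user/login?x=1"}, []),
    # A redirect that loses the query string.
    ("http://www.example.com/node/5?page=2", 302,
     {"Location": "https://www.example.com/node/5"}, []),
    # A page served over HTTP that sets a session cookie without Secure.
    ("http://www.example.com/", 200, {}, ["SESSconstructed=abc123; Path=/; HttpOnly"]),
]


def audit(samples=SAMPLES):
    """Run both checks over every sample and return the combined findings."""
    findings = []
    for url, status, headers, cookies in samples:
        findings += check_redirect(url, status, headers)
        findings += check_cookies(url, cookies)
    return findings
```

Feed it the status, headers and Set-Cookie lines from `curl -sI http://yourhost/path` for a handful of representative pages, including a login form, and expect an empty list.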

On Mon, Sep 10, 2012 at 10:25 PM,  <adric> wrote:
> On 09/05/2012 08:47 PM, chris wrote:
> Hi,
> To redirect the entire site, you could use a
> redirect   Redirect permanent /
>  However, SSL can be slow
> so I wouldn't run an entire site over SSL unless it was
> necessary or had low traffic.  [snip apache configs]
> hope that helps
> chris
> This is a good idea for performance and sanity but there are
> security concerns to having HTTP and HTTPS content on the
> same site.  Last year's BEAST attack tool takes
> advantage of that, for instance, and there are some
> cross-site scripting, session stealing, and other
> malfeasance made easier by having secure and insecure
> content both.
> Security experts have been urging the big site providers to go
> all-SSL for some time and they are reluctantly following this advice
> after the hullabaloo over Firesheep. Google has been big on
> pushing ahead with this.
> BEAST: (links about
>   BEAST abound, no ref to HTTP usage in any..)
> Firesheep: (home page)
> Google blog:
> hth,
> adric

About samehramzylabib
This entry was posted in Configure My Systems.