0

I have a site that does not need https. We do not collect any information at all, nor do we have any forms. This being so we did not set up an SSL certificate.

However, when I go to https://example.com it goes to another site on my server that DOES have an SSL certificate.

We're running a LAMP stack, CentOS6/Apache 2.2. Is there a way to redirect all https requests to my site back to http?

r00tAcc3ss
  • 3
    This question has been asked and answered many times already. Just search for URLRewrite and SSL on SF. From HTTP to HTTPS is no different than from HTTPS to HTTP - just the reverse. – ETL Feb 10 '14 at 18:39
  • possible duplicate of [Everything You Ever Wanted to Know about Mod\_Rewrite Rules but Were Afraid to Ask?](http://serverfault.com/questions/214512/everything-you-ever-wanted-to-know-about-mod-rewrite-rules-but-were-afraid-to-as) – ETL Feb 10 '14 at 18:42
  • 1
    I tried doing the same things backwards, they don't work. I tried all the suggestions in the other direction with modifications for ssl->non. They don't work. – r00tAcc3ss Feb 10 '14 at 18:44
  • You should use a different IP address for web sites which aren't meant to be accessed via SSL. – Michael Hampton Feb 10 '14 at 21:31

3 Answers

1

Of course not. If there was, that would be a horrible security flaw. Imagine if you had some super-secure site and someone, without needing to have an SSL certificate for your domain, could make people trying to reach it go to an unsecure site. That would defeat the whole point of secure links.

Without an SSL certificate issued to the name the link goes to, you cannot convince anyone that they should go to the insecure site. In fact, this is exactly what an attacker trying to compromise a secure site would try to do and precisely what SSL and HTTPS prevent.

David Schwartz
  • Perhaps I didn't clarify my question correctly, or maybe I'm not understanding your answer. When I go to `https://mysite.com` it loads `https://anothersite.com` with an SSL warning where anothersite.com is on my server and has an SSL cert. I want anyone going to `https://mysite.com` to go to `http://mysite.com`. Is that not secure? – r00tAcc3ss Feb 10 '14 at 18:37
  • It's only secure if you can *prove* that you are the owner of the domain and want that redirect to happen. Otherwise, it could just as easily be a malicious attacker redirecting a person away from a secure site to an insecure one. Without an SSL certificate issued to the site the user is trying to reach, how can you prove you own the domain? – David Schwartz Feb 10 '14 at 18:38
  • But if it's my server, and I am making the change to the virtual hosts files, and I have my domain pointing to it. How is that not proof that I own the site and domain? – r00tAcc3ss Feb 10 '14 at 18:39
  • 1
    @r00tAcc3ss How can I know that I actually *reached* your server? If I could trust the network, I wouldn't need SSL. The point of the SSL certificate is to prove that my connection went to the right place. – David Schwartz Feb 10 '14 at 18:49
1

I'm fairly certain that you have enabled the other site's SSL cert and https on "all sites" rather than just the site for which it was intended. Go back into your Apache configuration for https and limit it to https://yoursecuresite.com rather than all of them.

Katherine Villyard
0

Well, it is not completely impossible, but you won't be able to override the security warning that your browser will trigger because the HTTPS website name doesn't match the one you're trying to reach (https://example.com and https://securesite.com).

One way to solve this is to allocate your secure website a dedicated IP address different from the default address of your server. example.com -> 1.1.1.1 ; securesite.com -> 1.1.1.2

This way there is no possibility that https://example.com and https://securesite.com would create a conflict.

And if you really want users to use https://example.com, then you're stuck with using an SSL certificate.

Bruno Mairlot
  • Thanks! We ended up moving it to a separate IP for this reason. Considering an SSL cert, but as I mentioned, we have no real "need" for one. – r00tAcc3ss Feb 11 '14 at 14:12
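
The fix suggested in the last two answers (limit HTTPS to the secure site and give it its own IP address), sketched as an Apache 2.2 configuration. This is an added example, not configuration posted by anyone in the thread; the IP addresses and host names follow the last answer, while the file paths are assumed placeholders.

```apache
# Added example for Apache 2.2 (CentOS 6). All paths are assumed placeholders.
# DNS as in the answer above: example.com -> 1.1.1.1, securesite.com -> 1.1.1.2

# Before: a wildcard HTTPS vhost. It is the only vhost on port 443, so it
# answers every HTTPS request that reaches the server, including
# https://example.com, and presents securesite.com's certificate.
#
#   Listen 443
#   <VirtualHost *:443>
#       ServerName securesite.com
#       SSLEngine on
#   </VirtualHost>

# After: accept TLS only on the address dedicated to the secure site.
# Replace any existing "Listen 443" (for example in conf.d/ssl.conf) with
# the address-specific form below.
Listen 80
Listen 1.1.1.2:443

NameVirtualHost *:80

# Plain-HTTP site, reachable on port 80 only.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com
</VirtualHost>

# HTTPS site, bound to its dedicated address instead of "*".
<VirtualHost 1.1.1.2:443>
    ServerName securesite.com
    DocumentRoot /var/www/securesite.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/securesite.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/securesite.com.key
</VirtualHost>
```

With nothing listening on 1.1.1.1:443, a request for https://example.com fails to connect instead of loading securesite.com with a certificate warning. `httpd -S` lists which virtual host is bound to each address and port, which is a quick way to confirm no wildcard 443 vhost remains.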