
I created an SSL certificate for myDomain.com. Hence I see the following 3 files under /etc/apache2/sites-enabled in Ubuntu:

example.com-le-ssl.conf  example.com.conf  example.conf

My example.com.conf looks like this:

```
<VirtualHost *:80>
    ServerAdmin admin@example
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    JKMount /* ajp13_worker
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.example.com [OR]
    RewriteCond %{SERVER_NAME} =example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

Now, if I enter http://www.example.com it is redirected to https://www.example.com

But if someone finds out my server's IP address and enters http://<myIpAddress>, the content is served as non-HTTPS.

So I added this in addition to the above VirtualHost chunk:

```
<VirtualHost myIpAddr:80>
    ServerAdmin admin@example
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    JKMount /* ajp13_worker
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =myIpAddr [OR]
    RewriteCond %{SERVER_NAME} =myIpAddr:80
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

But still, when I enter http://myIpAddr:80 or http://myIpAddr, I see this: [image]

sofs1
  • 1
    Possible duplicate of [Redirect, Change URLs or Redirect HTTP to HTTPS in Apache - Everything You Ever Wanted to Know About Mod\_Rewrite Rules but Were Afraid to Ask](https://serverfault.com/questions/214512/redirect-change-urls-or-redirect-http-to-https-in-apache-everything-you-ever) – Jenny D Aug 13 '19 at 07:56

1 Answer

That is because your SSL certificate contains your hostname (example.com and www.example.com) but not your IP address. Nor should it - normal clients will only use your actual domain name, not the IP address of your server.

Based on the config you've shown, your redirect should go to the hostname rather than the IP address, and it's not possible to see why this goes wrong based only on your config. But I don't quite see why you think you need to have a separate virtual host for your IP address, or why you need to do a RewriteCond match on the Host header at all.

I should remove the RewriteCond lines from your files and only retain the RewriteRule lines.

Also check the third file you've got - there should normally not be both example.com.conf and example.conf. There may be something in that file that gets read before the config with the IP address.

Jenny D
  • But what if a hacker uses the IP address, finds out HTTPS is not enabled for the IP address, and starts hacking? How can I protect it? So, my only solution is to create a separate SSL for the IP address? – sofs1 Aug 13 '19 at 06:51
  • HTTPS does not protect against intrusion. The fact that your certificate is invalid for the IP address does not in any way reduce the security of your system. You should read up on basic web server security, which is a far larger topic - a good place to start is https://security.stackexchange.com/questions/77/best-practices-for-apache-server-hardening . – Jenny D Aug 13 '19 at 06:54
  • Thank you very much for the link. But I checked a few websites like quora.com (whose IP addresses are 52.55.163.53, 34.235.255.157 etc.) where they have fixed the issue that I'm talking about. How do I fix it? Please give me some directions. – sofs1 Aug 13 '19 at 07:02
  • 1
    @sofs1 You can redirect from IP to name (quora does something like that) using a dedicated server_name with your IP or by using correct rewrite rules (https://stackoverflow.com/a/24329245/4994025), but really that's not necessary. HTTPS is active regardless of connecting to IP or to name, the only difference is the certificate warning. Don't overthink this. – Lenniey Aug 13 '19 at 07:43
  • Quora do a redirect to `https://quora.com`, not to `https://IPADRESS`. So should you. – Jenny D Aug 13 '19 at 07:46
  • Yes, I want `https://IPAddress` or `http://IpAddress` to `https://quora.com`. That's what I'm trying to achieve – sofs1 Aug 13 '19 at 07:52
  • I modified this ` ServerAdmin admin@example ServerName example.com ServerAlias www.example.com .......... RewriteEngine on RewriteCond %{SERVER_NAME} =www.example.com [OR] RewriteCond %{SERVER_NAME} =example.com [OR] //added [OR] RewriteCond %{HTTP_HOST} ^111\.111\.111\.111 //I modified this RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] ` Still no effect. I tried reloading as well as restarting apache2. Is my RewriteRule correct to handle new RewriteCond ? – sofs1 Aug 13 '19 at 08:25
  • Ok. It was a browser cache issue which didn't reflect my changes. I ended up wasting 3 hours. How should I prevent this in future? – sofs1 Aug 13 '19 at 10:50
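
The redirect discussed in this thread, written out as an added example that is not part of the original question, answer or comments. It assumes www.example.com is the canonical name, mod_rewrite is enabled, and that this port-80 vhost is the only (or first-loaded) one on `*:80`; the contents of example.com-le-ssl.conf are not shown on the page, so only the rewrite lines for it are given.

```apache
# Added example (not from the thread). Assumptions: www.example.com is the
# canonical name and this is the only (or first-loaded) vhost on *:80, so a
# request whose Host header is the bare IP address also lands here.

# --- example.com.conf: plain HTTP ---
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # No DocumentRoot or JkMount: nothing is served over plain HTTP.
    RewriteEngine on
    # No RewriteCond. With UseCanonicalName Off (the default), %{SERVER_NAME}
    # is taken from the client's Host header, so a request for http://<ip>/
    # fails "=example.com" / "=www.example.com" and is served, not redirected.
    # The target is a fixed hostname, never the client-supplied Host value.
    # R=302 while testing; switch to R=permanent once it works, because
    # browsers cache a 301 and keep replaying the old answer.
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [END,NE,R=302]
</VirtualHost>

# --- example.com-le-ssl.conf: HTTPS ---
# Merge only the rewrite lines into the existing vhost; its SSL directives
# are not shown on the page and stay as they are.
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    # ... existing SSLEngine / certificate directives unchanged ...

    RewriteEngine on
    # Any Host that is not one of the certificate's names (such as the IP)
    # is sent to the canonical name. The client still sees a certificate
    # warning first, because the TLS handshake precedes the redirect.
    RewriteCond %{HTTP_HOST} !^(www\.)?example\.com(:\d+)?$ [NC]
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [END,NE,R=302]
</VirtualHost>
```

After `apachectl configtest` and a reload, `curl -sI http://<server-ip>/` shows the `Location` header directly, with no browser cache involved.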