How do I redirect all HTTP requests to HTTPS when ISP blocks port 80?

2

1

I am running a HTTPS web server at home but it has one key flaw: you can't connect to it using port 80. My ISP (Cox) blocked (incoming) port 80, there is nothing I can do about it, but luckily for me they did not block port 443. So, I have opted to use a pure HTTPS server, but this is not quite working, since I have a few things I want to redirect to my (HTTPS) server:

http://www.example.com/ redirects to https://www.example.com/

http://example.com/ redirects to https://www.example.com/

https://example.com/ redirects to https://www.example.com/

And finally, the roadblock: https://www.example.com/ points to (CNAME) powe.ddns.net, which is my dynamic DNS. I tried, but I cannot mix URL and CNAME records or make a CNAME only point towards a single port on an IP.

So far I have made all the redirects go to https://ww2.example.com/ and have that point at my home server, but with this I cannot make https://www.example.com/ redirect to https://ww2.example.com/ because I cannot do HTTPS to HTTPS redirects.

All the solutions I have found thus far rely on port 80 being open, which I cannot do. So, what can I do? Possible solutions include HTTPS to HTTPS redirects, port specific DNS, and from-HTTPS URL forwarding (I have only found HTTP to HTTP or HTTP to HTTPS URL forwarding). Thank you!

BoomBoomPowe

Posted 2017-07-13T21:14:28.370

Reputation: 33

The kind of response expected by applications when connecting to an HTTP server is very different from the kind of response given by an HTTPS server. Thus, simply redirecting HTTP requests to HTTPS via port redirection is never going to work. My recommendation is to rent a cheap VPS so you can host your Web contents properly without having to resort to hacks. If you don't want to go this route, you will have to tell your potential visitors to access your Web server via HTTPS. Their Web browsers will then automatically send the requests via port 443 by default. – Larssend – 2017-07-15T05:14:06.240

Yeah, I noticed that when using HSTS it forces https://*** which is great for me! What I wanted to do is have people who visit the site go to port 80 and be redirected to the https:// version of the site. I know a reverse proxy can do what DNS does just with ports instead of IP addresses, so it would work, but I don't know of any "reverse proxy providers."

– BoomBoomPowe – 2017-08-04T16:23:45.130

Answers

1

Well, it turns out that it is possible. Using CloudFlare's CDN, you can do an automatic HTTPS redirect at the network level using the "Always Use HTTPS" feature, shown here.

Cloudflare HTTPS Rewrite

This happens even before the request reaches your server, and is available for the free tier. You can also turn on HSTS if you want to avoid rewriting every time.

BoomBoomPowe

Posted 2017-07-13T21:14:28.370

Reputation: 33

Glad to hear you got it working. I haven't used CloudFlare but it makes sense as a CDN they could possibly do this. Good to know! – Anaksunaman – 2017-09-24T20:55:00.857

You can also do a rewrite from http://www.example.net/page_here to http://www.example.net:8080/page_here if you want, but either way, it is pretty useful! – BoomBoomPowe – 2017-09-25T21:38:22.627

What are the odds they can do this in reverse? My ISP is blocking port 443, not 80. – Jersh – 2017-11-25T20:20:17.300

0

I would recommend investigating some low-cost hosting, since what you are detailing isn't generally possible with port 80 blocked without a third party involved anyway.

This isn't mandatory - you can still host the site - but you will almost certainly be using one of the two options below.

Using A DNS Service With A Separate Dynamic DNS Provider Subdomain

On the question of redirecting HTTP requests to HTTPS, from the details of your post, I am assuming your DNS provider for example.com facilitates this. Assuming you wish to redirect these to https://powe.ddns.net I would do so directly via URL Redirection:

    www.example.com --> https://powe.ddns.net

    example.com --> https://powe.ddns.net

Further HTTPS redirection should be unnecessary.

Using Domains Directly With A Dynamic DNS Provider

Dynamic DNS services which allocate subdomains are useful, but you may wish to investigate a DNS provider (either your current registrar or a third-party) that has a dynamic DNS client and allows you to use your domain (e.g. https://example.com) directly with those services.

While normally possible with port 80 available, HTTP to HTTPS redirection (e.g. http://example.com --> https://example.com) in your case isn't possible without third-party intervention, since URL redirection records and basic DNS A records will create an issue regarding the IP address(es) for a given entry (so this would cut off using non-HTTPS URLs).

UPDATE: Per OP's own accepted answer, apparently CloudFlare will intercept requests for port 80 and redirect them to port 443. They also apparently have a dynamic DNS client.

Regardless of using CloudFlare, it's possible to still use the HTTPS versions of a domain normally either way.

Regarding redirection of https://example.com to https://www.example.com without CloudFlare, the solution would be to point both at your server IP directly and sort non-www requests and www requests on the server itself.

If you haven't already done so, simply create two A records as normal, pointing directly to the correct IP of your server, e.g.

    example.com.   IN A   99.100.101.102

    www            IN A   99.100.101.102

and use HTTPS to access them. Consult your DNS provider on exact formats for these records.

Note that you will likely need to make any Dynamic DNS client aware that you wish to update the IP for both these entries.

Next, in Apache, redirect https://example.com to https://www.example.com. Again, for simplicity, you can use:

    Redirect / https://www.example.com/

inside an HTTPS virtual host for https://example.com, although you may want to use other redirect options (i.e. 301, 302), especially for SEO purposes.

Certificates

As a brief caveat about certificates, remember that https://www.example.com is a subdomain of https://example.com and if you want to work with both without a browser error, you need either:

If you need free certificates that aren't self-signed, a possible choice is one issued by Let's Encrypt. Their website doesn't have a direct interface for certificate requests or management but ZeroSSL has both a web interface and a command-line client (both as a Perl script and Windows binary). There are other clients available too.

The only drawbacks to Let's Encrypt certificates are that they are short (only 90 days) and they currently do not issue wild card certificates. There are some rate limits on certificate issuance but they are currently fairly reasonable.

In-Browser URLs

While it is possible to "mask" URLs so they do not change at all in the browser address bar, this often requires either a separate server loading content in a frame or some creative uses of mod_rewrite which may or may not work depending on a number of factors.

In the case of HTTPS, masking potentially can undermine the HTTPS working as intended (primarily for security). In short, if you can be happy with minimal changes to the URL (e.g. http:// becoming https:// or possibly redirecting https://example.com to https://www.example.com server side), I would choose that route, using example.com directly with a Dynamic DNS provider as outlined above.

SEO Considerations

Note that both the www and non-www versions of your site will likely be considered separate domains with duplicate content for SEO purposes (indexing with search engines). So you may want to take steps accordingly if you want your content indexed correctly (e.g. by Google).

Anaksunaman

Posted 2017-07-13T21:14:28.370

Reputation: 9 278
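
The two HTTPS virtual hosts this answer describes, written out as an added example (not part of the original answer). The certificate paths and document root are placeholders, and the HSTS header is an addition based on the HSTS remarks elsewhere on this page; it assumes mod_ssl, mod_alias and mod_headers are enabled.

```apache
# Added example. All file paths below are placeholders.

# Apex host: answers https://example.com/ only to hand out a redirect.
# The TLS handshake completes before the redirect is sent, so the
# certificate served here must be valid for example.com itself.
<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/example/privkey.pem

    # HSTS is scoped to the host that sends it, so the apex sends it too.
    Header always set Strict-Transport-Security "max-age=31536000"

    # "permanent" issues a 301. The trailing slash on the target matters:
    # the path after "/" is appended, so /page becomes
    # https://www.example.com/page rather than https://www.example.compage
    Redirect permanent / https://www.example.com/
</VirtualHost>

# Canonical host: serves the site.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example

    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/example/privkey.pem

    # After one successful HTTPS visit the browser upgrades http:// URLs
    # for this host locally and never tries port 80. A first-ever visit
    # typed as http:// still fails while port 80 is blocked.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Both hosts use the same certificate files here, which assumes a single certificate listing example.com and www.example.com as names.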

This is what I used to use, however I do not want to use a URL redirect since that changes the URL to something other than what it was to start with. Either way, it forces the URL to change to something other than what it was to start with, which is unwanted. I already use freedns.afraid.org for DNS which is how I got the setup I have now, but it is annoying to have the URL change every time you access the site. Is it possible to avoid this? – BoomBoomPowe – 2017-07-20T02:08:31.353

I tried doing this but apparently using a URL record and an A or AAAA record in conjunction is impossible. The problem here is that when I create a URL record, it forwards all the traffic to a dummy web server that sends an HTTP 301. This means that it essentially points to another IP address and server, so unless it is possible to send some ports to one server and some to another using DNS, this isn't an option. – BoomBoomPowe – 2017-07-23T05:27:26.603

By the way, I have SSL certificates under control and know when I need a new certificate. I already use Let's Encrypt, but I haven't heard of ZeroSSL: do they offer wildcard certificates? – BoomBoomPowe – 2017-07-23T05:35:29.477

About ZeroSSL, no unfortunately they don't. They simply act as an interface to Let's Encrypt's servers and Let's Encrypt apparently doesn't plan to issue wild card certificates until sometime in 2018. – Anaksunaman – 2017-07-24T05:55:01.513

A URL change is not a big deal as long as it is not a very large change: however, I have tried to do this in the past, before I'd use this: http://example.com --> https://ww2.example.com, http://www.example.com --> https://ww2.example.com, ww2.example.com [A RECORD] my_ip_address_here, but if you type http://ww2.example.com it doesn't work. Every time I find a solution another hole opens up! – BoomBoomPowe – 2017-07-25T02:01:46.440

Well that stinks. It might be possible to use a reverse proxy that doesn't have port 80 blocked, but I don't think that it will be that big of a deal. Thanks anyways! – BoomBoomPowe – 2017-07-26T03:50:17.740

No problem. Good luck. =) – Anaksunaman – 2017-07-26T07:24:03.767