
How do I give a Connection Reset error to the user if the user accesses the website like http://example.com:443, instead of giving the following error:

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

The above error is provided by Apache to the user, which I do not want. I instead just want to stop the connection and not give a text response. Is this possible? It should be, because many websites have this feature. Thanks in advance. (Also, I couldn't try anything myself because I don't have any clue about how this works, so that I can implement it myself if I can.)

Similar in a way, but doesn't answer my question anyways: Serving port 443 over http creates 400 Bad Request Error instead of redirect, but mentioned: "If you try such requests with other servers then they would either close the connection without any error at all or just hang because they are still hoping to get a TLS handshake from the client", so my question is on how to close the connection if the user accesses http://example.com:443.

Just in case:

Please note that I want to close the connection when a user accesses port 443 on http:// instead of https://. I don't want Apache to display the Bad Request message. I want to close the connection because it is mentioned that it is not possible to redirect 443 on http:// to https://. If there is any method to do that, let me know (except for HSTS, which I am not willing to trust). I think this will be done using a firewall (not sure). I have also seen cPanel do this, but I am not using cPanel for some other purpose, so kindly don't ask me to.

Also:

It is not possible to change the 400 bad request page unless you modify Apache's source code, so a redirect from http to https there will not be possible. I don't think I am permitted to modify Apache's source code.

I also saw that running curl http://www.google.com:443 says curl: (52) Empty reply from server, so sending an empty reply should be enough to stop the connection right? I am not sure. But maybe yes, if so, how? (Don't answer this question if there is a different method of doing the connection cut thingy).

To be clear: I am asking for something like sudo ufw deny out 443 http (might be invalid) or something.

yagmoth555
  • Hi, I locked the question as you had one bounty given for it; erasing it would not be fair for the one that took time to answer you. If you have an element you want to remove for privacy, ping me back, we can discuss that without problem, else I will have to ask a CM to disassociate you from the question if you really need to not be associated with it (as a bounty was given) – yagmoth555 Feb 28 '20 at 13:14
  • @yagmoth555 would they lose the bounty if the question is deleted? I awarded them the bounty just to delete the question, because I find there is something wrong here. –  Feb 29 '20 at 12:16
  • Yes, it's why the system blocks you from deleting the question, or if an upvoted answer exists too, you can't delete. If you want to be removed from that question I can ask the staff. It's only to disassociate you from the question the best way. It will be shown like a deleted user that asked the question after. – yagmoth555 Feb 29 '20 at 17:15
  • @yagmoth555 Is there a way to remove the bounty, because I didn't award it to really praise the person, I awarded it to delete the question, because it didn't allow me (I don't need the reputation, but I don't want to keep the awarded bounty, or at least remove the badge on the bounty). Please? I am not really feeling well with the bounty awarded, so any help? (Also, this is not related) I am surprised to see that you can ask the staff! :O At last, this is all going to the sentence "Remove the bounty I have awarded." –  Feb 29 '20 at 17:37
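As an added example (not code from the question or from either answer), a small Python probe that does what the curl test in the question does, sends plain HTTP to a TLS port and classifies the server's reaction, so you can verify whether a port 443 really drops plain HTTP silently or still returns Apache's 400. The fake_tls_port helper and its local listener are constructed stand-ins so the probe can be exercised offline; point probe_plain_http at a real host and port 443 to check a live server.

```python
import socket
import threading

# What a browser sends for http://example.com:443 before any TLS handshake.
PLAIN_HTTP_PROBE = b"GET / HTTP/1.0\r\nHost: example.com\r\n\r\n"


def probe_plain_http(host, port, timeout=3.0):
    """Send plaintext HTTP to a TLS port and report how the server reacts.
    Returns (verdict, status_line); verdict is "bad-request" (Apache's stock
    400), "empty-reply" (socket closed without a byte; curl's error 52),
    "reset" (TCP RST), "timeout" (server silent, still waiting for a
    ClientHello) or "other" (status_line holds the unexpected first line).
    """
    data, closed = b"", False
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(PLAIN_HTTP_PROBE)
            while len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:          # orderly close (FIN) from the server
                    closed = True
                    break
                data += chunk
    except ConnectionResetError:
        return "reset", ""
    except socket.timeout:
        pass                           # classify whatever arrived, if anything
    if not data:
        return ("empty-reply" if closed else "timeout"), ""
    status_line = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1] == "400":
        return "bad-request", status_line
    return "other", status_line


def fake_tls_port(behaviour):
    """Constructed local stand-in for port 443 so the probe runs offline:
    "close" drops plain HTTP silently, "400" answers like stock Apache."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve_once():
        conn, _ = srv.accept()
        conn.recv(4096)                # read the probe, then react
        if behaviour == "400":
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]
```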

2 Answers


Interesting. What about something like this:

    <VirtualHost *:443>
        <Location />
            Order deny,allow
            Deny from all
            Allow from 127.0.0.1
        </Location>
    </VirtualHost>

This will deny traffic to port 443 for anything except localhost.

But really I think what you probably want to do (?) is just redirect all http requests to https. The 443 would be redundant after the redirect.

Jason Cotman
  • Welcome to ServerFault! I am asking about how to deny traffic from http on 443, not https. And, on a production server, so it is publicly accessible. I have seen cPanel do this, but I am not sure. –  Feb 27 '20 at 08:46
  • Exactly. I suggested the beginning of two methods. One denies the traffic, the other denies it *to http* by redirecting it to https. – Jason Cotman Feb 27 '20 at 08:53
  • How do you redirect it to https on port 443 from http to https when the user accesses it from http? It is not possible; 400 is an error directly generated from Apache's source code. You cannot modify that page at all, even if you have a custom error document, except by changing Apache's source code, which I am not sure if I am permitted to do. –  Feb 27 '20 at 08:56
  • @Chi.C.J.RajeevaLochana In fact you can customize error pages, they are not hardcoded. https://httpd.apache.org/docs/2.4/custom-error.html – Vitauts Stočka Feb 27 '20 at 09:01
  • @VitautsStočka you don't understand about this properly. To know more about what I am speaking, try adding ```ErrorDocument 414 /somefile``` to your httpd.conf file. And then type a long url to your webpage like ```https://www.yourtestwebpage.com/somethingtoolong....``` and see if your error page appears. You will understand after, that the pages are hardcoded. This is not related to my question, but just in case –  Feb 27 '20 at 09:05
  • Well, this is not related to your question, but I know exactly how this works. And YES, my error page appears if I add it with the `ErrorDocument` directive. – Vitauts Stočka Feb 27 '20 at 14:02
  • @VitautsStočka That doesn't happen with me lol –  Feb 28 '20 at 07:37
  • @VitautsStočka I think you did not type a URL long enough; it should be at least 9000 chars –  Feb 28 '20 at 08:08
  • @Chi.C.J.RajeevaLochana Maybe you should put your error documents in proper directory for `ErrorDocument` to work. Or maybe you have some other settings messing it up. Or whatever. My error pages are shown as expected (or redirects are made, if `ErrorDocument` has URL) for 414 errors (url too long) as well as for any other error code. Doubt it if you like so, your choice. – Vitauts Stočka Feb 28 '20 at 08:42
  • @VitautsStočka, it worked for me too now lol. But mod_rewrite doesn't work with 400 bad request –  Feb 28 '20 at 09:36
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/104990/discussion-between-chi-c-j-rajeeva-lochana-and-vitauts-stocka). –  Feb 28 '20 at 09:37

I edit a file in the Apache source code in the directory ./modules/ssl/ssl_engine_kernel.so.

In that file, you can find a line saying:

    if (sslconn->non_ssl_request == NON_SSL_SET_ERROR_MSG) {
        apr_table_setn(r->notes, "error-notes",
                       "Reason: You're speaking plain HTTP to an SSL-enabled "
                       "server port.<br />\n Instead use the HTTPS scheme to "
                       "access this URL, please.<br />\n");

        /* Now that we have caught this error, forget it. we are done
         * with using SSL on this request.
         */
        sslconn->non_ssl_request = NON_SSL_OK;

        return HTTP_BAD_REQUEST;
    }


Change it to this:

    if (sslconn->non_ssl_request == NON_SSL_SET_ERROR_MSG) {
        /*
        apr_table_setn(r->notes, "error-notes",
                       "Reason: You're speaking plain HTTP to an SSL-enabled "
                       "server port.<br />\n Instead use the HTTPS scheme to "
                       "access this URL, please.<br />\n");
        */
        /* Now that we have caught this error, forget it. we are done
         * with using SSL on this request.
         */
        sslconn->non_ssl_request = NON_SSL_OK;

        /* Mark the connection as aborted: the core output filter then
         * discards the error response instead of writing it, and httpd
         * closes the socket, so the client sees an empty reply rather
         * than the 400 page. (apr_pstrcat() returns a char *, not a
         * status code, so it cannot be returned from this hook.)
         */
        r->connection->aborted = 1;
        return HTTP_BAD_REQUEST;
    }

And then, re-compile Apache. And you should be good :)