HTTPS only on OpenBSD 4.9?

Question

I've tried this example from OpenBSD http://www.openbsd.org/faq/faq10.html#HTTPS

it works fine, but with Mozilla Firefox 6.0 it's possible to use both http and https, while I want to force users to use only HTTPS. How can I achieve this?

Thanks!

This makes no sense at all.. can you rephrase your question? — pauska, Aug 17 '11 at 10:24

score 1 · Answer 1 · answered Aug 17 '11 at 11:39

1

You control that in what ever web server you use. You're going to want to 301 redirect to your HTTPS site.

answered Aug 17 '11 at 11:39

Jacob

9,204
4
45
56

score 1 · Answer 2 · answered Sep 27 '11 at 01:18

You can restrict connections to your website to require HTTPS, by using the mod_ssl directive

SSLRequireSSL

This directive forbids access unless HTTP over SSL (that is HTTPS) is enabled for the current
connection. It is very handy inside the SSL-enabled virtual host or directories as a defense 
against configuration errors that expose data that should be protected. When this directive 
is present, all requests that do not use SSL are denied.

The FAQ entry you referenced discusses setting up your website to support SSL, the directive SSLRequireSSL is what you would use to specify restrictions per the whole site (or the specific Alias/Directories within your site.)

curiousguy · Answer 3 · 2012-07-02T17:05:28.690

You can redirect http://example.com/ to https://example.com/, but it means that clear-text HTTP is still being used just to send the HTTP Redirect.

This exposes the user to attacks by tools such as sslstrip, unless he carefully checks every time that the domain is really https://example.com, not http://example.com/, not https://examp1e.com, not https://(insert non-Latin homoglyphs here).com...

In this case, you really want to use HTTP Strict Transport Security:

HTTP Strict Transport Security (HSTS) is a proposed web security policy mechanism where a web server declares that complying user agents (such as a web browser) are to interact with it using secure connections only (such as HTTPS).

score 0 · Answer 4 · answered Jul 16 '13 at 06:25

If a station security issue, you can use this firefox extension to force only https for all sites HTTPS Everywhere.
If a perimeter security issue, you can use a proxy forward server to redirect all http requests to https.
Finally, if you have a web server just make diferent paths for http and https. In https you will put your site and in http you will put just a index.html file using meta refesh. <meta http-equiv="refresh" content="0; url=https://example.com">

HTTPS only on OpenBSD 4.9?

4 Answers4