Https to http redirect for only one of multiple sites on the same server

Question

I have several sites on a single server, and an SSL certificate.

The problem is that i need to redirect all sites from https to http except one, which should be the only site using https. Say, https-subsite.mainsite.ru for example.

There are some links on this site that appear in search for sites that shouldn't use https, like https://https-subsite.mainsite.ru?eee=11&sd=1 and https://other-non-https.mainsite.ru for example), which follow to nowhere.

I think they follow to port 443 which has DocumentRoot for 443 /var/www/blah/data/www/https-subsite.mainsite.ru - its DocumentRoot for only one site that should use https. (See config below.)

I tried to redirect a single site from https to http manually, like this:

<VirtualHost *:443 > 
    ServerName other-non-https.mainsite.ru
    ServerAlias *.other-non-https.mainsite.ru
    Redirect 301 / other-non-https.mainsite.ru
</VirtualHost>

and it works, so that https://other-non-https.mainsite.ru goes to http://other-non-https.mainsite.ru and all is OK. I can copy this for another sites, but seems like a a bad idea.

Is there another, better way to redirect non https sites to their http addresses? (Like with a single rule, instead of a different virtual host for each site.)

My httpd.conf:

<Directory /var/www/blah/data/www/mainsite.ru>
    Options -ExecCGI -Includes
    php_admin_value open_basedir "/var/www/blah/data:."
    php_admin_flag engine on
</Directory>

<Directory /var/www/blah/data/www/https-subsite.mainsite.ru>
    Options -ExecCGI -Includes
    php_admin_value open_basedir "/var/www/blah/data:."
    php_admin_flag engine on
</Directory>

<Directory /var/www/blah/data/www/other-non-https.mainsite.ru>
    Options -ExecCGI -Includes
    php_admin_value open_basedir "/var/www/blah/data:."
    php_admin_flag engine on
</Directory>

<Directory /var/www/blah/data/www/othernonhttps.ru>
    Options -ExecCGI -Includes
    php_admin_value open_basedir "/var/www/blah/data:."
    php_admin_flag engine on
</Directory>

NameVirtualHost *:80
NameVirtualHost *:443

#first site with https

<VirtualHost *:443 >
    SSLCertificateChainFile /var/www/httpd-cert/blah/https-subsite.mainsite.ru.bundle
    SSLCertificateFile /var/www/httpd-cert/blah/https-subsite.mainsite.ru.crt
    SSLCertificateKeyFile /var/www/httpd-cert/blah/https-subsite.mainsite.ru.key
    SSLEngine on
    ServerName https-subsite.mainsite.ru
    CustomLog /var/www/httpd-logs/https-subsite.mainsite.ru.access.log combined
    DocumentRoot /var/www/blah/data/www/https-subsite.mainsite.ru
    ErrorLog /var/www/httpd-logs/https-subsite.mainsite.ru.error.log
    ServerAdmin webmaster@https-subsite.mainsite.ru
    ServerAlias www.https-subsite.mainsite.ru
    SuexecUserGroup blah blah
    AddType application/x-httpd-php .php
    php_admin_value open_basedir "/var/www/blah/data:.:/usr/share/pear:/usr/share/php"
    php_admin_value upload_tmp_dir "/var/www/blah/data/mod-tmp"
    php_admin_value session.save_path "/var/www/blah/data/mod-tmp"
</VirtualHost>

<VirtualHost *:80 >
    ServerName https-subsite.mainsite.ru
    CustomLog /var/www/httpd-logs/https-subsite.mainsite.ru.access.log combined
    DocumentRoot /var/www/blah/data/www/https-subsite.mainsite.ru
    ErrorLog /var/www/httpd-logs/https-subsite.mainsite.ru.error.log
    ServerAdmin webmaster@https-subsite.mainsite.ru
    ServerAlias www.https-subsite.mainsite.ru
    SuexecUserGroup blah blah
    AddType application/x-httpd-php .php
    php_admin_value open_basedir "/var/www/blah/data:.:/usr/share/pear:/usr/share/php"
    php_admin_value upload_tmp_dir "/var/www/blah/data/mod-tmp"
    php_admin_value session.save_path "/var/www/blah/data/mod-tmp"
</VirtualHost>

<VirtualHost *:80 >
    ServerName mainsite.ru
    CustomLog /var/www/httpd-logs/mainsite.ru.access.log combined
    DocumentRoot /var/www/blah/data/www/mainsite.ru
    ErrorLog /var/www/httpd-logs/mainsite.ru.error.log
    ServerAdmin webmaster@mainsite.ru
    ServerAlias www.mainsite.ru
    SuexecUserGroup blah blah
    AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
    AddType application/x-httpd-php-source .phps
    php_admin_value open_basedir "/var/www/blah/data:."
    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f webmaster@mainsite.ru"
    php_admin_value upload_tmp_dir "/var/www/blah/data/mod-tmp"
    php_admin_value session.save_path "/var/www/blah/data/mod-tmp"
</VirtualHost>

<VirtualHost *:80 >
    ServerName othernonhttps.ru
    CustomLog /var/www/httpd-logs/othernonhttps.ru.access.log combined
    DocumentRoot /var/www/blah/data/www/othernonhttps.ru
    ErrorLog /var/www/httpd-logs/othernonhttps.ru.error.log
    ServerAdmin webmaster@othernonhttps.ru
    ServerAlias www.othernonhttps.ru
    SuexecUserGroup blah blah
    AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
    AddType application/x-httpd-php-source .phps
    php_admin_value open_basedir "/var/www/blah/data:."
    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f webmaster@othernonhttps.ru"
    php_admin_value upload_tmp_dir "/var/www/blah/data/mod-tmp"
    php_admin_value session.save_path "/var/www/blah/data/mod-tmp"
</VirtualHost>

<VirtualHost *:80 >
    ServerName other-non-https.mainsite.ru
    CustomLog /var/www/httpd-logs/other-non-https.mainsite.ru.access.log combined
    DocumentRoot /var/www/blah/data/www/other-non-https.mainsite.ru
    ErrorLog /var/www/httpd-logs/other-non-https.mainsite.ru.error.log
    ServerAdmin webmaster@other-non-https.mainsite.ru
    ServerAlias www.other-non-https.mainsite.ru
    SuexecUserGroup blah blah
    AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
    AddType application/x-httpd-php-source .phps
    php_admin_value open_basedir "/var/www/blah/data:."
    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f webmaster@other-non-https.mainsite.ru"
    php_admin_value upload_tmp_dir "/var/www/blah/data/mod-tmp"
    php_admin_value session.save_path "/var/www/blah/data/mod-tmp"
</VirtualHost>

Answer 1

We are going around in circles in the comment thread above, so let me state this clearly for you in the form of an answer: once your users have entered an HTTPS URL in their browser, they are committed to having an HTTPS transaction with a server that has a properly-signed certificate matching the hostname they've entered before they can do anything else at all. Anything that goes wrong with that - no listener on port 443, wrong hostname in certificate, expired or self-signed certificate - will generate an error for the user. Those errors arise when the HTTPS connection is first made, long before any redirection instructions can be passed back by the server. Things have to be this way, or HTTPS would be completely pointless.

You don't say this explicitly, but I'm assuming you've only got one IP address. The perfect case for you is SNI, combined with valid, publicly-signed certificates for each host so hosted. Anything less than that will generate problems for your users, and your only choice is which problem(s) it will create.

If you don't mind the users having to click through self-signed certificate warnings, then SNI coupled with self-signed certificates for all of your hosts except the one that has a publicly-valid certificate is probably your best bet.

If neither of the above are acceptable, please be clearer about what error(s) your users are prepared to tolerate. And let me finish by repeating one last time: if you aren't prepared to get publicly-signed certificates for all your virtual sites, support SNI, and require SNI support from your users, you cannot do this without your users experiencing some kind of error.