4

A port translation is configured on a firewall with a public address to redirect an HTTPS request from https://customdomain.fr:8443 to https://localIP-apache-server.

The translation works well and the index.php page is displayed correctly.

When I authenticate to the portal, the URL is changed to http instead of https, and the following message appears:

> Bad Request
>
> Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please.

If I replace http with https, the page is correctly displayed.

I use a WAMP server. In my httpd.conf there are 2 VirtualHosts, one for port 80 and one for port 443. Both ports are listened on. I tried to enable a RewriteRule in httpd.conf in VirtualHost 443:

```
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule "^/?(.*)" "https://customdomain.fr:8443/$1" [L,R,NE]
```

But the error 400 still occurs. It seems that Apache sends the error before the request is read by the VirtualHost 443.

So I tried to set the following code before VirtualHost 443 in httpd.conf:

```
ErrorDocument 400  https://customdomain.fr:8443/aaa/bbb
```

I do not get error 400, but the displayed page is https://customdomain.fr:8443/aaa/bbb/index.php and not another page, for example https://customdomain.fr:8443/aaa/bbb/order.php

Do you know a way to display the requested page using ErrorDocument, or another way to solve my issue, please?

PapiDid
  • Just don't redirect to http. Using HTTPS only for login was common practice 10 years ago, nowadays you should serve the complete page via HTTPS. – Robert Jun 04 '19 at 13:50
  • https is not only used for authentication, but for the entire site. – PapiDid Jun 04 '19 at 14:06
  • But you are writing `the url is changed to http instead of https`. As you are talking about the forwarding config and not an unexpected fallback to HTTP I assumed that this was done intentionally. Therefore your page is not served fully via HTTPS. – Robert Jun 04 '19 at 14:08
  • Yes, you're right: the browser changed https to http automatically, the change was not done manually, which is why the error 400 occurs. I am not an Apache expert, so I haven't found a solution yet. – PapiDid Jun 04 '19 at 15:12

1 Answer

0

I found the solution: enable HSTS by adding the following code in httpd.conf:

```
Header always set Strict-Transport-Security "max-age=15552001; includeSubDomains;"
```

In this case, the browser sends all requests via https and not via http. Issue solved.

PapiDid
  • 2
    I would call that a workaround, not a solution. The clean solution would be to adapt the web application running on the server and change all `http://` links to `https://` – Robert Jun 04 '19 at 16:42
  • It's not a solution to the question asked, since it requires a client to FIRST go to the https endpoint, but the client doesn't know that, otherwise it wouldn't hit the http endpoint in the first place. – Mladen B. Dec 05 '21 at 08:18
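The browser-side behaviour the answer and its comments rely on, as an added example that is not part of the original thread: a simplified model of the HSTS host list from RFC 6797, showing that an `http://` link on port 8443 is only upgraded after one HTTPS response carrying the header has been seen. The names `parse_hsts`, `HstsStore` and `demo` are hypothetical, and the traffic in `demo` is constructed from the URLs in the question.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(value):
    """Return (max_age, include_subdomains); max_age is None if invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name.strip().lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

class HstsStore:
    """Simplified model of a browser's HSTS host list (RFC 6797)."""
    def __init__(self):
        self.hosts = {}  # host -> (expiry time, include_subdomains)
    def note_response(self, url, headers, now):
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return  # the header is ignored on plain-HTTP responses
        max_age, include_sub = parse_hsts(value)
        if max_age is not None:
            self.hosts[parts.hostname] = (now + max_age, include_sub)
    def is_known(self, host, now):
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
    def rewrite(self, url, now):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        # An explicit :80 becomes :443; any other explicit port is preserved.
        netloc = parts.hostname + ":443" if parts.port == 80 else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def demo():
    """Constructed traffic for the setup in the question."""
    store = HstsStore()
    hsts = {"Strict-Transport-Security": "max-age=15552001; includeSubDomains;"}
    target = "http://customdomain.fr:8443/aaa/bbb/order.php"
    first_visit = store.rewrite(target, now=0)  # nothing stored yet
    store.note_response("https://customdomain.fr:8443/aaa/bbb/index.php", hsts, now=0)
    return first_visit, store.rewrite(target, now=60)
```

`demo()` returns the `http://` URL unchanged for the first visit and the `https://` URL on the same port afterwards, which is why the header hides the application's `http://` redirect only for browsers that have already loaded a page over HTTPS.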