Serving port 443 over http creates 400 Bad Request Error instead of redirect

http ssl apache-2.4

So for posterity sake, I am trying to configure my server so that even when someone tries to go to go to http:// domain.com:443, they would be correctly redirected to the https version of the site (https:// domain.com).

When testing something like http:// domain.com:443, it does not redirect correctly to https:// domain.com, I instead get hit with a 400 Bad Request page with the following content:

Bad Request

Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please.

Apache/2.4.18 (Ubuntu) Server at sub.domain.com Port 443

I tried including the following lines in my 000-default.conf in the <VirtualHost *:80>:

RewriteEngine On 
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]

But it didn't work.

This issue occurs on all domains, subdomains and the server IP itself.

Possibly related, trying to do a dry run of letsencrypt returns the following:

   Domain: domain.com
   Type:   connection
   Detail: Failed to connect to 123.123.123.123:443 for TLS-SNI-01
   challenge

For each and every domain listed in the sites-enabled folder.


Solution 1:

TL;TR: you cannot serve both HTTP and HTTPS on the same port (443).

While it would be in theory possible to figure out based on the first data from the client if the client is sending a HTTP request (i.e. GET .. or similar) or is starting a TLS handshake (\x16\x03...) most web servers don't do this. Instead they expect the client to behave properly, that is use plain HTTP on one port (usually 80) and HTTPS on another port (usually 443).

Your URL of http://example.com:443 is causing the browser to make a plain HTTP request to port 443. But the server is expecting TLS there which means that your plain HTTP request is unexpected. Apache is at least nice enough to check if the incoming data for a plain HTTP request in this case so that it can offer you a more useful description:

Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please.

If you try such requests with other servers then they would either close the connection without any error at all or just hang because they are still hoping to get a TLS handshake from the client.

Solution 2:

I had this same error and the culprit was that my config was trying to enable SSL on my non-ssl port. Any website address that starts with http:// will be funneled through port 80 (<VirtualHost *:80>) and that host doesn't want to know anything about SSL. Any sites that start with https:// will be funneled through port 443 (<VirtualHost *:443>)

The more direct issue was that I had the following SSL details under my *:80 host, which was making Apache try to enable SSL for a non-SSL connection.

SSLEngine on
SSLCertificateFile /bla.crt
SSLCertificateKeyFile /bla.key
SSLCertificateChainFile /bla.crt

After removing those lines from *:80 (and making sure they were present under <VirtualHost *:443>) My server popped back up again.

So, here are my <VirtualHost>s (all in /etc/apache2/sites-available/http.conf but might be different depending on your setup):

<VirtualHost *:80>

    -- snip --

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

</VirtualHost>


<VirtualHost *:443>

    -- snip --

    SSLEngine on
    SSLCertificateFile /var/www/ssl/STAR_iconcierge_net_au.crt
    SSLCertificateKeyFile /var/www/ssl/STAR_iconcierge_net_au.key
    SSLCertificateChainFile /var/www/ssl/STAR_iconcierge_net_au.crt

</VirtualHost>

Notice how *:80 (http) enacts a rewrite to *:443 (https), which then enforces SSL with the SSLEngine on directive.

Solution 3:

What you are actually looking after is sending HSTS headers from the webserver back to the users, which tell the browser always to access the site using TLS. There isn't any 301 redirect happening there, as you can see from the development tools in any browser.

This happens with Google for example. Once you have visited Google the first time, it sent you a HSTS header, and your browser saved the header to a list. After, when you try to connect to google.com with http://, the browser changes the connection method automatically to https:// without any communication to the remote webserver.

This is one further security mechanism to prevent attacks on the security layer.

Related

Is there a way to disable IPv6 SLAAC on a per-interface basis in Debian?
apt-get update mdadm scary warnings
Apache ProxyPass ignore static files
Use Nginx to server different pages depending on IP address/subnet
Windows folder permissions, Administrators and UAC, what's the "right" way to deal with this?
GitLab Active Directory authentication: no results and no authentication
iotop and iostat disagree
Which archive/compression format?
Configuring sudo to work without password
How to COMPLETELY uninstall Visual Studio Code from Windows 10?
Rename/delete Windows (x64) folder with leading and trailing space
How to automatically run commands on SSH login?