To impose the use of https rather than http, is disabling port 80 on the target machines all that there is to do? Or is there more to it?

Thank you for your help.

You could do it that way but the safer method (so those who don't realize they need to use https) would be to create an index.html page that would redirect them to the https page - that way if they were to use http instead of https they would still end up in the right place using ssl....

Just a thought...

gm...

I use Apache rewrite rules to accomplish automatically forcing traffic to https. That way you don't have to maintain a list of IP's.

No, disabling port 80 will just make people complain because they can't connect to your server. You need to redirect them to the https site on port 433.

Creating an index.html to redirect them, as gmckinney suggested, is probably the easiest way to do that.

as already stated most servers will issue a 30x http response with the location field in the http header set to https:somewebsite.org/

The client then knows that it must disc'n and then
reconnect to port 443 and negotiate an ssl/tls connection.

Thank you all for your answers.

This system is to be used within a WAN and we set up all the machines. These machines are not allowed to communicate through HTTP at all and the users know it.

Is there a more drastic way to make the default HTTPS and to insure no machine is able to use HTTP?

By not installing some packages or similar?

Hmmm - Since you are wanting to limit the target machines to ONLY https (port 443) you would have to change the settings on the web browsers to only use https. You will need to dig into the docs for the web browser used to see how that is accomplished (in Windows there is a registry setting to state what the default port to use is BUT it can be bypassed!).

A second method would be to put a firewall at either the local WAN end or remote WAN end with firewall rules that would redirect all port 80 traffic to port 443. Again - depending on the firewall used (and it could be done in Linux with iptables).

A third method would be to setup a machine as a proxy server - then configure the proxy server to translate all http requests to https requests. You would need to configure the client machines to point to the proxy server to web browsing and lock down the machines so the client can not change the proxy settings in the browser...

One caveat to forcing all http traffic to https - if there is ever a need to use http on the client machines then they will not be able to do so easily unless you do use a firewall with specific target host machines targeted for https only. If this is the case it is much simpler to just have the host machine redirect the browser to https...

Just some thoughts early in the morning on the first cup of coffee...

gm...

surely it will be simpler to re-configure a few http servers to re-direct http connections to https rather than statically configure all the clients??

Just Port forwarding a normal http request to port
443 will not work because the client wil not know that it is trying to negotiate with a https server.
However If you send the https re-directs back then it will know to
do the proper handshake ssl/tls handshaking b4 sending its http request.

The proxy server suggestion could work but but no less complicated than the re-direction ploy that I see used on most https I have come across on the web.

Thank you. I will follow your advice. There is a lot of info available if one google "apache http https redirect"