I am trying to setup a website that uses https only and not http.

I have seen several phrasing for doing so, but I am not sure which is correct. The one that make the most sense is:


SSLProtocal all
SSLCipherSuite HIGH:MEDIUM

But the directions call for putting it in the httpd.conf file. I am runnign the lattest Apache on Redhat 9. From what I see, all SSL commands are in the ssl.conf file, not in httpd.config.

Can someone tell me where and in which file it is suppose to go.

Also, will this mandate https and not http in so that when someone types in my domain name, they automaticly get https?

It reads both files, I would put it in ssl.conf

you will need to close port 80 (turn off listen 80) and only allow port 443, or redirect http to https


I would have the virtualhost for ssl somewhere other than the default /var/www/html and put only index.php in /var/www/html

index.php
<?php
header("Location: https://my.domain.com/");
?>


you will also need to change the other folders like manual, cgi-bin, and any others to ssl

I am redirecting 80 to 443 but I am getting a "Bad Request" error page (400). It states:

Your browser sent a request that this server could not nderstand.
Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please.

Hint: https://new.host.name/

This is very much, an appropriate error. Now what I would like to do is create a custom error page that redirects http to https. I have the page crated and it works. But when I try to direct Apache to it, it seems like it ignores the command and uses the default settings. I tried to create a .htac.. file which direct 400 errors to the page and that did not work.

Am I doing something wrong?
Is there a better way?

Thanks for your feedback
Tony

It sounds like you are redirecting port 80 to 443 using iptables rules or something like that. It won't work that way, the browsers header needs to be https.

You could use the rewrite rules in your http.conf file to redirect all trafic to https..
This will alow you to either redirect without notice or to show a nice messgage like "you must use https to ..."

What I am going to do is use a redirecting index.htm file and have it be the only fine in the /html. I will place all other files in a subdirectory.

All of the links will be automaticly linked to https when I create the pages. However, this will not prevent someone from typing in the full address without the https - meaning the files might be sent un-encripted.

Thanks for your feedback, it was helpfull

Tony

you do not want to put the https document root in html, put it somewhere else, then the only file in html will be index.php


like this

ssl.conf
DocumentRoot /var/www/htmls


httpd.conf
DocumentRoot /var/www/html

the redirect is also a good idea

I setup my site last night according to your directions David, and it works great !!!!!!! Individuals are automatically redirected to the https page. If they try to type in a file location directly without the https (http only) they get an error page.

Great help -- thanks a million

Tony