Can a website be HTTP and HTTPS at the same time? - http

Somehow I've stumbled on this website that has an http url and an https url at the same time:
http://www.actbrain-vn.com/
https://www.actbrain-vn.com/
I'm not that seasoned in web development yet, so here are my questions:
How does that work? Why doesn't the http url redirect to the newer https? Could this be an oversight? If I'm to turn an http website into an https website, what should I do so that this won't happen?

http runs on port 80, and https runs on TCP port 443. They can both be open at the same time, they can even serve different websites. In some ways they are 2 different websites.
To avoid this you can simply close down port 80, or alternatively, make sure that the website served on port 80 always sends a redirect to the https website.
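
A way to check which of the cases in the answer above a site is in, as an added example that is not part of the original answer: it classifies the response a server gives on port 80 and reads the HSTS header from the HTTPS response. The function names, verdict strings and `www.example.test` sample responses are constructed for illustration.

```python
import http.client
import re
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def classify_port80(host, status, headers):
    """Judge the answer a server gave to a plain-HTTP request for `host`."""
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    if status not in REDIRECTS:
        return "no-redirect"            # port 80 serves its own site in clear text
    target = urlsplit(hdrs.get("location", ""))
    if target.scheme != "https":
        return "redirect-not-https"     # redirects, but not onto TLS
    if (target.hostname or "").lower() != host.lower():
        return "redirect-other-host"    # worth a look: HSTS is remembered per host
    return "permanent" if status in (301, 308) else "temporary"

def hsts_max_age(https_headers):
    """Return max-age from Strict-Transport-Security, or None if absent/invalid."""
    hdrs = {k.lower(): v for k, v in https_headers.items()}
    for part in hdrs.get("strict-transport-security", "").split(";"):
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', part.strip(), re.I | re.A)
        if m:
            return int(m.group(1))
    return None

def fetch_port80(host, connect_to=None, timeout=5):
    """HEAD / on port 80 without following redirects (needs network access).
    connect_to can be 127.0.0.1 when run on the server; Host stays `host`."""
    conn = http.client.HTTPConnection(connect_to or host, 80, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "both-open": (200, {"Content-Type": "text/html"}),
    "redirecting": (301, {"Location": "https://www.example.test/"}),
    "temp": (302, {"location": "https://www.example.test/login"}),
    "downgrade": (301, {"Location": "http://www.example.test/home"}),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(name, classify_port80("www.example.test", status, headers))
```

On a real site, pass the result of `fetch_port80(host)` to `classify_port80`; a `no-redirect` verdict is the situation described in the question.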

Related

Reroute non-default ports and http to https - Windows server

I have a Windows PC with some Flask webapps running on various ports 5000, 5001, ...
I have mapped subdomains with CNAMEs to point to the server and Nginx handles the rerouting (correct wording?) to the appropriate ports: x.server.net -> ip:5000, y.server.net -> ip:5001
It works
Now I want to enable https so I would like to redirect users from http to https.
Further, I discovered that Nginx doesn't handle when users supply a non-standard port, so x.server.net:5001 actually points to the wrong Flask app. So I would also like to redirect non-default ports to the default (80 or 443 depending on http or https). Some of the apps don't need https, so I might mix it.
Can this be done with Nginx or should I use something else? I found others asking this, but the replies are only for Linux as far as I understand (iptables?).
And last but not least, are redirects a safe approach? Can it be ignored by a malicious client?

Is HSTS required when load balancer does not serve HTTP requests

I have a web application running on AWS EC2 using a load balancer which only listens for HTTPS requests on port 443 along with a security group which only allows for traffic on port 443 so my application cannot be reached via HTTP (as far as I am aware).
The application has recently been pen tested which resulted in the recommendation to implement HSTS. From what I can see one of the requirements for implementing HSTS is to redirect ALL HTTP links to HTTPS with a 301 Permanent Redirect. Upon trying to do this through another listener on the load balancer redirecting traffic from port 80 to port 443 I get a warning that the security group attached "does not allow traffic on this listener port."
My question is should I consider enabling HTTP traffic so that I can implement the permanent redirect and then implement HSTS or am I better off leaving things the way they are? I'm inclined to think that because my load balancer does not allow HTTP traffic that I'm better off leaving my current set up as is but not 100% sure. Can anyone explain which is the safer option and why? Thanks in advance.
It totally depends on whether you want to allow and redirect HTTP traffic to HTTPS. For example, if it's a user-facing application, then generally HTTP traffic is allowed at the gateway/load balancer and then redirected to HTTPS, as the end user shouldn't get any error when accessing it over HTTP. In this case the HSTS header plays an important role.
But if it's not an end-user-facing application and you know the consuming entity will always access it using HTTPS, then don't allow HTTP traffic. So here you won't need to have the HSTS header set.

http:// website listed as https:// in search results

I have a WordPress website that is being listed in Google results as a https:// website. Thing is that I have not set up an SSL or https:// for this website.
I've searched online and some people suggested that I might have https:// links inside my website and indeed there were some. However, after doing these modifications the website result still directs to a https:// address.
Is there any other way I can fix this?
https will by default connect to port 443. You can then send a redirect (if possible) from your webserver from port 443 to the client to go to http on port 80 instead. I think that you have to send a redirect to the client. Making port 443 redirect directly to port 80 in your webserver's configuration may not remove the encryption and cause some issues.

how to speed up redirect from http to https

I have a website that I built that is https only.
I have a redirect that rolls http to https via JavaScript.
The problem is that the process lasts up to 4 seconds of wait time to reset connection and start https.
Is there a faster way to send http to https?
Thanks.
You can rewrite HTTP requests to HTTPS requests using Nginx.
You can find an example here.

Test HTTP redirect to HTTPS on the live production server

I have a production server with a live website configured to use SSL. It has also been configured to redirect any HTTP URLs to the HTTPS.
I would like to be able to view the website from the server and test the redirect taking place. Instead I get an error message about permissions.
If I type the HTTP url from a different machine I am able to view the website, i.e. the HTTP url has automatically been converted into an HTTPS url.
The question is how can I test the HTTP redirect from the production server?
You either make the webserver also listen to localhost (127.0.0.1), or you make the test bind to the external IP of the host.
