I have installed ssl certificates on my site but the browsers still showing unsafe connection. However i can access a safe connection by using https:// before site url
If you want to force https you'll need to set that up.
As explained on the apache wiki the recommended method is to setup the http virtual host to redirect to the https virtual host. Alternatively, you can use mod_rewrite to redirect from http to https.
Related
I am using ngrok to make my local instance of Apache (running through XAMPP on Windows 10) viewable to the internet. It works fine to access http://example.com but if I try https://example.com it gives me a certificate error (because the certificate is issued for its ngrok.io domain). I know I can avoid the cert error by using a url that ngrok generates for https, but I'd rather use my own domain name. How can I avoid the certificate error and get my site to load over https? I've seen a few guides for enabling https/ssl on localhost, but that's not what I need to do - I need to enable it for example.com, not localhost, and as I said, serving the site over http is working fine.
I have a virtual server and it doesn't have an ssl certificate. When I try to use webmail from http://webmail.oznurdavetiye.com, I encounter "your connection is not secure message" because of https redirection.
If I edit directives as "RewriteRule ^(.*) http://oznurdavetiye.com:20000/ [R]", I encounter "Error - Document follows, This web server is running in SSL mode ".
How can I configure a virtual server's webmail to work without an https connection ?
It's done in Webmin->Usermin Configuration->SSL Encryption.
You need to either disable Enable SSL or Redirect non-SSL requests to SSL mode options.
Afterwards, you will not be redirected to SSL version and thus will not see the certificate error.
The other possible solution is to get free SSL certificate for your domain, for example from Let’s Encrypt.
I've just started using Zap, and am successfully running it in Firefox and Chrome.
I'd like to use it to automatically serve it's SSL cert for non https sites as well.
So for example, I'd like it to be able to serve
http://example.com
as
https://example.com
even though example.com normally wouldn't serve an SSL cert.
This would allow me to test local development sites without ever creating a self signed cert for them, or having to configure the cert with a webserver.
I've tried to port forward my dev port (18000) to port 443, but there's no SSL cert being served by my webserver, and the connection fails. I've also tried this with sni terminator zap plugin with no luck, though it feels like it's super close!
Any suggestions?
No application can choose communication protocol on which a client communicates. Web servers communication is strictly client driven except server redirects. For client to choose HTTP(s) out of two options http and http(s) you may install browser plugins like HTTP(s) everywhere which will seek for https first even if http is entered in browser
I have an apache server with multiple named hosts all working fine for port 80 http traffic.
(A VPS with one unique IP address)
I have one domain that has a SSL certificate and that domain is configured to handle both http and https traffic.
However if someone accidentally adds https to the beginning of a none SSL configured URL I get a typical certificate warning error (expected) and then if the user accepts the error (depending on the browser) it displays the SSL site I have configured instead of the original non-ssl domain.
I've read up a bit about SNI, but I don't have certificates for each of the other domains and would rather the server either not respond to the SSL request on anything else but one specific domain or redirect to the http version of the site.
Suggestions please as to how I approach this.
Kind regards, Spencer
For security reasons, what you're trying to achieve cannot work.
The browser (which implements the mechanisms to check the certificate) cannot know whether the user typed https:// instead of http:// accidentally or intentionally. Since it's ultimately up to the users to check that https:// is used when they think it's required, browsers should simply perform the actions requested by the users.
A redirection from https:// to http:// should always start with a valid https:// connection. SNI won't help you much there if you can't have valid certificates for the initial connection.
Otherwise, it would be fair for browsers to assume there may be a MITM attack in progress. Typing in https:// explicitly (or using HSTS) is the only reliably mechanism against MITM tools like SSLstrip, which would otherwise be capable of downgrading (or preventing an upgrade from http:// to https://).
If I get an ssl certificate - can I still access my web pages using http (instead of https) so they'll load faster?
Or perhaps have the ssl for only certain pages on my site? (I'm using web hosting, perhaps it matters.)
Yes. When you're setting up the certificate, you can configure your server to listen on port 443 (for SSL, where it will serve your certificate) as well as port 80 (where normal HTTP traffic will go). For pages where you absolutely want to have SSL, you'll need to force the user to visit the https:// URL.