New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Redirect HTTPS requests to HTTP without a warning
Hello folks looking for some pointers.
For reasons I won't go into, I need to redirect requests for a domain made under HTTPS to plain HTTP. I don't have a valid encryption certificate for the domain, so when the initial request is made I get a certificate error for a hostname mismatch. Is there any way I can avoid this, short of not accepting encrypted traffic at all?
Thanked by 1eddynetweb
This discussion has been closed.
Comments
AFAIKit is technically impossible to send anything through https without using https.Hey,
Try this out,
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI}
Not possible, you still need valid certificate. Get wosign or cloudflare free plan.
Edit your ssl.conf by removing 443 related virtual server. (If you're on a shared hosting. Out of luck most probably)
Because https warning triggers before http request. Hope this helps.
This won't work unless there is a valid SSL.
This is the best option so far. If you're able to install a valid SSL to the host. You can trigger the redirect. Grab one free SSL from wosign or start com.
Cheers guys, just wanted some opinions to validate my conclusion.
I appreciate the suggestions but installing a cert and stopping HTTP traffic are not viable solutions in this instance.
+1 cloudflare.
Cloudflare is also not viable.
I appreciate I'm being vague but that's unfortunately necessary.
All redirects require an established connection, whether it's Javascript/HTML redirect in the response body or redirecting via HTTP header. If these could be sent without an encrypted channel being established, then it implies an attacker could redirect anyone making a request for HTTPS resource, or at the very least that an attacker would be able to see where client is being redirected in some cases; this defeats the point of HTTPS. So this is not and should not be supported.
It's $10 for a cert that will work basically everywhere or try your luck with startssl. Stop being cheap, no excuses for pathetic security practices.
Not possible, and for good reason.
Your claim that you're "being vague but it's necessary" doesn't exactly inspire much confidence, makes me feel there's some serious insecurity going on... security through obscurity and all that.
Or that doesn't want to give his game away because he doesn't want an association between his alias (Nekki) and whoever he is and does in the real world.
It has to be some very, very niche usecase for that to be a plausible scenario. I've had people use this same kind of argument when asking for help on IRC and refusing to give more details, and it basically always turned out that they'd been worrying too much, and the risk wasn't there.
No-one said anything about cheap. I'm looking to counter an extremely crap situation I've been left to deal with, and I wanted to validate that there was no way round it.
Correct-a-mundo.
Yes, ludicrously so.
Fair enough
You bastard. You work for the NSA, don't you?
It's possible if you can code a proxy page, then process the request on the server side.
Example you have a page https://yourdomain.com/proxy.php?url=http://destination.com/abcxyz
It won't show any error
Better use Redirect than Rewrite. See http://httpd.apache.org/docs/trunk/rewrite/avoid.html
Could a mod close this please as I have my answer (can't be done without making use of a method I can't utilise).