
I have some doubts about how to redirect all my http pages to https.

I've seen that someone suggests doing a rewrite like in this reply:

And Apache says to do it this way:

Can anyone explain to me what the recommended way to make this change is?

Overnet

2 Answers

The only secure way to redirect http to https is to use HSTS (the Strict-Transport-Security header) with the preload option.

The Apache redirect is insecure because an attacker can intercept it and rewrite it. Unfortunately, for older browsers and browsers that didn't preload HSTS, it's your only option:

<VirtualHost *:80>
      ServerName www.example.com
      Redirect "/" "https://www.example.com/"
</VirtualHost>

Apache redirect

In the https response:

<VirtualHost *:443>
      # Use HTTP Strict Transport Security to force client to use secure connections only
      # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
      Header always set Strict-Transport-Security "max-age=31536000"

      # Further Configuration goes here
      [...]
</VirtualHost>

HSTS

Or, using .htaccess:

# Enable mod_rewrite for this directory (required in .htaccess)
RewriteEngine On
# Redirect if http
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# set header if https
# Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

The Header Strict-Transport-Security (HSTS) has 2 effects:

  • For the visitor, it tells the browser to only use https on that domain and all sub-domains for one year (all http requests will be rewritten as https requests without network interaction)
  • For browser vendors, the 'preload' keyword allows them to preload the website in their source code. With that, you avoid the first insecure request: the browser already knows that the website commits to https. Note that HSTS+preload can't be rolled back; it's a definitive commitment to security (but that's also its strength: an attacker can't remove it either)

The HSTS line that is commented out is the most secure one but can't be rolled back:

  • Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

The uncommented HSTS line is less secure because the first connection can still be insecure, and it does not protect subdomains:

  • Strict-Transport-Security "max-age=31536000"

HSTS is the only reliable protection against SSLStrip.

SEO implications: If the website already redirects all http webpages to https then that header has no negative (and no positive) effect.

Tom
  • Can you tell me where I need to make these changes? – Overnet May 03 '16 at 11:53
  • Thanks Tom, but the problem now is how to put these lines on port 80, 433 in the directadmin interface :( – Overnet May 04 '16 at 19:59
  • HSTS is good, but not without risks. Especially with includeSubDomains (unless you know all subdomains are on https only) and extra especially with preload (as it's basically not reversible). Use HSTS - but not before understanding what it means, how it works, and the risks. Otherwise you could end up DoSing yourself. Also to me HSTS is a way of enforcing https, rather than replacing standard redirects - which are still needed to 1) pick up the HSTS policy (unless preloading), 2) support browsers that don't support HSTS, and 3) support other non-browser things like Google crawling your site. – Barry Pollard May 04 '16 at 20:01
  • @Overnet I've added the .htaccess version, does it work for you? Please read carefully the notes about HSTS. – Tom May 04 '16 at 21:39
  • @BazzaDP You're right, I've put a note in bold to explain it. Feel free to propose corrections. – Tom May 04 '16 at 21:40
  • @Tom I've decided to do the redirect with the htaccess because I don't know well how HSTS works and I don't want to take risks, especially with my SEO ranking. – Overnet May 04 '16 at 22:49
  • @Overnet I've added comments about SEO and a less radical version of HSTS, as a first step. I know it's scary because it's powerful. If your website has a login page or manipulates personal data you should look into it for the future. – Tom May 05 '16 at 09:41
  • @Tom thanks for your help! In the future I want to know more about this. But right now I don't have time to dedicate to it. – Overnet May 05 '16 at 09:52
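A small check for what the answer above recommends, added here as an example and not code from the answer or from Apache: it parses a Strict-Transport-Security value as RFC 6797 defines it and reviews a constructed http response plus https response against the answer's two variants (the lenient "max-age only" one and the strict "includeSubDomains; preload" one), also flagging an HSTS header sent over plain http, which browsers must ignore. The sample responses, the header() helper and the finding texts are this example's own constructions; the one-year/includeSubDomains/preload conditions are the published preload-list requirements.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # the max-age used in the answer's Apache configuration
# Constructed sample responses mirroring the two VirtualHosts in the answer above.
HTTP_RESPONSE = {"url": "http://www.example.com/", "status": 301,
                 "headers": {"Location": "https://www.example.com/"}}
HTTPS_RESPONSE = {"url": "https://www.example.com/", "status": 200,
                  "headers": {"Strict-Transport-Security":
                              "max-age=31536000; includeSubDomains; preload"}}


def header(resp, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    return next((v for k, v in resp["headers"].items() if k.lower() == name.lower()), None)


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns None when the mandatory max-age directive is missing or malformed."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def assess(http_resp, https_resp):
    """Findings for the http->https redirect and the HSTS policy; an empty list
    means the pair matches the strict (preload) variant in the answer."""
    findings = []
    src, dst = urlsplit(http_resp["url"]), urlsplit(header(http_resp, "Location") or "")
    if http_resp["status"] not in (301, 308) or dst.scheme != "https" or dst.hostname != src.hostname:
        findings.append("http does not permanently redirect to https on the same host")
    if header(http_resp, "Strict-Transport-Security") is not None:
        findings.append("HSTS sent over http is ignored by browsers (RFC 6797 section 8.1)")
    policy = parse_hsts(header(https_resp, "Strict-Transport-Security") or "")
    if policy is None:
        return findings + ["https response has no valid HSTS header"]
    if policy["max_age"] < ONE_YEAR:
        findings.append("max-age below one year; too short for the preload list")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains unprotected, not preload-eligible")
    if not policy["preload"]:
        findings.append("preload absent: the very first connection is still unprotected")
    return findings
```

Run assess() against headers captured from your own server with curl -I to see which of the answer's two variants you actually deployed.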
Add this just below or above DocumentRoot in /etc/apache2/sites-available/yoursite.conf

Redirect permanent / https://your-site.com/

Goforseeking
  • That answer is correct but incomplete: without HSTS an Apache redirect will always be insecure. – Tom May 03 '16 at 13:08