0

So I have the following settings in my apache http virtualhost :80 config:

<Location "/analytics/">
    ProxyPreserveHost On
    ProxyPass "http://192.168.1.1/"
    ProxyPassReverse "http://192.168.1.1/"
</Location>

This works fine when connecting on http and even applies to https when using a normal gTLD like .com / .org.

But when using this on an .app gTLD the config does not work at all. It seems like because of the forced SSL HTTPS nature of the .app gTLD, its not even loading the Apache :80 config?

Now when I also add the config above to the apache https virtualhost :443 config, then it works fine.

Some questions I have:

  1. I have spent a few hours looking for an answer as to IF you HAVE to apply Location / Directory / Alias directives to both the 80 and 443 configs in Apache? It seems like they work fine when just adding them to 80 most of the time? But not in this .app case, but I cant seem to find what the standard is - do you have to apply these directives to both 80 and 443 or is 80 enough and will 443 then get that from 80?

  2. Why is the setting needed in 443 for .app domains but not for other gTDLs? Is it because browsers are just loading more strictly from the apache server? 443 configs only for .app but less strict for other gTDLs when loading https?

Some of this is being posted for reference for others as I could not find much online about it, but I am also interested in the answers for some of these questions.

Dieskim
  • 600
  • 3
  • 12

1 Answers1

1

When you registered your .APP domain your registrar should have (it is mandated by the registry - Google) shown to you a snippet explaining that an "SSL certificate"(sic) is required to make .APP domains work.

Which means that you can do only HTTPS queries and not HTTP queries to server name in this TLD.

Why? Because Google registered the TLD in the HSTS preloading list, which is used by browsers. It makes them never attempt an HTTP query but only HTTPS, for security reasons. You can still configure a web server on port 80 and have a command line client or HTTP library connect to port 80. But mainstream browsers obey the HSTS preloading list and hence will not open a connection to port 80 no matter what you do with them.

You can find details at my answer to the same question here some months ago: https://stackoverflow.com/a/50258651/6368697

Patrick Mevzek
  • 10,995
  • 16
  • 38
  • 54
  • Thanks, I did see your other answer earlier. It seemed confusing to me that I had some directives only in the :80 vhost config but they still seemed to load for other TLDs when accessing the domain over https. I am guessing the browser is allowed to check the :80 vhost config also since its not forcing HSTS preloading? To fix I will now use https://httpd.apache.org/docs/2.4/mod/mod_macro.html to include all configs on both :80 and :443 vhosts – Dieskim Oct 16 '19 at 07:26
  • 1
    Only a few TLDs are in the HSTS preloading list. Google ones (.APP .DEV .NEW) mainly. So allt the other ones will work on port 80 – Patrick Mevzek Oct 16 '19 at 13:57