Advertisement

http request onto https service

Started by April 04, 2016 04:46 PM
1 comment, last by JohnnyCode 8 years, 7 months ago

I wonder, if there is a secure domain, what server should generaly do if it recieves an http: request instead of https: request against this secure domain?

Second question also is, can a server on a station/IP, be serving http and https hosted domains simultenuosly? I am thinking, one way would be to run a secure server that gets certified, and run second isolated unsecure server, and not share hosts between them, would this be most viable thing to do?

HTTPS is served (typically) on port 443, and HTTP is served (typically) on port 80.
If you send the wrong kind of data to a particular server, it will detect a protocol violation and send an error back.
It is very common to run both HTTP and HTTPS servers on the same domain. In the best of worlds, the HTTP server simply does a permanent redirect to the HTTPS version of the same resource for GET/OPTIONS/HEAD, and returns an error for POST/PUT/DELETE. Although some servers accept the same requests on HTTPS and HTTP, for legacy or simplicity reasons.

You also seem to believe that a HTTPS server needs to be "certified" and is somehow more secure than a HTTP server.
This is not true. A HTTPS server does need a signed certificate (which is a data file) to be able to properly identify itself to clients that connect, so that the client can known that the server on the other end actually is "citibank.com" like in the URL, and not "myversionofcitibank.com."
However, there is no security or operational differences in the hardware/software actually running on the machines.
The only difference is that HTTPS makes it harder to read the data while it's on the wire (if you can read packets on the wire,) and also makes it harder to pretend to be a domain you aren't authorized for (if you can hijack DNS somehow.)
Something (bugs, bad code, etc) that's insecure on the client when using HTTP, is still insecure when using HTTPS.
Something (bugs, bad code, etc) that's insecure on the server when using HTTP, is still insecure when using HTTPS.

Btw: You can now get free HTTPS certificates for your domain by jumping through a very small amount of hoops.
Check out letsencrypt.org!
(Some hosting providers even have a checkbox to do this for you; such as DreamHost)
enum Bool { True, False, FileNotFound };
Advertisement

Thanks!


It is very common to run both HTTP and HTTPS servers on the same domain. In the best of worlds, the HTTP server simply does a permanent redirect to the HTTPS version of the same resource for GET/OPTIONS/HEAD, and returns an error for POST/PUT/DELETE. Although some servers accept the same requests on HTTPS and HTTP, for legacy or simplicity reasons.

I am thinking I will give host an option to request secured communicating with client on file resources. If not, active documents can still, on behalf of host, respond with status 301 Moved with https:// modification of url. So server is serving on both ports/protocols the hosts.

This topic is closed to new replies.

Advertisement