I have an apache2 letsencrypt installation (GitHub installation). During installation I chose to force redirect to https.
Installation works as expected when I try to access the website via domain name (and aliases), i.e. example.com, http:// example.com, www.example.com and http://example.com are ‘resolved’ to https requests. When I try issuing a request with the IP address of the server:
- trying 123.223.323.423 opens the website, no complaints,
- trying http:// 123.223.323.423 ‘resolves’ to 123.223.323.423 and opens the site, no complaints
- trying https://123.223.323.423 triggers a warning in Chrome and Firefox, but would let you connect insecurely anyway; IE and Edge won’t let you connect (which is actually better).
I found that I can easily modify the config to either block (and inform about the reason) or to redirect the port 80 IP requests. But so far I found no good way to do that with port 443 IP requests. Best would be to quietly redirect traffic to be secure.
I think this is very wrong - because why should I bother with encrypting the site, if I cannot stop unencrypted traffic anyway.
I do realize this most possibly has to be solved in an apache2 config, yet I figure I have better chances in this community.