Apache2 handling direct IP requests

I have an apache2 letsencrypt installation (GitHub installation). During installation I chose to force redirect to https.
The installation works as expected when I try to access the website via domain name (and aliases), i.e. example.com, http://example.com, www.example.com and http://www.example.com are ‘resolved’ to https requests. When I try issuing a request with the IP address of the server:

  • trying 123.223.323.423 opens the website, no complaints,
  • trying http://123.223.323.423 ‘resolves’ to 123.223.323.423 and opens the site, no complaints,
  • trying https://123.223.323.423 triggers a warning in Chrome and Firefox, but they would let you connect insecurely anyway; IE and Edge won’t let you connect (which is actually better).

I found that I can easily modify the config to either block (and inform about the reason) or to redirect the port 80 IP requests. But so far I found no good way to do that with port 443 IP requests. Best would be to quietly redirect traffic to be secure.

I think this is very wrong, because why should I bother with encrypting the site if I cannot stop unencrypted traffic anyway?
I do realize this most probably has to be solved in an apache2 config, yet I figure I have better chances in this community.
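An Apache 2.4 configuration that handles the two cases the question describes, added here as an illustration and not taken from the thread or from any Let's Encrypt client: a catch-all vhost is listed first on each port so that requests by IP address (which match no ServerName and carry no SNI) are redirected on port 80 and refused on port 443. The certificate paths and the address 203.0.113.10 are assumed/constructed.

```apache
# Apache picks the FIRST <VirtualHost> for an address:port when the Host
# header / SNI name matches no ServerName. Requests for https://203.0.113.10
# (constructed address) therefore land in the catch-all blocks below.

# ---- Port 80: everything, by name or by IP, goes to the canonical https host.
<VirtualHost *:80>
    ServerName default.invalid            # placeholder, never matched by a real Host
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://example.com/
</VirtualHost>

# ---- Port 443 catch-all: IP / unknown-name requests.
# The TLS handshake still completes with the certificate configured here, so
# the browser's name-mismatch warning cannot be avoided; what this block
# controls is what is served AFTER the user clicks through it.
<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem   # assumed path
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem     # assumed path
    # Browsers do not send SNI for bare IP addresses; with this on, mod_ssl
    # answers such clients with 403 instead of serving the default site.
    SSLStrictSNIVHostCheck on
    # Belt and braces: refuse the content entirely in this vhost.
    # (Replace the <Location> block with "Redirect permanent / https://example.com/"
    # if you prefer to send IP visitors on to the named site instead.)
    <Location />
        Require all denied
    </Location>
</VirtualHost>

# ---- Port 443: the real site, reached only with a matching name.
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem   # assumed path
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem     # assumed path
    DocumentRoot /var/www/example.com                                       # assumed path
</VirtualHost>
```

Check it with `apachectl configtest`, then `curl -kI https://203.0.113.10/` (expect 403) against `curl -I https://example.com/` (expect 200).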

I’m a bit confused here - is your concern that you have no way to stop navigation to https://IP-ADDRESS? This is normal. The traffic is still encrypted, you’re just getting a certificate name mismatch error because the certificate isn’t issued for the IP address.

You could probably block direct-IP navigation with some clever SNI setup, but it really shouldn’t be necessary. There’s no real issue with HTTPS traffic to the IP address. Note that you can even do this with Google’s servers.

Jared, thanks for explaining that!

But you can. It's up to the system administrator to configure the website. You can configure your webserver to only issue redirects to https:// when connected insecurely through port 80.

I think @otalado's concern here was about the effect of people visiting the https:// version of the site by IP address (as opposed to domain name), rather than the effect of people visiting the http:// version of the site.
