Apache2 handling the direct ip requests

otalado · November 9, 2017, 4:05pm

I have apache2 letsencrypt installation (git hub installation). During installation I choose to force redirect to https.
Installation works as expected when I try to access the website via domain name (and aliases) , i.e. example.com, http:// example.com, www.example.com and http://example.com are ‘resolved’ to https requests. When I try issuing request with IP address of the server:

trying 123.223.323.423 opens the website, no complaints,
trying http:// 123.223.323.423 ‘resolves’ to 123.223.323.423 and opens the site, no complaints
trying https://123.223.323.423 triggers warning in Chrome and Firefox, but would let you connect insecurely anyway, IE and Edge won’t let you connect (which is actually better).

I found that I can easily modify the config to either block (and inform about the reason) or to redirect the port 80 IP requests. But so far I found no good way to do that with port 443 IP requests. Best would be to quietly redirect traffic to be secure.

I think this is very wrong - because why should I bother with encrypting the site, if I cannot stop unecrypted traffic anyway.
I do realize this most possibly has to be solved in a apache2 config, yet I figure I have better chances in this community.

jared.m · November 9, 2017, 4:41pm

I’m a bit confused here - is your concern that you have no way to stop navigation to https://IP-ADDRESS? This is normal. The traffic is still encrypted, you’re just getting a certificate name mismatch error because the certificate isn’t issued for the IP address.

You could probably block direct-IP navigation with some clever SNI setup, but it really shouldn’t be necessary. There’s no real issue with HTTPS traffic to the IP address. Note that you can even do this with Google’s servers.

otalado · November 9, 2017, 5:02pm

Jared, thanks for explaining that!

Osiris · November 9, 2017, 10:15pm

But you can. It's up to the system administrator to configure the website. You can configure your webserver to only issue redirects to https:// when connected insecurely through port 80.

schoen · November 9, 2017, 10:21pm

I think @otalado's concern here was about the effect of people visiting the https:// version of the site by IP address (as opposed to domain name), rather than the effect of people visiting the http:// version of the site.

system · December 9, 2017, 10:21pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Redirect an IP to domain name Help	12	2170	October 27, 2020
apache2 config help needed	50	11558	January 17, 2016
Https redirect with Apache Server	4	2195	December 3, 2015
Let's Encrypt - Redirect/Rewrite Rules with Apache Help	12	5666	June 26, 2017
Redirect to https not working Server	11	1050	March 13, 2019

Apache2 handling the direct ip requests

Related topics