Hosting https and http on same apache server

My domain is: bournemouthbeaches.co.uk (secured with lets encrypt ssl cert)

I ran this command: http://anotherwebsite.co.uk (http only - accessed via my /etc/hosts file hosted on same apache server)

It produced this output: displayed front page of https://bournemouthbeaches.co.uk

My web server is (include version): Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04 LTS

My hosting provider, if applicable, is: me

I can login to a root shell on my machine (yes or no, or I don't know): yes (via sudo)

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

Hi,
I set up a domain (bournemouthbeaches.co.uk) on my apache server and successfully gained an SSL certificate no problems.

I created a second test site (call it testsite.co.uk). I access this site by listing it in my /etc/hosts file so I don't have to mess with the DNS. This site has no certificate and is intended to be accessed by http port 80. The /etc/host file correctly intercepts the testsite.co.uk address and associates it with the IP address.

<I think - pretty sure> I have the apache conf files set up correctly for both sites (famous last words) on the server. But when I try and access the http://testsite.co.uk it defaults to https://bournemoutbeaches.co.uk. AS I've disabled the apache default site it strongly indicates either I have cocked up or there is something forcing apache to use 443 and avoid 80 for all sites hosted.

If I disable both (80 & 443) bournemouthbeaches.co.uk apache conf files I still get SSL errors and the browser still tries to access https (I do have the browser configured to allow access to http and that works on other http sites) i.e. defaults to https://testsite.co.uk. Which of course doesn't exist

Neither can i access http://bournemouthbeaches.co.uk when I disable only the secure conf file in apache and comment out the redirection at the bottom of the http conf file.

I'm at a loss! A few questions for any one who knows..

  1. Can I actually run http (port 80) and https (443) on the same server? Or is this not viable?
  2. Is there a way of disabling the SSL verification on bournemouthbeaches.co.uk so I can get it working again as vanilla http?
  3. Is there a setting in apache I need to set/clear to allow mixed (http and https) traffic?
  4. My intention is to actually have several DNS addressed sites on this server. But obviously initially they need to be http in order to get registered on a new certificate. How can I achieve this if I cannot set them up as http site(s) first?
    Any suggested debug would be great. (And apologies for the length)

Hello @BillR, welcome to the Let's Encrypt community. :slightly_smiling_face:

What are you expecting for result and why?

What is your question(s) and/or issue(s)?

1 Like

I'm also puzzeling what the question is, but the answer on your current (sort of) question in the thread title is: probably. (I'd say "yes" if you didn't include the whole "accessed via my /etc/hosts file" bit.)

2 Likes

Apache/2.4.52 is very capable of hosting SNI sites regardless of any extra /etc/hosts IP/name manipulation.

That said, only your local host will use any entries made in the /etc/hosts file.
Everyone within your network might be manipulated via a local DNS system.
Everyone else will default to global DNS and can't be so easily manipulated.

That said, even with such manipulations, you won't be able to obtain a certificate for a domain name you can't prove control over...
So, I'm not sure what the point of such action is for/about.

1 Like

Sorry - first post - I accidentally posted it before | had added any info. (Sorry). I've updated it now.

2 Likes

No problem @BillR :slight_smile:

1 Like

Sorry I managed to post the thing before I had actually added any useful info. Hopefully its a bit clearer now

1 Like

My intent is to move several sites over to a new server and this is just the test phase (hence the local hosts file access to the second site).

My problem is that the second site (http port 80) seems to get redirected to 443 and then obviously fails and the only available site which has an ssl certificate gets displayed. It seems Apache now defaults to 443 for everything even when the relevant ssl conf files are disabled.

The most important question I have is really can you mix secure (https:443) and insecure (http:80) on the same Apache server? Is it easy? Or do I have to do something specific to Apache config.

(p.s. I have set up multiple http sites on an apache server before but not a http/https mix)

Yes.

Just like all magic tricks: It's always easy ... once you know how it's done.

It makes little difference.
If the vhost uses HTTP, then it has :80.
If the vhost uses HTTPS, then it has :443 and SSL Engine On [or something of the sort] and defines the cert files to be used to create the encryption.

Each vhost is treated separately to all other vhosts.
So, yes, they can be mixed within Apache - just not within one single vhost.

2 Likes

Thanks for that rg305.

It is what I expected but I was beginning to clutch at straws and my sanity was receding.

I re-enabled the a default page (just a brief html banner) and it worked fine when I tried to access it using a garbage url that I had linked to the IP address in my hosts file.

So - I can run http and https on the same Apache instance! (as you said and as I would expect).

I can actually also now, after adding the garbage url to the hosts file(?!), access the testsite index page as well (firefox only). Though all other pages return the other (https) site obviously through an error path..

Hey Ho. If I fully figure out this before this thread times-out I'll put it up as a penance in case anyone else gets caught like this.

But thanks for your guidance it helped a lot.
rgds
Bill

1 Like

Thanks to the replies here.
As I promised to post if I got a "fix" here it is. Embarrassing as it is!
There was nothing wrong with my Apache setup.
It came down to the fact that for the http testsite I had blindly duplicated the html code for an existing site that already uses https. This normally should have worked fine, except for the fact that in this old sites header file was this line:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Which irrespective of Apache, htaccess or whatever forces all future access to https via it seems a 301 - permanent redirect. So we end up on the one site that does have a certificate. Or if that site is disabled then there is no certificate available then it all goes horribly wrong. Because it is a 301 it gets cached and the problem persists.
That anyway, is what i think was going on.
I commented out the line, restarted Apache and cleared out the history from Firefox and it all worked.
Thanks for looking. Time for a beer.

3 Likes