
I host 100+ websites on 2 different servers. Some of my clients have recently noticed that when they go to https://theirwebsite.com, if they DON'T have SSL on their website, it redirects to the first SSL website in the Apache conf file. I did some reading and discovered that SSL websites need their own IP addresses, so I switched the IP addresses of my SSL websites. However, I noticed that the problem is still happening. It's possible that there are still SSL websites that need to be removed or changed in httpd.conf, but is there a way to stop this from happening? Can I find a way to just make websites without https redirect to nothing if https is used?

1 Answer


it redirects to the first SSL website in the apache conf file.

This is because you have 2 sets of virtual hosts for Apache: one that listens on port 80 (non-SSL) and one that listens on port 443 (SSL). Any non-SSL request gets sent to the vhosts that listen on port 80, and any SSL request gets sent to the vhosts that listen on port 443. When a request is made for a host that isn't defined in any of the vhosts, it defaults to the "default" vhost, which becomes the very first one that gets defined (e.g. the first one that appears in your vhost file).

In order to prevent this, you can either have a defined SSL vhost for each of your non-SSL websites, or you can create a new "default" vhost in your SSL file that does nothing but redirect to non-SSL:

RewriteEngine On
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [L,R]

4 Comments

Very interesting. Thanks so much for the answer. It's exactly what I needed. But do you think you could elaborate a little bit on that? Create a new default vhost in the SSL file? Or create the default vhost in httpd.conf?
Never mind, I solved it. I just add a self-signed certificate for each website that doesn't have SSL installed on their website. That way, if they "accidentally" type https://theirwebsite.com, it still directs to them. Idiots. They know they don't have SSL. Were they just trying to see what happened?
I had the same problem. Lately I noticed that search engines try https:// for all domains I own, thus ending up at the wrong website, and worse, with the wrong content, since they get duplicate content of the default website for that domain name. That can result in lower page ranking, etc. So it is not just a user problem, it can soon turn into an SEO problem.
Having to create self-signed certs for every domain that needs to be redirected back to HTTP is not a nice solution. Has anyone found any other, better ways to achieve the same thing?
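
The catch-all SSL vhost described in the answer, written out in full as an added example (not part of the original answer or comments). It assumes name-based `*:443` vhosts with clients that send SNI; `catchall.invalid`, `ssl-site.example` and all certificate paths are placeholders.

```apache
# Added example; host names and file paths below are placeholders.
# This block must be parsed before every other *:443 vhost, because Apache
# treats the first vhost defined for an address:port as the default for any
# host name that no ServerName/ServerAlias matches.
<VirtualHost *:443>
    # A name no hosted site uses, so this vhost is only ever chosen by default.
    ServerName catchall.invalid

    # TLS still has to complete before Apache sees the request, so the
    # catch-all needs one certificate of its own. It will not match the
    # requested host name, so browsers show a certificate warning before
    # the redirect below can run.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/catchall-placeholder.crt
    SSLCertificateKeyFile /etc/ssl/private/catchall-placeholder.key

    # Rule from the answer: send the request back to plain HTTP, same host
    # and path, instead of serving another customer's site.
    RewriteEngine On
    RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [L,R]
</VirtualHost>

# A real SSL site, defined after the catch-all. Requests for its own name
# still reach it; only unmatched names fall through to the block above.
<VirtualHost *:443>
    ServerName ssl-site.example
    DocumentRoot /var/www/ssl-site-placeholder

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ssl-site-placeholder.crt
    SSLCertificateKeyFile /etc/ssl/private/ssl-site-placeholder.key
</VirtualHost>
```

After reloading, `apachectl -S` prints the parsed vhost list and marks the default server for each address and port, which confirms the catch-all is the one selected for port 443.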
