I created an SSL certificate for myDomain.com. Hence I see the following 3 files under /etc/apache2/sites-enabled in Ubuntu:

example.com-le-ssl.conf  example.com.conf  example.conf

My example.com.conf looks like this

<VirtualHost *:80>
    ServerAdmin admin@example
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    JKMount /* ajp13_worker
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.example.com [OR]
    RewriteCond %{SERVER_NAME} =example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Now, if I enter http://www.example.com it is redirected to https://www.example.com

But if someone finds out my server IP address and enters http://<myIpAddress>, the content is served as non-HTTPS.

So I added this in addition to the above VirtualHost chunk:

<VirtualHost myIpAddr:80>
    ServerAdmin admin@example
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    JKMount /* ajp13_worker
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =myIpAddr [OR]
    RewriteCond %{SERVER_NAME} =myIpAddr:80
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

But still, when I enter http://myIpAddr:80 or http://myIpAddr, I see this: [image]

1 Answer

That is because your SSL certificate contains your hostname (example.com and www.example.com) but not your IP address. Nor should it - normal clients will only use your actual domain name, not the IP address of your server.

Based on the config you've shown, your redirect should go to the hostname rather than the IP address, and it's not possible to see why this goes wrong based only on your config. But I don't quite see why you think you need to have a separate virtual host for your IP address, or why you need to do a RewriteCond match on the Host header at all.

I should remove the RewriteCond lines from your files and only retain the RewriteRule lines.

Also check the third file you've got - there should normally not be both example.com.conf and example.conf. There may be something in that file that gets read before the config with the IP address.

  • But what if a hacker uses the IP address, finds out HTTPS is not enabled for the IP address and starts hacking? How can I protect it? So, my only solution is to create a separate SSL for the IP address?
    – sofs1
    Commented Aug 13, 2019 at 6:51
  • HTTPS does not protect against intrusion. The fact that your certificate is invalid for the IP address does not in any way reduce the security of your system. You should read up on basic web server security, which is a far larger topic - a good place to start is security.stackexchange.com/questions/77/… .
    – Jenny D
    Commented Aug 13, 2019 at 6:54
  • Thank you very much for the link. But I checked a few websites like quora.com (whose IP addresses are 52.55.163.53, 34.235.255.157 etc.) where they have fixed the issue that I'm talking about. How do I fix it? Please give me some directions.
    – sofs1
    Commented Aug 13, 2019 at 7:02
  • @sofs1 You can redirect from IP to name (quora does something like that) using a dedicated server_name with your IP or by using correct rewrite rules (stackoverflow.com/a/24329245/4994025), but really that's not necessary. HTTPS is active regardless of connecting to IP or to name, the only difference is the certificate warning. Don't overthink this.
    – Lenniey
    Commented Aug 13, 2019 at 7:43
  • Quora do a redirect to https://quora.com, not to https://IPADRESS. So should you.
    – Jenny D
    Commented Aug 13, 2019 at 7:46
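
The suggestion in the answer and comments (drop the RewriteCond lines, keep one RewriteRule, and send everything to the hostname) could look like this in example.com.conf. This is an added example, not part of the original posts; it assumes the site content and the JkMount mapping are served only from the port-443 virtual host and that no other enabled file defines a port-80 virtual host.

```apache
# Added example (not from the original posts).
# Assumption: this is the only port-80 virtual host that is enabled, so it is
# also the default one. Requests whose Host header matches no ServerName or
# ServerAlias (for example a request made to the bare IP address) land here too.
<VirtualHost *:80>
    ServerAdmin admin@example
    ServerName example.com
    ServerAlias www.example.com

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Assumption: DocumentRoot and JkMount are left out on purpose. Nothing is
    # served over plain HTTP; content is served by the port-443 virtual host.

    RewriteEngine on
    # No RewriteCond: every request is redirected, whatever Host header it sent.
    # The target is a fixed hostname instead of %{SERVER_NAME}, so the client
    # always ends up on a name that the certificate covers.
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# Checks after reloading Apache:
#   apache2ctl -S              lists the virtual hosts and marks the default
#                              server for each address and port
#   curl -sI http://myIpAddr/  should show a 301 status with
#                              Location: https://www.example.com/
```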
