Apache2: Forcing All Inbound Traffic to SSL

So, you have an Apache 2 web server and you have decided that you want to force all inbound traffic to be encrypted via HTTPS (port 443) instead of HTTP (port 80). This method actually “dumbs down” the connection so the average user can’t inadvertently browse your web site without encrypting their traffic.
My web server of choice is Apache2, running on a Linux operating system, preferably Debian, but we’ll also discuss an option for Red Hat Enterprise Linux 4 (RHEL-4). That being said, you need Apache installed and running on Linux. You also need the Apache module “mod_rewrite.so” installed and an encryption key generated for your server.

In the following snippet of .conf file we will first load mod_rewrite and then redirect all inbound port 80 traffic to port 443.

Add the following code section to your httpd.conf down around line #220, right after the big “load modules” section.

Be aware that a “#” marks a comment line in the .conf file; comment lines are ignored by Apache2.

#########################################
#### XXX: BEGIN EDIT FOR MOD_REWRITE ####
#### This is intended to force HTTPS ####
#### for all inbound HTTP requests ####

####
# This module (mod_rewrite) simply tells Apache2 that all connections to
# port 80 need to go to port 443 – SSL – No exceptions
####

<IfModule !mod_rewrite.c>
LoadModule rewrite_module modules/mod_rewrite.so
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine on

####
# The line below sets the rewrite condition for mod_rewrite.so.
# That is, if the server port does not equal 443, then this condition is true
####

RewriteCond %{SERVER_PORT} !^443$

####
# The line below is the rule, it states that if above condition is true,
# and the request can be any url, then redirect everything to https:// plus
# the original url that was requested.
####

RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</IfModule>

#### XXX: END EDIT FOR MOD_REWRITE ####
#######################################

Add the code to httpd.conf and restart Apache2. Check your logs for errors to ensure a clean startup, then connect to your server on port 80. The connection should be instantly redirected to 443.
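To make the port 80 check repeatable, here is an added example (not part of the original post) that reads the response headers of a plain-HTTP request and confirms the server answered with a redirect to the same host and path over https://. The function name, the hostname www.example.com and the use of curl to fetch the headers are assumptions; the sample responses are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Live usage (hostname is a placeholder):
#   curl -s -I http://www.example.com/index.html | check_https_redirect www.example.com /index.html

# check_https_redirect HOST PATH
# Reads raw HTTP response headers on stdin. Returns 0 only when the status is
# 3xx and the Location header is exactly https://HOST/PATH.
check_https_redirect() {
    want="https://$1$2"
    status=""
    location=""
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                 # headers end in CRLF; drop the CR
        case "$line" in
            HTTP/*)                        # status line, e.g. "HTTP/1.1 302 Found"
                status=${line#* }
                status=${status%% *}
                ;;
            [Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:*)   # header names are case-insensitive
                location=${line#*:}
                location=${location# }
                ;;
        esac
    done
    case "$status" in
        3[0-9][0-9]) ;;
        *) echo "FAIL: status '$status' is not a redirect"; return 1 ;;
    esac
    if [ "$location" != "$want" ]; then
        echo "FAIL: Location '$location', expected '$want'"
        return 1
    fi
    echo "OK: $status -> $location"
}

# Constructed sample responses (not captured from a real server).
sample_redirect=$(printf 'HTTP/1.1 302 Found\r\nLocation: https://www.example.com/index.html\r\n\r\n')
sample_plain=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n')

printf '%s\n' "$sample_redirect" | check_https_redirect www.example.com /index.html || true
printf '%s\n' "$sample_plain" | check_https_redirect www.example.com /index.html || true
```

With the rule above, the R flag sends a 302 by default, so a working setup prints the OK line; a 200 on port 80 means the rewrite block is not being applied.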

Alternatively, on RHEL4, you can add the code above into a file (you create) called mod_rewrite.conf in the /conf.d directory (/conf.d/mod_rewrite.conf).

Note the “XXX” marks in my comments. I make a habit of “tagging” any configuration file I edit on a Linux server so that when I come back to it later I can find my edits easily. Your initials work well for this and help identify which admin made the change.
Enjoy,

bf

Read more at blackflag.wordpress.com
