I'm trying to turn off HTTP on a fresh install of www/apache24, and enable HTTPS by default. I'm slowly getting a handle on how to work the solutions into my own httpd.conf. However, when I do research on the Internet, it seems like mod_rewrite is the preferred way to do it. But exact usage left me a bit lost:
Thing is, namecheap.com article also suggests using VirtualHost directive:
Basically, the VirtualHost solution looks simple. However, both VirtualHost and mod_rewrite seem to accept the insecure HTTP connections and simply rewrite/redirect them to HTTPS. I'd like to ask for some help in figuring out how to outright reject the insecure HTTP connections with a 403 error code first, and then accept HTTPS requests and respond by serving up a page or a file over HTTPS.
But if there's something I missed, I welcome commentary!
From ibm.com:
This just disables the HTTP requests. I'm seeing similar solutions on StackOverflow, too.Code:RewriteEngine On RewriteCond %{REQUEST_METHOD} ^OPTIONS RewriteRule .* - [F]
From namecheap.com:
This looks usable, but seems like it just tacks the 'S' onto HTTP requests before allowing them to complete. Oh, hold on, shouldn't RewriteCond be 'off'? if it's not HTTPS, I want to reject the connection, not rewrite it.Code:RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
Thing is, namecheap.com article also suggests using VirtualHost directive:
From namecheap.com:
This looks usable, but I wonder, is there a way to combine the mod_rewrite rules?Code:<VirtualHost *:80> ServerName www.yourdomain.com Redirect permanent / https://www.yourdomain.com/ </VirtualHost> <VirtualHost _default_:443> ServerName www.yourdomain.com DocumentRoot /usr/local/apache2/htdocs SSLEngine On ... </VirtualHost>
Basically, the VirtualHost solution looks simple. However, both VirtualHost and mod_rewrite seem to accept the insecure HTTP connections and simply rewrite/redirect them to HTTPS. I'd like to ask for some help in figuring out how to outright reject the insecure HTTP connections with a 403 error code first, and then accept HTTPS requests and respond by serving up a page or a file over HTTPS.
But if there's something I missed, I welcome commentary!