VomSupport (United States) asked:
Redirect all port 80 traffic to 443 using firewall

Centos 7 using firewalld

I am trying to redirect all requests on port 80 to port 443, i.e. http to https.

I have added this rule: forward-ports: port=80:proto=tcp:toport=443:toaddr=

But it doesn't seem to work.
noci:

firewalld is not for redirecting traffic from 80 -> 443. You mix up NAT (firewall level, layer 4) with redirect (HTTP level, layer 7).

You need to instruct your webserver to upgrade the http traffic (if it arrives on port 80) to https (on port 443).
That also requires the client to make a different request, one that does an SSL setup, which is far more involved than a plain TCP setup.
noci is correct.  There is much more involved in successfully redirecting an insecure port 80 HTTP request to a secure port 443 HTTPS request than simply redirecting a packet.

Redirecting the packet would not create the desired effect even if it worked.  The browser would be convinced that it is talking to an HTTP server and not an HTTPS server, and since the preceding TLS negotiation never occurred, the response from the web server would be unintelligible.

It is much easier and more effective to use a mod_rewrite or .htaccess rule to do the job. This gets discussed here about twice a week and there are numerous examples of how to do it, for both Apache and IIS.
And all the other webservers like nginx, lighttpd, hiawatha, h2o, adsf, boa, caddy, cherokee, civetweb etc. etc.
A very bad idea to attempt doing this at any network layer outside your Webserver.

You'll likely lose hours of your life debugging + have to eventually switch to Webserver redirects anyway... to get 100% stability with this...

Just do a simple redirect in your Apache config file for your site.

Simple Apache template I use for sites...

<VirtualHost *:80>
   ServerName  www.WEBSITE
   ServerAdmin support@WEBSITE
   RewriteEngine on
   RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
   RewriteRule ^(.*)$ https://%1%{REQUEST_URI} [NC,L,R=302]
   Include logging.conf
</VirtualHost>

<VirtualHost *:80>
   ServerName  WEBSITE
   ServerAdmin support@WEBSITE
   RewriteEngine on
   RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [NC,L,R=302]
   Include logging.conf
</VirtualHost>

<IfModule mod_ssl.c>

   <VirtualHost *:443>

      ServerName  www.WEBSITE
      ServerAdmin support@WEBSITE

      RewriteEngine on
      RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
      RewriteRule ^(.*)$ https://%1%{REQUEST_URI} [L,R=302]

      Include logging.conf

      SSLEngine on
      SSLUseStapling on

      SSLCertificateFile    /etc/letsencrypt/live/WEBSITE/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/WEBSITE/privkey.pem

      # Enable HTTP Strict Transport Security with a 2 year duration
      Header always set Strict-Transport-Security "max-age=63072000; preload"

   </VirtualHost>

   <VirtualHost *:443>

      ServerName  WEBSITE
      ServerAdmin support@WEBSITE

      DocumentRoot /sites/OWNER/WEBSITE/TYPE

      <Directory /sites/OWNER/WEBSITE/TYPE>
          Options +Indexes +FollowSymLinks
          AllowOverride All
          Require all granted
      </Directory>

      Include logging.conf

      SSLEngine on
      SSLUseStapling on

      SSLCertificateFile    /etc/letsencrypt/live/WEBSITE/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/WEBSITE/privkey.pem

      # Enable HTTP Strict Transport Security with a 2 year duration
      Header always set Strict-Transport-Security "max-age=63072000; preload"

   </VirtualHost>

</IfModule>

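To make the layer-4 vs. layer-7 point from the answers above concrete, here is an added example (not from the thread or from Apache) of what a port-80 redirect actually has to do: read the Host header and request target, then answer with a Location pointing at https://. A NAT rule cannot do this because the answer is an HTTP response, not a forwarded packet. The www-stripping mirrors the posted Apache config; the 301 status, port 8080 and the hostname regex are my choices.

```python
import http.server
import re
from urllib.parse import urlsplit

_HOST_RE = re.compile(r"[a-z0-9.-]+")  # assumption: DNS names only, no IPv6 literals


def https_location(host_header, request_target, strip_www=True):
    """Build the Location for an HTTP -> HTTPS redirect, or None if unsafe."""
    if not host_header:
        return None  # HTTP/1.0 request without Host: nothing trustworthy to redirect to
    host = host_header.split(":")[0].strip().lower()  # drop an explicit :80
    if not _HOST_RE.fullmatch(host):
        return None  # refuses CR/LF and other junk, so the header cannot be injected into
    if strip_www and host.startswith("www."):
        host = host[4:]  # same effect as the RewriteCond/%1 pair in the Apache vhost
    # Keep only path and query; an absolute-form request line must not pick the target host.
    parts = urlsplit(request_target)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"https://{host}{path}"


class RedirectHandler(http.server.BaseHTTPRequestHandler):
    """Plain-HTTP listener whose only job is the layer-7 redirect."""

    def do_GET(self):
        loc = https_location(self.headers.get("Host"), self.path)
        if loc is None:
            self.send_error(400, "Host header required")
            return
        self.send_response(301)  # use 308 instead if POST bodies must survive the redirect
        self.send_header("Location", loc)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET
    do_POST = do_GET


if __name__ == "__main__":
    # Listen on 8080 so the example runs unprivileged; a real deployment sits on :80.
    http.server.HTTPServer(("", 8080), RedirectHandler).serve_forever()
```

Run it and `curl -i http://localhost:8080/a?b=1 -H 'Host: www.example.com'` to see the 301 with `Location: https://example.com/a?b=1`; the TLS handshake then happens on the second request, which is the step a forwarded packet never triggers.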
