Find the answer to your Linux question:
Results 1 to 5 of 5
Is it possible to redirect an https URL to an http URL and still provide the security from the original https? If so, would the redirected page information show it ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Jan 2007
    Posts
    11

    Securely redirecting https to http


    Is it possible to redirect an https URL to an http URL and still provide the security from the original https? If so, would the redirected page information show it as encrypted (if it is retaining the original redirecting https encription)?

  2. #2
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,446
    No, https is http over an encrypted channel.
    If you strip the encryption, then well.. it is gone


    Might be OffTopic:
    If you have a pool of http servers behind a loadbalancer, then it is possible to offload and terminate the encryption at the lb.
    You must always face the curtain with a bow.

  3. #3
    Linux Enthusiast Mudgen's Avatar
    Join Date
    Feb 2007
    Location
    Virginia
    Posts
    664
    Quote Originally Posted by Irithori View Post
    No, https is http over an encrypted channel.
    If you strip the encryption, then well.. it is gone


    Might be OffTopic:
    If you have a pool of http servers behind a loadbalancer, then it is possible to offload and terminate the encryption at the lb.
    Also, a common setup is to have one or more http based servers on the internal network with access to the sensitive database servers, proxied on the internet-facing side by an Apache reverse proxy using ProxyRewrite rules.

    This is the way a lot of Oracle IAS/J2EE apps are designed, and is essentially similar to the load balancer scenario I think you're describing.

  4. $spacer_open
    $spacer_close
  5. #4
    Just Joined!
    Join Date
    Jan 2007
    Posts
    11
    Thanks. I was thinking the same thing as Irithori but looks like you might be right in this case, Mudgen. The only problem, though, is that you never see the "https" or the lock next to the URL in the browser so you almost have to take the word of whoever is running the site that it's secure, right? The instance I am talking about, even when you check the page (using Firefox's Web Developer toolbar) it shows that it's not encrypted.

  6. #5
    Linux Enthusiast Mudgen's Avatar
    Join Date
    Feb 2007
    Location
    Virginia
    Posts
    664
    Actually, with a proxy setup, either with Apache or with an appliance such as Irithori was talking about, the connection from the browser to the proxy IS encrypted and you can see the lock and inspect the certificate in the browser. The connection from the proxy to the app server is often plan https, but it's typically on a well secured part of the network and passing through another firewall.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •