Serving port 443 over http creates 400 Bad Request Error instead of redirect

Solution 1:

TL;TR: you cannot serve both HTTP and HTTPS on the same port (443).

While it would be in theory possible to figure out based on the first data from the client if the client is sending a HTTP request (i.e. GET .. or similar) or is starting a TLS handshake (\x16\x03...) most web servers don't do this. Instead they expect the client to behave properly, that is use plain HTTP on one port (usually 80) and HTTPS on another port (usually 443).

Your URL of http://example.com:443 is causing the browser to make a plain HTTP request to port 443. But the server is expecting TLS there which means that your plain HTTP request is unexpected. Apache is at least nice enough to check if the incoming data for a plain HTTP request in this case so that it can offer you a more useful description:

Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please.

If you try such requests with other servers then they would either close the connection without any error at all or just hang because they are still hoping to get a TLS handshake from the client.

Solution 2:

I had this same error and the culprit was that my config was trying to enable SSL on my non-ssl port. Any website address that starts with http:// will be funneled through port 80 (<VirtualHost *:80>) and that host doesn't want to know anything about SSL. Any sites that start with https:// will be funneled through port 443 (<VirtualHost *:443>)

The more direct issue was that I had the following SSL details under my *:80 host, which was making Apache try to enable SSL for a non-SSL connection.

SSLEngine on
SSLCertificateFile /bla.crt
SSLCertificateKeyFile /bla.key
SSLCertificateChainFile /bla.crt

After removing those lines from *:80 (and making sure they were present under <VirtualHost *:443>) My server popped back up again.

So, here are my <VirtualHost>s (all in /etc/apache2/sites-available/http.conf but might be different depending on your setup):

<VirtualHost *:80>

    -- snip --

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

</VirtualHost>


<VirtualHost *:443>

    -- snip --

    SSLEngine on
    SSLCertificateFile /var/www/ssl/STAR_iconcierge_net_au.crt
    SSLCertificateKeyFile /var/www/ssl/STAR_iconcierge_net_au.key
    SSLCertificateChainFile /var/www/ssl/STAR_iconcierge_net_au.crt

</VirtualHost>

Notice how *:80 (http) enacts a rewrite to *:443 (https), which then enforces SSL with the SSLEngine on directive.


Solution 3:

What you are actually looking after is sending HSTS headers from the webserver back to the users, which tell the browser always to access the site using TLS. There isn't any 301 redirect happening there, as you can see from the development tools in any browser.

This happens with Google for example. Once you have visited Google the first time, it sent you a HSTS header, and your browser saved the header to a list. After, when you try to connect to google.com with http://, the browser changes the connection method automatically to https:// without any communication to the remote webserver.

This is one further security mechanism to prevent attacks on the security layer.