
Best Way to Force use of SSL Certificate


When a browser connects to my website by entering its FQDN, the connection is encrypted using the site's SSL certificate.

However it has come to my attention that it is possible to bypass the SSL and initiate an unencrypted connection by entering the load balancer IP Address (in which case you get an error saying it could not be encrypted).

The link below suggests that I could solve this with a redirect.

Apache reverse proxy so that SSL browser requests for IP of server are redirected to FQDN

Is this good practice or should I really be tying the certificate to the IP address in addition to the FQDN?

Rob
I don't understand exactly what your problem or misconfiguration is, but in general it is considered to be best practice to configure your web server to not serve any real content over plain HTTP on port 80, but only use port 80 to redirect to https. When you don't have a certificate for the IP-address simply don't (generate a) redirect to `https://<IP-address>` but to `https://www.example.com` and you should be fine. Or you can consider HTTP requests without a (valid) domain/hostname as erroneous and simply respond with a suitable error response.
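As an added example (not from the question, the comments, or the linked guide), here is an Apache httpd layout that does what Rob describes: port 80 only redirects to the FQDN, the first (default) HTTPS vhost catches requests made by IP address or with an unknown hostname and answers with an error, and real content is served only from the vhost whose ServerName matches. The hostname www.example.com, the certificate paths and the DocumentRoot are placeholders.

```apache
# Added example, not the poster's configuration. www.example.com, the
# certificate/key paths and /var/www/www.example.com are placeholders.

# Plain HTTP: serve nothing, only redirect. The target is the FQDN, never
# the IP address, so no certificate for the IP is ever required.
# This is the first *:80 vhost, so requests that arrive by IP address or
# with an unknown Host header land here too.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

# HTTPS default vhost: listed first, so it receives every request whose
# SNI/Host does not match a later ServerName, which includes requests to
# https://<IP-address>. It needs a certificate to start, but serves no content.
<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    # A browser given an IP-literal URL sends no SNI. With this directive set
    # in the default vhost, such clients are refused with 403 instead of
    # being matched to any name-based vhost.
    SSLStrictSNIVHostCheck on
    # Anything that still reaches this vhost (wrong Host header, etc.) is
    # refused as well; replace with a Redirect to the FQDN if you prefer.
    <Location />
        Require all denied
    </Location>
</VirtualHost>

# The real site, selected by SNI / Host header only.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    # Tell returning browsers to use HTTPS for this hostname from now on
    # (requires mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"
    DocumentRoot /var/www/www.example.com
</VirtualHost>
```

One caveat when checking this: the certificate warning a browser shows for https://<IP-address> is produced by the browser before any HTTP response arrives, because the certificate is only valid for the FQDN. The 403 (or a redirect) therefore only controls what someone sees after clicking through the warning; the point of the default vhost is that nothing is served there. If the load balancer terminates TLS, as in the linked DigitalOcean guide, the same split applies on the load balancer: redirect port 80 to the FQDN, and forward only requests whose Host header is the FQDN.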
Brandon Xavier
IMHO, if you have a load balancer, it should handle redirecting http to https. And if you consider the connections between the load balancer to be trusted - you can go a step further and let the load balancer handle all the SSL processing and pass the traffic to the web servers unencrypted. Then you only have to maintain the single certificate on the LB.
Huw Evans
@Rob I am aware of this and definitely didn't intend for anything to be served over plain HTTP on port 80. The issue is that if you put https://<IP-address> it serves the page with a 'failed to encrypt' error. I don't know how to change this.
Huw Evans
@BrandonXavier Yes it does redirect http to https but only for the FQDN. The setup is as you describe at the moment although I am considering end to end encryption as an option.
Huw Evans
For reference this is the guide I followed to set up the load balancer. https://docs.digitalocean.com/products/networking/load-balancers/how-to/ssl-termination/