Score:0

Exclude specific URL from HTTP to HTTPS redirect in apache2 virtual host

I'm looking for an easy configuration to exclude a specific URL (pattern) from my apache2 HTTP to HTTPS redirect and have failed so far. The background is an API with typical authorization mechanics which should never be sent via normal HTTP, so I do not want to redirect but rather return a 403 or 404 if someone tries to access the API via plain HTTP. My current Virtual Host is a typical redirect for everything:

<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

What I want is to skip this redirect for URLs like http://example.com/api/(.*). Is it really necessary to omit the Redirect-directive and build a rather complex mod_rewrite configuration for this simple task?

Score:0

Okay, actually I figured out the following solution I might live with:

<VirtualHost *:80>
    ServerName example.com
    Redirect gone /api
    Redirect permanent / https://example.com/
</VirtualHost>

This seems to catch all requests to /api/(.*) first and return a 410.

I would like to give some more background on why I do not want to return a simple 301 and why I think this is important. If someone calls a simple request module in his desired language with the HTTP URL which follows the redirect, there is the potential risk that the user's credentials/authorizations get sent unencrypted through the internet for every request and nobody notices.

I'm not sure how other developers handle this, but does anyone agree that it is better to block the HTTP access instead of redirecting for such credential-critical requests?
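
A way to check the answer's port-80 policy from the client side, as an added example that is not part of the original posts: it sends plain-HTTP requests without following redirects and confirms that `/api` paths get a 4xx with no `Location` header while everything else gets a 301 to HTTPS. `StandIn` is a constructed local stand-in for the vhost, and `probe`, `check_vhost`, `run_demo` and the token are hypothetical names and values; point `check_vhost` at a real host and port 80 to test a deployment.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class StandIn(BaseHTTPRequestHandler):
    """Constructed stand-in for the vhost above: 410 for /api, 301 for the rest."""
    seen = []  # (path, Authorization header) as received over plain HTTP

    def do_GET(self):
        StandIn.seen.append((self.path, self.headers.get("Authorization")))
        if self.path == "/api" or self.path.startswith("/api/"):
            self.send_response(410)  # mirrors "Redirect gone /api"
        else:
            self.send_response(301)  # mirrors "Redirect permanent / https://..."
            self.send_header("Location", "https://example.com" + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args): pass  # silence per-request logging

def probe(host, port, path, token="constructed-token"):
    """One plain-HTTP GET, redirects not followed; returns (status, Location)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers={"Authorization": "Bearer " + token})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Location")

def check_vhost(host, port):
    """Return a list of problems; an empty list means the port-80 policy holds."""
    problems = []
    for path in ("/api", "/api/v1/items"):
        status, location = probe(host, port, path)
        if not 400 <= status < 500 or location:
            problems.append(f"{path}: expected 4xx without Location, got {status} {location}")
    status, location = probe(host, port, "/index.html")
    if status != 301 or not (location or "").startswith("https://"):
        problems.append(f"/index.html: expected 301 to https, got {status} {location}")
    return problems

def run_demo():
    """Run the check against the local stand-in; returns (problems, requests seen)."""
    server = HTTPServer(("127.0.0.1", 0), StandIn)  # port 0: pick any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_vhost("127.0.0.1", server.server_port), list(StandIn.seen)
    finally:
        server.shutdown()
        server.server_close()
```

The `seen` list from `run_demo()` shows the `Authorization` header still reaches the server in cleartext on the first request, so the 410 makes a misconfigured client fail visibly rather than protecting that first token.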
