JohnnyCode

http request onto https service


I wonder, if there is a secure domain, what should a server generally do if it receives an http: request instead of an https: request against this secure domain?

Second question also is, can a server on a station/IP be serving http and https hosted domains simultaneously? I am thinking, one way would be to run a secure server that gets certified, and run a second isolated unsecure server, and not share hosts between them, would this be the most viable thing to do?

HTTPS is served (typically) on port 443, and HTTP is served (typically) on port 80.
If you send the wrong kind of data to a particular server, it will detect a protocol violation and send an error back.
It is very common to run both HTTP and HTTPS servers on the same domain. In the best of worlds, the HTTP server simply does a permanent redirect to the HTTPS version of the same resource for GET/OPTIONS/HEAD, and returns an error for POST/PUT/DELETE. Although some servers accept the same requests on HTTPS and HTTP, for legacy or simplicity reasons.

You also seem to believe that a HTTPS server needs to be "certified" and is somehow more secure than a HTTP server.
This is not true. A HTTPS server does need a signed certificate (which is a data file) to be able to properly identify itself to clients that connect, so that the client can know that the server on the other end actually is "citibank.com" like in the URL, and not "myversionofcitibank.com."
However, there are no security or operational differences in the hardware/software actually running on the machines.
The only difference is that HTTPS makes it harder to read the data while it's on the wire (if you can read packets on the wire,) and also makes it harder to pretend to be a domain you aren't authorized for (if you can hijack DNS somehow.)
Something (bugs, bad code, etc) that's insecure on the client when using HTTP, is still insecure when using HTTPS.
Something (bugs, bad code, etc) that's insecure on the server when using HTTP, is still insecure when using HTTPS.

Btw: You can now get free HTTPS certificates for your domain by jumping through a very small amount of hoops.
Check out letsencrypt.org!
(Some hosting providers even have a checkbox to do this for you; such as DreamHost)

Edited by hplus0603
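The port-80 behaviour described in the answer above, as an added example that is not part of the original thread: GET/HEAD/OPTIONS get a permanent redirect to the HTTPS URL of the same resource, and POST/PUT/DELETE get an error. The host name `www.example.com`, the choice of 403 as the error status and port 8080 are assumptions made for this sketch; the redirect target is built from the configured name rather than the request's Host header so a forged Host cannot steer the redirect.

```python
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CANONICAL_HOST = "www.example.com"   # assumption: the single name the HTTPS site answers to
REDIRECT_METHODS = {"GET", "HEAD", "OPTIONS"}


def plain_http_response(method, target, host=CANONICAL_HOST):
    """Decide what the plain-HTTP listener answers: returns (status, headers)."""
    if method not in REDIRECT_METHODS:
        # A POST/PUT/DELETE body has already crossed the wire unencrypted.
        # Refuse instead of redirecting, so the misconfigured client is noticed.
        return 403, {"Content-Length": "0", "Connection": "close"}
    # Accept only origin-form targets ("/path?query"); absolute-form targets
    # and anything with whitespace or control characters are rejected so the
    # Location header cannot be malformed or split.
    bad_char = any(ord(c) < 0x21 or ord(c) == 0x7F for c in target)
    if not target.startswith("/") or bad_char:
        return 400, {"Content-Length": "0", "Connection": "close"}
    return 301, {"Location": f"https://{host}{target}", "Content-Length": "0"}


class RedirectHandler(BaseHTTPRequestHandler):
    """Plain-HTTP listener: serves no content, only redirects or refuses."""

    def _answer(self):
        # The Host header is deliberately ignored; see CANONICAL_HOST.
        status, headers = plain_http_response(self.command, self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()

    # Any other method falls through to http.server's built-in 501 response.
    do_GET = do_HEAD = do_OPTIONS = do_POST = do_PUT = do_DELETE = _answer


if __name__ == "__main__":
    # Port 8080 so the sketch runs unprivileged; the real listener is port 80.
    ThreadingHTTPServer(("127.0.0.1", 8080), RedirectHandler).serve_forever()
```

The HTTPS site itself runs as a separate listener on port 443 with the certificate; this handler only covers the plain-HTTP side.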


Thanks!

 


It is very common to run both HTTP and HTTPS servers on the same domain. In the best of worlds, the HTTP server simply does a permanent redirect to the HTTPS version of the same resource for GET/OPTIONS/HEAD, and returns an error for POST/PUT/DELETE. Although some servers accept the same requests on HTTPS and HTTP, for legacy or simplicity reasons.

 

I am thinking I will give the host an option to request secured communication with the client on file resources. If not, active documents can still, on behalf of the host, respond with status 301 Moved with an https:// modification of the URL. So the server is serving the hosts on both ports/protocols.
