1

I know that there are several similar questions, but after many tests I am not able to get what I want.

First of all, I read that Apache can redirect in three ways: redirect, mod_rewrite or with an if-else statement (Apache 2.4+).

In the past I simply used:

    <VirtualHost *:80>
        ServerName example.com
        # does not redirect
        ServerAlias www.example.com
        Redirect "/" "https://www.example.com/"
    </VirtualHost>

    <VirtualHost *:443>
        ServerName example.com
        # does not redirect
        ServerAlias www.example.com
    </VirtualHost>

I read that I can use a more sophisticated syntax:

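    <VirtualHost *:80>
        ServerName example.com
        # does not redirect
        ServerAlias www.example.com

        RewriteEngine On
        # RewriteBase is only allowed in <Directory>/.htaccess context, so it is left out here
        # redirect all
        RewriteCond %{REQUEST_URI} ^/
        # in VirtualHost context the matched path starts with "/", so it is stripped before capturing
        RewriteRule ^/?(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
        # how to turn off for localhost and 127.0.0.1?
    </VirtualHost>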

Or

    <VirtualHost *:80>
        ServerName example.com
        ServerAlias www.example.com
        # how to add multiple condition?
        <If "%{HTTP_HOST} == 'example.com'">
            Redirect permanent / https://myexample.com/
        </If>
    </VirtualHost>

Sometimes it is better to avoid the rewrite directive. What can I do to achieve something like this?

1. https://example.com -> no redirect
2. http://example.com -> redirect to https://example.com
3. https://www.example.com -> redirect to https://example.com
4. http://www.example.com -> redirect to https://example.com
5. http://127.0.0.1/anyPath -> redirect to https://127.0.0.1/anyPath (or no redirect)
6. http://localhost/anyPath -> redirect to https://localhost/anyPath (or no redirect)

As you can see, I am not an expert in Apache configuration.

Thank you

1 Answer

2

(Unless you're operating your certificate authority) You can't get a valid TLS certificate for "localhost", "localhost.localdomain" and/or "127.0.0.1" AND there is no security benefit and only unnecessary overhead when you add encryption to traffic that stays within the same machine. (Any adversary that can intercept internal traffic between applications on the same system has already sufficient access that they don't need to intercept such traffic to get at your data...)

So redirecting requests for http://localhost to https://localhost doesn't make sense.

What's the "best" way to redirect to https?

You already found https://httpd.apache.org/docs/2.4/rewrite/avoid.html#redirect that suggests that the Redirect directive placed in the main httpd.conf or included config snippet is usually better and computationally cheaper for Apache http than using mod_rewrite and always better than relying on a .htaccess file.

IMHO most exception conditions can be handled by setting up additional VirtualHost blocks.

How to turn off redirecting for localhost and 127.0.0.1?

Apache httpd VirtualHost matching will default to a default VirtualHost block. In the absence of an explicit default that is usually the first VirtualHost. (Long explanation here.)

By adding an explicit VirtualHost for localhost, requests for localhost and the localhost IP-address won't be handled by the default VirtualHost and won't be redirected by simple redirects.

(Binding the localhost VirtualHost to the 127.0.0.1 IPv4 address prevents requests on internet interfaces with a manipulated Host: localhost header from accessing localhost-only data. If you're also using IPv6 to access localhost, you should create a separate IPv6 VirtualHost block for that as well, I think.)

    <VirtualHost *:80>
        ServerName example.com
        # does not redirect
        ServerAlias www.example.com
        Redirect "/" "https://www.example.com/"
    </VirtualHost>

    <VirtualHost 127.0.0.1:80>
        ServerName localhost
        DocumentRoot /var/www/localhost
    </VirtualHost>

    <VirtualHost *:443>
        ServerName example.com
        ServerAlias www.example.com
        ...
    </VirtualHost>
2
  • I followed your virtualhost example. However, even if I remove the redirect in the “HTTP” config file, the browsers are automatically redirected to the HTTPS version even if they have disabled the automatic redirect in the options. This is strange. Also, I noticed that in order for www.example.com to redirect to example.com, I have to add a CNAME in the DNS. However, since the TLS certificate is associated with example.com, I have a security error. Is there any way to fix it or is it better to remove it? Thank you Commented Jun 23 at 14:34
  • Note that browsers cache permanent redirects, apply cached HSTS headers and domain names and TLD extensions on the HSTS preload list; all of which may contribute to the browser immediately changing a plain http URL entered in the URL address bar to HTTPS. - Your web server needs a valid certificate for every domain that will be accessible over https; the easiest is often to include all domain names as supplemental domains in your certificate or to get additional certificates for every domain. Commented Jun 23 at 15:20
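
Added example, not part of the answer or comments above: one way to cover all six cases from the question using only Redirect and separate VirtualHost blocks, taking the "no redirect" option for localhost. The certificate and key paths and the /var/www/example.com document root are assumed placeholders, and the certificate is assumed to list both example.com and www.example.com.

```apache
# Cases 5 and 6: loopback only, no redirect. An IP-specific block is preferred
# over *:80, so it answers only connections that actually arrive on 127.0.0.1.
# Add a separate block for [::1]:80 if localhost is also reached over IPv6.
<VirtualHost 127.0.0.1:80>
    ServerName localhost
    DocumentRoot /var/www/localhost
</VirtualHost>

# Cases 2 and 4: plain HTTP for either name goes to the canonical HTTPS host.
# As the first *:80 block this is also the default for any unknown Host header,
# including a forged "Host: localhost" arriving on a public interface.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent "/" "https://example.com/"
</VirtualHost>

# Case 1: the canonical site, served without any redirect.
# Listed first among the *:443 blocks, so it is the default HTTPS host.
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example.com
    SSLEngine on
    # assumed placeholder paths
    SSLCertificateFile /etc/ssl/example/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/example/privkey.pem
</VirtualHost>

# Case 3: HTTPS on www redirects to the bare domain. The TLS handshake happens
# before the redirect is sent, so the certificate must also be valid for
# www.example.com or the browser stops with a certificate error.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # assumed placeholder paths (same certificate, covering both names)
    SSLCertificateFile /etc/ssl/example/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/example/privkey.pem
    Redirect permanent "/" "https://example.com/"
</VirtualHost>
```

Redirect appends the rest of the request path to the target, so http://www.example.com/anyPath ends up at https://example.com/anyPath.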
