Linux – Redirect some HTTPS traffic to HTTP in Caddy

Tags: https, linux, proxy, ubuntu, ubuntu-16.04

I am using Caddy as a proxy for many sites on the same server. Some of my sites are not ready for HTTPS. I can route them on HTTP just fine, but if I visit those sites with HTTPS, I get an ugly…

No such site at :443

…error. How can I use Caddy to redirect to HTTP instead?

This works but gives me the error:

siteCanHandleSSL.com {
  proxy / 123.123.123.123:80 {
    transparent
  }
  tls my@email.addy {
    dns route53
    max_certs 200
  }
}

http://siteCantHandleSSL.com {
  proxy / 123.456.654.321:80 {
    transparent
  }
  tls off
}

This gives me a different error:

siteCanHandleSSL.com {
  proxy / 123.123.123.123:80 {
    transparent
  }
  tls my@email.addy {
    dns route53
    max_certs 200
  }
}

https://siteCantHandleSSL.com {
  redir http://{host}{uri}
  tls off
}

http://siteCantHandleSSL.com {
  proxy / 123.456.654.321:80 {
    transparent
  }
  tls off
}

❯ curl https://surrain.com
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

❯ curl -k https://surrain.com
No such site at :443

Best Answer

In order to establish a valid SSL connection to a domain, the server must have a valid certificate for that domain. Otherwise you will get an error message about an invalid certificate.

If you want to redirect from HTTPS to HTTP, you need a valid certificate. This is because SSL is below HTTP, and the HTTP redirect response is sent after a valid SSL connection has been set up.

The best you can do is to host HTTP-only domains on a server that has nothing listening on the SSL port. This means you need a separate server for your HTTPS/HTTP and plain-HTTP sites.
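As an added example (not part of the question or the accepted answer, and not Caddy's own documentation), the Caddyfile below, in the same Caddy v1 syntax the question uses, applies the answer's second point: the redirect can only be delivered once the TLS handshake has succeeded, so the https:// site for the HTTP-only host has to present a real certificate. It therefore obtains one through the same Route 53 DNS challenge instead of using `tls off`, and only then answers with the redirect. Domain names, upstream addresses and the contact e-mail are the question's placeholders; the AWS credentials that the route53 provider reads from the environment are assumed to be configured.

```caddyfile
# Site that is ready for HTTPS: terminates TLS and proxies upstream
# (unchanged from the question).
siteCanHandleSSL.com {
  proxy / 123.123.123.123:80 {
    transparent
  }
  tls my@email.addy {
    dns route53
    max_certs 200
  }
}

# HTTPS listener for the host that is NOT ready for HTTPS.
# It still needs a valid certificate: the client verifies the chain during
# the TLS handshake, before any HTTP bytes are exchanged, so with "tls off"
# the redirect below could never be delivered. Obtain a certificate the same
# way (DNS challenge via Route 53; AWS credentials assumed to be present in
# the environment) and answer every request with a redirect to plain HTTP.
https://siteCantHandleSSL.com {
  redir http://{host}{uri}
  tls my@email.addy {
    dns route53
  }
}

# Plain-HTTP site for the same host, proxied as in the question.
# The explicit http:// scheme already keeps TLS off for this site.
http://siteCantHandleSSL.com {
  proxy / 123.456.654.321:80 {
    transparent
  }
}
```

After reloading Caddy, `curl -v https://siteCantHandleSSL.com/` should show a completed handshake followed by a redirect to `http://siteCantHandleSSL.com/`, instead of the certificate error and "No such site at :443" in the question. Since this deliberately downgrades the host to cleartext, it must never have sent a Strict-Transport-Security header: a browser with HSTS pinned for the host would upgrade the http:// URL back to https:// and loop.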