Is it wrong to configure the web server to map HTTP and HTTPS traffic to the same document root?

Is there something wrong with setting up a web server to map SSL traffic (port 443) to the same document root as normal traffic (port 80)?

Using the same document root for HTTP and HTTPS means that you need to implement the following:

  • Each page that needs to be protected must have some application code that redirects the user to the HTTPS version if they somehow get into the HTTP version (or redirects the user to the login page if they don't have a session).
  • The login page should always be redirected to the HTTPS version.
  • For pages accessible via HTTP and HTTPS, you need to set a canonical URL to make sure it does not appear that you have duplicate content.

Is there a better way to set up encryption for user account pages? Is there a better way to separate a website from HTTP and HTTPS?

+3
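The three requirements listed in the question can be handled once, in front of the application, instead of in every page. This is an added sketch, not code from the question or any answer; the origin, the `/login` and `/account` paths, and the `has_session` callback are assumptions.

```python
from urllib.parse import quote

# Assumptions for this sketch (not from the question): site origin and path layout.
ORIGIN = "https://www.example.com"      # fixed origin; never taken from the Host header
LOGIN_PATH = "/login"
PROTECTED_PREFIXES = ("/account",)      # pages that need a session and HTTPS


def is_protected(path):
    # Match on a path-segment boundary so "/accounting" is not treated as "/account".
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def route(scheme, path, query="", has_session=False):
    """Return (status, headers) for a redirect, or None to serve the page as-is."""
    if path != LOGIN_PATH and not is_protected(path):
        return None                      # public page: reachable over both schemes
    if scheme != "https":
        # Points 1 and 2: protected pages and the login page leave HTTP immediately.
        target = ORIGIN + quote(path) + ("?" + query if query else "")
        return "301 Moved Permanently", [("Location", target)]
    if path != LOGIN_PATH and not has_session:
        # Point 1, second half: no session, so send the user to the HTTPS login page.
        login = ORIGIN + LOGIN_PATH + "?next=" + quote(path, safe="")
        return "302 Found", [("Location", login)]
    return None


def canonical_link(path):
    # Point 3: one canonical URL for a page served under both schemes.
    return '<link rel="canonical" href="%s%s">' % (ORIGIN, quote(path))


class SchemeGuard:
    """WSGI middleware applying route() before the wrapped application runs."""

    def __init__(self, app, has_session):
        self.app = app
        self.has_session = has_session   # callable(environ) -> bool, supplied by the app

    def __call__(self, environ, start_response):
        decision = route(environ.get("wsgi.url_scheme", "http"),
                         environ.get("PATH_INFO") or "/",
                         environ.get("QUERY_STRING", ""),
                         self.has_session(environ))
        if decision is None:
            return self.app(environ, start_response)
        status, headers = decision
        start_response(status, headers + [("Content-Length", "0")])
        return [b""]
```

Behind a TLS-terminating proxy, `wsgi.url_scheme` reflects the proxy-to-app hop, so the scheme must come from a header set by that trusted proxy.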
3 answers

It is not necessarily wrong to do this, but, as your points 1..3 show, it introduces complications. It seems to me that creating a separate document root can be much easier than working with the complications.

+1

Internet Information Server 7.X " ", HTTPS, .

, .

+1

http https "--" . -- HTTP-, HTTPS, HTTPS-.

+1

Source: https://habr.com/ru/post/1727217/

