HTTP and HTTPS on the same port

Jonchun Member
edited August 2019 in General

Does anyone know how this is possible? Is it as simple as listening for the TLS ClientHello and falling back to check if it's valid HTTP if not on the Listener? I'm sure I could dig around via the source code and see what they're doing, but I noticed this today while playing with OpenLitespeed for the first time:

$ curl -I xx.xx.xx.xx:7080
HTTP/1.0 301 Moved Permanently
Location: https://xx.xx.xx.xx:7080/
Cache-Control: private, no-cache, max-age=0
Pragma: no-cache
Server:LiteSpeed
Content-Length: 0
Connection: Close


$ curl -I https://xx.xx.xx.xx:7080 --insecure
HTTP/1.1 302 Found
X-Powered-By: PHP/5.6.36
X-Frame-Options: SAMEORIGIN
Set-Cookie: LSUI37FE0C43B84483E0=46250647add2d0cd0e62d4fa4418a9b0; path=/; secure; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Location: /login.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 11 Aug 2019 18:11:25 GMT
Server: LiteSpeed
Connection: Keep-Alive

Is there a different benefit in doing things this way other than only having to open one port on a firewall?

Comments

  • angstrom Moderator

    @Jonchun said:
    > Does anyone know how this is possible?

    Well, at least Apache can't use the same port for both http and https.

    I'm afraid that I don't know about OpenLiteSpeed.

    > Is there a different benefit in doing things this way other than only having to open one port on a firewall?

    I see a benefit of redirecting http to https (using two ports), but I don't immediately see how putting http and https on a single port would yield a tangible benefit (not to mention that it would add complexity).

  • Daniel15 Veteran
    edited August 2019

    Nginx does this by default too, except it just renders an error message. For example, see http://d.sb:443/:

    400 Bad Request: The plain HTTP request was sent to HTTPS port

    Nginx throws a non-standard error code in this case (497), so you can change the behaviour when that error is thrown, for example redirect to HTTPS.

    > Is it as simple as listening for the TLS ClientHello and falling back to check if it's valid HTTP if not on the Listener

    I think they generally look at the first packet received, and see if it's TLS or plain HTTP. Same way that sslh lets you have HTTPS, SSH, plain HTTP and OpenVPN on the same port. For inspiration, you could look at sslh's probing code: https://github.com/yrutschle/sslh/blob/master/probe.c

    Thanked by 2: Jonchun, uptime
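
The first-bytes check discussed in this thread, written out as an added example (it is not code from sslh, Nginx or OpenLiteSpeed, and not from any poster here). The function name, the enum and the two sample byte strings are constructed for illustration; the classifier distinguishes a TLS ClientHello record from a plain HTTP request line and treats a short read as undecided rather than as a mismatch.

```c
#include <stdio.h>
#include <string.h>

enum proto { PROTO_NEED_MORE, PROTO_TLS, PROTO_HTTP, PROTO_UNKNOWN };

/* Constructed samples: start of a TLS ClientHello record and a plain HTTP request. */
static const unsigned char SAMPLE_TLS[] = { 0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xfc };
static const unsigned char SAMPLE_HTTP[] = "HEAD / HTTP/1.1\r\nHost: example.test\r\n\r\n";

/* Classify the first bytes read (or peeked with MSG_PEEK) from a new connection. */
enum proto classify_first_bytes(const unsigned char *buf, size_t len)
{
    static const char *const methods[] = { "GET ", "HEAD ", "POST ", "PUT ", "DELETE ",
                                           "OPTIONS ", "PATCH ", "CONNECT ", "TRACE " };
    size_t i;

    if (len == 0)
        return PROTO_NEED_MORE;
    if (buf[0] == 0x16) {
        /* TLS record: type 0x16 (handshake), version 0x03 0x00..0x04, 2-byte length,
         * then handshake message type 0x01 (ClientHello). */
        if (len < 6)
            return PROTO_NEED_MORE;
        return (buf[1] == 0x03 && buf[2] <= 0x04 && buf[5] == 0x01) ? PROTO_TLS : PROTO_UNKNOWN;
    }
    for (i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        size_t mlen = strlen(methods[i]);
        size_t n = len < mlen ? len : mlen;
        /* A short read that is still a prefix of a method is undecided, not a mismatch. */
        if (memcmp(buf, methods[i], n) == 0)
            return n == mlen ? PROTO_HTTP : PROTO_NEED_MORE;
    }
    return PROTO_UNKNOWN; /* neither: close the connection instead of guessing */
}

int main(void)
{
    static const char *const names[] = { "need more data", "TLS", "plain HTTP", "unknown" };
    printf("sample 1: %s\n", names[classify_first_bytes(SAMPLE_TLS, sizeof SAMPLE_TLS)]);
    printf("sample 2: %s\n", names[classify_first_bytes(SAMPLE_HTTP, sizeof SAMPLE_HTTP - 1)]);
    printf("3-byte read: %s\n", names[classify_first_bytes(SAMPLE_TLS, 3)]);
    return 0;
}
```

A listener would hand a `PROTO_TLS` connection to its TLS stack and answer `PROTO_HTTP` with a redirect or an error, which are the two behaviours shown in the thread.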