HTTP and HTTPS on the same port
Does anyone know how this is possible? Is it as simple as listening for the TLS ClientHello and falling back to check if it's valid HTTP if not on the Listener? I'm sure I could dig around via the source code and see what they're doing, but I noticed this today while playing with OpenLitespeed for the first time:
$curl -I xx.xx.xx.xx:7080
HTTP/1.0 301 Moved Permanently
Location: https://xx.xx.xx.xx:7080/
Cache-Control: private, no-cache, max-age=0
Pragma: no-cache
Server:LiteSpeed
Content-Length: 0
Connection: Close
$curl -I https://xx.xx.xx.xx:7080 --insecure
HTTP/1.1 302 Found
X-Powered-By: PHP/5.6.36
X-Frame-Options: SAMEORIGIN
Set-Cookie: LSUI37FE0C43B84483E0=46250647add2d0cd0e62d4fa4418a9b0; path=/; secure; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Location: /login.php
Content-Type: text/html; charset=UTF-8
Date: Sun, 11 Aug 2019 18:11:25 GMT
Server: LiteSpeed
Connection: Keep-Alive
Is there a different benefit in doing things this way other than only having to open one port on a firewall?
Comments
Well, at least Apache can't use the same port for both http and https.
I'm afraid that I don't know about OpenLiteSpeed.
I see a benefit of redirecting http to https (using two ports), but I don't immediately see how putting http and https on a single port would yield a tangible benefit (not to mention that it would add complexity).
Nginx does this by default too, except it just renders an error message. For example, see http://d.sb:443/:
Nginx throws a non-standard error code in this case (497), so you can change the behaviour when that error is thrown, for example redirect to HTTPS.
I think they generally look at the first packet received, and see if it's TLS or plain HTTP. Same way that sslh lets you have HTTPS, SSH, plain HTTP and OpenVPN on the same port. For inspiration, you could look at sslh's probing code: https://github.com/yrutschle/sslh/blob/master/probe.c
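The approach the thread converges on, written out as an added example (this is not code from the thread, from OpenLiteSpeed, nginx or sslh): a Go listener that peeks at the first eight bytes of every connection, treats a TLS Handshake record (0x16 0x03 ...) as HTTPS and hands the untouched bytes on to crypto/tls, and answers an HTTP/1.x method line with the same `HTTP/1.0 301` to `https://host:port/` that the first curl above received. Everything here is assumed for the demo: the names classify, handleConn, startServer, fetch and the peekedConn wrapper, the throwaway self-signed certificate generated at start, and the response strings. fetch disables certificate verification only because that demo certificate is self-signed; it plays the role of `curl --insecure` above.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"regexp"
	"time"
)

// TLS opens with a Handshake record (type 0x16, version 0x03xx); HTTP/1.x opens with an uppercase method token and a space.
var httpMethod = regexp.MustCompile(`^[A-Z]+ `)

func classify(head []byte) string {
	switch {
	case len(head) >= 2 && head[0] == 0x16 && head[1] == 0x03:
		return "tls"
	case httpMethod.Match(head):
		return "http"
	}
	return "unknown" // SSH banners, binary junk, or too few bytes to tell
}

// peekedConn replays the bytes bufio already buffered, so the TLS server still sees the whole ClientHello.
type peekedConn struct {
	net.Conn
	r *bufio.Reader
}

func (p *peekedConn) Read(b []byte) (int, error) { return p.r.Read(b) }

func handleConn(c net.Conn, cfg *tls.Config) {
	defer c.Close()
	_ = c.SetReadDeadline(time.Now().Add(5 * time.Second)) // an idle client must not pin this goroutine in Peek
	br := bufio.NewReader(c)
	switch head, _ := br.Peek(8); classify(head) { // bytes that arrived before an error are still classified
	case "tls":
		tc := tls.Server(&peekedConn{Conn: c, r: br}, cfg)
		defer tc.Close()                                  // sends close_notify before the TCP close
		req, err := http.ReadRequest(bufio.NewReader(tc)) // the handshake runs on the first read
		if err != nil {
			return
		}
		body := "served over TLS: " + req.Method + " " + req.URL.Path + "\n" // constructed demo body
		fmt.Fprintf(tc, "HTTP/1.1 200 OK\r\nContent-Length: %d\r\nConnection: close\r\n\r\n%s", len(body), body)
	case "http": // plaintext on the TLS port: the same 301 the thread's first curl shows
		req, err := http.ReadRequest(br)
		if err != nil {
			return
		}
		fmt.Fprintf(c, "HTTP/1.0 301 Moved Permanently\r\nLocation: https://%s%s\r\nContent-Length: 0\r\nConnection: Close\r\n\r\n",
			req.Host, req.URL.RequestURI())
	} // anything else is dropped without a banner
}

// startServer binds addr ("127.0.0.1:0" picks a free port) with a throwaway self-signed certificate and serves both protocols until ln is closed.
func startServer(addr string) (ln net.Listener, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	if ln, err = net.Listen("tcp", addr); err != nil {
		return nil, err
	}
	go func() { // accept until the listener is closed
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go handleConn(c, cfg)
		}
	}()
	return ln, nil
}

// fetch does one GET to addr, in the clear or over TLS, without following redirects; returns status code and Location.
func fetch(addr string, useTLS bool) (int, string, error) {
	client := &http.Client{
		// Verification is skipped only because the demo certificate is self-signed (curl --insecure above).
		Transport:     &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}},
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
	resp, err := client.Get(map[bool]string{false: "http://", true: "https://"}[useTLS] + addr + "/")
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	return resp.StatusCode, resp.Header.Get("Location"), nil
}
```

Driving it: `ln, _ := startServer("127.0.0.1:0")`, then `fetch(ln.Addr().String(), false)` comes back with 301 and `https://127.0.0.1:<port>/`, while `fetch(ln.Addr().String(), true)` comes back with 200 from the same port. Two details worth keeping in a real implementation: the read deadline before the peek, because a client that connects and then sends nothing would otherwise hold the handler open while bufio waits for eight bytes, and the silent drop of anything that is neither protocol, so the port announces nothing about what runs behind it. The first-bytes test is the same idea the last reply points to in sslh's probe.c, which adds further probes for SSH and OpenVPN.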