Is it possible to make the same port work with http and https?

Solution 1

No, it's not possible to run HTTP and HTTPS on the same port.

When using HTTPS the connection uses the SSL/TLS protocol from the very start. There is no possibility for the client to start transmitting using plain HTTP.

The SSL/TLS standard doesn't provide for a way to drop back to HTTP if plaintext communication is detected on the port.

Solution 2

I don't know how they did it, but the developers in my company did exactly what @thomasrutter says you can't do: We use a non standard TCP port (so not 80, nor 443) e.g. 8080 and on that port if you send a http request it redirects you to https on the same port 8080. They did it with nginx and did not achieve this with apache2!

Edit: does seem to do it in nginx with a 497 error code and your browser does the rest: https://ma.ttias.be/force-redirect-http-https-custom-port-nginx/

Author by

Nullpointer

Updated on September 18, 2022

Comments

  • Nullpointer
    Nullpointer almost 2 years

    I have a nodejs application whose port number is 3001; this app works with http but does not work with https. On the apache server, I set the reverse proxy for 80 or 443 to 5001 and set a reverse proxy for 3001 also.

    http://<domain>:3001/socket.io/socket.js   ---> Work
    
    https://<domain>:3001/socket.io/socket.js   ---> Not Work(Secure Connection Failed or This site can’t be reached)
    

    Here I need to know whether the same port (3001) can work with both http and https?

    Any solution for that?

    • pa4080
      pa4080 over 7 years
      I'm not familiar with nodejs apps, but in all cases you can use stunnel4 to redirect http to https.
    • Nullpointer
      Nullpointer over 7 years
      But our requirement is for both http and https to work, so a redirect is not an option for me :) In the general case, is it possible?
    • pa4080
      pa4080 over 7 years
      If http port is open in the firewall, it will be accessible.
    • Nullpointer
      Nullpointer over 7 years
      Ports 80, 443 and 3001 are open to all, but the second (https) URL does not work, as above
    • pa4080
      pa4080 over 7 years
      I will write an answer and if you want you can try it.
    • Nullpointer
      Nullpointer over 7 years
      @SpasSpasov Sure Man
    • user.dz
      user.dz over 7 years
      Please, avoid cross posting ( serverfault.com/questions/820621/… ) . Have you checked these similar posts from SO stackoverflow.com/questions/22453782/… , stackoverflow.com/questions/15313308/…
    • Nullpointer
      Nullpointer over 7 years
      @user.dz I checked the above URLs; they contain code-level and haproxy solutions, but I need to change things on the apache server only
  • Nullpointer
    Nullpointer over 7 years
    So the developer set another port, 9001, for https and 3001 for http. Now the issue is that http+3001 is working fine and the https+9001 URL is working directly. Can we redirect https+3001->9001 using the apache2 proxy?
  • thomasrutter
    thomasrutter over 7 years
    You would not be able to run both the redirect and the HTTP service on port 3001. You can't listen for both HTTP and HTTPS on the same port regardless of what your internal setup is.
  • Nullpointer
    Nullpointer over 7 years
    Can we do something like an https+3001 --> 9001 redirect before the apache server, with no changes for http? In my case port 3001 is common to http and https (I am able to open the https+9001 URL and it works fine).
  • pa4080
    pa4080 over 7 years
    If https is working properly, why do you need http?
  • Nullpointer
    Nullpointer over 7 years
    No, http is working properly but https is not because of the same port (3001); the requirement is for both to work, pls suggest once more
  • thomasrutter
    thomasrutter over 7 years
    No unfortunately you cannot do as suggested a couple of comments ago. At the level of network communication where you would need to redirect a port, you would not know whether HTTP or HTTPS is being used yet. While you might be able to buffer and sniff the data, it would be both complicated and affect security.
  • Sara
    Sara over 4 years
    You absolutely can do this if you write the http(s) server. It's very easy to distinguish a TLS client handshake "hello" from a plaintext HTTP request, you only need to inspect the first byte (== 0x16 (TLS) or not). However, it would be difficult or impossible to combine that with most HTTP server implementations, as they don't typically allow you to pass them existing connections and buffers. The more important question is why would you want to do this, it's not generally a good idea.
  • bessarabov
    bessarabov over 4 years
    If it is not possible how does this nodejs library do it? github.com/mscdex/httpolyglot
  • thomasrutter
    thomasrutter over 4 years
    Well that looks like a pretty neat solution. It would have to remember state enough that communication could continue, and I imagine a client would not be able to mix HTTP and HTTPS requests to the same server
  • thomasrutter
    thomasrutter almost 3 years
    It's impossible to do it at the network layer, ie without integrating the functionality into your TLS wrapper code (or deep inspection of same with buffering). If you do have the ability to integrate this functionality into your TLS code, to detect an incoming conversation that's not a valid handshake to see if it's plain HTTP, then yes. It's a kludge, whose security implications I haven't fully thought through, but it's doable at that layer. In your case, if the only possible HTTP interaction is a redirect to HTTPS, then at first glance I can't see any security issue.
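
The first-byte check and the redirect-only case discussed in the comments above, sketched for Node.js as an added example (it is not code from the thread or from httpolyglot). CANONICAL_HOST, PORT and the function names are assumptions; the hand-off re-emits 'connection' on an https.Server that has no port of its own.

```javascript
// Added example; CANONICAL_HOST and PORT are assumed configuration values.
const CANONICAL_HOST = 'example.test';
const PORT = 3001;
const METHODS = ['GET ', 'HEAD ', 'POST ', 'PUT ', 'DELETE ', 'OPTIONS ', 'PATCH '];

// Returns 'tls', 'http', 'unknown', or 'need-more' (too few bytes so far).
function classifyFirstBytes(buf) {
  if (buf.length === 0) return 'need-more';
  if (buf[0] === 0x16) {
    // TLS record header: type 0x16 (handshake), then major version 0x03.
    if (buf.length < 2) return 'need-more';
    return buf[1] === 0x03 ? 'tls' : 'unknown';
  }
  // Exact method match is HTTP; a partial token such as "GE" is undecided.
  const head = buf.subarray(0, 8).toString('latin1');
  if (METHODS.some((m) => head.startsWith(m))) return 'http';
  return METHODS.some((m) => m.startsWith(head)) ? 'need-more' : 'unknown';
}

// Redirect for a plaintext request. The host comes from configuration; the
// client's Host header is never echoed, and odd targets collapse to "/".
function redirectResponse(buf) {
  const target = buf.toString('latin1').split('\r\n', 1)[0].split(' ')[1] || '/';
  const path = /^\/[\x21-\x7e]{0,2047}$/.test(target) ? target : '/';
  return 'HTTP/1.1 301 Moved Permanently\r\n' +
    `Location: https://${CANONICAL_HOST}:${PORT}${path}\r\n` +
    'Content-Length: 0\r\nConnection: close\r\n\r\n';
}

// 'connection' handler for a plain net.Server on PORT. tlsServer is an
// https.Server created with key and cert that never listens itself.
function dispatch(socket, tlsServer) {
  let seen = Buffer.alloc(0);
  socket.on('error', () => socket.destroy());
  socket.setTimeout(5000, () => socket.destroy()); // drop silent clients
  const onData = (chunk) => {
    seen = Buffer.concat([seen, chunk]);
    const kind = classifyFirstBytes(seen);
    const partial = kind === 'http' && !seen.includes('\r\n') && seen.length < 8192;
    if (kind === 'need-more' || partial) return;
    socket.removeListener('data', onData);
    if (kind === 'http') return socket.end(redirectResponse(seen));
    if (kind !== 'tls') return socket.destroy();
    socket.pause();
    socket.setTimeout(0);
    socket.unshift(seen); // hand the sniffed bytes back unread
    tlsServer.emit('connection', socket);
  };
  socket.on('data', onData);
}
```

Wire it up with `net.createServer((s) => dispatch(s, httpsServer)).listen(PORT)`. The redirect only protects later requests: whatever the client put in the plaintext request has already crossed the network unencrypted.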