Apache allowing HTTP access when should be redirected to HTTPS












5















I thought I'd followed the accepted wisdom in redirecting HTTP traffic to HTTPS, but following a DNS issue today, and having to use an IP address instead of the URL, I realise something's amiss.



Apache.conf:



<VirtualHost *:80>

   ServerName 127.0.0.1



   DocumentRoot /var/www/web

</VirtualHost>



<VirtualHost _default_:443>

   ServerName example.com



   DocumentRoot /var/www/web

   SSLEngine On

   SSLCertificateFile      /etc/ssl/local_certs/example.com.pem

   SSLCertificateKeyFile /etc/ssl/local_certs/example.com.pem.key

   Header set Access-Control-Allow-Origin "*"

</VirtualHost>



<VirtualHost *:80>

   ServerName example.com



   Redirect permanent "/" "https://example.com/"

</VirtualHost>


Given the above I'm confused by several points:



1) If we're now using an IP address, why are any of the above ServerName specific virtual hosts serving a page? This would confuse me less if the IP address I'm using currently corresponded to the domain name (it should, but today it doesn't, DNS issue).



2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?



To explain the 127.0.0.1 host, this is a convenience for a local apt repository. I'm aware ServerName isn't 100% secure, but that's not an immediate concern.



What happens when I browse to the site by IP:



In the first instance I am redirected to HTTPS on the same IP address, which is what I might expect. But, if I go back the address bar in the browser and remove the 's' from https, it navigates me to the page on port 80 without a redirect, and I'm free to continue browsing the site unsecured.



I should add that the out-of-the-box enabled/available site config files do still exist, but these have a document root of /var/www/html, which contains nothing other than the default apache index.html landing page, which isn't what I'm served.






apache-2.2 ssl







share|improve this question























  • Can you also include your Listen and NameVirtualHost directives?

    – Vilx-
    Jan 17 at 18:37
















5















I thought I'd followed the accepted wisdom in redirecting HTTP traffic to HTTPS, but following a DNS issue today, and having to use an IP address instead of the URL, I realise something's amiss.



Apache.conf:



<VirtualHost *:80>

   ServerName 127.0.0.1



   DocumentRoot /var/www/web

</VirtualHost>



<VirtualHost _default_:443>

   ServerName example.com



   DocumentRoot /var/www/web

   SSLEngine On

   SSLCertificateFile      /etc/ssl/local_certs/example.com.pem

   SSLCertificateKeyFile /etc/ssl/local_certs/example.com.pem.key

   Header set Access-Control-Allow-Origin "*"

</VirtualHost>



<VirtualHost *:80>

   ServerName example.com



   Redirect permanent "/" "https://example.com/"

</VirtualHost>


Given the above I'm confused by several points:



1) If we're now using an IP address, why are any of the above ServerName specific virtual hosts serving a page? This would confuse me less if the IP address I'm using currently corresponded to the domain name (it should, but today it doesn't, DNS issue).



2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?



To explain the 127.0.0.1 host, this is a convenience for a local apt repository. I'm aware ServerName isn't 100% secure, but that's not an immediate concern.



What happens when I browse to the site by IP:



In the first instance I am redirected to HTTPS on the same IP address, which is what I might expect. But, if I go back the address bar in the browser and remove the 's' from https, it navigates me to the page on port 80 without a redirect, and I'm free to continue browsing the site unsecured.



I should add that the out-of-the-box enabled/available site config files do still exist, but these have a document root of /var/www/html, which contains nothing other than the default apache index.html landing page, which isn't what I'm served.






apache-2.2 ssl







share|improve this question























  • Can you also include your Listen and NameVirtualHost directives?

    – Vilx-
    Jan 17 at 18:37














5












5








5








I thought I'd followed the accepted wisdom in redirecting HTTP traffic to HTTPS, but following a DNS issue today, and having to use an IP address instead of the URL, I realise something's amiss.



Apache.conf:



<VirtualHost *:80>

   ServerName 127.0.0.1



   DocumentRoot /var/www/web

</VirtualHost>



<VirtualHost _default_:443>

   ServerName example.com



   DocumentRoot /var/www/web

   SSLEngine On

   SSLCertificateFile      /etc/ssl/local_certs/example.com.pem

   SSLCertificateKeyFile /etc/ssl/local_certs/example.com.pem.key

   Header set Access-Control-Allow-Origin "*"

</VirtualHost>



<VirtualHost *:80>

   ServerName example.com



   Redirect permanent "/" "https://example.com/"

</VirtualHost>


Given the above I'm confused by several points:



1) If we're now using an IP address, why are any of the above ServerName specific virtual hosts serving a page? This would confuse me less if the IP address I'm using currently corresponded to the domain name (it should, but today it doesn't, DNS issue).



2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?



To explain the 127.0.0.1 host, this is a convenience for a local apt repository. I'm aware ServerName isn't 100% secure, but that's not an immediate concern.



What happens when I browse to the site by IP:



In the first instance I am redirected to HTTPS on the same IP address, which is what I might expect. But, if I go back the address bar in the browser and remove the 's' from https, it navigates me to the page on port 80 without a redirect, and I'm free to continue browsing the site unsecured.



I should add that the out-of-the-box enabled/available site config files do still exist, but these have a document root of /var/www/html, which contains nothing other than the default apache index.html landing page, which isn't what I'm served.






apache-2.2 ssl







share|improve this question














I thought I'd followed the accepted wisdom in redirecting HTTP traffic to HTTPS, but following a DNS issue today, and having to use an IP address instead of the URL, I realise something's amiss.



Apache.conf:



<VirtualHost *:80>

   ServerName 127.0.0.1



   DocumentRoot /var/www/web

</VirtualHost>



<VirtualHost _default_:443>

   ServerName example.com



   DocumentRoot /var/www/web

   SSLEngine On

   SSLCertificateFile      /etc/ssl/local_certs/example.com.pem

   SSLCertificateKeyFile /etc/ssl/local_certs/example.com.pem.key

   Header set Access-Control-Allow-Origin "*"

</VirtualHost>



<VirtualHost *:80>

   ServerName example.com



   Redirect permanent "/" "https://example.com/"

</VirtualHost>


Given the above I'm confused by several points:



1) If we're now using an IP address, why are any of the above ServerName specific virtual hosts serving a page? This would confuse me less if the IP address I'm using currently corresponded to the domain name (it should, but today it doesn't, DNS issue).



2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?



To explain the 127.0.0.1 host, this is a convenience for a local apt repository. I'm aware ServerName isn't 100% secure, but that's not an immediate concern.



What happens when I browse to the site by IP:



In the first instance I am redirected to HTTPS on the same IP address, which is what I might expect. But, if I go back the address bar in the browser and remove the 's' from https, it navigates me to the page on port 80 without a redirect, and I'm free to continue browsing the site unsecured.



I should add that the out-of-the-box enabled/available site config files do still exist, but these have a document root of /var/www/html, which contains nothing other than the default apache index.html landing page, which isn't what I'm served.






apache-2.2 ssl




apache-2.2 ssl






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jan 17 at 11:17









whoaskedwhoasked

547




547













  • Can you also include your Listen and NameVirtualHost directives?

    – Vilx-
    Jan 17 at 18:37



















  • Can you also include your Listen and NameVirtualHost directives?

    – Vilx-
    Jan 17 at 18:37

















Can you also include your Listen and NameVirtualHost directives?

– Vilx-
Jan 17 at 18:37





Can you also include your Listen and NameVirtualHost directives?

– Vilx-
Jan 17 at 18:37










2 Answers
2






active

oldest

votes


















8














Quote from the documentation:




If no matching ServerName or ServerAlias is found in the set of virtual hosts containing the most specific matching IP address and port combination, then the first listed virtual host that matches that will be used.




(highlighting not by me).



In other words, Apache will always use one of the VirtualHosts, even if none of the configured VirtualHosts matches exactly. Not configuring an address does not mean that the address is not server some content.



(Note: only after posting this I realized that the question is tagged with apache-2.2, but the 2.2 documentation contains a virtually identical paragraph).






share|improve this answer
























  • Ok, so move 443 to the top would be safest in my situation?

    – whoasked
    Jan 17 at 11:23






  • 1





    No, it would not make any difference. You will have to configure a virtualhost for the IP address, or a default virtualhost that is used for everything that isn't configured specifically. Remember, anybody can point any domain that he owns to your IP address.

    – Gerald Schneider
    Jan 17 at 11:24






  • 1





    So if the bottom host became <VirtualHost *:*>? Sorry to press I'll go back to google ...

    – whoasked
    Jan 17 at 11:28











  • No, for every address that is not configured the first virtualhost (with the same port) will be used.

    – Gerald Schneider
    Jan 17 at 11:29








  • 1





    You don't need Google, you need the documentation, except you don't, because the relevant part was already quoted in this answer, so you just need to read the answer. :)

    – Lightness Races in Orbit
    Jan 17 at 16:30



















5















2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?




Because you don't bind/restrict Apache httpd to the loopback interface specifically, and listen to all interfaces.



You probably have a Listen 80 directive elsewhere in your httpd.conf that allows Apache to accept traffic to port 80 on all interfaces. (You probably want to keep that to be able to continue to Redirect from HTTP to HTTPS on your internet facing website(s)).



Additionally you use <VirtualHost *:80> in your Virtual Host definitions. That makes them valid on all interfaces/ip-addresses. As Gerald Scneider already explained that then makes the first VirtualHost entry the default that will handle all requests that don't match any of your other VirtualHost entries.



Your use case is good example on when to use more specific IP-based VirtualHost definitions that will more predictably behave in the way you intend them: 



<VirtualHost 127.0.0.1:80>

   ServerName 127.0.0.1

   DocumentRoot /var/www/web

</VirtualHost>





<VirtualHost example.com:80>

   ServerName example.com

   Redirect permanent "/" "https://example.com/"

</VirtualHost>





share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "2"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f949512%2fapache-allowing-http-access-when-should-be-redirected-to-https%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    8














    Quote from the documentation:




    If no matching ServerName or ServerAlias is found in the set of virtual hosts containing the most specific matching IP address and port combination, then the first listed virtual host that matches that will be used.




    (highlighting not by me).



    In other words, Apache will always use one of the VirtualHosts, even if none of the configured VirtualHosts matches exactly. Not configuring an address does not mean that the address is not server some content.



    (Note: only after posting this I realized that the question is tagged with apache-2.2, but the 2.2 documentation contains a virtually identical paragraph).






    share|improve this answer
























    • Ok, so move 443 to the top would be safest in my situation?

      – whoasked
      Jan 17 at 11:23






    • 1





      No, it would not make any difference. You will have to configure a virtualhost for the IP address, or a default virtualhost that is used for everything that isn't configured specifically. Remember, anybody can point any domain that he owns to your IP address.

      – Gerald Schneider
      Jan 17 at 11:24






    • 1





      So if the bottom host became <VirtualHost *:*>? Sorry to press I'll go back to google ...

      – whoasked
      Jan 17 at 11:28











    • No, for every address that is not configured the first virtualhost (with the same port) will be used.

      – Gerald Schneider
      Jan 17 at 11:29








    • 1





      You don't need Google, you need the documentation, except you don't, because the relevant part was already quoted in this answer, so you just need to read the answer. :)

      – Lightness Races in Orbit
      Jan 17 at 16:30
















    8














    Quote from the documentation:




    If no matching ServerName or ServerAlias is found in the set of virtual hosts containing the most specific matching IP address and port combination, then the first listed virtual host that matches that will be used.




    (highlighting not by me).



    In other words, Apache will always use one of the VirtualHosts, even if none of the configured VirtualHosts matches exactly. Not configuring an address does not mean that the address is not server some content.



    (Note: only after posting this I realized that the question is tagged with apache-2.2, but the 2.2 documentation contains a virtually identical paragraph).






    share|improve this answer
























    • Ok, so move 443 to the top would be safest in my situation?

      – whoasked
      Jan 17 at 11:23






    • 1





      No, it would not make any difference. You will have to configure a virtualhost for the IP address, or a default virtualhost that is used for everything that isn't configured specifically. Remember, anybody can point any domain that he owns to your IP address.

      – Gerald Schneider
      Jan 17 at 11:24






    • 1





      So if the bottom host became <VirtualHost *:*>? Sorry to press I'll go back to google ...

      – whoasked
      Jan 17 at 11:28











    • No, for every address that is not configured the first virtualhost (with the same port) will be used.

      – Gerald Schneider
      Jan 17 at 11:29








    • 1





      You don't need Google, you need the documentation, except you don't, because the relevant part was already quoted in this answer, so you just need to read the answer. :)

      – Lightness Races in Orbit
      Jan 17 at 16:30














    8












    8








    8







    Quote from the documentation:




    If no matching ServerName or ServerAlias is found in the set of virtual hosts containing the most specific matching IP address and port combination, then the first listed virtual host that matches that will be used.




    (highlighting not by me).



    In other words, Apache will always use one of the VirtualHosts, even if none of the configured VirtualHosts matches exactly. Not configuring an address does not mean that the address is not server some content.



    (Note: only after posting this I realized that the question is tagged with apache-2.2, but the 2.2 documentation contains a virtually identical paragraph).






    share|improve this answer













    Quote from the documentation:




    If no matching ServerName or ServerAlias is found in the set of virtual hosts containing the most specific matching IP address and port combination, then the first listed virtual host that matches that will be used.




    (highlighting not by me).



    In other words, Apache will always use one of the VirtualHosts, even if none of the configured VirtualHosts matches exactly. Not configuring an address does not mean that the address is not server some content.



    (Note: only after posting this I realized that the question is tagged with apache-2.2, but the 2.2 documentation contains a virtually identical paragraph).







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Jan 17 at 11:21









    Gerald SchneiderGerald Schneider

    6,25512446




    6,25512446













    • Ok, so move 443 to the top would be safest in my situation?

      – whoasked
      Jan 17 at 11:23






    • 1





      No, it would not make any difference. You will have to configure a virtualhost for the IP address, or a default virtualhost that is used for everything that isn't configured specifically. Remember, anybody can point any domain that he owns to your IP address.

      – Gerald Schneider
      Jan 17 at 11:24






    • 1





      So if the bottom host became <VirtualHost *:*>? Sorry to press I'll go back to google ...

      – whoasked
      Jan 17 at 11:28











    • No, for every address that is not configured the first virtualhost (with the same port) will be used.

      – Gerald Schneider
      Jan 17 at 11:29








    • 1





      You don't need Google, you need the documentation, except you don't, because the relevant part was already quoted in this answer, so you just need to read the answer. :)

      – Lightness Races in Orbit
      Jan 17 at 16:30



















    • Ok, so move 443 to the top would be safest in my situation?

      – whoasked
      Jan 17 at 11:23






    • 1





      No, it would not make any difference. You will have to configure a virtualhost for the IP address, or a default virtualhost that is used for everything that isn't configured specifically. Remember, anybody can point any domain that he owns to your IP address.

      – Gerald Schneider
      Jan 17 at 11:24






    • 1





      So if the bottom host became <VirtualHost *:*>? Sorry to press I'll go back to google ...

      – whoasked
      Jan 17 at 11:28











    • No, for every address that is not configured the first virtualhost (with the same port) will be used.

      – Gerald Schneider
      Jan 17 at 11:29








    • 1





      You don't need Google, you need the documentation, except you don't, because the relevant part was already quoted in this answer, so you just need to read the answer. :)

      – Lightness Races in Orbit
      Jan 17 at 16:30

















    Ok, so move 443 to the top would be safest in my situation?

    – whoasked
    Jan 17 at 11:23





    Ok, so move 443 to the top would be safest in my situation?

    – whoasked
    Jan 17 at 11:23




    1




    1





    No, it would not make any difference. You will have to configure a virtualhost for the IP address, or a default virtualhost that is used for everything that isn't configured specifically. Remember, anybody can point any domain that he owns to your IP address.

    – Gerald Schneider
    Jan 17 at 11:24





    No, it would not make any difference. You will have to configure a virtualhost for the IP address, or a default virtualhost that is used for everything that isn't configured specifically. Remember, anybody can point any domain that he owns to your IP address.

    – Gerald Schneider
    Jan 17 at 11:24




    1




    1





    So if the bottom host became <VirtualHost *:*>? Sorry to press I'll go back to google ...

    – whoasked
    Jan 17 at 11:28





    So if the bottom host became <VirtualHost *:*>? Sorry to press I'll go back to google ...

    – whoasked
    Jan 17 at 11:28













    No, for every address that is not configured the first virtualhost (with the same port) will be used.

    – Gerald Schneider
    Jan 17 at 11:29







    No, for every address that is not configured the first virtualhost (with the same port) will be used.

    – Gerald Schneider
    Jan 17 at 11:29






    1




    1





    You don't need Google, you need the documentation, except you don't, because the relevant part was already quoted in this answer, so you just need to read the answer. :)

    – Lightness Races in Orbit
    Jan 17 at 16:30





    You don't need Google, you need the documentation, except you don't, because the relevant part was already quoted in this answer, so you just need to read the answer. :)

    – Lightness Races in Orbit
    Jan 17 at 16:30













    5















    2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?




    Because you don't bind/restrict Apache httpd to the loopback interface specifically, and listen to all interfaces.



    You probably have a Listen 80 directive elsewhere in your httpd.conf that allows Apache to accept traffic to port 80 on all interfaces. (You probably want to keep that to be able to continue to Redirect from HTTP to HTTPS on your internet facing website(s)).



    Additionally you use <VirtualHost *:80> in your Virtual Host definitions. That makes them valid on all interfaces/ip-addresses. As Gerald Scneider already explained that then makes the first VirtualHost entry the default that will handle all requests that don't match any of your other VirtualHost entries.



    Your use case is good example on when to use more specific IP-based VirtualHost definitions that will more predictably behave in the way you intend them: 



    <VirtualHost 127.0.0.1:80>
    
   ServerName 127.0.0.1
    
   DocumentRoot /var/www/web
    
</VirtualHost>
    

    

    
<VirtualHost example.com:80>
    
   ServerName example.com
    
   Redirect permanent "/" "https://example.com/"
    
</VirtualHost>





    share|improve this answer




























      5















      2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?




      Because you don't bind/restrict Apache httpd to the loopback interface specifically, and listen to all interfaces.



      You probably have a Listen 80 directive elsewhere in your httpd.conf that allows Apache to accept traffic to port 80 on all interfaces. (You probably want to keep that to be able to continue to Redirect from HTTP to HTTPS on your internet facing website(s)).



      Additionally you use <VirtualHost *:80> in your Virtual Host definitions. That makes them valid on all interfaces/ip-addresses. As Gerald Scneider already explained that then makes the first VirtualHost entry the default that will handle all requests that don't match any of your other VirtualHost entries.



      Your use case is good example on when to use more specific IP-based VirtualHost definitions that will more predictably behave in the way you intend them: 



      <VirtualHost 127.0.0.1:80>
      
   ServerName 127.0.0.1
      
   DocumentRoot /var/www/web
      
</VirtualHost>
      

      

      
<VirtualHost example.com:80>
      
   ServerName example.com
      
   Redirect permanent "/" "https://example.com/"
      
</VirtualHost>





      share|improve this answer


























        5












        5








        5








        2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?




        Because you don't bind/restrict Apache httpd to the loopback interface specifically, and listen to all interfaces.



        You probably have a Listen 80 directive elsewhere in your httpd.conf that allows Apache to accept traffic to port 80 on all interfaces. (You probably want to keep that to be able to continue to Redirect from HTTP to HTTPS on your internet facing website(s)).



        Additionally you use <VirtualHost *:80> in your Virtual Host definitions. That makes them valid on all interfaces/ip-addresses. As Gerald Scneider already explained that then makes the first VirtualHost entry the default that will handle all requests that don't match any of your other VirtualHost entries.



        Your use case is good example on when to use more specific IP-based VirtualHost definitions that will more predictably behave in the way you intend them: 



        <VirtualHost 127.0.0.1:80>
        
   ServerName 127.0.0.1
        
   DocumentRoot /var/www/web
        
</VirtualHost>
        

        

        
<VirtualHost example.com:80>
        
   ServerName example.com
        
   Redirect permanent "/" "https://example.com/"
        
</VirtualHost>





        share|improve this answer














        2) Given the IP address I'm using isn't 127.0.0.1, why am I allowed access on port 80?




        Because you don't bind/restrict Apache httpd to the loopback interface specifically, and listen to all interfaces.



        You probably have a Listen 80 directive elsewhere in your httpd.conf that allows Apache to accept traffic to port 80 on all interfaces. (You probably want to keep that to be able to continue to Redirect from HTTP to HTTPS on your internet facing website(s)).



        Additionally you use <VirtualHost *:80> in your Virtual Host definitions. That makes them valid on all interfaces/ip-addresses. As Gerald Scneider already explained that then makes the first VirtualHost entry the default that will handle all requests that don't match any of your other VirtualHost entries.



        Your use case is good example on when to use more specific IP-based VirtualHost definitions that will more predictably behave in the way you intend them: 



        <VirtualHost 127.0.0.1:80>
        
   ServerName 127.0.0.1
        
   DocumentRoot /var/www/web
        
</VirtualHost>
        

        

        
<VirtualHost example.com:80>
        
   ServerName example.com
        
   Redirect permanent "/" "https://example.com/"
        
</VirtualHost>






        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Jan 17 at 12:14









        HBruijnHBruijn

        54.6k1087147




        54.6k1087147






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Server Fault!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f949512%2fapache-allowing-http-access-when-should-be-redirected-to-https%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Can a sorcerer learn a 5th-level spell early by creating spell slots using the Font of Magic feature?

            Image
            28 6 $begingroup$ Per the Font of Magic feature, sorcerer can use Flexible Casting to create 5th-level spell slots at level 7, even though they are not typically available until level 9. You can transform unexpended sorcery points into one spell slot as a bonus action on your turn. The Creating Spell Slots table shows the cost of creating a spell slot of [5th level is 7] If such a sorcerer levels up while still having this 5th-level spell slot, can they choose a 5th-level spell as the spell they gain upon levelling up? The Spellcasting feature states: Additionally, when you gain a level in this class, you can choose one of the sorcerer spells you know and replace it with another spell from the sorcerer spell list, which also must be of a level for which you have spell slots.
            Read more

            Does disintegrating a polymorphed enemy still kill it after the 2018 errata?

            Image
            up vote 13 down vote favorite 1 After the 2018 errata, the disintegrate spell description now reads: A creature targeted by this spell must make a Dexterity saving throw. On a failed save, the target takes 10d6 + 40 force damage. The target is disintegrated if this damage leaves it with 0 hit points. If you were to polymorph an enemy into a rat and then disintegrate it, would the enemy be disintegrated or would it just return to its original form? I know that for Druids, it’s not an instant kill anymore, but is this the case for polymorph as well? dnd-5e spells polymorph errata share | improve this question edited 18 hours ago
            Read more

            A Topological Invariant for $pi_3(U(n))$

            Image
            3 3 $begingroup$ Recently, I saw a construction of topological invariant for $pi_3(U(n))$ with $ngeq 2$ : $$ N=frac{1}{24pi^2}int_{S^3} d^3x epsilon^{ijk} Tr[(U^{-1}partial_{x_i}U)(U^{-1}partial_{x_j}U)(U^{-1}partial_{x_k}U)] , $$ where $Uin U(n)$ depends on $boldsymbol{x}=(x_1,x_2,x_3)in S^3$ , $epsilon^{ijk}$ is the Levi-Civita symbol, $i,j,k=1,2,3$ , and the duplicated indexes are summed over. It is claimed that $N$ is an integer, but why? Update 02/02/2019 I think I got an argument for $n=2$ . In this case, $U=e^{i varphi} q$ with $qin SU(2)$ . Due to the trace and the Levi-Civita symbol in $N$ , $varphi$ does not contribute to $N$ . As $Tr[q^{dagger}partial_i q]=0$ and $(q^{dagger}partial_i q)^{dagger}=-q^{dagger}partial_i q$ , $q^{dagger}partial_i q$ in geneeral has the form $q^{dagger}partia
            Read more