Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
679 views
in Technique[技术] by (71.8m points)

google chrome - How do I redirect www traffic without triggering browsers SSL check?

I have a valid certificate for example.com. If users go to my site at http://example.com, they get redirected to https://example.com and all is good. If they go to https://example.com, all is good. If they even go to http://www.example.com, they get redirected to https://example.com and all is good.

However, if they go to https://www.example.com, Chrome triggers its SSL warning before I can redirect and tells the user to not trust this site. I don't have this problem in Safari or Firefox.

Here's my nginx configuration. What am I doing wrong?

```

# Configuration for redirecting non-ssl to ssl;                                                                                                                                                         

server {
    listen *:80;
    listen [::]:80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}       

# Configuration for redirecting www to non-www; 

server {    
    server_name www.example.com;
    ssl_certificate ssl/ssl_cert.crt;
    ssl_certificate_key ssl/ssl_key.key;
    listen *:80;
    listen *:443 ssl spdy;    
    listen [::]:80 ipv6only=on;
    listen [::]:443 ssl spdy ipv6only=on;

    return 301 https://example.com$request_uri;
} 

server {
    listen *:443 ssl spdy;   
    listen [::]:443 ssl spdy;
    ssl_certificate ssl/ssl_cert.crt;
    ssl_certificate_key ssl/ssl_key.key;
    server_name example.com;
}

```

EDIT: I see that this is a problematic configuration because the second block will look at the certs. What's the proper way to set this up with a cert that reads from "example.com" rather than "www.example.com"?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

If your certificate is for example.com only and not for www.example.com then any access to www.example.com will trigger a certificate warning, no matter if you want just redirect it or not. Redirection is done at the HTTP level and before it talks HTTP it first does the SSL handshake (which triggers the problem), because HTTPS is just HTTP inside SSL.

And before you ask, tricks with DNS (like CNAME) will not help either because the browser will compare the certificate against the name in the URL, not against possible DNS alias names. There is simply no way around getting a proper certificate.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...