Redirect to 'www' before ssl requirement

Problem description

Problem

I currently have the problem where https://domain.com does not redirect to https://www.domain.com and shows an untrusted ssl certificate.

This is related to "redirect to 'www' before force_ssl", which is a ruby-on-rails solution.

Question

Is there a way to redirect to the www domain before the SSL requirement kicks in?

I am using PHP.

Recommended answer

HTTPS is HTTP over TLS/SSL (see RFC 2818), which first establishes the SSL/TLS connection before any HTTP traffic is sent. Any redirection (via mod_rewrite, custom PHP code or other) will always apply after the SSL/TLS connection is established.

Not doing so would actually be a security issue, since an attacker could rewrite and redirect the client before the certificate has been verified.

If you want to redirect from https://domain.com to https://www.domain.com, the certificate obtained for https://domain.com must be valid for domain.com (and then, the certificate obtained for https://www.domain.com must be valid for www.domain.com).

(You could use two different certificates with Server Name Indication if the two hosts are served on the same IP address, but this is rather convoluted.)

The easiest would be to obtain a certificate that's valid for both domain.com and www.domain.com. This can be done using a single certificate with multiple Subject Alternative Name entries. Most CAs should be able to issue such certificates. Some do it without additional fee.
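
The check implied by the answer above, as an added example that is not part of the original answer: given the dNSName Subject Alternative Name entries of a certificate, it reports whether the certificate covers both the redirect source and the redirect target. The SAN lists are constructed samples, the function names are hypothetical, and it assumes the same certificate is served for both hostnames; the wildcard rule (entire leftmost label, exactly one label) follows RFC 6125.

```python
# Added example: which hostnames does a certificate's SAN list cover?
# SAN lists below are constructed samples, not taken from a real certificate.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")

def san_matches(pattern, host):
    """True if one dNSName SAN entry covers host.

    Wildcards are honoured only as the entire leftmost label and stand
    for exactly one label, so *.domain.com does not cover domain.com.
    """
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Conservative choice: require two fixed labels after "*" (no "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def coverage(sans, hosts):
    """Map each host to whether any SAN entry covers it."""
    return {host: any(san_matches(s, host) for s in sans) for host in hosts}

def redirect_is_clean(sans, source, target):
    """The TLS handshake for `source` completes before any HTTP redirect
    is sent, so the certificate must cover `source` as well as `target`."""
    result = coverage(sans, [source, target])
    return result[source] and result[target]

HOSTS = ("domain.com", "www.domain.com")
SAMPLES = {  # constructed SAN lists
    "www only": ["www.domain.com"],
    "wildcard only": ["*.domain.com"],
    "both names": ["domain.com", "www.domain.com"],
    "apex plus wildcard": ["domain.com", "*.domain.com"],
}

if __name__ == "__main__":
    for label, sans in SAMPLES.items():
        print(label, coverage(sans, HOSTS), redirect_is_clean(sans, *HOSTS))
```

The "www only" and "wildcard only" samples reproduce the situation in the question: the redirect target is covered, but the bare domain the client connects to first is not.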
