子域的 https 证书问题 [英] https certificate issue with subdomain

问题描述

我的应用程序在负载均衡器后面的 EC2 上运行.已获得 www.example.com 和 *.example.com 的 https 证书.

I have my application running on EC2 behind the load balancer. Have got https certificate for www.example.com and *.example.com.

应用程序在 http 上运行，但 https 已在负载均衡器中设置.

Application is running on http but https is been setup in load balancer.

我已根据公司在我的应用程序中添加了子域支持.

I have added sub-domain support in my application based on the company.

例如，对于公司 XYZ，https://XYZ.example.com.

Like, https://XYZ.example.com for company XYZ.

如果我使用 https://XYZ.example.com 访问，它工作正常.

If i access using, https://XYZ.example.com, its working fine.

如果我使用 https://www.XYZ.example.com 访问，浏览器会发出警告，例如,

If I access using, https://www.XYZ.example.com, browser warns like,

www.arun.contactcentral.io 的所有者对其网站的配置不正确.为保护您的信息不被盗用，Firefox 未连接到该网站."

"The owner of www.arun.contactcentral.io has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website."

但是，如果我访问 https://www.example.com，它工作正常.

But, If i access https://www.example.com, it works fine.

虽然，我已经获得了 *.example.com 的认证，但即使我访问 www.XYZ.example.com 也无法使用.

Though, I have got certification for *.example.com, it doesnt work even i access www.XYZ.example.com.

我有一个过滤器来处理 http 到 https 方向，但它仍然没有从 url 过滤 WWW.

I have a filter to handle http to https direction, but still it is not filtering WWW from the url.

public class HttpsFilter implements Filter {

    private static final String HTTP = "http";

    private static final String HTTPS = "https";

    private static final String X_FORWARDED_PROTO = "X-Forwarded-Proto";

    @Override
    public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain) throws IOException, ServletException {


        HttpServletRequest request = (HttpServletRequest)req;

        HttpServletResponse httpResponse = (HttpServletResponse) res;

        String xfp = request.getHeader(X_FORWARDED_PROTO);

        if (HTTPS.equals(xfp)) {
            //httpResponse.setHeader("Strict-Transport-Security", "max-age=60");

            chain.doFilter(req, res);
            return;
        }
        else if (HTTP.equals(xfp)) {

            String serverUrl = HTTPS+"://"+req.getServerName()+((HttpServletRequest)req).getServletPath();

            httpResponse.sendRedirect(serverUrl);
            return;
        }

    }

}

谢谢，巴斯卡.S

推荐答案

通配符 SSL 证书将仅匹配一级子域(除非在非常罕见且不受支持的情况下).通配符星号将不匹配.(点).

Wildcard SSL certificates will match only ONE level of subdomains (except in very rare and not well supported cases). The wildcard asterisk will not match . (dot).

因此，*.example.com 的证书将匹配

So, a certificate for *.example.com WILL match

• www.example.com
• xyz.example.com
• some-really-long-name.example.com

但它不会匹配

• example.com
• www.xyz.example.com
• abc.def.ghi.example.com

如果要匹配 www.xyz.example.com 和 xyz.example.com，则需要两个不同的证书.

If you want to match www.xyz.example.com and xyz.example.com, you will need two different certificates.

https://en.wikipedia.org/wiki/Wildcard_certificate#Limitation

这篇关于子域的 https 证书问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！