Redirect to 'www' before ssl requirement


Problem description

Problem

I currently have the problem where https://domain.com does not redirect to https://www.domain.com and shows an untrusted ssl certificate.

This is related to "redirect to 'www' before force_ssl", which is a ruby-on-rails solution.

Question

Is there a way to redirect to the www domain before the SSL requirement kicks in?

I'm using PHP.

Recommended answer

HTTPS is HTTP over TLS/SSL (see RFC 2818), which first establishes the SSL/TLS connection before any HTTP traffic is sent. Any redirection (via mod_rewrite, custom PHP code or other) will always apply after the SSL/TLS connection is established.

Not doing so would actually be a security issue, since an attacker could rewrite and redirect the client before the certificate has been verified.

If you want to redirect from https://domain.com to https://www.domain.com, the certificate obtained for https://domain.com must be valid for domain.com (and then, the certificate obtained for https://www.domain.com must be valid for www.domain.com).

(You could use two different certificates with Server Name Indication if the two hosts are served on the same IP address, but this is rather convoluted.)

The easiest would be to obtain a certificate that's valid for both domain.com and www.domain.com. This can be done using a single certificate with multiple Subject Alternative Name entries. Most CAs should be able to issue such certificates. Some do it without additional fee.
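
The coverage requirement in the answer above, as an added example that is not part of the original answer: a simplified check of which host in the redirect chain fails certificate validation first. The certificate dictionaries, function names and hop list are constructed for illustration, shaped like the output of Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example. Simplified SAN matching: DNS entries only, no IDN handling,
# and a wildcard is honoured only as the entire leftmost label.

def san_dns_names(cert):
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Match one SAN entry against a hostname, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*.domain.com' never covers the bare 'domain.com'
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_covers(cert, host):
    return any(name_matches(n, host) for n in san_dns_names(cert))

def first_untrusted_hop(served_certs, hops):
    """Return the first host in the redirect chain whose certificate does not
    cover it, or None. The TLS handshake for that host fails validation
    before the client can read any redirect the server would send."""
    for host in hops:
        cert = served_certs.get(host)
        if cert is None or not cert_covers(cert, host):
            return host
    return None

# Constructed certificates (only the field this check reads).
WWW_ONLY = {"subjectAltName": (("DNS", "www.domain.com"),)}
WILDCARD = {"subjectAltName": (("DNS", "*.domain.com"),)}
BOTH = {"subjectAltName": (("DNS", "domain.com"), ("DNS", "www.domain.com"))}

# https://domain.com -> https://www.domain.com
HOPS = ["domain.com", "www.domain.com"]

if __name__ == "__main__":
    for label, cert in (("www only", WWW_ONLY), ("wildcard", WILDCARD),
                        ("both SANs", BOTH)):
        served = {h: cert for h in HOPS}  # same certificate on both hosts
        print(label, "->", first_untrusted_hop(served, HOPS) or "chain trusted")
```
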
