在Google App Engine上使用HTTPS SSL时,裸域重定向失败 [英] Naked Domain Redirect Failing when using HTTPS SSL on Google App Engine
问题描述
我们有一个网站:
www.feeltracker.com
这是在Google上运行的App Engine
在Google App Engine上,我们设置了Naked Domain转发设置,因此:
重定向至
然而,当我们尝试在Chrome中打开以下地址时:
https://feeltracker.com (请注意HTTPS)
我们收到一个Google错误页面,其中包含以下消息:
Google
404.这是一个错误。
请求的URL /在此服务器上找不到。我们知道的就这些。
有谁知道我们如何确保 https://feeltracker.com 重定向到www.feeltracker.com?
请注意,在尝试打开
feeltracker。 com使用无效的安全证书。
此证书仅对以下名称有效:
* .google.com,* .android.com,* .appengine.google.com,* .cloud.google.com, * .google-analytics.com,* .google.ca,* .google.cl,* .google.co.in,* .google.co.jp,* .google.co.uk,* .google.com。 ar,* .google.com.au,* .google.com.br,* .google.com.co,* .google.com.mx,* .google.com.tr,* .google.com.vn, * .google.de,* .google.es,* .google.fr,* .google.hu,* .google.it,* .google.nl,* .google.pl,* .google.pt,*。 googleapis.cn,* .googlecommerce.com,* .gstatic.com,* .urchin.com,* .url.google.com,* .youtube-nocookie.com,* .youtube.com,* .youtubeeducation.com, * .ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com
(错误代码:ssl_error_bad_cert_domain)
请注意,我们正在使用SNI SSL证书功能在Google App Engine上使用我们上传的证书TE。
当我们通过 http://www.digicert.com/help/ 运行SSL诊断程序时,我们得到以下结果:
证书与名称不符feeltracker.com
主题* .google.com
有效期从2013年7月2日至2013年10月31日
发行人Google互联网管理局
Google互联网管理局标题
有效期从12月/ 12月/ 2012年至2013年12月31日
发行人Equifax
任何想法为什么 https://feeltracker.com 未能使用正确的证书,而www.feeltracker.com和 http://www.feeltracker.com 如期与我们的SSL证书一起工作? 2015年
看来现在可以按照论坛帖子和 Issue 10802
以下适用的信息在下面...
目前不支援。 裸域重定向是一种解决方法,仅适用于http,您可能请注意,您需要将DNS的具体IP地址与ghs.googlehosted.com的方法和IP地址不同。
这似乎表明它是谷歌基础设施的不同部分,他们还没有设法使他们一致或协同工作。我还没有看到有关他们什么时候解决这个问题的任何细节,因此可能需要等待很长时间。例如自2009年起的相关文章
赤裸裸的域名支持,所以当这个问题得到解决后,这个问题可能也解决了。
由于Google无法在其裸域重定向器上正确提供您的证书,因此现在有以下选项可供选择:
-
制作/提供您自己的反向代理(Apache httpd,varnish等)或使用反向代理服务(例如 CloudFlare )并指出你的裸体域名。你需要在反向代理上安装你的SSL,客户端将连接到你的裸站(没有证书错误),你可以将所有流量代理到你的真实站点。它可能会创建一个单一的故障点和成本取决于你使用的。
-
租一个廉价的VPS,你安装一个Web服务器,你的证书和一个重定向脚本 https://www.feeltracker.com 。在DNS中将裸域映射到该服务器。它可以是一个非常便宜的Linux服务器,因为重定向的要求非常低。
找到一个支持https的域名重定向服务,并允许您上传您的证书。可悲的是我还没有意识到。 -
使用 VIP (虚拟IP)SSL并在DNS中为您的裸域进行配置。我没有测试过自己,但似乎应该可以工作,但我确实发现了一条旧评论这里,它可能不会。有人测试过吗?但是,据我所知,DNS条目的TTL只有300(5分钟),Google不会提供建议,所以即使它工作正常,也可能需要一些脚本来更新DNS条目,因为它有很大的可能性不时变化。如果确实有效,那么像 DNSSimple 这样的DNS提供商就可以使用API。
也许第二个选项最适用于您的情况,因为您似乎不介意裸域(对于许多问题,这是一个问题)。
我最近发现了一个很好的例子: https:// khanacademy。 org / 他们似乎使用上述第二个选项的Amazon EC2主机。
https:// khanacademy .org /正在解析khanacademy.org ... 107.20.223.238
连接到khanacademy.org | 107.20.223.238 |:443 ...已连接。
警告:无法验证由/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,Inc./OU=http://certificates.godaddy.com/发布的khanacademy.org证书repository / CN = Go Daddy Secure Certification Authority / serialNumber = 07969287:无法在本地验证颁发者的权限。警告:证书通用名称* .khanacademy.org与请求的主机名称khanacademy.org不匹配。
发送HTTP请求,等待响应... 301移动
永久位置:https://www.khanacademy.org/ [关闭]
https://www.khanacademy.org/解析www.khanacademy.org ...
72.14.249.132连接到www.khanacademy.org | 72.14.249.132 |:443 ...已连接。
whois 107.20.223.238
OrgName:Amazon.com,Inc.
OrgId:AMAZO-4
地址:Amazon Web Services,Elastic Compute Cloud,EC2
截至2014年4月12日,Google似乎取得了一些进展,现在允许映射非Google Apps域(请参阅 issue 8517 ),尽管SSL似乎不适用于该方法(请参阅问题10794 )。
We've got a website:
www.feeltracker.com
This is running on Google App Engine
On Google App Engine, we have Naked Domain forwarding setup, so that:
redirects to
However, when we try to open the following address in Chrome:
https://feeltracker.com (notice the HTTPS)
We get a Google error page with the following message:
Google
404. That’s an error.
The requested URL / was not found on this server. That’s all we know.
Does anyone know how we can ensure https://feeltracker.com redirects to www.feeltracker.com?
Note that in Firefox we get the following additional information when trying to open https://feeltracker.com:
feeltracker.com uses an invalid security certificate.
The certificate is only valid for the following names:
*.google.com , *.android.com , *.appengine.google.com , *.cloud.google.com , *.google-analytics.com , *.google.ca , *.google.cl , *.google.co.in , *.google.co.jp , *.google.co.uk , *.google.com.ar , *.google.com.au , *.google.com.br , *.google.com.co , *.google.com.mx , *.google.com.tr , *.google.com.vn , *.google.de , *.google.es , *.google.fr , *.google.hu , *.google.it , *.google.nl , *.google.pl , *.google.pt , *.googleapis.cn , *.googlecommerce.com , *.gstatic.com , *.urchin.com , *.url.google.com , *.youtube-nocookie.com , *.youtube.com , *.youtubeeducation.com , *.ytimg.com , android.com , g.co , goo.gl , google-analytics.com , google.com , googlecommerce.com , urchin.com , youtu.be , youtube.com , youtubeeducation.com
(Error code: ssl_error_bad_cert_domain)
Note that we are using the SNI SSL certificate capability on Google App Engine with our uploaded certificate. When we run SSL diagnostics via http://www.digicert.com/help/ we get the following:
Certificate does not match name feeltracker.com
Subject *.google.com
Valid from 02/Jul/2013 to 31/Oct/2013
Issuer Google Internet Authority
Subject Google Internet Authority
Valid from 12/Dec/2012 to 31/Dec/2013
Issuer Equifax
Any ideas why https://feeltracker.com fails to use the correct certificate, whereas www.feeltracker.com and http://www.feeltracker.com work as expected with our SSL certificate?
Update 16 Sept 2015
It appears this may now work as per Forum post and Issue 10802
Previously applicable info below...
Currently it's not supported. The naked domain redirect is a workaround only for http and you'll probably notice that specific IP addresses you need to be put in your DNS for that differ from the approach and IP addresses for ghs.googlehosted.com.
This seems to indicate that it's different parts of Google's infrastructure and they haven't yet managed to make them consistent or work together. I haven't seen any details on when they will resolve this so it might be a long wait. e.g. Related post from 2009
There is an "acknowledged" issue for Naked domain support so when that's fixed then likely this issue also resolved.
As Google is not going to correctly serve your certificate on their naked domain redirector then for now there are these options that I see:
Make/provide your own reverse proxy (Apache httpd, varnish etc) or use a reverse proxy service (eg. CloudFlare) and point your naked domain there. You'd install your SSL on the reverse proxy, clients would connect there for your naked domain (no certificate errors) and you'd proxy all traffic to your real site. It might create a single point of failure and costs depending what you use.
Rent a cheap VPS where you install a web server, your cert and a redirect script to https://www.feeltracker.com. In DNS map your naked domain to that server. It can be a really cheap linux server as requirements just to redirect are very low.
Find a domain redirect service that supports https and allows you to upload your certificate. Sadly I'm not aware of any.
Use VIP (Virtual IP) SSL and configure it in DNS for your naked domain. I haven't tested myself but it seems it should work, although I did find a old comment here that it may not. Has someone tested? NOTE however as far as I could see the DNS entry has a TTL of just 300 (5mins) and Google doesn't advise it, so even if it did work you might need some scripts to update your DNS entries as there's a strong chance it changes from time to time. If it does work then DNS providers like DNSSimple have an API so it would be possible.
Probably the second option is most applicable in your case as you don't seem to mind about the naked domain (which for many is an issue).
I recently found a good example: https://khanacademy.org/ They appear to use an Amazon EC2 host as per the second option above.
https://khanacademy.org/ Resolving khanacademy.org... 107.20.223.238
Connecting to khanacademy.org|107.20.223.238|:443... connected.
WARNING: cannot verify khanacademy.org’s certificate, issued by "/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287": Unable to locally verify the issuer’s authority. WARNING: certificate common name "*.khanacademy.org" doesn’t match requested host name "khanacademy.org".
HTTP request sent, awaiting response... 301 Moved
Permanently Location: https://www.khanacademy.org/ [following]
https://www.khanacademy.org/ Resolving www.khanacademy.org...
72.14.249.132 Connecting to www.khanacademy.org|72.14.249.132|:443... connected.
whois 107.20.223.238
OrgName: Amazon.com, Inc.
OrgId: AMAZO-4
Address: Amazon Web Services, Elastic Compute Cloud, EC2
As of 12 April 2014 it looks like Google makes some progress and now allows mapping of non Google Apps domains (seeissue 8517), although SSL appears not to work for that method yet (see issue 10794 for tracking that).
这篇关于在Google App Engine上使用HTTPS SSL时,裸域重定向失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
