将 https://www 重定向到 https://non-www - 没有看到证书错误，可能吗? [英] Redirecting https://www to https://non-www - without seeing certificate error, possible?

问题描述

所以我的 SSL 证书只适用于 https://example.com - 而不是 https://www.example.com(不能抱怨，它是免费).

So my SSL certificate only applies to https://example.com - not https://www.example.com (can't complain, it was free).

在尝试 mod_rewrite 和大量阅读(主要来自 stackoverflow)之后，我有一个 .htaccess 文件，它可以满足我的大部分需求，这是该文件(当然，域已编辑).

After venturing into mod_rewrite and a lot of reading (mostly from stackoverflow) I have an .htaccess file that does most of what I need, here is that file (with domain redacted of course).

<IfModule mod_rewrite.c>
    RewriteEngine On

    #First rewrite any request to the wrong domain to use the correct one
    RewriteCond %{HTTP_HOST} !^subdomain\.
    RewriteCond %{HTTP_HOST} ^(www|ftp|mail)\.example\.com [NC]
    RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]

    #Redirect these subdomains to a subfolder
    RewriteCond %{HTTP_HOST} ^([^/.]+)\.example\.com$ 
    RewriteCond %1 !^(www|ftp|mail)$ [NC]
    RewriteRule (.+)$ "http://example.com/%1" [L,P]

    #Now, rewrite to HTTPS:
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

脚本包含对其功能的注释(我比你想象的更需要它们).并且正在重定向的子域的文件夹上还有一个额外的 .htaccess 文件(根 Web 文件夹中的子文件夹，具有匹配的子域名)以及我的 dns 服务器上的随附 dns 条目.该文件夹上的 .htaccess 只是将 http(端口 80)重定向到 https.

The script contains comments as to what it does (I need them more than you think). And there is an additional .htaccess file on the folder for the subdomain that is being redirected (a subfolder in the root web folder, with matching subdomain name) and the accompanying dns entry on my dns server. The .htaccess on that folder simply redirects http (port 80) to https.

目前，它可以满足我的需求，但我正在寻找更简单的方法来编写它.更简单地说，它也可能意味着更全局化(如果它比硬编码域更快)，并且是否可以从上述重写中获得任何速度改进.

At the moment, it does what I need but I'm looking for simpler ways to write this. And by simpler it could also mean more global (if it makes it faster than hardcoding domains) and if there are any speed improvements to gain from said rewrite.

如前所述，我的证书仅适用于非 www example.com 域，因此这将我带到第二个(但我的主要)问题.

As previously mentioned, my certificate is only for a non-www example.com domain so this brings me to the second (but my main) question.

像这样路由的流量:https://www.example.com 会在任何路由、重写等完成之前看到错误.这是因为此时还没有连接到 Web 服务器，对吗?这本质上是您的服务器移交您的证书，浏览器说:等一下！

Traffic that is routed like so: https://www.example.com will see the error before any routing, rewrite, etc is ever done. This is because a connection to the web server has not even happened at this point, correct? This is essentially your server handing your certificate over and the browser saying: wait a minute!

在浏览器发出证书错误之前，有没有办法防止流量以不正确的方式 (https://www) 访问您的服务器?

Is there a way to prevent traffic to hit your server the improper way (https://www) before the browser gives out a certificate error?

这不必仅限于 .htaccess 方法.

This does not have to be restricted to just the .htaccess method.

有没有办法做到这一点 - 完全?那是什么方式?

Is there a way to do this - at all? And what is that way?

我的条件有一些问题，并重写了不应该的查询.我也有一些重定向循环，所以前往 apache.org 进行研究；因此，作为跟踪所述更改的一种方式，现在是 .htaccess 文件:

I was having a few issues with my conditions and rewrites hitting queries it should not. I was also having a few redirect loops so headed over to apache.org to research that; so just as a way to keep track of said changes here is the .htaccess file now:

<IfModule mod_rewrite.c>
    RewriteEngine On

    # First rewrite any request to the wrong domain to use the correct one
    RewriteCond %{HTTP_HOST} ^(www|ftp|mail)\.example\.com$ [NC]
    RewriteRule ^(.*)$ http://example.com/$1

    # Redirect these subdomains to a subfolder
    RewriteCond %{HTTP_HOST} ^([^/.]+)\.example\.com$
    RewriteCond %{REQUEST_URI} !^([^/.]+)/([^/.]+)
    RewriteCond %1 !^(www|ftp|mail)$ [NC]
    RewriteRule ^(.*)$ http://example.com/%1$1 [L,NC,QSA]

    #Now, rewrite to HTTPS:
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_HOST} !^$
    RewriteCond %{HTTP_HOST} ^http://example\.com/$ [NC]
    RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [L,R,NE]
</IfModule>

推荐答案

在浏览器发出证书错误之前，有没有办法防止流量以不正确的方式(https://www)访问您的服务器?

Is there a way to prevent traffic to hit your server the improper way (https:// www) before the browser gives out a certificate error?

不，您无能为力，您的评估是正确的，浏览器查看服务器证书并发现主机不匹配并显示错误.该错误不是由服务器生成的，这发生在甚至将请求发送到服务器之前.这发生在 SSL 握手期间.您唯一能做的就是阻止现有的任何 http://www 链接，或者购买包含www"的新证书.

No, there's nothing you can do, your assessment is correct that the browser looks at the server certificate and sees that the host doesn't match and displays the error. The error isn't generated by the server, and this happens before a request is even sent to the server. This happens during the SSL handshake. The only things you can do are prevent any http://www links from existing, or buy a new certificate that includes "www".

至于您的规则，实际上没有办法简化它，因为每个规则都有多个条件.

As for your rules, there's really no way to simplify it since you have multiple conditions for each rule.

这篇关于将 https://www 重定向到 https://non-www - 没有看到证书错误，可能吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！