如何在不触发浏览器 SSL 检查的情况下重定向 www 流量? [英] How do I redirect www traffic without triggering browsers SSL check?

问题描述

我有 example.com 的有效证书.如果用户通过 http://example.com 访问我的网站，他们会被重定向到 https://example.com 一切都很好.如果他们访问 https://example.com，一切都很好.如果他们甚至去 http://www.example.com，他们会被重定向到 https://example.com 一切都很好.

I have a valid certificate for example.com. If users go to my site at http://example.com, they get redirected to https://example.com and all is good. If they go to https://example.com, all is good. If they even go to http://www.example.com, they get redirected to https://example.com and all is good.

但是，如果他们转到 https://www.example.com，Chrome 会在之前触发其 SSL 警告我可以重定向并告诉用户不要信任该站点.我在 Safari 或 Firefox 中没有这个问题.

However, if they go to https://www.example.com, Chrome triggers its SSL warning before I can redirect and tells the user to not trust this site. I don't have this problem in Safari or Firefox.

这是我的 nginx 配置.我做错了什么?

Here's my nginx configuration. What am I doing wrong?

```

# Configuration for redirecting non-ssl to ssl;                                                                                                                                                         

server {
    listen *:80;
    listen [::]:80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}       

# Configuration for redirecting www to non-www; 

server {    
    server_name www.example.com;
    ssl_certificate ssl/ssl_cert.crt;
    ssl_certificate_key ssl/ssl_key.key;
    listen *:80;
    listen *:443 ssl spdy;    
    listen [::]:80 ipv6only=on;
    listen [::]:443 ssl spdy ipv6only=on;

    return 301 https://example.com$request_uri;
} 

server {
    listen *:443 ssl spdy;   
    listen [::]:443 ssl spdy;
    ssl_certificate ssl/ssl_cert.crt;
    ssl_certificate_key ssl/ssl_key.key;
    server_name example.com;
}

```

我发现这是一个有问题的配置，因为第二个块将查看证书.使用从example.com"而不是www.example.com"读取的证书进行设置的正确方法是什么?

I see that this is a problematic configuration because the second block will look at the certs. What's the proper way to set this up with a cert that reads from "example.com" rather than "www.example.com"?

推荐答案

如果您的证书仅用于 example.com 而不是用于 www.example.com 那么任何对 www.example.com 的访问都会触发证书警告，不不管你是否只想重定向它.重定向是在 HTTP 级别完成的，在它与 HTTP 通信之前，它首先进行 SSL 握手(这会触发问题)，因为 HTTPS 只是 SSL 内部的 HTTP.

If your certificate is for example.com only and not for www.example.com then any access to www.example.com will trigger a certificate warning, no matter if you want just redirect it or not. Redirection is done at the HTTP level and before it talks HTTP it first does the SSL handshake (which triggers the problem), because HTTPS is just HTTP inside SSL.

在您询问之前，使用 DNS 的技巧(如 CNAME)也无济于事，因为浏览器会将证书与 URL 中的名称进行比较，而不是与可能的 DNS 别名进行比较.根本没有办法获得适当的证书.

And before you ask, tricks with DNS (like CNAME) will not help either because the browser will compare the certificate against the name in the URL, not against possible DNS alias names. There is simply no way around getting a proper certificate.

这篇关于如何在不触发浏览器 SSL 检查的情况下重定向 www 流量?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！