Naked Domain Redirect Failing when using HTTPS SSL on Google App Engine

Problem description

We have a website:

www.feeltracker.com

This is running on Google App Engine

On Google App Engine, we have Naked Domain forwarding setup, so that:

http://feeltracker.com

redirects to

http://www.feeltracker.com

However, when we try to open the following address in Chrome:

https://feeltracker.com (note the HTTPS)

We get a Google error page with the following message:

Google
404. That’s an error.

The requested URL / was not found on this server. That’s all we know.

Does anyone know how we can ensure https://feeltracker.com redirects to www.feeltracker.com?

Note that in Firefox we get the following additional information when trying to open https://feeltracker.com:

feeltracker.com uses an invalid security certificate.

The certificate is only valid for the following names:
*.google.com , *.android.com , *.appengine.google.com , *.cloud.google.com , *.google-analytics.com , *.google.ca , *.google.cl , *.google.co.in , *.google.co.jp , *.google.co.uk , *.google.com.ar , *.google.com.au , *.google.com.br , *.google.com.co , *.google.com.mx , *.google.com.tr , *.google.com.vn , *.google.de , *.google.es , *.google.fr , *.google.hu , *.google.it , *.google.nl , *.google.pl , *.google.pt , *.googleapis.cn , *.googlecommerce.com , *.gstatic.com , *.urchin.com , *.url.google.com , *.youtube-nocookie.com , *.youtube.com , *.youtubeeducation.com , *.ytimg.com , android.com , g.co , goo.gl , google-analytics.com , google.com , googlecommerce.com , urchin.com , youtu.be , youtube.com , youtubeeducation.com  

(Error code: ssl_error_bad_cert_domain)

Note that we are using the SNI SSL certificate capability on Google App Engine with our uploaded certificate. When we run SSL diagnostics via http://www.digicert.com/help/ we get the following:

Certificate does not match name feeltracker.com


Subject *.google.com
Valid from 02/Jul/2013 to 31/Oct/2013
Issuer  Google Internet Authority


Subject Google Internet Authority
Valid from 12/Dec/2012 to 31/Dec/2013
Issuer  Equifax

Any ideas why https://feeltracker.com fails to use the correct certificate, whereas www.feeltracker.com and http://www.feeltracker.com work as expected with our SSL certificate?

Recommended answer

Update, 16 September 2015

It appears this is now possible as per forum post issue 10802.

Previously applicable info below...

Currently it's not supported. The naked domain redirect is a workaround only for http and you'll probably notice that the specific IP addresses you need to put in your DNS for that differ from the approach and IP addresses for ghs.googlehosted.com.

This seems to indicate that it's different parts of Google's infrastructure and they haven't yet managed to make them consistent or work together. I haven't seen any details on when they will resolve this so it might be a long wait. e.g. Related post from 2009

There is an "acknowledged" issue for Naked domain support so when that's fixed then likely this issue is also resolved.

As Google is not going to correctly serve your certificate on their naked domain redirector then for now there are these options that I see:

  • Make/provide your own reverse proxy (Apache httpd, varnish etc) or use a reverse proxy service (eg. CloudFlare) and point your naked domain there. You'd install your SSL on the reverse proxy, clients would connect there for your naked domain (no certificate errors) and you'd proxy all traffic to your real site. It might create a single point of failure and costs depending what you use.

  • Rent a cheap VPS where you install a web server, your cert and a redirect script to https://www.feeltracker.com. In DNS map your naked domain to that server. It can be a really cheap Linux server as requirements just to redirect are very low.

  • Find a domain redirect service that supports https and allows you to upload your certificate. Sadly I'm not aware of any.

  • Use VIP (Virtual IP) SSL and configure it in DNS for your naked domain. I haven't tested myself but it seems it should work, although I did find an old comment here that it may not. Has someone tested? NOTE however as far as I could see the DNS entry has a TTL of just 300 (5mins) and Google doesn't advise it, so even if it did work you might need some scripts to update your DNS entries as there's a strong chance it changes from time to time. If it does work then DNS providers like DNSSimple have an API so it would be possible.

Probably the second option is most applicable in your case as you don't seem to mind about the naked domain (which for many is an issue).

I recently found a good example: https://khanacademy.org/ They appear to use an Amazon EC2 host as per the second option above.

https://khanacademy.org/
Resolving khanacademy.org... 107.20.223.238
Connecting to khanacademy.org|107.20.223.238|:443... connected.
WARNING: cannot verify khanacademy.org’s certificate, issued by "/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287":
  Unable to locally verify the issuer’s authority.
WARNING: certificate common name "*.khanacademy.org" doesn’t match requested host name "khanacademy.org".
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.khanacademy.org/ [following]
https://www.khanacademy.org/
Resolving www.khanacademy.org... 72.14.249.132
Connecting to www.khanacademy.org|72.14.249.132|:443... connected.

whois 107.20.223.238
OrgName:        Amazon.com, Inc.
OrgId:          AMAZO-4
Address:        Amazon Web Services, Elastic Compute Cloud, EC2

As of 12 April 2014 it looks like Google makes some progress and now allows mapping of non Google Apps domains (see issue 8517), although SSL appears not to work for that method yet (see issue 10794 for tracking that).
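
Added example (not part of the original question or answer): a Python check that reproduces the two name-mismatch results shown above, the Firefox ssl_error_bad_cert_domain for feeltracker.com and the wget warning for khanacademy.org, and can be run against the names on a certificate before pointing a naked domain at a redirect host. The matching rules are a simplified form of RFC 6125 as browsers apply them; the function names and the FIXED_NAMES list are assumptions made for illustration.

```python
def name_matches(pattern, hostname):
    """True if one certificate DNS name covers hostname.

    Simplified RFC 6125: case-insensitive, and "*" is honoured only as the
    whole left-most label, where it stands for exactly one label.
    """
    p = pattern.strip().lower().rstrip(".").split(".")
    h = hostname.strip().lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if any("*" in label for label in p[1:]):
        return False                      # wildcard outside the first label
    if p[0] == "*":
        # Need two fixed labels after the wildcard so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False                      # partial wildcard such as "w*"
    return p == h


def covering_names(cert_names, hostname):
    """Names on the certificate that make the TLS name check pass."""
    return [n for n in cert_names if name_matches(n, hostname)]


def diagnose(cert_names, hostname):
    """Classify the result of the name check for hostname."""
    if covering_names(cert_names, hostname):
        return "ok"
    wildcard_for_children = "*." + hostname.lower().rstrip(".")
    if wildcard_for_children in (n.strip().lower() for n in cert_names):
        # Certificate covers sub-domains only; the naked domain needs its
        # own entry next to the wildcard.
        return "wildcard-only"
    return "wrong-certificate"


# A few of the names Firefox listed for the certificate served on
# https://feeltracker.com (taken from the error message above).
GOOGLE_DEFAULT_NAMES = ["*.google.com", "*.appengine.google.com",
                        "*.cloud.google.com", "google.com", "g.co"]
# Common name from the wget warning above.
KHAN_NAMES = ["*.khanacademy.org"]
# Constructed: what a certificate on the redirect host would need to list.
FIXED_NAMES = ["feeltracker.com", "www.feeltracker.com"]

if __name__ == "__main__":
    print(diagnose(GOOGLE_DEFAULT_NAMES, "feeltracker.com"))
    print(diagnose(KHAN_NAMES, "khanacademy.org"))
    print(diagnose(FIXED_NAMES, "feeltracker.com"))
```

The redirect host answers the TLS handshake before it can send the 301, so its certificate has to pass this check for the naked domain itself, not only for www.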
