htaccess的浏览器警告后重定向只执行 [英] .htaccess redirect only executes after browser warning
问题描述
我有一个重写规则,迫使HTTPS和www。 SSL证书是该网站的www的版本。整个网站需要HTTPS。
I have a rewrite rule which forces HTTPS and www. The SSL certificate is for the www version of the site. The entire site needs to be HTTPS.
现在的问题是,如果该请求是 https://example.com/ 浏览器显示一个警告页面之前重定向可以执行。 (此连接不受信任在Firefox和这可能不是您要查找的网站!在Chrome)
The problem is that if the request is https://example.com/ the browser displays a warning page before the redirect can execute. ('This Connection is Untrusted' in Firefox and 'This is probably not the site that you are looking for!' in Chrome)
如果用户在Firefox中增加了一个异常或忽略浏览器的错误,重写规则执行,他们重定向到该网站的一个100%安全的网页www的版本。
If the user adds an exception in Firefox or ignores the error in Chrome, the rewrite rule executes and they are redirects to the www version of the site with a 100% secure page.
RewriteEngine on
RewriteCond %{HTTP_HOST} ^example.com$ [OR]
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
RewriteCond %{HTTP_HOST} ^www.example.com$
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
我一直在测试的规则在网站上以及在 http://martinmelin.se/rewrite-rule-测试仪/
我怎样才能在浏览器的警告之前执行重定向?
How can I get the redirect to execute before the browser warning?
推荐答案
从 https://example.com 重定向到的https:/ /www.example.com 只能发生在客户机已经取得了初步的成功请求 https://example.com 。
The redirection from https://example.com to https://www.example.com can only happen after the client has made an initial successful request to https://example.com.
这是因为HTTPS是在HTTP TLS / SSL(见 RFC 2818 ),它首先建立SSL / TLS任何HTTP通信之前,连接发送。 的mod_rewrite 将始终应用是建立在SSL / TLS连接之后。不这样做实际上是一个安全问题,因为攻击者可以重写和重定向客户端证书已被证实之前。即使TLS升级是在HTTP(RFC 2817,这几乎是从来没有使用过/支持,而不是HTTPS),你仍然要重定向到来自受信任的实体。
This is because HTTPS is HTTP over TLS/SSL (see RFC 2818), which first establishes the SSL/TLS connection before any HTTP traffic is sent. mod_rewrite will always apply after the SSL/TLS connection is established. Not doing so would actually be a security issue, since an attacker could rewrite and redirect the client before the certificate has been verified. Even if the TLS upgrade was within HTTP (RFC 2817, which is virtually never used/supported and is not https), you would still want the redirection to come from a trusted entity.
有关此初始连接到工作中,服务器 https://example.com 必须具有有效的 example.com ,否则,这种连接甚至不会发生(和服务器将不发送重定向响应)。
For this initial connection to work, the server at https://example.com must have a certificate valid for example.com, otherwise, this connection won't even happen (and the server won't send a redirection response).
要实现你的目标,你需要为 https://example.com 请求present有效期为 example.com证书和present有效期为 www.example的证书请求。 https://www.example.com .COM
To achieve your goal, you need requests for https://example.com to present a certificate valid for example.com and requests for https://www.example.com to present a certificate valid for www.example.com.
有两种解决方法:
- 在使用两个不同的证书为每个主机,通过使用不同的IP地址或通过使用服务器名称指示。这里的缺点是,不是所有的客户端都支持SNI,即使它变得更加普遍。
- 使用一个单独的证书有效期为两个
example.com和www.example.com。这可以通过让多个主题备用名称(SAN)的DNS条目的证书(它不会只用*。example.com由于句点是不行的实现通配符图案的一部分)。
- Using two distinct certificates for each hosts, either by using distinct IP addresses or by using Server Name Indication. The downside here is that not all clients support SNI, even if it's getting more common.
- Using a single certificate that is valid for both
example.comandwww.example.com. This can be achieved by getting a certificate with multiple Subject Alternative Name (SAN) DNS entries (it won't work with just*.example.comsince the dot isn't part of the wildcard pattern).
后者当然是最简单的解决方案。这是很常见的核证机关发出了对SAN项合格证书 example.com 和 www.example.com 时,你申请一个或另一个,有时并没有额外的费用。
The latter is certainly the easiest solution. It's quite common for CAs to issue certificates that have SAN entries for both example.com and www.example.com when you apply for one or the other, sometimes without an extra fee.
这篇关于htaccess的浏览器警告后重定向只执行的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
