如何在不触发浏览器SSL检查的情况下重定向www流量？ [英] How do I redirect www traffic without triggering browsers SSL check?

问题描述

我有一个有效的example.com证书。如果用户通过 http://example.com 访问我的网站，他们会被重定向到 https://example.com ，一切都很好。如果他们访问 https://example.com ，一切都很好。如果他们甚至去 http://www.example.com ，他们会被重定向到 https://example.com ，一切都很好。

然而，如果他们去了 https://www.example.com ，Chrome会触发其SSL警告，然后我可以重定向并告知用户不要相信这个网站。我在Safari或Firefox中没有这个问题。

这是我的nginx配置。我做错了什么？

```

 ＃配置用于将非ssl重定向到ssl; 
 
服务器{
 listen *：80; 
 listen [::]：80; 
 server_name example.com; 
返回301 https：//example.com$request_uri; 
} 
 
＃将www重定向到非www的配置; 
 
服务器{
 server_name www.example.com; 
 ssl_certificate ssl / ssl_cert.crt; 
 ssl_certificate_key ssl / ssl_key.key; 
听*：80; 
听*：443 ssl spdy; 
监听[::]：80 ipv6only = on; 
 listen [::]：443 ssl spdy ipv6only = on; 
 
返回301 https：//example.com$request_uri; 
} 
 
服务器{
 listen *：443 ssl spdy; 
 listen [::]：443 ssl spdy; 
 ssl_certificate ssl / ssl_cert.crt; 
 ssl_certificate_key ssl / ssl_key.key; 
 server_name example.com; 
} 
  

```

<编辑：我看到这是一个有问题的配置，因为第二个块会查看证书。使用从example.com而不是www.example.com读取的证书进行设置的正确方法是什么？ 如果您的证书仅适用于example.com，而不适用于www.example.com，则任何对www.example的访问都是如此。 com将触发证书警告，无论你是否只是重定向它。重定向是在HTTP级完成的，并且在它谈到HTTP之前，它首先执行SSL握手（这触发了问题），因为HTTPS只是SSL内部的HTTP。

你问，使用DNS的技巧（如CNAME）也无济于事，因为浏览器会将该证书与URL中的名称进行比较，而不是针对可能的DNS别名进行比较。没有办法获得适当的证书。

I have a valid certificate for example.com. If users go to my site at http://example.com, they get redirected to https://example.com and all is good. If they go to https://example.com, all is good. If they even go to http://www.example.com, they get redirected to https://example.com and all is good.

However, if they go to https://www.example.com, Chrome triggers its SSL warning before I can redirect and tells the user to not trust this site. I don't have this problem in Safari or Firefox.

Here's my nginx configuration. What am I doing wrong?

```

# Configuration for redirecting non-ssl to ssl;                                                                                                                                                         

server {
    listen *:80;
    listen [::]:80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}       

# Configuration for redirecting www to non-www; 

server {    
    server_name www.example.com;
    ssl_certificate ssl/ssl_cert.crt;
    ssl_certificate_key ssl/ssl_key.key;
    listen *:80;
    listen *:443 ssl spdy;    
    listen [::]:80 ipv6only=on;
    listen [::]:443 ssl spdy ipv6only=on;

    return 301 https://example.com$request_uri;
} 

server {
    listen *:443 ssl spdy;   
    listen [::]:443 ssl spdy;
    ssl_certificate ssl/ssl_cert.crt;
    ssl_certificate_key ssl/ssl_key.key;
    server_name example.com;
}

```

EDIT: I see that this is a problematic configuration because the second block will look at the certs. What's the proper way to set this up with a cert that reads from "example.com" rather than "www.example.com"?

解决方案

If your certificate is for example.com only and not for www.example.com then any access to www.example.com will trigger a certificate warning, no matter if you want just redirect it or not. Redirection is done at the HTTP level and before it talks HTTP it first does the SSL handshake (which triggers the problem), because HTTPS is just HTTP inside SSL.

And before you ask, tricks with DNS (like CNAME) will not help either because the browser will compare the certificate against the name in the URL, not against possible DNS alias names. There is simply no way around getting a proper certificate.

这篇关于如何在不触发浏览器SSL检查的情况下重定向www流量？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！