I have a wildcard certificate for *.domainname.com. I know that TLS sessions are set up before any URL rewrite rules happen. I have the URL test.domainname.com working fine and redirecting to https. But what happens when someone may type in www.test.domainname.com. Now they get "Your connection is not private" because the www adds one more level and makes the wildcard certificate invalid. I would like to strip out the www with a rule but the SSL check happens first. How do people handle this so that all URLs end up at the same place with no errors?!? I am using Windows Server and IIS...
Related
I've been using Heroku to host and manage a website of mine that requires an SSL certificate. For the last year and a half I've been using ZerigoDNS to manage my domain and SSL redirecting (although, redirecting from non-https, non-www to https and www does not work).
I just got a notice from Heroku that they will be shutting down ZerigoDNS soon and they recommend switching to PointDNS. I couldn't find any information in the PointDNS documentation about managing SSL redirects.
Here's what I'm looking to do:
non-www non-https redirects to https and www
non-https redirects to https and www
https but non-www redirects to https and www
The reason everything needs to be forwarded to https and www is that's what the ssl cert was created for (the www is required. I don't have a wildcard certificate).
Does anyone familiar with PointDNS know how to to set up the records and redirects properly?
Thanks in advance!
Regarding non-www to www redirects, I just got that to work as follows:
First, you must add both www.your-domain.com and your-domain.com as custom domains.
heroku domains:add andrewpuglionesi.com
heroku domains:add www.andrewpuglionesi.com
I have a CNAME record with name www.my-domain.com.. The text in its data field is my-heroku-domain.herokuapp.com. I also have an alias record with the name my-domain.com., and I made its data field www.my-domain.com. In other words, the alias just points to the CNAME.
I don't know if this is well-advised, but it seems to work (and without sticking www in the user's URL, at that). It simply solves the problem where you can't access pages other than the index without having www there). I like how Heroku and PointDNS' documentation both say you can easily do redirects and then don't actually explain how to... I guess this is one way.
I've previously been able to force https protocol through the backend of a Django site. I can't remember the exact method I used, but you might be able to do it without the DNS stuff.
First, add both www.your-domain.com and your-domain.com as custom domains under settings or run below commands
heroku domains:add domainname.com
heroku domains:add www.domainname.com
For redirection, you need to do it via server, eg. if you are using apache you can achieve redirections via .htacess file.
Also, you can only redirect non-www to www with pointDNS redirect option
I have ordered an SSL certificate which covers my root domain only and it can be successfully accessed through https://domain.com.
I have created a redirection from all requests from https://www.domain.com to the root domain.
However, when trying to access https://www.domain.com which was supposed to get redirected to https://domain.com the browser returns the following warning mentioning about a security risk of proceeding with the navigation:
This is probably not the site your are looking for!
You attempted to reach www.domain.com, but instead you actually reached a server identifying itself as domain.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of www.domain.com.
You should not proceed, especially if you have never seen this warning before for this site.
Is it somehow possible to redirect from www to the root domain using HTTPS without having to order another SSL certificate for www only for redirections?
PS: domain.com is just a placeholder to help illustrating the question.
Unfortunately SSL certificate negotiation happens before mod_rewrite rules come into effect. THerefore even before your 301 rule can redirect URIs to non-www domain, browser has already received certs for non-www while still on www domain. That is the point it shows that dreaded warning to visitor that cert is invalid.
You have 2 options:
(Recommended) Most of the certs these days allow you to use www with TLD, check with your provided if this is the option.
Go for wildcard certs (more expensive).
I have a Debian server which is running a number of client sites. Most of these are not running SSL so accessing by HTTP is fine.
I have one customer with an SSL certificate and accessing their site via HTTPS is fine too.
The problem comes if you try to access one of the other sites with HTTPS you get directed to the other site that has the SSL certificate.
For instance, lets say we have the following sites on the server:
alpha.net
bravo.net
charlie.net (SSL)
delta.net
So as you can see, charlie is the only one with SSL, and irrespective of if you go to http charlie.net or https charlie.net, it works fine.
http to all the other sites is fine, but if you were to go to https alpha.net, it will initially come up with an Invalid Certificate error and let you continue but whilst it has alpha.net in the address bar, its actually showing the charlie.net site in the browser.
I have researched SNI and how if any other sites have SSL I'll need to put them all on specific IP addresses (something else I need to try to work out how to do as I have no idea) but I am not sure why this is happening or how I resolve it.
Has anyone else encountered this before and how did you get around it?
Many thanks,
Rob
This does not have anything to do with SNI, as you currently only have one HTTPS server. What happens, as you've stated in your comment, is that the alpha.net domain resolves to your server's IP. Your Apache server is set up to listen for requests on port 443 on this IP, and to serve the contents of charlie.net to these requests. (And the certificate error means that the browser noticed the discrepancy between the certificate's alleged domain name and the domain name used for the request.)
Redirecting from HTTPS to HTTP is probably more trouble that it's worth, since you would need valid certificates for each domain, lest you present your users with another security warning. This would entail creating virtual hosts for alpha.net:443 and so on, on an SNI capable server (i.e., later versions of Apache 2.2+ with openssl), and adding a redirection like so:
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
Probably the easiest course for your problem is to use a different IP for charlie.net. With this setup, there would be no way for alpha.net (and so on) to display the contents of another site.
If you have multiple IPs on your server, use a unique one for the SSL site, all non-SSL sites share another IP.
Since SSL doesn't care what is the domain you are visiting, it only cares if the current domain is approved from the list of domains(Common Name) it gets from the Ip address.
I have an apache server with multiple named hosts all working fine for port 80 http traffic.
(A VPS with one unique IP address)
I have one domain that has a SSL certificate and that domain is configured to handle both http and https traffic.
However if someone accidentally adds https to the beginning of a none SSL configured URL I get a typical certificate warning error (expected) and then if the user accepts the error (depending on the browser) it displays the SSL site I have configured instead of the original non-ssl domain.
I've read up a bit about SNI, but I don't have certificates for each of the other domains and would rather the server either not respond to the SSL request on anything else but one specific domain or redirect to the http version of the site.
Suggestions please as to how I approach this.
Kind regards, Spencer
For security reasons, what you're trying to achieve cannot work.
The browser (which implements the mechanisms to check the certificate) cannot know whether the user typed https:// instead of http:// accidentally or intentionally. Since it's ultimately up to the users to check that https:// is used when they think it's required, browsers should simply perform the actions requested by the users.
A redirection from https:// to http:// should always start with a valid https:// connection. SNI won't help you much there if you can't have valid certificates for the initial connection.
Otherwise, it would be fair for browsers to assume there may be a MITM attack in progress. Typing in https:// explicitly (or using HSTS) is the only reliably mechanism against MITM tools like SSLstrip, which would otherwise be capable of downgrading (or preventing an upgrade from http:// to https://).
My website is www.survivorssupply.com. I want to use SSL for my entire site because when I use SSL on only certain portions, the SSL certificate says certain parts were not delivered securely, not everything is secure, etc.
When I go into the Joomla admin panel, I set the entire site to force SSL for everything. I then get an issue with an endless redirect loop (301 error). My site is running the latest version of Joomla 2.5 on Nginx.
Is there some kind of rewrite I can use or does anyone know any Joomla tricks?
You are probably missing an extra parameter in the 443-section of your Nginx configuration. Add "fastcgi_param HTTPS on;" to the fastcgi-section.
#alfasin, Nginx doesn't use files like httpd.conf or .htaccess
check your httpd.conf and .htaccess for 301 redirect rules regarding HTTPS
you receive the warning that parts of your site are not secured because you have embedded links which use HTTP instead of HTTPS - I would create a backup of teh site and start changing all the urls in the: template, articles, modules etc.