How to redirect all SSL traffic?

brianmercer nginx-forum at nginx.us
Wed Nov 11 17:27:22 MSK 2009 

Igor Sysoev Wrote:
-------------------------------------------------------
> On Mon, Nov 09, 2009 at 05:34:11PM +0700, Glen
> Lumanau wrote:
> 
> > So I can't use such a configuration
> > 
> > server {
> > listen 443;
> > rewrite (^.*) https://www.mydomain.com$1
> permanent; }
> > 
> > ?
> 
> The following configuration should work:
> 
>      server {
>          listen  192.168.1.1:443;
>          server_name   mydomain.com;
>          ssl on;
>          ssl_certificate  
> /path/to/wildcard.certifcate;
>          ...
>      }
> 
>      server {
>          listen  192.168.1.1:443;
>          server_name   *.mydomain.com;
>          ssl on;
>          ssl_certificate  
> /path/to/wildcard.certifcate;
>          rewrite ^  
> https://www.mydomain.com$request_uri? permanent; }
>      }
> 
> Please note, that you should use the same wildcard
> certifcate in both
> servers.
> 
> > -----Original Message-----
> > From: owner-nginx at sysoev.ru  On Behalf Of Igor
> > Sysoev
> > Sent: 09 Nopember 2009 17:30
> > To: nginx at sysoev.ru
> > Subject: Re: How to redirect all SSL traffic?
> > 
> > On Mon, Nov 09, 2009 at 10:23:33AM +0000, Glen
> Lumanau wrote:
> > 
> > > My question is,
> > > 
> > > Is that posibble to redirect all the traffic
> to www?
> > 
> > With the "*.mydomain.com" certificate the answer
> is YES.
> > 
> > > 
> > > Best Regards,
> > > 
> > > Glen Lumanau
> > > 
> > > 
> > > -----Original Message-----
> > > From: Maxim Dounin 
> > > Date: Mon, 9 Nov 2009 13:17:43 
> > > To: 
> > > Subject: Re: How to redirect all SSL traffic?
> > > 
> > > Hello!
> > > 
> > > On Mon, Nov 09, 2009 at 08:11:23AM +0000, Glen
> Lumanau wrote:
> > > 
> > > > Yes I have a valid ssl for www.mydomain.com.
> I don't have a license for
> > mydomain.com
> > > > 
> > > > That's why I want to redirect all traffic
> goes to mydomain.com to
> > www.mydomain.com
> > > 
> > > As long as you have no valid cert for
> mydomain.com - you can't 
> > > handle requests in this domain without
> warnings from browsers.  No 
> > > way.
> > > 
> > > Maxim Dounin
> > > 
> > > 
> > > > 
> > > > 
> > > > Best Regards,
> > > > 
> > > > Glen Lumanau
> > > > 
> > > > 
> > > > -----Original Message-----
> > > > From: Igor Sysoev 
> > > > Date: Mon, 9 Nov 2009 10:57:18 
> > > > To: 
> > > > Subject: Re: How to redirect all SSL
> traffic?
> > > > 
> > > > On Mon, Nov 09, 2009 at 08:49:56AM +0700,
> Glen Lumanau wrote:
> > > > 
> > > > > I tried this, but still doesn't works 
> > > > 
> > > > What do you mean by "doesn't work" ? Browser
> shows a warning about
> > invalid
> > > > certificate ? In this case you need two
> certificates: for
> > "www.domain.com"
> > > > and "mydomain.com" and you should configure
> servers on different IP
> > addreses.
> > > > Or you can use a certificate with two
> Subject Alternate Names for
> > > > "domain.com" and "www.domain.com". Then you
> may use the certificate in
> > > > both server with single IP address.
> > > > 
> > > > > -----Original Message-----
> > > > > From: Alex Hunsaker  
> > > > > Sent: 09 Nopember 2009 5:11
> > > > > To: glen at lumanau.web.id
> > > > > Cc: nginx at sysoev.ru
> > > > > Subject: Re: How to redirect all SSL
> traffic?
> > > > > 
> > > > > On Sun, Nov 8, 2009 at 03:31, Glen Lumanau
> 
> > wrote:
> > > > > 
> > > > > [ please keep the mailing list cc'ed ]
> > > > > 
> > > > > > Try port 80...
> > > > > 
> > > > > >> On port 80 is sucessfull. Is there any
> way to do that on port 443?
> > > > > 
> > > > > Ahh ok so you want http://mydomain.com and
> https://mydomain.com to go
> > > > > to https://www.mydomain.com.
> > > > > 
> > > > > Sure something like:
> > > > > server {
> > > > > listen 80;
> > > > > rewrite (^.*) https://www.mydomain.com$1
> permanent;
> > > > > }
> > > > > 
> > > > > # config for https://www.mydomain.com
> > > > > server {
> > > > >  listen 443;
> > > > >  ...
> > > > >  if ($host !~ www\.mydomain\.com) {
> > > > >  rewrite ^(.*) https://www.mydomain.com$1
> permanent;
> > > > > }
> > > > > 
> > > > > }
> > > > > 
> > > > 
> > > > -- 
> > > > Igor Sysoev
> > > > http://sysoev.ru/en/
> > > > 
> > > 
> > 
> > -- 
> > Igor Sysoev
> > http://sysoev.ru/en/
> > 
> 
> -- 
> Igor Sysoev
> http://sysoev.ru/en/

Some plain SSL certificates work with both www and non-www without being a wildcard certificate.  I just learned that the $10/year PositiveSSL that I got free from domain registration at http://www.namecheap.com/learn/ssl-certificates/free-positive-ssl-certificates.asp has this feature, although they don't list it on their website.

server {
  listen  443;
  server_name mydomain.com;

  rewrite ^ https://www.mydomain.com$request_url permanent;

  ssl on;
  ssl_certificate  /etc/ssl/certs/mydomain.com.crt;
  ssl_certificate_key  /etc/ssl/private/mydomain.com.key;
}
 
server {
  listen  443;
  server_name www.mydomain.com;

  ssl on;
  ssl_certificate  /etc/ssl/certs/mydomain.com.crt;
  ssl_certificate_key  /etc/ssl/private/mydomain.com.key;

  ...
}

Works fine with the cheapo PositiveSSL cert. It looks like some companies use the feature to upsell you to their premium cert: http://www.geocerts.com/ssl/quicksslpremium

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,21109,22131#msg-22131

More information about the nginx mailing list