How to redirect all SSL traffic?

Igor Sysoev is at rambler-co.ru
Wed Nov 11 18:00:36 MSK 2009


On Wed, Nov 11, 2009 at 09:27:22AM -0500, brianmercer wrote:

> Igor Sysoev Wrote:
> -------------------------------------------------------
> > On Mon, Nov 09, 2009 at 05:34:11PM +0700, Glen Lumanau wrote:
> > 
> > > So I can't use such a configuration
> > > 
> > > server {
> > > listen 443;
> > > rewrite (^.*) https://www.mydomain.com$1 permanent; }
> > > 
> > > ?
> > 
> > The following configuration should work:
> > 
> >      server {
> >          listen  192.168.1.1:443;
> >          server_name   mydomain.com;
> >          ssl on;
> >          ssl_certificate  /path/to/wildcard.certificate;
> >          ...
> >      }
> > 
> >      server {
> >          listen  192.168.1.1:443;
> >          server_name   *.mydomain.com;
> >          ssl on;
> >          ssl_certificate  /path/to/wildcard.certificate;
> >          rewrite ^  https://www.mydomain.com$request_uri? permanent;
> >      }
> > 
> > Please note that you should use the same wildcard certificate in both
> > servers.
> > 
> > > -----Original Message-----
> > > From: owner-nginx at sysoev.ru  On Behalf Of Igor Sysoev
> > > Sent: 09 Nopember 2009 17:30
> > > To: nginx at sysoev.ru
> > > Subject: Re: How to redirect all SSL traffic?
> > > 
> > > On Mon, Nov 09, 2009 at 10:23:33AM +0000, Glen Lumanau wrote:
> > > 
> > > > My question is,
> > > > 
> > > > Is it possible to redirect all the traffic to www?
> > > 
> > > With the "*.mydomain.com" certificate the answer is YES.
> > > 
> > > > 
> > > > Best Regards,
> > > > 
> > > > Glen Lumanau
> > > > 
> > > > 
> > > > -----Original Message-----
> > > > From: Maxim Dounin 
> > > > Date: Mon, 9 Nov 2009 13:17:43 
> > > > To: 
> > > > Subject: Re: How to redirect all SSL traffic?
> > > > 
> > > > Hello!
> > > > 
> > > > On Mon, Nov 09, 2009 at 08:11:23AM +0000, Glen Lumanau wrote:
> > > > 
> > > > > Yes I have a valid ssl for www.mydomain.com. I don't have a license for
> > > > > mydomain.com
> > > > > 
> > > > > That's why I want to redirect all traffic that goes to mydomain.com to
> > > > > www.mydomain.com
> > > > 
> > > > As long as you have no valid cert for mydomain.com - you can't 
> > > > handle requests in this domain without warnings from browsers.  No 
> > > > way.
> > > > 
> > > > Maxim Dounin
> > > > 
> > > > 
> > > > > 
> > > > > 
> > > > > Best Regards,
> > > > > 
> > > > > Glen Lumanau
> > > > > 
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Igor Sysoev 
> > > > > Date: Mon, 9 Nov 2009 10:57:18 
> > > > > To: 
> > > > > Subject: Re: How to redirect all SSL traffic?
> > > > > 
> > > > > On Mon, Nov 09, 2009 at 08:49:56AM +0700, Glen Lumanau wrote:
> > > > > 
> > > > > > I tried this, but it still doesn't work
> > > > > 
> > > > > What do you mean by "doesn't work"? Browser shows a warning about an invalid
> > > > > certificate? In this case you need two certificates: for "www.domain.com"
> > > > > and "mydomain.com" and you should configure servers on different IP addresses.
> > > > > Or you can use a certificate with two Subject Alternate Names for
> > > > > "domain.com" and "www.domain.com". Then you may use the certificate in
> > > > > both servers with a single IP address.
> > > > > 
> > > > > > -----Original Message-----
> > > > > > From: Alex Hunsaker  
> > > > > > Sent: 09 Nopember 2009 5:11
> > > > > > To: glen at lumanau.web.id
> > > > > > Cc: nginx at sysoev.ru
> > > > > > Subject: Re: How to redirect all SSL traffic?
> > > > > > 
> > > > > > On Sun, Nov 8, 2009 at 03:31, Glen Lumanau wrote:
> > > > > > 
> > > > > > [ please keep the mailing list cc'ed ]
> > > > > > 
> > > > > > > Try port 80...
> > > > > > 
> > > > > > >> On port 80 is successful. Is there any way to do that on port 443?
> > > > > > 
> > > > > > Ahh ok so you want http://mydomain.com and https://mydomain.com to go
> > > > > > to https://www.mydomain.com.
> > > > > > 
> > > > > > Sure something like:
> > > > > > server {
> > > > > > listen 80;
> > > > > > rewrite (^.*) https://www.mydomain.com$1 permanent;
> > > > > > }
> > > > > > 
> > > > > > # config for https://www.mydomain.com
> > > > > > server {
> > > > > >  listen 443;
> > > > > >  ...
> > > > > >  if ($host !~ www\.mydomain\.com) {
> > > > > >  rewrite ^(.*) https://www.mydomain.com$1 permanent;
> > > > > > }
> > > > > > 
> > > > > > }
> > > > > > 
> > > > > 
> > > > > -- 
> > > > > Igor Sysoev
> > > > > http://sysoev.ru/en/
> > > > > 
> > > > 
> > > 
> > > -- 
> > > Igor Sysoev
> > > http://sysoev.ru/en/
> > > 
> > 
> > -- 
> > Igor Sysoev
> > http://sysoev.ru/en/
> 
> Some plain SSL certificates work with both www and non-www without being a wildcard certificate.  I just learned that the $10/year PositiveSSL that I got free from domain registration at http://www.namecheap.com/learn/ssl-certificates/free-positive-ssl-certificates.asp has this feature, although they don't list it on their website.
> 
> server {
>   listen  443;
>   server_name mydomain.com;
> 
>   rewrite ^ https://www.mydomain.com$request_uri? permanent;
> 
>   ssl on;
>   ssl_certificate  /etc/ssl/certs/mydomain.com.crt;
>   ssl_certificate_key  /etc/ssl/private/mydomain.com.key;
> }
>  
> server {
>   listen  443;
>   server_name www.mydomain.com;
> 
>   ssl on;
>   ssl_certificate  /etc/ssl/certs/mydomain.com.crt;
>   ssl_certificate_key  /etc/ssl/private/mydomain.com.key;
> 
>   ...
> }
> 
> Works fine with the cheapo PositiveSSL cert. It looks like some companies use the feature to upsell you to their premium cert: http://www.geocerts.com/ssl/quicksslpremium

Yes, if you have just two names, you may use such a certificate.
BTW, in this case you may set it on http level:

http {

   ssl_certificate  /etc/ssl/certs/mydomain.com.crt;
   ssl_certificate_key  /etc/ssl/private/mydomain.com.key;

   server {


-- 
Igor Sysoev
http://sysoev.ru/en/
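
Added example (not part of the original message and not nginx code): the thread turns on whether one certificate covers both mydomain.com and www.mydomain.com. The Python sketch below applies RFC 6125-style DNS name matching to constructed SAN lists for the certificate types discussed; the function names and the SAN lists are assumptions made for illustration.

```python
# Which of the wanted server names does a certificate's SAN list cover?
# All SAN lists here are constructed samples, not read from real certificates.


def san_matches(pattern: str, host: str) -> bool:
    """Match one DNS SAN entry against a host name (RFC 6125 style).

    A wildcard is honoured only as the whole left-most label and stands
    for exactly one label: never zero labels and never several.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least "*.domain.tld" and a non-empty host label.
        return (len(p_labels) >= 3 and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels


def uncovered(san_list, server_names):
    """Return the server names a browser would warn about."""
    return [h for h in server_names
            if not any(san_matches(p, h) for p in san_list)]


# Names the thread wants to serve over HTTPS from one IP address.
WANTED = ["mydomain.com", "www.mydomain.com"]

# Constructed SAN lists for the certificate types mentioned in the thread.
CERTS = {
    "single name (www only)": ["www.mydomain.com"],
    "two SANs (apex + www)": ["mydomain.com", "www.mydomain.com"],
    "wildcard only": ["*.mydomain.com"],
    "wildcard + apex SAN": ["*.mydomain.com", "mydomain.com"],
}


def report():
    """Map each certificate label to the wanted names it fails to cover."""
    return {label: uncovered(sans, WANTED) for label, sans in CERTS.items()}


if __name__ == "__main__":
    for label, missing in report().items():
        status = "OK" if not missing else "warns for " + ", ".join(missing)
        print(f"{label:26} -> {status}")
```

A wildcard entry stands for exactly one label, so *.mydomain.com by itself does not cover mydomain.com; the certificate must also list the bare domain. The SAN list of a real certificate can be read from the output of `openssl x509 -in cert.crt -noout -text`.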




