Redirect without an SSL certificate

Maxim Dounin mdounin at mdounin.ru
Wed Jul 18 15:31:06 UTC 2018


Hello!

On Wed, Jul 18, 2018 at 03:10:54PM +0000, Friscia, Michael wrote:

> We have a problem where we have a large number of vanity domain 
> names that are redirected. For example we have surgery.yale.edu 
> which redirects to medicine.yale.edu/surgery. This works fine 
> until someone tries to request https://surgery.yale.edu. For 
> administrative reasons, I cannot get a wildcard certificate to 
> handle *.yale.edu and make this simple to solve.
> 
> My question is if there is any way to redirect a request 
> listening on port 80 and 443 but bypass the SSL certificate 
> warning so it will redirect? I would assume the order of 
> operation with HTTPS is to first validate the certificate but I 
> really want the 301 redirect to take place before the SSL cert 
> is verified.
>
> I’m open to ideas but we are limited in what we can actually do 
> so as it stands the only solution we have is to request a 
> certificate for each of the 600+ domains.

A certificate warning appears when a client establishes a connection 
and cannot verify the certificate.  The connection is not 
established at this point, and a request is not sent.  You cannot 
return a redirect unless the client agrees to continue despite the 
certificate warning.

That is, if you want redirects to be returned, the only option is 
to obtain valid certificates.

Another option might be to reject https connections to a domain 
when it is not configured to use https.  When using SNI, you can 
configure nginx to selectively reject connections to some names by 
using unsatisfiable ssl_ciphers (see 
https://trac.nginx.org/nginx/ticket/195#comment:6).

-- 
Maxim Dounin
http://mdounin.ru/
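
The selective rejection described in the reply above, sketched as an nginx configuration. This is an added example, not part of the original message or the linked ticket; the certificate paths are placeholders, the https scheme of the redirect target is an assumption, and the layout assumes handshakes at TLS 1.2 or below.

```nginx
# Added example. Hostnames are the ones from the question;
# every file path below is a placeholder.

# Plain HTTP: no TLS handshake happens, so the vanity name can
# answer with the redirect directly.
server {
    listen 80;
    server_name surgery.yale.edu;
    return 301 https://medicine.yale.edu/surgery;  # scheme is an assumption
}

# HTTPS for a name that does have a valid certificate.
server {
    listen 443 ssl;
    server_name medicine.yale.edu;
    ssl_certificate     /path/to/medicine.crt;   # placeholder
    ssl_certificate_key /path/to/medicine.key;   # placeholder
    # ... normal site configuration ...
}

# HTTPS for vanity names without a certificate. The block is selected
# by SNI. "aNULL" allows only anonymous cipher suites, which ordinary
# clients do not offer, so the handshake fails for lack of a shared
# cipher. The client gets a connection error, not a certificate
# warning, and no certificate for the wrong name is presented.
server {
    listen 443 ssl;
    server_name surgery.yale.edu;   # list the other vanity names here
    ssl_ciphers aNULL;

    # An ssl listener still needs some certificate configured;
    # a self-signed dummy is enough because it is never sent.
    ssl_certificate     /path/to/dummy.crt;      # placeholder
    ssl_certificate_key /path/to/dummy.key;      # placeholder

    # Close without a response if a request arrives anyway.
    return 444;
}

# Caveat: ssl_ciphers does not control TLS 1.3 cipher suites, so a
# TLS 1.3 handshake is not blocked by this. nginx 1.19.4 and later
# provide the ssl_reject_handshake directive for the same purpose.
```

No redirect is returned over https in this setup: as the reply explains, that would need a valid certificate for each name.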

