2

For a web application located at:

https://www.domain.com/

With an SSL certificate issued to "www.domain.com",

What are the proper rewrite rules, DNS settings, or combination of both which make each of the URLs below redirect seamlessly to https://www.domain.com/:

 1. http://www.domain.com
 2. http://domain.com
 3. https://domain.com

The difficulty is really with #3. https://domain.com tends to cause browser security messages. How do the major HTTPS sites do this? Take Paypal.com, for instance.

perrierism

4 Answers

5

Followup to James's Answer:

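```apache
# Redirect anything that is not already https://www.domain.com/ to it
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.domain\.com$ [OR]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]
```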

This still doesn't fix #3, you'd need a wildcard or UCC cert for that.

Chris S
  • OK, #3 is exactly what I'm looking to fix. Can you elaborate on what you mean by wildcard or UCC cert? – perrierism Jun 22 '10 at 18:59
  • 2
    @perrierism: you can get a wildcard certificate that covers *.example.com (this includes example.com). You can also get a UCC Certificate which contains multiple Subject Alternate Names (i.e., www.example.com and example.com both on the same cert) (Note that UCC have just one SN, so anyone looking at the cert will only see one of the names "featured" on it). – Chris S Jun 22 '10 at 19:17
  • 2
    FYI, I don't think wildcard certs will work here. I just tried it with Firefox 3 and one of our sites using a wildcard. It seems to choke, because `http://domain.com` doesn't use a subdomain. Doesn't look like the wildcard will match 'none'. UCC may be your only real bet. – Christopher Karel Jun 22 '10 at 19:36
3

I think the easiest option is to use mod_rewrite in an htaccess file or right in your httpd.conf. Here is what I use to forward the first two that you need:

```apache
# Send all plain-HTTP (port 80) requests to the HTTPS www host
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://www.domain.com/$1 [R,L]
```

So, to forward https://domain.com to https://www.domain.com, you could do:

```apache
# Send HTTPS requests for the bare domain to the www host
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} ^domain\.com
RewriteRule ^(.*)$ https://www.domain.com/$1 [R,L]
```

I'm sure there is a way to consolidate those two rule sets if you want to try. Not around my Apache server at the moment to test it.

James
  • This is basically what I arrived at. Good summary of the rules. I run into a problem though with this when redirecting https://domain.com to https://www.domain.com, because the browser first talks to "https://domain.com" before getting redirected, and since the server is carrying a certificate that is only valid for "www.domain.com" the browser gives a warning. I'm wondering if you get around this with some sort of DNS redirects... or if you actually need a certificate also issued to domain.com to avoid the warning. – perrierism Jun 22 '10 at 18:56
  • Hmm... now that I think about it. You're right. Let the trickiness of #3 begin. I think technically, you do need a certificate for domain.com that is valid. Though, I know a lot of SSL certificate CAs that give you a single domain certificate that includes both .domain.com and www.domain.com. Who's your CA? – James Jun 22 '10 at 19:06
  • I'm using VeriSign. When I created the signing request I could only specify one domain and I chose "www.domain.com". I think even if I chose "domain.com" they would have issued a cert only good for "domain.com". – perrierism Jun 22 '10 at 19:13
3

As some more assistance for item 3, and maybe 2 as well, how about using Server Name Indication to use two certs on the same host (i.e., www.domain.com and domain.com)? Apache's Wiki has some info on the specifics.

--Christopher Karel

Christopher Karel
  • I'm selecting this as the answer because it comes closest to stating the solution, which is I believe that two separate certificates (one for "https://domain.com" and one for "https://www.domain.com") are required for no. 3 to work seamlessly. There isn't apparently, as I was hoping to find, a way of taking care of this with DNS configuration (by somehow routing requests to "domain.com" to "www.domain.com" without ever talking to the webserver, which causes a warning -- someone please correct me if I'm wrong). Esp since this is what Paypal does, I'll take that as the best practice solution. – perrierism Jun 23 '10 at 18:34
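The conclusion of the wildcard/UCC comments and of the SNI answer above, as an added example that is not code from any poster: a simplified model of how a browser matches a certificate's names against the requested host, and of SNI certificate selection, applied to the three URLs in the question. The helper names and the SAN lists are constructed for illustration; real validation also checks the chain, expiry and revocation.

```python
from urllib.parse import urlsplit

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # '*.domain.com' has 3 labels, 'domain.com' has 2
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def served_cert(host, vhost_certs, default):
    """Server side: with SNI the cert is chosen by the requested name;
    without it (or for an unknown name) the default vhost's cert is sent."""
    return vhost_certs.get(host.lower(), default)

def outcome(url, vhost_certs, default):
    """What the browser does with `url` before any RewriteRule can run."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return "redirect"     # no certificate involved, the 301 is followed
    sans = served_cert(parts.hostname, vhost_certs, default)
    ok = any(name_matches(s, parts.hostname) for s in sans)
    return "redirect" if ok else "warning"

URLS = ["http://www.domain.com", "http://domain.com", "https://domain.com"]

# Constructed setups: (SNI name -> SAN list, SAN list of the default cert).
SETUPS = {
    "single www cert": ({}, ["www.domain.com"]),
    "wildcard cert":   ({}, ["*.domain.com"]),
    "UCC/SAN cert":    ({}, ["www.domain.com", "domain.com"]),
    "two certs + SNI": ({"www.domain.com": ["www.domain.com"],
                         "domain.com": ["domain.com"]}, ["www.domain.com"]),
}

def evaluate():
    """Outcome of each question URL under each certificate setup."""
    return {name: [outcome(u, vh, d) for u in URLS]
            for name, (vh, d) in SETUPS.items()}

if __name__ == "__main__":
    for name, results in evaluate().items():
        print(f"{name:16} {dict(zip(URLS, results))}")
```

Only the setups whose served certificate names `domain.com` itself let URL #3 reach the redirect; the TLS name check happens before the server can send any HTTP response.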
0

A certificate for https://www.domain.com will not work for https://domain.com.

There are plenty of tutorials.

mcandre
  • Yes. So how do you make a seamless redirect from https://domain.com? There is a way to do it, look at paypal or any other major https site. Do they have an extra certificate for http://domain.com to avoid the security warning? Also note, the tutorials you mention have nothing to do with the question asked. They are tutorials for generating ssl certificates. – perrierism Jun 22 '10 at 18:50
  • 2
    @perrierism: Paypal does indeed have a completely different Class 2 Certificate just for paypal.com so it can be redirected. – Chris S Jun 22 '10 at 19:14
  • 1
    Also, paypal.com and www.paypal.com resolve to different IP addresses. So that means whatever box catches those requests only needs the certificate for that one domain. – Christopher Karel Jun 22 '10 at 19:43
  • Generating SSL certificates is a necessary part of the process. If you're lucky, your host will generate them for you. Yes, seamless redirects require extra certificates--ever get a browser warning that you are leaving a secured website? That's why. Chris S. agrees. – mcandre Jun 23 '10 at 15:00
  • 1
    Yes I think the final answer is that it requires 2 certificates. I was holding out that perhaps there was a DNS way of routing "https://domain.com" calls to "https://www.domain.com" to avoid the warning. Yes, of course I understand why you get a warning when you are leaving a secure site, but that's really different than what we're talking about, if related. We're talking about redirecting to a secure site, and the certificate domains which are or aren't required for a secure host. – perrierism Jun 23 '10 at 18:26