
I have two domains, myexample.com and my-example.com. I want all traffic for either domain to go to https://www.my-example.com, for which I have an SSL certificate. I do not have an SSL certificate for the domain myexample.com.

I have http://myexample.com, http://www.myexample.com, http://my-example.com and http://www.my-example.com all redirecting to https://www.my-example.com with no problem. However, when I set up a redirect for https://myexample.com or https://www.myexample.com, it checks for their SSL certificate before redirecting, and so I always get a certificate error.

Is there a way to do the redirect without the SSL checking for the non-SSL domain that I am redirecting away from?

The relevant part of my config file:

```
frontend www-https
   bind xxx.xxx.xxx.xxx:443 ssl crt /etc/ssl/private/www.my-example.com.pem
   reqadd X-Forwarded-Proto:\ https
   redirect prefix https://www.my-example.com code 301 if { hdr(host) -i myexample.com }
   redirect prefix https://www.my-example.com code 301 if { hdr(host) -i www.myexample.com }
   default_backend www-backend
```

Ben Holness
  • Imagine for a moment how bad it would be for a MITMed `https://www.paypal.com/` to be redirectable to `https://www.not-paypal.com/` for a moment and you'll have your answer. SSL certs are free these days - get one for your other domain. – ceejayoz Sep 04 '16 at 14:59
  • Like @ceejayoz mentioned, just get a free certificate for the other domain. – Moshe Katz Sep 04 '16 at 20:02
  • I have done that now, I was just wondering if it was necessary or if there was a way to configure it like I did for non-ssl before I tried to figure out how to have more than one certificate in the haproxy config (I'm far from an expert!). – Ben Holness Sep 04 '16 at 22:47
  • @BenHolness You can get a multi-domain certificate (Let's Encrypt fully supports this), if you like. – ceejayoz Sep 07 '16 at 15:02

1 Answer


Redirection is done at the HTTP level, i.e. after the SSL connection was established. Since establishing the SSL connection includes validating the certificate it is not possible to bypass the certificate check for redirects.

Steffen Ullrich