Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
768 views
in Technique[技术] by (71.8m points)

apache - Redirecting https://www to https://non-www - without seeing certificate error, possible?

So my SSL certificate only applies to https://example.com - not https://www.example.com (can't complain, it was free).

After venturing into mod_rewrite and a lot of reading (mostly from stackoverflow) I have an .htaccess file that does most of what I need, here is that file (with domain redacted of course).

<IfModule mod_rewrite.c>
    RewriteEngine On

    #First rewrite any request to the wrong domain to use the correct one
    RewriteCond %{HTTP_HOST} !^subdomain.
    RewriteCond %{HTTP_HOST} ^(www|ftp|mail).example.com [NC]
    RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]

    #Redirect these subdomains to a subfolder
    RewriteCond %{HTTP_HOST} ^([^/.]+).example.com$ 
    RewriteCond %1 !^(www|ftp|mail)$ [NC]
    RewriteRule (.+)$ "http://example.com/%1" [L,P]

    #Now, rewrite to HTTPS:
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

The script contains comments as to what it does (I need them more than you think). And there is an additional .htaccess file on the folder for the subdomain that is being redirected (a subfolder in the root web folder, with matching subdomain name) and the accompanying dns entry on my dns server. The .htaccess on that folder simply redirects http (port 80) to https.

At the moment, it does what I need but I'm looking for simpler ways to write this. And by simpler it could also mean more global (if it makes it faster than hardcoding domains) and if there are any speed improvements to gain from said rewrite.

As previously mentioned, my certificate is only for a non-www example.com domain so this brings me to the second (but my main) question.

Traffic that is routed like so: https://www.example.com will see the error before any routing, rewrite, etc is ever done. This is because a connection to the web server has not even happened at this point, correct? This is essentially your server handing your certificate over and the browser saying: wait a minute!

Is there a way to prevent traffic to hit your server the improper way (https://www) before the browser gives out a certificate error?

This does not have to be restricted to just the .htaccess method.

Is there a way to do this - at all? And what is that way?

Edit:

I was having a few issues with my conditions and rewrites hitting queries it should not. I was also having a few redirect loops so headed over to apache.org to research that; so just as a way to keep track of said changes here is the .htaccess file now:

<IfModule mod_rewrite.c>
    RewriteEngine On

    # First rewrite any request to the wrong domain to use the correct one
    RewriteCond %{HTTP_HOST} ^(www|ftp|mail).example.com$ [NC]
    RewriteRule ^(.*)$ http://example.com/$1

    # Redirect these subdomains to a subfolder
    RewriteCond %{HTTP_HOST} ^([^/.]+).example.com$
    RewriteCond %{REQUEST_URI} !^([^/.]+)/([^/.]+)
    RewriteCond %1 !^(www|ftp|mail)$ [NC]
    RewriteRule ^(.*)$ http://example.com/%1$1 [L,NC,QSA]

    #Now, rewrite to HTTPS:
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_HOST} !^$
    RewriteCond %{HTTP_HOST} ^http://example.com/$ [NC]
    RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [L,R,NE]
</IfModule>
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Is there a way to prevent traffic to hit your server the improper way (https:// www) before the browser gives out a certificate error?

No, there's nothing you can do, your assessment is correct that the browser looks at the server certificate and sees that the host doesn't match and displays the error. The error isn't generated by the server, and this happens before a request is even sent to the server. This happens during the SSL handshake. The only things you can do are prevent any http://www links from existing, or buy a new certificate that includes "www".

As for your rules, there's really no way to simplify it since you have multiple conditions for each rule.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...