How do I redirect www traffic without triggering b

Published 2020-02-13 03:57

Question:

I have a valid certificate for example.com. If users go to my site at http://example.com, they get redirected to https://example.com and all is good. If they go to https://example.com, all is good. If they even go to http://www.example.com, they get redirected to https://example.com and all is good.

However, if they go to https://www.example.com, Chrome triggers its SSL warning before I can redirect and tells the user to not trust this site. I don't have this problem in Safari or Firefox.

Here's my nginx configuration. What am I doing wrong?

```

# Configuration for redirecting non-ssl to ssl;
server {
    listen *:80;
    listen [::]:80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}

# Configuration for redirecting www to non-www;
server {
    server_name www.example.com;
    ssl_certificate ssl/ssl_cert.crt;
    ssl_certificate_key ssl/ssl_key.key;
    listen *:80;
    listen *:443 ssl spdy;
    listen [::]:80 ipv6only=on;
    listen [::]:443 ssl spdy ipv6only=on;

    return 301 https://example.com$request_uri;
}

server {
    listen *:443 ssl spdy;
    listen [::]:443 ssl spdy;
    ssl_certificate ssl/ssl_cert.crt;
    ssl_certificate_key ssl/ssl_key.key;
    server_name example.com;
}

```

EDIT: I see that this is a problematic configuration because the second block will look at the certs. What's the proper way to set this up with a cert that reads from "example.com" rather than "www.example.com"?

Answer 1:

If your certificate is for example.com only and not for www.example.com, then any access to www.example.com will trigger a certificate warning, no matter whether you just want to redirect it or not. Redirection is done at the HTTP level, and before it talks HTTP it first does the SSL handshake (which triggers the problem), because HTTPS is just HTTP inside SSL.

And before you ask, tricks with DNS (like CNAME) will not help either because the browser will compare the certificate against the name in the URL, not against possible DNS alias names. There is simply no way around getting a proper certificate.
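The name check described in the answer, as an added example that is not part of the original post: a simplified RFC 6125-style matcher that reports which hostnames served on port 443 are covered by a certificate's dNSName entries. The function names and the SAN lists are constructed for illustration; a real client also validates the chain, expiry and revocation.

```python
# Added example: simplified hostname-vs-SAN check, not a full certificate validator.

def _labels(name):
    # DNS names compare case-insensitively; a trailing root dot is ignored.
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """True if one dNSName SAN entry covers the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard must be the whole left-most label and stands for exactly
        # one label; require three labels so "*.com" is never accepted.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_covers(san_dns_names, url_hostname):
    """The client checks the name taken from the URL, never a CNAME target."""
    return any(san_matches(s, url_hostname) for s in san_dns_names)

def audit(san_dns_names, served_hostnames):
    """Map every hostname answered on 443 to covered / not covered."""
    return {h: cert_covers(san_dns_names, h) for h in served_hostnames}

# Constructed SAN lists (sample data, not read from a real certificate).
APEX_ONLY = ["example.com"]
APEX_AND_WWW = ["example.com", "www.example.com"]
WILDCARD = ["*.example.com"]
SERVED = ["example.com", "www.example.com"]

if __name__ == "__main__":
    for label, sans in [("apex only", APEX_ONLY),
                        ("apex + www", APEX_AND_WWW),
                        ("wildcard", WILDCARD)]:
        print(label, audit(sans, SERVED))
```

A wildcard entry alone covers www.example.com but not the bare example.com, so a certificate meant for both server blocks needs both names listed.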