{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 Anthone 的问题《.htaccess redirect only executes after browser war》','https://www.manongdao.com/q-324699.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have a rewrite rule which forces HTTPS and www. The SSL certificate is for the www version of the site. The entire site needs to be HTTPS.
The problem is that if the request is https://example.com/ the browser displays a warning page before the redirect can execute. ('This Connection is Untrusted' in Firefox and 'This is probably not the site that you are looking for!' in Chrome)
If the user adds an exception in Firefox or ignores the error in Chrome, the rewrite rule executes and they are redirects to the www version of the site with a 100% secure page.
RewriteEngine on
RewriteCond %{HTTP_HOST} ^example.com$ [OR]
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
RewriteCond %{HTTP_HOST} ^www.example.com$
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
I've been testing the rules on the site as well as on http://martinmelin.se/rewrite-rule-tester/
How can I get the redirect to execute before the browser warning?
This post addresses your issue, and provides the following answer:
Another option might be to get a wildcard cert, which would allow you to match for(Apparently this won't work. Thanks @Giel)*.example.com.You could make
http://example.com/redirect tohttps://www.example.com/, but that may not help you if you already have users visitinghttps://example.com/.The redirection from
https://example.comtohttps://www.example.comcan only happen after the client has made an initial successful request tohttps://example.com.This is because HTTPS is HTTP over TLS/SSL (see RFC 2818), which first establishes the SSL/TLS connection before any HTTP traffic is sent.
mod_rewritewill always apply after the SSL/TLS connection is established. Not doing so would actually be a security issue, since an attacker could rewrite and redirect the client before the certificate has been verified. Even if the TLS upgrade was within HTTP (RFC 2817, which is virtually never used/supported and is not https), you would still want the redirection to come from a trusted entity.For this initial connection to work, the server at
https://example.commust have a certificate valid forexample.com, otherwise, this connection won't even happen (and the server won't send a redirection response).To achieve your goal, you need requests for
https://example.comto present a certificate valid forexample.comand requests forhttps://www.example.comto present a certificate valid forwww.example.com.There are two solutions:
example.comandwww.example.com. This can be achieved by getting a certificate with multiple Subject Alternative Name (SAN) DNS entries (it won't work with just*.example.comsince the dot isn't part of the wildcard pattern).The latter is certainly the easiest solution. It's quite common for CAs to issue certificates that have SAN entries for both
example.comandwww.example.comwhen you apply for one or the other, sometimes without an extra fee.