Redirect to 'www' before ssl requirement
HTTPS is HTTP over TLS/SSL (see RFC 2818), which first establishes the SSL/TLS connection before any HTTP traffic is sent. Any redirection (via mod_rewrite, custom PHP code or other) will always apply after the SSL/TLS connection is established.
Not doing so would actually be a security issue, since an attacker could rewrite and redirect the client before the certificate has been verified.
If you want to redirect from https://domain.com to https://www.domain.com, the certificate obtained for https://domain.com must be valid for domain.com (and then, the certificate obtained for https://www.domain.com must be valid for www.domain.com).
(You could use two different certificates with Server Name Indication if the two hosts are served on the same IP address, but this is rather convoluted.)
The easiest would be to obtain a certificate that's valid for both domain.com and www.domain.com. This can be done using a single certificate with multiple Subject Alternative Name entries. Most CAs should be able to issue such certificates. Some do so without an additional fee.
How do I redirect www traffic without triggering browsers' SSL check?
If your certificate is for example.com only and not for www.example.com, then any access to www.example.com will trigger a certificate warning, no matter whether you just want to redirect it or not. Redirection is done at the HTTP level, and before it talks HTTP it first does the SSL handshake (which triggers the problem), because HTTPS is just HTTP inside SSL.
And before you ask, tricks with DNS (like CNAME) will not help either because the browser will compare the certificate against the name in the URL, not against possible DNS alias names. There is simply no way around getting a proper certificate.
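To make the point of the two answers above concrete (the browser matches the hostname typed in the URL against the certificate's subjectAltName entries, so a single certificate has to list both the naked and the www name), here is an added Ruby example; it is not code from any of the answers. It builds self-signed test certificates with Ruby's OpenSSL bindings and runs the same hostname-identity check a TLS client performs. The hostnames example.com and www.example.com are placeholders, and the certificates are generated locally, not issued by a CA.

```ruby
require 'openssl'

# Build a self-signed X.509v3 certificate whose subjectAltName lists every
# hostname given. This is a constructed test certificate, not a CA-issued one.
def build_cert_for(*hostnames)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509v3, required for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{hostnames.first}")
  cert.issuer = cert.subject            # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  san = hostnames.map { |h| "DNS:#{h}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san, false))
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The browser-side question: does the name in the URL bar match one of the
# certificate's DNS subjectAltName entries? Ruby ships the same RFC 6125 style
# matcher that its TLS client uses, so we call it directly. DNS aliases
# (CNAMEs) never enter into this: only the URL hostname and the cert do.
def cert_covers?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Pull the SAN list out of a certificate, e.g. ["DNS:example.com", "DNS:www.example.com"].
def san_entries(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  ext ? ext.value.split(',').map(&:strip) : []
end

if __FILE__ == $PROGRAM_NAME
  naked_only = build_cert_for('example.com')
  both       = build_cert_for('example.com', 'www.example.com')
  puts "naked-only cert covers www? #{cert_covers?(naked_only, 'www.example.com')}"  # false -> warning
  puts "dual-SAN cert covers www?   #{cert_covers?(both, 'www.example.com')}"        # true
  puts "dual-SAN cert SANs: #{san_entries(both).join(' ')}"
end
```

The same inspection against a live site is `openssl s_client -connect www.example.com:443 -servername www.example.com` and reading the X509v3 Subject Alternative Name block of the printed certificate; if the name you are redirecting from is missing there, the redirect will never be reached.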
SSL needed on redirect?
Yes.
The redirection is an HTTP-level action which happens inside the SSL envelope.
The client needs to establish an SSL connection to the original host before it 'sees' the redirect, then after completing the redirect it must establish another SSL connection to the target host.
So you definitely need an SSL certificate on redirects to a page with one.
redirect to 'www' before force_ssl
Since your 301 is being sent by the application, and the request can't even reach the application before hitting the middleware (on which rack-ssl runs), your only solutions are to change the middleware or to do the redirect before it even hits the middleware.
For the latter, you'd have to poke around Heroku. I don't use it myself. On a VPS deployment, you'd just add the redirect on your forward-facing web server (Apache, nginx) before it even hit the middleware. This seems like a common case, so I imagine Heroku might have something there for you.
For the former, it shouldn't be hard. The rack-ssl middleware is very, very simple, and it shouldn't be hard to monkeypatch it to suit your needs.
https://github.com/josh/rack-ssl/blob/master/lib/rack/ssl.rb#L58
I imagine that something like url.host = "www.myhost.com" might be what you'd want (although you can probably tell there are probably more FQDN-agnostic ways to do it).
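The answer above suggests doing the host redirect before the request reaches rack-ssl. Here is an added Ruby example of that approach (not rack-ssl's code, and not from the answer): a small Rack middleware that issues the 301 to the www host itself, so that when the client follows it rack-ssl then enforces HTTPS on the www host. The hostnames example.com and www.example.com, the `sample_env` helper and the assumption that the TLS-terminating router passes the original scheme in X-Forwarded-Proto (as Heroku's does) are all part of the example. It does not remove the certificate requirement discussed elsewhere on this page: an https:// request to the naked domain still completes the TLS handshake against a certificate that must cover that name before this redirect is ever seen.

```ruby
# Added example, not part of rack-ssl. Rack middleware that 301-redirects the
# naked domain to the canonical www host, preserving scheme, port, path and
# query. Mount it *before* Rack::SSL so the host redirect wins the first hop.
class CanonicalHost
  DEFAULT_PORTS = { 'http' => '80', 'https' => '443' }.freeze

  def initialize(app, from:, to:)
    @app  = app
    @from = from.downcase
    @to   = to
  end

  def call(env)
    host, port = (env['HTTP_HOST'] || env['SERVER_NAME']).to_s.downcase.split(':', 2)
    return @app.call(env) unless host == @from

    # A TLS-terminating router (assumed here) reports the client's scheme in
    # X-Forwarded-Proto; trust that header only when such a proxy is in front.
    scheme = (env['HTTP_X_FORWARDED_PROTO'] || env['rack.url_scheme'] || 'http')
               .split(',').first.strip
    port_part = (port.nil? || port == DEFAULT_PORTS[scheme]) ? '' : ":#{port}"
    # The target host is the configured value, never echoed back from the
    # request, so a forged Host header cannot steer the Location.
    location = "#{scheme}://#{@to}#{port_part}#{env['SCRIPT_NAME']}#{env['PATH_INFO']}"
    query = env['QUERY_STRING'].to_s
    location += "?#{query}" unless query.empty?
    [301, { 'Location' => location, 'Content-Type' => 'text/plain', 'Content-Length' => '0' }, []]
  end
end

# Constructed Rack env for demonstration; no server involved. The dyno sees
# plain HTTP from the router, the real scheme arrives in X-Forwarded-Proto.
def sample_env(host, path: '/', query: '', proto: 'https')
  {
    'REQUEST_METHOD' => 'GET', 'HTTP_HOST' => host, 'SCRIPT_NAME' => '',
    'PATH_INFO' => path, 'QUERY_STRING' => query,
    'rack.url_scheme' => 'http', 'HTTP_X_FORWARDED_PROTO' => proto
  }
end

# Run the two interesting requests through the middleware and return both results.
def demo
  app = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['app reached']] }
  stack = CanonicalHost.new(app, from: 'example.com', to: 'www.example.com')
  {
    naked: stack.call(sample_env('example.com', path: '/login', query: 'next=%2Fhome')),
    www:   stack.call(sample_env('www.example.com'))
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, (status, headers, _)| puts "#{name}: #{status} #{headers['Location']}" }
end
```

In a Rails app this would be registered with `config.middleware.insert_before Rack::SSL, CanonicalHost, from: 'example.com', to: 'www.example.com'` (hostnames are the example's); on a VPS the same redirect belongs in the front web server, as the answer says.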
Do I really need 2 SSL certifications to redirect a naked domain to www?
Yes, you really need a certificate valid for the two domains if you want to be able to redirect users who manually enter the naked domain with the https protocol.
It can be two certificates, but it can also be one certificate containing the two domains. Most SSL vendors include the naked domain for free.
(And there is Let's Encrypt, which can give you a certificate for free.)
Furthermore, having a certificate for the naked domain allows you to use HSTS including sub-domains, which can protect all your sub-domains against SSL stripping.
Does redirecting a secure domain require an ssl certificate on both domains?
You will be able to redirect a non-secure URL to HTTP/HTTPS. But you won't be able to redirect an HTTPS URL (https://domain1.com) to any HTTP/HTTPS URL (https://www.domain2.com) unless you have installed a valid SSL certificate.
http://domain1.com -> https://www.domain2.com [YES, with or without SSL]
http://www.domain1.com -> https://www.domain2.com [YES, with or without SSL]
And,
https://domain1.com -> https://www.domain2.com [Required Valid SSL certificate for domain1.com]
https://www.domain1.com -> https://www.domain2.com [Required Valid SSL for domain1.com]
That's why you are getting the error 'the given certificate isn't valid for this domain': you do not have a valid certificate. Please note you have to install an SSL certificate on both the OLD and NEW domain if you want old URLs to redirect to new HTTPS URLs.