Redirect to 'www' before ssl requirement

Tags: redirect, php, ssl

Problem

I currently have the problem where https://domain.com does not redirect to https://www.domain.com and shows an untrusted ssl certificate.

This is related to "redirect to 'www' before force_ssl", which is a Ruby-on-Rails solution.

Question

Is there a way to redirect to the www domain before the SSL requirement kicks in?

I am using PHP.

asked Jun 07 '12 09:06 by williamcarswell

2 Answers

HTTPS is HTTP over TLS/SSL (see RFC 2818), which first establishes the SSL/TLS connection before any HTTP traffic is sent. Any redirection (via mod_rewrite, custom PHP code or other) will always apply after the SSL/TLS connection is established.

Not doing so would actually be a security issue, since an attacker could rewrite and redirect the client before the certificate has been verified.

If you want to redirect from https://domain.com to https://www.domain.com, the certificate obtained for https://domain.com must be valid for domain.com (and then, the certificate obtained for https://www.domain.com must be valid for www.domain.com).

(You could use two different certificates with Server Name Indication if the two hosts are served on the same IP address, but this is rather convoluted.)

The easiest would be to obtain a certificate that's valid for both domain.com and www.domain.com. This can be done using a single certificate with multiple Subject Alternative Name entries. Most CAs should be able to issue such certificates. Some do it without additional fee.

answered Nov 09 '22 13:11 by Bruno

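As an added example (not code from the question or either answer) of the pre-flight check Bruno's answer implies: before relying on an HTTP-level redirect from domain.com to www.domain.com, confirm that the certificate served on the bare name actually lists it in its Subject Alternative Names, since a client only reaches the redirect after the TLS handshake succeeds. The SAN lists are constructed samples; wildcard handling follows RFC 6125, under which `*.domain.com` does not cover the bare `domain.com`.

```python
"""Pre-flight check for the bare-domain -> www redirect discussed above.
The HTTP redirect runs only after the TLS handshake succeeds, so the
certificate served on domain.com must itself be valid for domain.com.
Added example; the SAN lists below are constructed samples, not real certs."""
from typing import Iterable, List, Optional

def san_matches(san: str, host: str) -> bool:
    """True if one dNSName SAN entry covers `host` under the RFC 6125
    rules browsers apply: case-insensitive, equal label count, and a
    wildcard only as the entire leftmost label, matching exactly one
    label. So '*.domain.com' covers 'www.domain.com' but not the bare
    'domain.com'. Partial wildcards ('w*.domain.com') are rejected."""
    s = san.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(s) != len(h) or len(s) < 2:
        return False
    if any("*" in lbl for lbl in s[1:]) or ("*" in s[0] and s[0] != "*"):
        return False
    return s[0] in ("*", h[0]) and s[1:] == h[1:]

def uncovered_hosts(sans: Iterable[str], hosts: Iterable[str]) -> List[str]:
    """Hostnames in `hosts` that no SAN entry covers, in input order."""
    sans = list(sans)
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]

def redirect_location(host: str, path: str,
                      canonical: str = "www.domain.com") -> Optional[str]:
    """The HTTP-layer part: Location header for a 301 to the canonical
    host (path and query preserved), or None if already canonical."""
    if host.lower().rstrip(".") == canonical:
        return None
    return f"https://{canonical}{path}"

# Constructed SAN lists for the three certificate shapes a CA typically
# issues. Only a certificate that covers the bare name lets a client that
# types https://domain.com complete the handshake and see the redirect.
SAMPLE_CERTS = {
    "single-name": ["www.domain.com"],
    "wildcard": ["*.domain.com"],
    "two-SAN": ["domain.com", "www.domain.com"],
}
HOSTS_CLIENTS_MAY_TYPE = ["domain.com", "www.domain.com"]

if __name__ == "__main__":
    for name, sans in SAMPLE_CERTS.items():
        missing = uncovered_hosts(sans, HOSTS_CLIENTS_MAY_TYPE)
        print(f"{name:12} uncovered: {missing or 'none'}")
    print(redirect_location("domain.com", "/login?next=/"))
```

Only the two-SAN certificate leaves no uncovered host; with the other two shapes, a client typing https://domain.com sees the certificate warning from the question before any redirect can run.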
A redirect response is issued through the HTTP protocol. In order to receive such a response/command, the client first needs to establish an HTTP connection. If the client is trying to establish an HTTPS connection, then the SSL negotiation needs to complete first.

In other words, no. The URL https://domain.com is invalid for your app. No client should even know about this particular address and hence should not try to access it. You should avoid giving out this URL anywhere so clients won't try to access it. In fact, you do not seem to want to run an HTTPS server for that domain, so you should actually turn it off, so clients won't be able to connect to domain.com via HTTPS at all.

answered Nov 09 '22 13:11 by deceze