Problem
I currently have the problem where https://domain.com does not redirect to https://www.domain.com and shows an untrusted SSL certificate.
This is related to a ruby-on-rails solution: redirect to 'www' before force_ssl.
Question
Is there a way to redirect to the www domain before the SSL requirement kicks in?
I am using PHP.
You don't necessarily need a separate certificate for www and non-www, but whether one certificate covers both depends on what was issued: Single domain: many CAs add the www variant as a Subject Alternative Name when you order the bare domain (or vice versa), but check the certificate's SAN list rather than assuming it. Wildcard: *.domain.com covers www.domain.com but not the bare domain.com, which must be listed as its own SAN. Multi-domain (SAN): each name, www and non-www, must be added explicitly.
HTTPS is HTTP over TLS/SSL (see RFC 2818), which first establishes the SSL/TLS connection before any HTTP traffic is sent. Any redirection (via mod_rewrite, custom PHP code or other) will always apply after the SSL/TLS connection is established.
Not doing so would actually be a security issue, since an attacker could rewrite and redirect the client before the certificate has been verified.
If you want to redirect from https://domain.com to https://www.domain.com, the certificate obtained for https://domain.com must be valid for domain.com (and then, the certificate obtained for https://www.domain.com must be valid for www.domain.com).
(You could use two different certificates with Server Name Indication if the two hosts are served on the same IP address, but this is rather convoluted.)
The easiest would be to obtain a certificate that's valid for both domain.com and www.domain.com. This can be done using a single certificate with multiple Subject Alternative Name entries. Most CAs should be able to issue such certificates. Some do it without additional fee.
A redirect response is issued through the HTTP protocol. In order to receive such a response/command, the client first needs to establish an HTTP connection. If the client is trying to establish an HTTPS connection, then the SSL negotiation needs to complete first.
In other words, no. The URL https://domain.com is invalid for your app. No client should even know about this particular address and hence should not try to access it. You should avoid giving out this URL anywhere so clients won't try to access it. In fact, you do not seem to want to run an HTTPS server for that domain, so you should actually turn it off, so clients won't be able to connect to domain.com via HTTPS at all.