IIS – Using CNAME records to redirect to HTTPS when HSTS is active

Tags: cname-record, domain-name-system, hsts, iis

We have a website running in HTTPS on the following URL: abc.example.com.

The problem is that our client thought that any website URL should start with www and has printed www.abc.example.com on all its labels…

No problem, I simply created a redirect rule using IIS's URL Rewrite feature to redirect all hostnames to https://abc.example.com. So far so good.

A few months ago, we received an e-mail from their IS department, stating that abc.example.com was lacking the Strict-Transport-Security header. They asked us to implement the following header:

Strict-Transport-Security = max-age=31536000; includeSubDomains; preload.

At that time I was not fully aware of the exact function of this header, so I blindly added it to the website. I did test the website, I just never tested it using www.abc.example.com.

I only found out just now that this HSTS header will redirect all HTTP URLs to HTTPS URLs by itself, so my custom redirection rules are never applied. The problem now is that users enter http://www.abc.example.com and get redirected to https://www.abc.example.com, instead of https://abc.example.com, resulting in an SSL certificate error because www.abc.example.com does not have an SSL certificate.

As long as includeSubDomains is active, there is very little I seem to be able to do to prevent this from happening on the webserver, unless I set up an SSL certificate specifically for www.abc.example.com.

That's why I thought of trying to solve this by redirecting at DNS level, using a CNAME record: www.abc.example.com. CNAME abc.example.com.

My question is, will this work? When a user enters http://www.abc.example.com, will the CNAME record first redirect this URL to http://abc.example.com and then successfully redirect to https://abc.example.com using the HSTS header? Or will the parameter preload prevent this from happening, even at DNS level?

Any suggestions or help is appreciated.

Best Answer

No, it will not work. There's no such thing as redirecting on the DNS level; redirection is a feature of the HTTP protocol, while DNS (both A and CNAME) records are used only for resolving the IP address.

There's also no use trying to revoke the situation by removing the header,

Strict-Transport-Security = max-age=31536000; includeSubDomains; preload.

as it will be cached on every browser for 31536000 seconds i.e. 365 days.

However, if you don't implement HSTS this way, you don't gain much of its benefits as someone could try to modify http://www.abc.example.com before it gets redirected to https://.

Here, the only exit might be getting a wildcard certificate covering *.abc.example.com, or a multi-hostname certificate having both as Subject Alternative Names.
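To make the answer concrete, here is an added model (not code from the question, the answer, or IIS) of what the browser does with the header above before it ever talks to DNS or the server, following RFC 6797: it parses the Strict-Transport-Security value, records the policy for abc.example.com, and rewrites any later http:// URL for that host or, because of includeSubDomains, for www.abc.example.com, keeping the host name unchanged. A second helper checks which certificate names would then satisfy the TLS handshake for the rewritten URL, mirroring the wildcard and SAN options mentioned in the last paragraph. The URLs, header values and certificate name lists are constructed sample values; ports are ignored for brevity.

```python
"""Added example: why a CNAME cannot undo an HSTS policy with includeSubDomains.

Models the client side of RFC 6797 (HSTS) and the RFC 6125 host-name match a
browser performs on a certificate. Sample hosts and headers are constructed.
"""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into a policy dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True  # only meaningful to the preload list, not the browser
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


class HstsStore:
    """Minimal browser-side HSTS cache keyed by host name."""

    def __init__(self):
        self.known = {}  # host -> policy dict

    def note_response(self, url, headers):
        """Record the policy carried by a response; ignored unless the response was HTTPS."""
        parts = urlsplit(url)
        header = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or header is None or parts.hostname is None:
            return
        policy = parse_hsts(header)
        host = parts.hostname.lower()
        if policy["max_age"] == 0:
            self.known.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.known[host] = policy

    def is_known(self, host):
        """True if host itself, or a parent with includeSubDomains, has a cached policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.known.get(".".join(labels[i:]))
            if policy is not None and (i == 0 or policy["include_subdomains"]):
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL for a known host. The host is kept as typed:
        the browser never consults DNS here, so a CNAME cannot change it."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


def certificate_matches(cert_names, host):
    """RFC 6125-style match: an exact name, or a wildcard covering exactly one left-most label."""
    host = host.lower()
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # "*.abc.example.com" -> ".abc.example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:  # one label only, never the bare parent
                return True
    return False


def simulate_label_visit():
    """Replay the scenario from the question: policy learned on abc.example.com,
    then a user types the www host from the printed label."""
    store = HstsStore()
    store.note_response(
        "https://abc.example.com/",
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    )
    upgraded = store.rewrite("http://www.abc.example.com/label")
    host = urlsplit(upgraded).hostname
    return {
        "upgraded_url": upgraded,
        "apex_only_cert_ok": certificate_matches(["abc.example.com"], host),
        "wildcard_cert_ok": certificate_matches(["*.abc.example.com"], host),
        "san_cert_ok": certificate_matches(["abc.example.com", "www.abc.example.com"], host),
    }


if __name__ == "__main__":
    for key, value in simulate_label_visit().items():
        print(f"{key}: {value}")
```

The IIS URL Rewrite rule never runs in this scenario because the browser replaces the scheme locally and opens a TLS connection to www.abc.example.com first; the rule can only fire after a certificate that matches that name has been accepted. The wildcard check also shows a detail worth verifying before ordering a certificate: *.abc.example.com covers www.abc.example.com but not abc.example.com itself, so the apex name must be listed separately.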
