My SSL certificate is for mydomain.com, so I am trying to redirect all of www.mydomain.com over to the version without www. Now, all of these work:
http://www.mydomain.com
http://mydomain.com
https://mydomain.com
but https://www.mydomain.com is giving the "Site not safe" warning to the browser…
I tried setting up a redirect like the below but please tell me where my script is buggy…
server {
    listen 80;
    server_name www.mydomain.com mydomain.com;
    rewrite ^(.*) https://mydomain.com$1 permanent;
    client_max_body_size 100M;
    location / {
        index index.htm index.html index.php;
    }
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME /var/www/mysite$fastcgi_script_name;
    }
}
server {
    listen 443;
    ssl on;
    ssl_certificate /usr/local/nginx/conf/public.crt;
    ssl_certificate_key /usr/local/nginx/conf/server.key;
    server_name www.mydomain.com;
    rewrite ^(.*) https://mydomain.com$1 permanent;
}
server {
    listen 443;
    ssl on;
    ssl_certificate /usr/local/nginx/conf/public.crt;
    ssl_certificate_key /usr/local/nginx/conf/server.key;
    client_max_body_size 100M;
    server_name mydomain.com;
    root /var/www/mysite;
    index index.php;
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME /var/www/mysite$fastcgi_script_name;
    }
}
Best Answer
Your configuration script is not buggy.
With your current configuration (assuming that you have a standard single subject SSL Certificate installed), this is not an option.
The reason for this is the way https connections work:
Since the validation process fails, the server never receives the HTTP request for www.mydomain.com on the port 443 listener, and thus cannot send a redirect response to the client/browser.
To enable redirection from https://www.mydomain.com/ to https://mydomain.com, you have a few options, but it all comes down to this: you need a certificate with a subject for each hostname.
1. SAN Certificate
   mydomain.com and www.mydomain.com
2. Multiple IP addresses
   www.mydomain.com
   www.mydomain.com https server to listen on the new IP address (still port 443)
   www.mydomain.com https server to use the new certificate
3. TLS SNI
   www.mydomain.com
Since SNI has limited browser support, I would avoid suggestion 3. Check out the nginx documentation on SNI if you like (bottom of the page).
UPDATE: Some Certificate Authorities offer single subject certificates with a free additional SAN for the www. prefix.
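
An added example (not part of the question or the answer above): the hostname check a browser applies to the certificate during the TLS handshake, run against the two hostnames from the question's config to show which one fails before nginx can send any redirect. The SAN lists are constructed sample data, the function names are hypothetical, and the wildcard case goes beyond what the answer covers.

```python
# Added example: decide which nginx server_name values a certificate covers.
# The SAN lists below are constructed sample data, not read from a real certificate.

def name_matches(hostname: str, pattern: str) -> bool:
    """Match one hostname against one certificate dNSName (RFC 6125 style)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False              # a wildcard never spans more or fewer labels
    if pat[0] == "*":
        # A wildcard is honoured only as the whole left-most label,
        # and only with at least two further labels (no "*.com").
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def uncovered(server_names, san_dns_names):
    """Return the server_names a browser would reject during the TLS
    handshake, i.e. before nginx can answer with a redirect."""
    return [h for h in server_names
            if not any(name_matches(h, p) for p in san_dns_names)]


# Hostnames taken from the server_name directives in the question
SERVER_NAMES = ["mydomain.com", "www.mydomain.com"]

# Constructed SAN lists for three kinds of certificate
SINGLE_SUBJECT = ["mydomain.com"]
SAN_CERT = ["mydomain.com", "www.mydomain.com"]
WILDCARD_ONLY = ["*.mydomain.com"]

if __name__ == "__main__":
    for label, sans in [("single subject", SINGLE_SUBJECT),
                        ("SAN certificate", SAN_CERT),
                        ("wildcard only", WILDCARD_ONLY)]:
        print(f"{label:16} uncovered: {uncovered(SERVER_NAMES, sans)}")
```

A wildcard-only certificate reverses the problem: www.mydomain.com is covered, but the bare mydomain.com is not.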