Nginx listening to 443 in order to redirect a domain without an ssl certificate

nginxssl

I got an ssl certificate for newdomain.org.il

But some requests (images) I'm getting from https://olddomain.org.il

(Since client has schemeless links, which is ok)

I can easily redirect non https requests:

server {
     listen      80;

     server_name  www.olddomain.org.il olddomain.org.il;
     return 301 https://newdomain.org.il$request_uri;
}

But that won't catch requests from old domain with https

but if I add a listen clause for olddomain

server {
     listen      80;
     listen      443 ssl;

     server_name  www.olddomain.org.il olddomain.org.il;
     return 301 https://newdomain.org.il$request_uri;
 }

requests would get an sslError since hostname won't match the certificate domain.

Any workaround this in nginx? (I know I can workaround and another ssl certificate for old domain or with a code change preventing those legacy urls to exists, but Since this is a migration process from a legacy app, I really don't want to.

Best Answer

Short answer, no.

The whole point of HTTPS is to ensure the security of the connection, you need to have a certificate for NGINX to load, and it has to be valid for the browsers to accept loading resources from it. The only way to keep the resources on the old domain and serve them over HTTPS is to add a valid certificate for the old domain.

Related Solutions

Apache SSL – Is It Bad to Redirect HTTP to HTTPS?

The [R] flag on its own is a 302 redirection (Moved Temporarily). If you really want people using the HTTPS version of your site (hint: you do), then you should be using [R=301] for a permanent redirect:

RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]

A 301 keeps all your google-fu and hard-earned pageranks intact. Make sure mod_rewrite is enabled:

a2enmod rewrite

To answer your exact question:

Is it bad to redirect http to https?

Hell no. It's very good.

Nginx – Properly setting up a “default” nginx server for https

I managed to configure a shared dedicated hosting on a single IP with nginx. Default HTTP and HTTPS serving a 404 for unknown domains incoming.

1 - Create a default zone

As nginx is loading vhosts in ascii order, you should create a 00-default file/symbolic link into your /etc/nginx/sites-enabled.

2 - Fill the default zone

Fill your 00-default with default vhosts. Here is the zone i am using:

server {
    server_name _;
    listen       80  default_server;
    return       404;
}


server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    return       404;
}

3 - Create self signed certif, test, and reload

You will need to create a self signed certificate into /etc/nginx/ssl/nginx.crt.

Create a default self signed certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Just a reminder:

Test the nginx configuration before reloading/restarting : nginx -t
Reload a enjoy: sudo service nginx reload

Hope it helps.

Best Answer

Related Solutions

Apache SSL – Is It Bad to Redirect HTTP to HTTPS?

Nginx – Properly setting up a “default” nginx server for https

Related Topic