Nginx redirect https://www to https:// non-www without untrusted connection warning

httpsnginxssl

I have a valid SSL certificate for myapp.com, but not for www.myapp.com. Based on this question, it seems to me that it's not possible to immediately redirect from https://www.myapp.com to https://myapp.com without getting another certificate for www.myapp.com.

I'm trying to avoid shelling out more money for another certificate that's only going to be used to redirect to the "correct" site, but I also want to avoid big security warnings when somebody inadvertently accesses the wrong version.

Is it possible to use a self-signed certificate or anything free to get somebody redirected to the right version without buying another certificate?

Best Answer

I think you should have bought the certificate for www.myapp.com, then you would have received a certificate for both myapp.com and www.myapp.com. A wildcard certificate is not necessary.

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

Ssl – Can Https work without a certificate

No. You must have a certificate. It can be self signed, but there must be a public/private key pair in place to exchange the session symmetric key between server and client to encrypt data.

Best Answer

Related Solutions

Nginx – In Nginx, how can I rewrite all http requests to https while maintaining sub-domain

Correct way in new versions of nginx

Ssl – Can Https work without a certificate

Related Topic