[CentOS] apache redirection

Nataraj incoming-centos at rjl.com
Wed May 19 21:47:34 UTC 2010 

Ski Dawg wrote:
> On Wed, May 19, 2010 at 3:02 PM, Zack Colgan
> <security-watch-zack at clearbearing.com> wrote:
>   
>> On 05/19/2010 04:08 PM, Ski Dawg wrote:
>>     
>>> The problem I am running into is if they go to https://domainname.com
>>> (straight to the secure site), I am not able to find a solution that
>>> will redirect them to https://www.domainname.com, so that the ssl
>>> certificate matches and they won't get the "This connection is
>>> untrusted" warning.
>>>       
>> The problem you are running into is that SSL sessions are negotiated
>> prior to the browser sending the virtual host name, so there is no
>> opportunity to redirect the client to the www URL before it's too late.
>>  Aside from purchasing a second SSL certificate for the plain domain
>> name or getting a wildcard certificate to cover both, I would just make
>> sure the links on your web site to the secure version of the domain
>> specify the www in the URL.
>>     
>
> Zack,
>
> Thanks for the reply.
>
> All of our links use the correct syntax (with the www), we were just
> trying to catch the corner cases where if someone tries to go directly
> to https://domainname.com instead of https://www.domainname.com then
> it would not give them the error.
>
> I was hoping to be able to do this without another certificate, since
> this is just some corner cases, but I will investigate that as well.
> Thanks.
>   
You might try rewrite instead of redirect.  It would seem that rewrite 
might happen before processing the certificate. 

Here's an example of where I've used rewrite, you'll have to substitute 
the correct regular expressions for your needs.  Also see RewriteCond of 
needed...
    RewriteEngine On
    RewriteRule ^/$ https://www.myhost.org/

Let us know if this works for you.

There are also mechanisms to create single certificates with multiple 
domainnames.  There are apparently many ways to do this, and only 
certain of these methods work with various http servers and/or 
browsers.  I've not spent the time to fully understand this (I tried it 
briefly with cacert.org and never got it working), though if you just 
recently purchased the certificate and you are having a problem, most of 
the CA's will redo the certificate.  You might ask your CA what they 
recommend in this case.

Nataraj

More information about the CentOS mailing list