#1 2013-05-23 02:15:52

Allan
Developer
From: Brisbane, AU
Registered: 2007-06-09
Posts: 10,330
Website

[SOLVED] nginx configuration - redirects and self signed certificate

Here is what I am trying to achieve...   All I want people to see is http://allanmcrae.com.   Anything with https:// in front or with www should redirect there.   However, I want to keep my wordpress admin pages through https.

These work:
https://allanmcrae.com
http://www.allanmcrae.com

But this fails
https://www.allanmcrae.com


Here is a stripped down version of my current nginx.conf file:

http {
    ....

    server {
        listen       80;
        server_name  allanmcrae.com;
        root         /srv/http/allanmcrae.com;

        location / {
            index  index.html index.htm index.php;
            try_files $uri $uri/ /index.php?q=$uri&$args;
        }

        ...
    }


    server {
        listen       443;
        server_name  allanmcrae.com;
        root         /srv/http/allanmcrae.com;

        ssl                  on;
        ...

        location ~ /wordpress/wp-(admin|login|includes|content) {
            index  index.html index.htm index.php;
            try_files $uri $uri/ $1/index.php?args;
            ...
        }

        location / {
            rewrite ^ http://allanmcrae.com$uri permanent;
        }
    }

    server {
        server_name  www.allanmcrae.com;
        rewrite ^ $scheme://allanmcrae.com$uri permanent;
    }
}

I think that bottom "server_name www.allanmcrae.com" should catch the "https://www.allanmcrae.com" and make it "https://allanmcrae.com" which then gets redirected to "http://allanmcrae.com".   But that is not working...

What am I doing wrong?

#2 2013-05-23 05:29:34

Allan

I have looked into this further. I have a self signed ssl certificate. If I accept that in firefox, the redirection is fine.

So why does this work (without having to accept the ssl certificate)?
https://allanmcrae.com -> http://allanmcrae.com

but this does not:
https://www.allanmcrae.com -> https://allanmcrae.com -> http://allanmcrae.com

Edit: I guess it is to do with the double redirection via https. Doing this is a workaround:

    server {
        server_name  www.allanmcrae.com;

        location ~ /wordpress/wp-(admin|login|includes|content) {
           rewrite ^ https://allanmcrae.com$uri permanent;
        }

        location / {
           rewrite ^ http://allanmcrae.com$uri permanent;
        }
    }

I guess it is just hiding whatever I am doing wrong, but anyone accessing the wordpress admin sites needs to have accepted the ssl certificate anyway...

#3 2013-05-23 10:39:49

qinohe
Member
From: A Dutch location..)
Registered: 2012-06-20
Posts: 649

Hi, I'm a little curious! You want everyone coming to your page to be redirected to http://allanmcrae.com, whatever is used to address your server, right?
And you should be the only one permitted access to https, 'cause you have the certificate. If the certificate is not found, redirect to http.

Well, as far as I know https relies on an SSL certificate. So, before there is a successful redirect from https to http, a certificate has already been negotiated by the server.


-I can give you a ladder, but you need to climb it yourself-

#4 2013-05-23 10:55:00

Allan

https://allanmcrae.com is redirected to http://allanmcrae.com without the user having to deal with the self signed certificate.  So it seems redirects can happen without having to deal with the certificate...

#5 2013-05-23 11:01:27

qinohe

It doesn't, I first have to import your self signed certificate!
Edit: which is kind of logical; what otherwise would be the purpose of https?

Last edited by qinohe (2013-05-23 11:05:53)


#6 2013-05-23 11:12:04

Allan

Hrm...  I get a certificate error in chromium, but not in firefox...

This is weird!

#7 2013-05-23 11:17:56

qinohe

I'm not an authority in the first place, I have a local CA and do my own requests and sign them!
Now what you want is possible, but for exactly that part you need an official certificate,
otherwise we all need to import your self-signed crt before redirecting to http, if I would use https to address your server!


#8 2013-05-24 09:15:00

qinohe

Allan wrote:

Hrm...  I get a certificate error in chromium, but not in firefox...

This is weird!

Totally missed this. What is going wrong? Need more info!
What was the error you got?


#9 2013-05-24 10:06:10

Allan

"error" as in the warning that the certificate is self signed.   https://allanmcrae.com redirects to http://...  in firefox without showing that warning.

#10 2013-05-24 10:21:21

qinohe

I have that with seamonkey: first I install the CA crt, then I install the website crt and it complains about being self signed!
But then when I look I see the lock and a notification that the certificate is authenticated by the root crt.
If that's the case, I think nothing is wrong! I don't know why firefox is not showing that error, I think it should.


#11 2013-05-26 16:54:37

x33a
Forum Moderator
Registered: 2009-08-15
Posts: 3,205
Website

Strange, I do get an error with firefox too. Also, firefox gives an additional error apart from the self-signed one.

http://imgur.com/wzbZYqI

#12 2013-05-26 17:17:01

qinohe

Ah, well that clears it, I didn't try firefox, so can't say it does.
But I'm willing to try and report back here later on.
Is it this message

Error code: sec_error_untrusted_issuer

For if that is the case, then you need to trust the certificate, and the error will go away, if I'm well informed ;)


#13 2013-05-27 09:32:37

teekay
Member
Registered: 2011-10-26
Posts: 269

Here both chromium and firefox work as expected. I get an "untrusted issuer" warning on both, and if I accept it, both https://allanmcrae.com and https://www.allanmcrae.com redirect to http://allanmcrae.com - which is what you intended.

Chromium has no feature to "permanently add an exception", but firefox has it (and the check box for it is selected by default). So maybe you accepted it permanently in your firefox, or you imported the local CA cert there?

#14 2013-05-27 09:56:46

qinohe

teekay wrote:

Here both chromium and firefox work as expected. I get an "untrusted issuer" warning on both, and if I accept it, both https://allanmcrae.com and https://www.allanmcrae.com redirect to http://allanmcrae.com - which is what you intended.

It does this here too, that works, when I first import the crt.
Except, I don't have the issues when I load my own chain, I don't see that error!

Edit: Btw, I checked firefox, and I got the issue there too; after that, I tried my own, without the error.
Now I must be honest, as I still run my CA local, as a test setup!
So maybe the error is triggered because you use a TLD!, just a guess;)

Last edited by qinohe (2013-05-27 10:28:44)


#15 2013-05-27 10:47:25

progandy
Member
Registered: 2012-05-17
Posts: 2,143

With an https connection, the first thing you have to do is to receive and validate the certificate. Only after that can the encrypted connection be established in order to send an http request and receive the response.

To make it a bit more obscure, try this: create a secret URI which sets a session cookie. If this cookie is not set, https always results in 404 and http results in 404 for admin pages.

If you want to have a more official certificate, try cacert. I guess not everyone trusts a cacert certificate, but it is more widespread than self-signed.

Edit: btw, the certificate is only valid for subdomains and not your root domain. I guess you have to use SAN.

Last edited by progandy (2013-05-27 10:51:33)
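
The ordering progandy describes, shown with Go's standard library as an added example (not code from the thread): a local test server stands in for the HTTPS vhost and answers every request with a 301 to http://allanmcrae.com. The `probe` and `demo` helpers and the `/blog` path are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// probe sends one GET without following redirects and returns the status
// code and Location header, or the error that stopped the request.
func probe(c *http.Client, url string) (int, string, error) {
	c.CheckRedirect = func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse // report the 301 itself
	}
	resp, err := c.Get(url)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	return resp.StatusCode, resp.Header.Get("Location"), nil
}

// demo runs a local HTTPS server (test certificate, not publicly trusted)
// that redirects everything to plain HTTP, then probes it twice.
func demo() (status int, location string, untrustedErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "http://allanmcrae.com"+r.URL.Path, http.StatusMovedPermanently)
	}))
	defer srv.Close()

	// Client with the default trust store: certificate validation fails
	// during the handshake, so no request is sent and no 301 is seen.
	_, _, untrustedErr = probe(&http.Client{}, srv.URL+"/blog")

	// Client that trusts the server certificate: now the redirect arrives.
	status, location, _ = probe(srv.Client(), srv.URL+"/blog")
	return status, location, untrustedErr
}

func main() {
	status, location, err := demo()
	fmt.Println("untrusted client:", err)
	fmt.Println("trusting client: ", status, location)
}
```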

#16 2013-05-27 15:33:44

Allan

progandy wrote:

Edit: btw, the certificate is only valid for subdomains and not your root domain. I guess you have to use SAN.

Thanks, learned what that was and fixed it!

Marking as solved.  Everything seemed to be me misunderstanding how this works...
