Here is what I am trying to achieve... All I want people to see is http://allanmcrae.com. Anything with https:// in front or with www should redirect there. However, I want to keep my wordpress admin pages through https.
These work:
https://allanmcrae.com
http://www.allanmcrae.com
But this fails:
https://www.allanmcrae.com
Here is a stripped down version of my current nginx.conf file:
http {
    ....
    server {
        listen 80;
        server_name allanmcrae.com;
        root /srv/http/allanmcrae.com;
        location / {
            index index.html index.htm index.php;
            try_files $uri $uri/ /index.php?q=$uri&$args;
        }
        ...
    }
    server {
        listen 443;
        server_name allanmcrae.com;
        root /srv/http/allanmcrae.com;
        ssl on;
        ...
        location ~ /wordpress/wp-(admin|login|includes|content) {
            index index.html index.htm index.php;
            try_files $uri $uri/ $1/index.php?$args;
            ...
        }
        location / {
            rewrite ^ http://allanmcrae.com$uri permanent;
        }
    }
    server {
        server_name www.allanmcrae.com;
        rewrite ^ $scheme://allanmcrae.com$uri permanent;
    }
}
I think that bottom "server_name www.allanmcrae.com" should catch the "https://www.allanmcrae.com" and make it "https://allanmcrae.com" which then gets redirected to "http://allanmcrae.com". But that is not working...
What am I doing wrong?
Offline
I have looked into this further. I have a self-signed SSL certificate. If I accept that in firefox, the redirection is fine.
So why does this work (without having to accept the SSL certificate)?:
https://allanmcrae.com -> http://allanmcrae.com
but this does not:
https://www.allanmcrae.com -> https://allanmcrae.com -> http://allanmcrae.com
Edit: I guess it is to do with the double redirection via https. Doing this is a workaround:
server {
    server_name www.allanmcrae.com;
    location ~ /wordpress/wp-(admin|login|includes|content) {
        rewrite ^ https://allanmcrae.com$uri permanent;
    }
    location / {
        rewrite ^ http://allanmcrae.com$uri permanent;
    }
}
I guess it is just hiding whatever I am doing wrong, but anyone accessing the wordpress admin sites needs to have accepted the SSL certificate anyway...
Offline
Hi, I'm a little curious! You want everyone coming to your page to be redirected to http://allanmcrae.com, whatever is used to address your server, right?
And you should be the only one permitted access to https, because you have the certificate. If the certificate is not found, redirect to http.
Well, as far as I know https relies on an SSL certificate. So, before there is a successful redirect from https to http, a certificate has already been negotiated by the server.
Offline
https://allanmcrae.com is redirected to http://allanmcrae.com without the user having to deal with the self signed certificate. So it seems redirects can happen without having to deal with the certificate...
Offline
It doesn't, I first have to import your self-signed certificate!
Edit: which is kind of logical, what otherwise would be the purpose of https?
Last edited by qinohe (2013-05-23 11:05:53)
Offline
Hrm... I get a certificate error in chromium, but not in firefox...
This is weird!
Offline
I'm not an authority in the first place, I have a local CA and do my own requests and sign them!
Now what you want is possible, but for exactly that part you need an official certificate,
otherwise we all need to import your self-signed crt before redirecting to http, if I would use https to address your server!
Offline
Hrm... I get a certificate error in chromium, but not in firefox...
This is weird!
Totally missed this, what is going wrong?, need more info!
What was the error you got?
Offline
"error" as in the warning that the certificate is self signed. https://allanmcrae.com redirects to http://... in firefox without showing that warning.
Offline
I have that with seamonkey, first I install the CA crt, then I install the website crt and it complains about being self-signed!
But then when I look I see the lock and a notification that the certificate is authenticated by the root crt.
If that's the case, I think nothing is wrong! I don't know why firefox is not showing that error, I think it should.
Offline
Strange, I do get an error with firefox too. Also, firefox gives an additional error apart from the self-signed one.
Offline
Ah, well that clears it, I didn't try firefox, so can't say it does.
But I'm willing to try and report back here later on.
Is it this message
Error code: sec_error_untrusted_issuer
For if that is the case, then you need to trust the certificate, and the error will go away, if I'm well informed ;)
Offline
Here both chromium and firefox work as expected. I get an "untrusted issuer" warning on both, and if I accept it, both https://allanmcrae.com and https://www.allanmcrae.com redirect to http://allanmcrae.com - which is what you intended.
Chromium has no feature to "permanently add an exception", but firefox has it (and the check box for it is selected by default). So maybe you accepted it permanently in your firefox, or you imported the local CA cert there?
Offline
Here both chromium and firefox work as expected. I get an "untrusted issuer" warning on both, and if I accept it, both https://allanmcrae.com and https://www.allanmcrae.com redirect to http://allanmcrae.com - which is what you intended.
It does this here too, that works, when I first import the crt.
Except, I don't have the issues when I load my own chain, I don't see that error!
Edit: Btw, I checked firefox, and I got the issue there too; after that, I tried my own, without the error.
Now I must be honest, as I still run my CA local, as a test setup!
So maybe the error is triggered because you use a TLD!, just a guess;)
Last edited by qinohe (2013-05-27 10:28:44)
Offline
With an https connection, the first thing you have to do is to receive and validate the certificate. Only after that can the encrypted connection be established in order to send an http request and receive the response.
To make it a bit more obscure, try this: create a secret URI which sets a session cookie. If this cookie is not set, https always results in 404 and http results in 404 for admin pages.
If you want to have a more official certificate, try cacert. I guess not everyone trusts a cacert certificate, but it is more widespread than self-signed.
Edit: btw, the certificate is only valid for subdomains and not your root domain. I guess you have to use SAN
Last edited by progandy (2013-05-27 10:51:33)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
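An added example (not written by anyone in this thread) of the two points in the post above: every https hop in a redirect chain needs a certificate valid for that hostname before the server can send its redirect, and a wildcard name does not cover the bare domain. The SAN lists are constructed, and the matcher is a simplified RFC 6125-style check of names only, not of issuer trust.

```python
from urllib.parse import urlsplit


def match_dns_name(pattern, hostname):
    """Match one SAN dNSName against a hostname.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so '*.example.com' never matches 'example.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least '*.domain.tld' so '*.com' is rejected.
        return len(p) >= 3 and p[1:] == h[1:] and h[0] != ""
    return p == h


def cert_covers(san_names, hostname):
    """True if any SAN entry is valid for the hostname."""
    return any(match_dns_name(name, hostname) for name in san_names)


def first_blocked_hop(chain, san_names):
    """Return the first https URL in a redirect chain whose host the
    certificate does not cover, or None if every TLS hop is covered.
    Plain http hops involve no handshake and are skipped."""
    for url in chain:
        parts = urlsplit(url)
        if parts.scheme == "https" and not cert_covers(san_names, parts.hostname):
            return url
    return None


# The redirect chain from the thread.
CHAIN = [
    "https://www.allanmcrae.com/",
    "https://allanmcrae.com/",
    "http://allanmcrae.com/",
]
# Constructed SAN lists (assumptions, not read from the real certificate).
WILDCARD_ONLY = ["*.allanmcrae.com"]
WITH_APEX = ["allanmcrae.com", "*.allanmcrae.com"]

if __name__ == "__main__":
    print("wildcard only :", first_blocked_hop(CHAIN, WILDCARD_ONLY))
    print("apex+wildcard :", first_blocked_hop(CHAIN, WITH_APEX))
```

With a certificate that names only the wildcard, the second hop is where the browser stops; listing both names in subjectAltName clears the name mismatch, while a self-signed issuer still has to be trusted separately.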
Edit: btw, the certificate is only valid for subdomains and not your root domain. I guess you have to use SAN
Thanks, learned what that was and fixed it!
Marking as solved. Everything seemed to be me misunderstanding how this works...
Offline