Hello!

On Wed, Jul 18, 2018 at 03:10:54PM +0000, Friscia, Michael wrote:

> We have a problem where we have a large number of vanity domain
> names that are redirected. For example we have surgery.yale.edu
> which redirects to medicine.yale.edu/surgery. This works fine
> until someone tries to request https://surgery.yale.edu. For
> administrative reasons, I cannot get a wildcard certificate to
> handle *.yale.edu and make this simple to solve.
>
> My question is if there is any way to redirect a request
> listening on port 80 and 443 but bypass the SSL certificate
> warning so it will redirect? I would assume the order of
> operation with HTTPS is to first validate the certificate but I
> really want the 301 redirect to take place before the SSL cert
> is verified.
>
> I’m open to ideas but we are limited in what we can actually do
> so as it stands the only solution we have is to request a
> certificate for each of the 600+ domains.

Certificate warning appears when client establishes a connection
and cannot verify a certificate. The connection is not
established at this point, and a request is not sent. You cannot
return a redirect unless the client agrees to continue despite the
certificate warning.

That is, if you want redirects to be returned, the only option is
to obtain valid certificates.

Another option might be to reject https connections to domains
when it is not configured to use https. When using SNI, you can
configure nginx to selectively reject connections to some names by
using unsatisfiable ssl_ciphers (see
https://trac.nginx.org/nginx/ticket/195#comment:6).

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx