Welcome! Log In Create A New Profile

Advanced

Re: Redirect www to not-www

Previous Message Next Message
Forum List Message List New Topic Print View
Paul
January 10, 2023 06:46PM
On 2023-01-10 13:43, Francis Daly wrote:

>> Using nginx (1.18.0 on Ubuntu 20.04.5) as proxy to back-end, I have three
>> sites (a|b|c.example.com) in a fast, reliable production environment. I have
>> DNS records set up for www.a|b|c.example.com. I have CertBot set up for
>> only a|b|c.example.com.
>>
>> To avoid "doubling" the number of sites-available and security scripts, and
>> to avoid the unnecessary "www." I would like to add something like:
>> /.../
> There are 4 families of requests that the client can make:
>
> * http://www.a.example.com
> * http://a.example.com
> * https://www.a.example.com
> * https://a.example.com
>
> It looks like you want each of the first three to be redirected to
> the fourth?

Many thanks. That is totally correct. Given your comment re "lack of
certificate" and "validation will fail" I have now expanded CertBot to
include the three "www." names. All works fine (as far as I can see
using Firefox, Opera, Vivaldi clients -- and Edge, had to boot up an old
laptop!)

BUT... for that one step further and have all server (nginx) responses
go back to the end-client as:
https://a.example.com
and NOT as:
https://www.a.example.com
^^^
I have written an /etc/nginx/conf.d/redirect.conf as:
server {
server_name www.a.example.com;
return 301 $scheme://a.example.com$request_uri;
}

which seems to work, but I would appreciate your opinion - is this the
best, most elegant, secure way? Does it need "permanent" somewhere?

I've never used "scheme" before today, but we've got an external
advisory audit going on, and I'm trying to keep them happy.

Many thanks and best regards,
Paul

>
> It is straightforward to redirect the first two to the fourth --
> something like
>
> server {
> server_name a.example.com www.a.example.com;
> return 301 https://a.example.com$request_uri;
> }
>
> should cover both.
>
> (Optionally with "listen 80;", it replaces your similar no-ssl server{}
> block.)
>
> But for the third family, the client will first try to validate the
> certificate that it is given when it connects to www.a.example.com,
> before it will make the http(s) request that you can reply to with
> a redirect. And since you do not (appear to) have a certificate for
> www.a.example.com, that validation will fail and there is nothing you
> can do about it. (Other that get a certificate.)
>
> Cheers,
>
> f

\\\||//
(@ @)
ooO_(_)_Ooo__________________________________
|______|_____|_____|_____|_____|_____|_____|_____|
|___|____|_____|_____|_____|_____|_____|_____|____|
|_____|_____| mailto:paul@stormy.ca _|____|____|
_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
Reply Quote
RSS
Subject Author Posted

Redirect www to not-www

Paul January 10, 2023 12:04PM

Re: Redirect www to not-www

Francis Daly January 10, 2023 01:44PM

Re: Redirect www to not-www

Paul January 10, 2023 06:46PM

Re: Redirect www to not-www

Francis Daly January 10, 2023 07:38PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 187
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready