There is a bulletin-board site. It works on subdomains, one city = one subdomain. For example: msk.site.ru

There is an SSL certificate (https) that works with all subdomains. Everything works, everything is okay. There is also a redirect from www.*.site.ru to *.site.ru and, accordingly, from http to https.

Recently there was a problem with addresses like: https://www.msk.site.ru . It shows something like:

Your connection is not secure. The owner of www.msk.site.ru has incorrectly set up his website. To protect your information from being stolen, Firefox did not connect to this website.

However, this problem occurs only with https. I.e. http://www.msk.site.ru is redirected to https://msk.site.ru just fine.

I tried the following settings:

    server {
        listen 80;
        server_name *.msk.site.ru;
        return 301 https://msk.site.ru$request_uri;
    }

    server {
        listen 443;
        ssl on;
        ssl_certificate /home/site/www/prod/ssl-bundle.crt;
        ssl_certificate_key /home/site/www/prod/site.key;
        # enables all versions of TLS, but not SSLv2 or 3, which are weak and now deprecated.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        server_name *.msk.site.ru;
        return 301 $scheme://msk.site.ru$request_uri;
    }

The question is: how do I redirect from https://www.(...).site.ru to https://(...).site.ru?


Do not do it.

Your SSL certificate is a wildcard certificate, so it covers arbitrary *.site.ru (third-level) hosts, but a wildcard certificate cannot protect fourth-level subdomains in any way.

For details, read RFC 2818.

Here are some good starting links in English:

Quote:

A wildcard SSL certificate for *.example.net will match sub.example.net but not sub.sub.example.net.

  • That upset me a little. I got the certificate here: majordomo.ru/ssl, specifically the "Comodo Positive Wildcard". - Nepster
  • There is also the Comodo UCC Certificate, developed for Microsoft Exchange and Office Communication Server. BUT it protects only 3 subdomains? - Nepster
  • If you want to do it with one certificate, then this is not possible. There are no such types of certificates at all. Both NAC and UCC are not for that. - AK
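The matching rule the answer refers to, as an added example that is not part of the original post or its comments: a small RFC 2818 / RFC 6125 style name matcher run over the hostnames from the question. It assumes a certificate whose DNS names are site.ru and *.site.ru (my assumption about the asker's certificate) and shows why www.msk.site.ru is not covered.

```python
# Added example (not from the original post): RFC 2818 / RFC 6125 style
# wildcard matching, to show why a *.site.ru certificate cannot cover
# www.msk.site.ru. The hostnames are the ones from the question.


def wildcard_matches(pattern, hostname):
    """Return True if certificate name `pattern` covers `hostname`.

    Rules applied (RFC 6125 section 6.4.3, which tightens RFC 2818):
      - comparison is case-insensitive and label by label;
      - a wildcard is accepted only as the complete left-most label
        (partial labels such as "w*.site.ru" are treated as literals here);
      - the wildcard matches exactly one DNS label, so it never spans
        a dot; a fourth-level name is never covered by *.site.ru.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # "*" covers exactly one label, so counts must agree
    if "*" in p_labels[1:]:
        return False  # a wildcard anywhere but the left-most label is invalid
    first_ok = p_labels[0] == "*" or p_labels[0] == h_labels[0]
    return first_ok and p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, hostname):
    """True if any DNS name in the certificate (CN / subjectAltName) covers hostname."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


def explain(cert_names, hostnames):
    """Map each hostname to whether the given certificate names cover it."""
    return {host: cert_covers(cert_names, host) for host in hostnames}


if __name__ == "__main__":
    # Assumed DNS names of the wildcard certificate from the question.
    WILDCARD_CERT = ["site.ru", "*.site.ru"]
    hosts = ["site.ru", "msk.site.ru", "www.site.ru", "www.msk.site.ru"]
    for host, ok in explain(WILDCARD_CERT, hosts).items():
        verdict = "covered" if ok else "NOT covered -> browser warning"
        print(f"{host:20} {verdict}")
```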

Here is the part of the config that runs everything (nginx 1.11):

    listen 443 ssl http2 reuseport;
    server_name test;

    #location = /update.php { return 301 https://test; }
    keepalive_timeout 70;
    ssl on;
    ssl_certificate /etc/nginx/ssl/test.crt;
    ssl_certificate_key /etc/nginx/ssl/test.key;
    ssl_dhparam /etc/nginx/ssl/dh.pem;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
    #add_header Strict-Transport-Security max-age=15768000;
    #ssl_stapling on;
    #resolver localhost;
    ssl_session_timeout 24h;
    ssl_session_cache shared:SSL:12m;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;";
    add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";

Drop TLSv1.

  • Compiled with OpenSSL 1.0.2h, and even Chrome takes it like a native :) - Sey Dee
  • This part of the config does not solve the topic starter's problem; it is just a description of the SSL settings. - AK