I've already searched the whole web for an answer; unfortunately there isn't one. I hope there is a genius out here.
Context:
My nginx acts as a reverse proxy serving multiple domains
Problem:
The problem occurs when a non-SSL domain gets forced to use https. I am trying to force a redirect back to http, but it gives an SSL error before the redirect can be processed.
Behavior:
- The web browser gives an error on Chrome in incognito mode: "This is probably not the site you are looking for! You attempted to reach xxxx.com [client website], but instead you actually reached a server identifying itself as proxydomain.com [proxy identity]."
- Only once you click "Proceed anyways" the browser will do the rewrite redirection
Config file that is currently in production but produces the error:

    server {
        listen 443 ssl;
        server_name _;
        ssl_certificate conf.d/proxydomain_com.pem;
        ssl_certificate_key conf.d/proxydomain_com.key;
        rewrite ^(.*)$ http://$host$request_uri permanent;
    }

Attempted solutions:
https://stackoverflow.com/questions/3893839/how-do-i-redirect-https-requests-to-http-in-nginx/3915822#3915822
- It is whining of an invalid SSL certificate for this domain (obviously) but if I take off the ssl_certificate attribute (error ssl_error_bad_cert_domain)
- If I try to take off the "ssl" in the listen attribute I get an ssl_error_rx_record_too_long
Spent 4 hours on this going on 5, any ideas?
Thank you very much :)
Answer
The redirect will be done in the HTTP protocol. HTTPS is HTTP wrapped inside an SSL connection, so if establishing the SSL connection fails because of a bad certificate there will never be a redirect to http://. So to make this work you have to use a certificate which the client accepts, e.g. one matching the host name and issued by a trusted CA.
If you take off the ssl it will just start a normal non-ssl http server on port 443 but the browser will try to talk SSL and thus you get this error about record_too_long.
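
To illustrate the answer above, here is an added example (not part of the original question or answer) that checks which proxied host names a certificate's DNS names cover, and therefore which names can ever receive the redirect. The SAN list and host names are constructed sample data, and the wildcard rule is a simplified form of the RFC 6125 matching that browsers apply.

```python
# Added example: the SAN list and host names below are constructed sample data.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate dNSName entry covers hostname.

    Simplified RFC 6125 rules: comparison is case-insensitive, and "*" is
    honoured only as the entire left-most label, standing for one label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Assumption: require two fixed labels after the wildcard (no "*.com");
        # real browsers consult the public suffix list instead.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def handshake_outcome(cert_sans, server_names):
    """Map each proxied name to True if the certificate is valid for it."""
    return {name: any(san_matches(san, name) for san in cert_sans)
            for name in server_names}


# Constructed: DNS names on the proxy's own certificate.
PROXY_CERT_SANS = ["proxydomain.com", "*.proxydomain.com"]
# Constructed: names a catch-all "server_name _" block on 443 would receive.
PROXIED_NAMES = ["proxydomain.com", "www.proxydomain.com",
                 "a.b.proxydomain.com", "xxxx.com"]

if __name__ == "__main__":
    for name, ok in handshake_outcome(PROXY_CERT_SANS, PROXIED_NAMES).items():
        verdict = ("handshake succeeds, redirect is served" if ok
                   else "certificate error before any redirect")
        print(f"{name:22} {verdict}")
```

Any name reported as failing needs its own server block with a certificate that lists it, or must not be reachable over https at all.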