Friday, July 25, 2014

ssl - nginx https -> http redirection using wildcard error

I've already searched the whole web for an answer; unfortunately there isn't one. I hope there is a genius out here.

Context:
My nginx acts as a reverse proxy serving multiple domains.

Problem:
The problem occurs when a non-SSL domain gets forced to use https. I am trying to force a redirect back to http, but it gives an SSL error before the redirect can be processed.

Behavior:

  • The web browser gives an error on Chrome in incognito mode: "This is probably not the site you are looking for! You attempted to reach xxxx.com [client website], but instead you actually reached a server identifying itself as proxydomain.com [proxy identity]."
  • Only once you click "Proceed anyways" does the browser do the rewrite redirection.

Config file that is currently in production but produces the error:

    server {
        listen 443 ssl;
        server_name _;

        ssl_certificate conf.d/proxydomain_com.pem;
        ssl_certificate_key conf.d/proxydomain_com.key;

        rewrite ^(.*)$ http://$host$request_uri permanent;
    }

Attempted solutions:
https://stackoverflow.com/questions/3893839/how-do-i-redirect-https-requests-to-http-in-nginx/3915822#3915822

  • It is whining about an invalid SSL certificate for this domain (obviously), but also if I take off the ssl_certificate attribute (error ssl_error_bad_cert_domain).
  • If I try to take off the "ssl" in the listen attribute I get an ssl_error_rx_record_too_long.

Spent 4 hours on this, going on 5. Any ideas?

Thank you very much :)


Answer

The redirect will be done in the HTTP protocol. HTTPS is HTTP wrapped inside an SSL connection, so if establishing the SSL connection fails because of a bad certificate, there will never be the redirect to http://. So to make this work you have to use a certificate which the client accepts, e.g. one matching the host name and issued by a trusted CA.

If you take off the ssl it will just start a normal non-SSL HTTP server on port 443, but the browser will try to talk SSL and thus you get this error about record_too_long.
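The configuration below is an added example, not part of the question or the answer, showing the shape of the fix the answer describes: one TLS server block per proxied hostname, each presenting a certificate whose name matches its server_name, so the handshake completes and the client actually receives the 301 to http://. The hostnames client1.example and client2.example and the certificate paths are placeholders; `return 301` is used in place of the question's `rewrite ... permanent` and gives the same response. The catch-all block uses `ssl_reject_handshake`, available since nginx 1.19.4, so that names you hold no certificate for get a clean handshake failure instead of proxydomain.com's certificate being presented for the wrong name.

```nginx
# Added example (not from the original post). Each hostname that is proxied
# gets its own TLS server block with a certificate that matches that name.
# nginx selects the block from the SNI name the browser sends.

server {
    listen 443 ssl;
    server_name client1.example www.client1.example;

    # Placeholder paths: the certificate's SAN list must cover both names above.
    ssl_certificate     /etc/nginx/certs/client1.example.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/client1.example.key;

    # Only reached after a successful TLS handshake; equivalent to the
    # question's "rewrite ^(.*)$ http://$host$request_uri permanent;".
    return 301 http://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name client2.example;

    ssl_certificate     /etc/nginx/certs/client2.example.fullchain.pem;   # placeholder
    ssl_certificate_key /etc/nginx/certs/client2.example.key;             # placeholder

    return 301 http://$host$request_uri;
}

# Catch-all for any other SNI name (or no SNI at all): refuse the handshake
# rather than answer with a certificate for the wrong hostname.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # nginx 1.19.4 or later
}
```

To check the result, `openssl s_client -connect client1.example:443 -servername client1.example` should show a certificate whose subject or SAN matches the name, and `curl -vI https://client1.example/` should then show the 301 with a `Location: http://...` header; a name that hits the catch-all block fails in the handshake and never gets as far as an HTTP response, which is exactly the layering the answer describes. A single certificate whose SAN list covers every proxied hostname would let one `server_name` block do the same job. Note that the usual direction for such a redirect is http to https; redirecting the other way sends clients back to cleartext, so the blocks above should only be used for hostnames that are intentionally served without TLS.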
