Forum Discussion

Bob_10976's avatar
Bob_10976
Icon for Nimbostratus rankNimbostratus
Aug 21, 2013

SSL Cert warning with irule https to http

Hello all.. We have an issue where we need to redirect the request https://www.domain.com to https://domain.com. We have an irule in place, see below, that does this, however when the end user goes to https://www hey get a cert warning. We do not have a www.domain.com SSL cert, though we do have a domain.com SSL cert and the end users do not receive a warning when accessing that URL. Is there a way to keep them from getting the cert warning, someway to rewrite the URI or modify the request in some manner so when they visit https://www a rule or function takes place and they get redirected to the non www version. Obviously we could purchase a cert with the www version, but were trying to avoid that cost, if possible. Any suggestions or thoughts would be greatly appreciated

 

when HTTP_REQUEST { switch "[string tolower [HTTP::host]]" { "www.domain.com" { HTTP::respond 301 Location "https://domain.com" } } }

 

Thanks, Bob

 

application delivery
devops
iRules

5 Replies

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Aug 21, 2013

    unfortunately, http redirection is done after ssl handshake. i understand you need www.domain.com certificate.

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Aug 21, 2013

    Just to amplify, the problem is unavoidable in its current state. You need a certificate with the correct server subject name. A few options are:

     

    1. A wildcard cert
    2. A Subject Alt Name - SAN cert
    3. Server Name Indicator - SNI with separate certs (> winXP)
    4. Separate VIPs and separate certs
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Oct 08, 2013

    So I have a SAN cert with alternate name without www. How do I get traffic forwarding from both http://mysite.com to http://www.mysite.com and https://mysite.com to https://www.mysite.com

    You're HTTP (port 80) VIP would be the simplest, and you probably don't care what URI they're using to get there:

    when HTTP_REQUEST {
    HTTP::redirect "https://www.mysite.com[HTTP::uri]"
}

    And then the HTTPS (port 443) VIP would simply need to catch anything going to "mysite.com" and redirect to "www.mysite.com":

    when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] equals "mysite.com" } {
        HTTP::redirect "https://www.mysite.com[HTTP::uri]"        
    }
}

    The SAN certificate that you apply to the HTTPS VIP should include both the "www.mysite.com" and "mysite.com" subject names.