Forum Discussion
Kenny_Van_73892
Nimbostratus
Feb 12, 2009
strip away www. and redirect to https:// without cert mismatch error
I need some help to clear my mind.
I need to strip away www. from the host on either port 80 or 443 and redirect to https://. For instance, if a user enters http:// or https://www.sub.mycompany.com then www. must get stripped away and it redirects to https://sub.mycompany.com; if a user enters http:// or https://sub.mycompany.com then it just redirects to https://sub.mycompany.com.
I came up with this, but couldn't get it to work the way I wanted, and got a certificate error because the host didn't match the registered SSL host, sub.mycompany.com.
```tcl
when HTTP_REQUEST {
    # Strip a leading "www." on port 80 or 443 and redirect to the canonical https host
    # (the port test is parenthesized so "and" does not bind tighter than "or")
    if { [HTTP::host] starts_with "www." and ([TCP::local_port] eq 80 or [TCP::local_port] eq 443) } {
        HTTP::redirect https://[string range [HTTP::host] 4 end][HTTP::uri]
    } elseif { [TCP::local_port] eq 80 } {
        # Host without www. on plain HTTP: same host, but over https (drop any :port suffix)
        HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
    }
}
```
So, how do I strip the www. away and cert won't complain mismatch?
Thanks in advance.
12 Replies
- dennypayne
Employee
Unfortunately there's really not a way to do this other than getting a wildcard cert that will match both names.
Denny
- Kenny_Van_73892
Nimbostratus
So, https://www.sub.mycompany.com is not equal to https://sub.mycompany.com? Somehow I thought www is generic and shouldn't matter.
- Kenny_Van_73892
Nimbostratus
I did some searches on this forum but wonder if this would work or not
```tcl
when RULE_INIT {
    # Defaults for the globals referenced below (assumed; they are not set anywhere in the post)
    set ::debug 0
    set ::rewrite_uri_to_lower_case 0
}
when HTTP_REQUEST {
    # strip away www. before BigIP check for SSL cert
    if { [HTTP::host] starts_with "www." } {
        HTTP::header replace "Host" [string range [HTTP::host] 4 end]
    }
    if { [TCP::local_port] equals 80 } {
        HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
        if { $::debug } { log local0. "redirecting client [IP::client_addr] to https://[getfield [HTTP::host] \":\" 1][HTTP::uri]" }
    } else {
        # Rewrite the HTTP::path to lower case if the option is enabled globally or in a separate rule
        if { $::rewrite_uri_to_lower_case or ([info exists rewrite_uri_to_lower_case] and $rewrite_uri_to_lower_case) } {
            HTTP::path [string tolower [HTTP::path]]
        }
    }
}
```
I have no way to test this since the site is in production.
- Kenny_Van_73892
Nimbostratus
Now I have another question and would like to get confirmation: if I can get a CA such as Verisign to issue an SSL cert for www.sub.mycompany.com and sub.mycompany.com, then would this resolve the whole cert mismatch? And a user could either enter https://www.sub.mycompany.com or https://sub.mycompany.com and get directed to a single VIP on the BIG-IP.
Thanks.
- Russell_E_Glaue
Nimbostratus
We actually do exactly what you are doing at our operations, just in a different approach.
First I have the project manager tell me what is the official main URL to the web site. Let's say for this it is:
1) https://sub.mycompany.com
Then I ask what the other unofficial URLs desired to be used are, which will redirect to the official web site. Let's say for this they are:
1) http://sub.mycompany.com
2) http://www.sub.mycompany.com
3) https://www.sub.mycompany.com
The project manager has indicated the web site will be only SSL.
At this point I have to tell the project manager they have three options for SSL certificates:
1) purchase 2 SSL Certificates for https://sub.mycompany.com and https://www.sub.mycompany.com - two 1-year basic SSL certs from Network Solutions are about $200.
2) purchase 1 wildcard SSL certificate for https://*.mycompany.com which will cover both https://sub.mycompany.com and https://www.sub.mycompany.com, and also *theoretically* even https://www.one.two.three.four.sub.mycompany.com - one 1-year wildcard SSL Cert from Network Solutions is about $500.
3) purchase 1 SSL Certificate for https://sub.mycompany.com , and eliminate the desired URL https://www.sub.mycompany.com as one of the redirects.
Then I write the iRule to say
1) if the traffic comes in on port 80, and matches a redirect URL, redirect to the official URL.
2) if the traffic comes in on port 443, and matches a redirect URL, redirect to the official URL.
With these two iRules in place, it does not matter which of the three SSL Cert choices they choose to go with.
A note about SSL.
When a user types https://whatever.com/ into a web browser, the first thing the browser does is:
1) make a connection to the domain at port 443
2) initiate an encrypted SSL handshake
As a side note, if the web user types in http://whatever.com:443/ then for the second step it is a normal unencrypted HTTP session.
Using the protocol "https://" causes the browser to communicate via SSL, so the server will never receive any HTTP packets unless it is also communicating via SSL.
And thus, if you do not want an SSL mismatch in your scenario, you need the SSL cert(s) to protect every domain that is going to be accessed via "https://".
-RG
- Russell_E_Glaue
Nimbostratus
Posted By puma on 02/19/2009 6:54 AM
Now I have another question and would like to get confirmation: if I can get a CA such as Verisign to issue an SSL cert for www.sub.mycompany.com and sub.mycompany.com, then would this resolve the whole cert mismatch? And a user could either enter https://www.sub.mycompany.com or https://sub.mycompany.com and get directed to a single VIP on the BIG-IP.
Thanks.
So if you get CA-signed SSL certs for both of these domains in your case, then yes, you will not get an SSL cert mismatch error.
-RG
- Russell_E_Glaue
Nimbostratus
Do note, however, that each SSL cert and matching domain must be assigned to, and responding on, two different IP numbers.
So, sub.mydomain.com must be assigned to one IP number in DNS
And, www.sub.mydomain.com must be assigned to another IP in DNS
This will be two different Virtual Servers on the BigIP.
-RG
- Kenny_Van_73892
Nimbostratus
Thanks a lot RG. Your quick response cleared up my head.
- hoolio
Cirrostratus
Actually, you can get a single CA-signed cert that is valid for multiple subjects like example.com and www.example.com (or even www.example.com and www.example.co.uk), using Subject Alternative Names (SANs). Most modern browsers support SANs. Try searching the iRule and/or Advanced Config forums for some related links.
This would allow you to handle requests for each of the SANs on a single IP address:port combination. RG's idea with a wildcard cert is a novel idea for handling this though.
Aaron
- Russell_E_Glaue
Nimbostratus
Regarding Subject Alternative Name SSL Certificates
About and How to get:
http://www.digicert.com/subject-alternative-name.htm
http://www.digicert.com/unified-communications-ssl-tls.htm
Compatibility:
https://www.digicert.com/subject-alternative-name-compatibility.htm
-RG
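To make the order of operations RG describes concrete (the certificate name check happens in the TLS handshake, the iRule redirect only runs after that) together with the wildcard and SAN coverage discussed above, here is a small Python model. It is an added example, not code from this thread or from F5: OFFICIAL_HOST, the hostnames and the cert name lists are constructed sample values, and the iRule decision is modelled as the function redirect_target rather than written in Tcl. Browsers apply single-label wildcard matching (RFC 6125), so *.mycompany.com covers sub.mycompany.com but not www.sub.mycompany.com; the model reflects that.

```python
from typing import Optional

# Constructed sample values for this example; the official host is the
# one the thread wants everything redirected to.
OFFICIAL_HOST = "sub.mycompany.com"


def cert_covers(hostname: str, cert_names: list[str]) -> bool:
    """Browser-style name check: exact match against the CN/SAN list, or a
    wildcard whose '*' stands for exactly ONE leftmost label (RFC 6125)."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == host:
            return True
        # "*.mycompany.com" covers "sub.mycompany.com" but NOT
        # "www.sub.mycompany.com": the wildcard never spans two labels.
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def redirect_target(port: int, host: str, uri: str) -> Optional[str]:
    """The iRule decision from the thread: a request that is not already
    https://OFFICIAL_HOST is redirected there; None means pass to the pool."""
    host = host.split(":", 1)[0].lower()  # drop any :port the browser sent
    if port == 443 and host == OFFICIAL_HOST:
        return None
    return f"https://{OFFICIAL_HOST}{uri}"


def browser_visit(scheme: str, host: str, uri: str, cert_names: list[str]) -> str:
    """One user request, in the order the browser really performs it: the
    TLS handshake (with its name check) first, the HTTP request and hence
    the iRule only afterwards. Returns what the user ends up seeing."""
    port = 443 if scheme == "https" else 80
    if scheme == "https" and not cert_covers(host, cert_names):
        return f"TLS name mismatch for {host}"  # the iRule never ran
    target = redirect_target(port, host, uri)
    return target if target else f"served https://{host}{uri}"
```

With a cert for sub.mycompany.com only, a visit to https://www.sub.mycompany.com fails in the handshake before any redirect; with a SAN cert listing both names (or separate VIPs with their own certs) the same visit gets the 302 to the official URL.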