
Am I the only one that finds it hilarious (or troubling) that the SSL cert for this site is for a different host name?


(I'm the sslcoop.org guy)

Yeah, well, I haven't worked out how to tell nginx to look at the SNI for a HTTPS request and bomb out completely if it doesn't match any SSL-enabled vhost. Unless you've got pervasive IPv6 -- then I can set everything up so manually mangling URLs to use HTTPS doesn't cause problems (there's no links to HTTPS resources on sslcoop.org)...

Turns out the real scarce resource is IPv4 addresses -- but we already knew that. ipv6coop.org, anyone? (grin)


Possibly a stupid question, but why not make whichever vhost is correctly configured for SSL your default? Any traffic will go there unless another match is found. This is what I do to force SSL and redirect anything not matching another vhost.

  # Catch-all for any name not matched by another vhost: HTTP --> HTTPS
  server {
          # Make this the default for the address; no server_name needed
          listen 80 default_server;
          listen [::]:80 default_server ipv6only=on;
          return 301 https://EXAMPLE.TLD$request_uri;
  }
Or, redirect HTTPS to HTTP for that vhost only:

  server {
          # 'ssl' is needed for nginx to speak TLS on this port; the block
          # also needs ssl_certificate/ssl_certificate_key for EXAMPLE.TLD
          listen      443 ssl;
          server_name EXAMPLE.TLD;
          return 301 http://EXAMPLE.TLD$request_uri;
  }
Mozilla's server-side TLS wiki at https://wiki.mozilla.org/Security/Server_Side_TLS is the best documentation I've found yet, and includes great examples of complete configs for various servers. Hope that helps.


That's not helpful, he doesn't have a cert for www.sslcoop.org, so the link is http; but if you try https://www.sslcoop.org/ you get a cert error, because the IP(s) are running https, but for a different name.

By the time the server can return the redirect you propose, the user agent must have already accepted the non-matching certificate.


Hmm, good to know then. Is there a working Nginx config you can point me to for this use case, because I'd like to solve this issue too. My setup happens to be one HTTPS only server and one HTTP only, but it would be good to know in case I want to mix things up.

Testing a couple of third-party sites, our local bus company simply times out when you manually input https://www.libertybus.je. Doing this on the main BBC site https://www.bbc.co.uk/ quickly returns you to the http version. Those are different setups, but the cert errors do not happen, which is the goal here.
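The nginx setup asked for above (refuse the TLS handshake outright when the SNI name matches no HTTPS vhost, so a browser never sees the wrong certificate), as an added example that is not sslcoop.org's own config or anything posted in this thread. It relies on the ssl_reject_handshake directive, which exists in nginx 1.19.4 and newer; the host name secure.example.org and the certificate paths are assumptions for illustration.

```nginx
# Added example, not from sslcoop.org's configuration.
# Requires nginx >= 1.19.4 for ssl_reject_handshake.

# Default HTTPS server: catches any SNI that no other server block claims
# (and connections that send no SNI at all) and aborts the handshake with
# an unrecognized_name alert. No certificate is configured or needed here,
# so the client never gets a name-mismatch certificate to accept or reject.
server {
    listen      443 ssl default_server;
    listen      [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# The one vhost that really has a certificate (assumed name and paths).
server {
    listen      443 ssl;
    listen      [::]:443 ssl;
    server_name secure.example.org;
    ssl_certificate     /etc/ssl/secure.example.org.crt;   # assumed path
    ssl_certificate_key /etc/ssl/secure.example.org.key;   # assumed path
    # ... normal site configuration ...
}

# The plain-HTTP site sharing the same IPv4 address. It has no server block
# on 443, so https://www.sslcoop.org/ now fails at the handshake instead of
# presenting the other site's certificate.
server {
    listen      80;
    listen      [::]:80;
    server_name sslcoop.org www.sslcoop.org;
    # ... normal site configuration ...
}
```

To check the result from outside, run `openssl s_client -connect www.sslcoop.org:443 -servername www.sslcoop.org </dev/null`: with the config above the handshake should end in an "unrecognized name" alert and no certificate, whereas the same command with `-servername secure.example.org` should print that host's certificate chain. The check matters because a default_server that merely returns a redirect (the earlier suggestion in this thread) only runs after the TLS handshake, by which point the browser has already shown the certificate error.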


Womble, I like your idea and I wish you success. But, it is now constructive feedback time. :)

meowtaxi is sooo right! Seriously, I was going to post the same thing. Sure, I expected an SSL error when I manually switched to the https version of your URL, but the specific SSL error I ended up getting reflects really, really poorly on an organization that aims to become a CA.

I did check your FAQ first for some mention of the site's current SSL woes...


I'm a little surprised that so many people deliberately mangle URLs to see if there's anything listening on :443, myself. I might just pull SSL off the other domain on IPv4, and put it on a separate IPv6 address...


If you find a way, could you post a gist here please!


Yes, let's trust these people to run a certificate authority when they aren't competent enough to set up SSL properly on their own site...



