|
Posted by Chuck Anderson on March 15, 2007, 7:04 pm
Please log in for more thread options
I had to choose one or the other when buying my SSL certificate (to www
or not to www).
I chose example.com as opposed to www.example.com. Having done so, any
request to www.example.com causes a security warning in the browser
(name on the certificate does not match the name of the site).
Is there a way to get around this problem, perhaps by redirecting (using
htacces?) all requests to https://www.example.com/* to
https://example.com/* (redirect to the same page and include any input
variables in the original request). If so, will this actually eliminate
the security warning?
--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
*****************************
|
|
Posted by Steven J. Sobol on March 15, 2007, 8:07 pm
Please log in for more thread options
show/hide quoted text
> Is there a way to get around this problem, perhaps by redirecting (using
> htacces?) all requests to https://www.example.com/* to
> https://example.com/* (redirect to the same page and include any input
> variables in the original request). If so, will this actually eliminate
> the security warning?
You'll still get the security warning. The only reliable way around
this is to get https://whatever-without-www set up, or to buy a
wildcard SSL cert.
Does the website even need to answer at https://www.whatever? How
about having http://www.whatever redirect to https://whatever?
--
Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows
Victorville, California PGP:0xE3AE35ED
It's all fun and games until someone starts a bonfire in the living room.
|
|
Posted by Chuck Anderson on March 15, 2007, 9:19 pm
Please log in for more thread options
Steven J. Sobol wrote:
wrote:
show/hide quoted text
>
>> Is there a way to get around this problem, perhaps by redirecting (using
>> htacces?) all requests to https://www.example.com/* to
>> https://example.com/* (redirect to the same page and include any input
>> variables in the original request). If so, will this actually eliminate
>> the security warning?
>>
> You'll still get the security warning. The only reliable way around
> this is to get https://whatever-without-www set up,
Thanks, ......
I'm not sure what you mean. The site *is* setup as
"https://whatever-without-www".
show/hide quoted text
> or to buy a wildcard SSL cert.
>
Too pricey. (I wonder why certs don't automatically cover both. Most
sites answer to both).
show/hide quoted text
> Does the website even need to answer at https://www.whatever?
No matter what I do, people are going to insert that into a link someway
or another. It *is* happening. (Other agent sites link to my site to
sell a product, and if they put the www in, shoppers see a security
warning. Not good for business)
show/hide quoted text
> How about having http://www.whatever redirect to https://whatever?
>
That's what I'm asking how to do. Can I do it in htaccess, and if so,
will that avoid the security warning?
--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
*****************************
|
|
Posted by Steven J. Sobol on March 15, 2007, 9:19 pm
Please log in for more thread options
show/hide quoted text
>> You'll still get the security warning. The only reliable way around
>> this is to get https://whatever-without-www set up,
>
> Thanks, ......
>
> I'm not sure what you mean. The site *is* setup as
> "https://whatever-without-www".
Eh, brainfart, you can ignore that advice :)
show/hide quoted text
>> or to buy a wildcard SSL cert.
>
> Too pricey. (I wonder why certs don't automatically cover both. Most
> sites answer to both).
>
>> Does the website even need to answer at https://www.whatever?
>
> No matter what I do, people are going to insert that into a link someway
> or another. It *is* happening. (Other agent sites link to my site to
> sell a product, and if they put the www in, shoppers see a security
> warning. Not good for business)
So how about buying a second certificate for https://www.whatever?
Any decent web server will be able to serve up two separate virtual
hosts from the same set of files. Apache can, for sure. I'd bet even
IIS can.
show/hide quoted text
>> How about having http://www.whatever redirect to https://whatever?
>>
> That's what I'm asking how to do. Can I do it in htaccess, and if so,
> will that avoid the security warning?
You can do
Redirect permanent / https://whatever
If you redirect from http://www.whatever you won't get a security
warning. If you redirect from httpS://www.whatever https://www will
get hit first and you will get the security warning.
--
Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows
Victorville, California PGP:0xE3AE35ED
It's all fun and games until someone starts a bonfire in the living room.
|
|
Posted by Chuck Anderson on March 16, 2007, 1:19 am
Please log in for more thread options
Steven J. Sobol wrote:
wrote:
show/hide quoted text
>
>>> You'll still get the security warning. The only reliable way around
>>> this is to get https://whatever-without-www set up,
>>>
>> Thanks, ......
>> I'm not sure what you mean. The site *is* setup as
>> "https://whatever-without-www".
>>
> Eh, brainfart, you can ignore that advice :)
>
Ah, ... had me confused. I understand
show/hide quoted text
>
>>> or to buy a wildcard SSL cert.
>>>
>> Too pricey. (I wonder why certs don't automatically cover both. Most
>> sites answer to both).
>>
>>> Does the website even need to answer at https://www.whatever?
>>>
>> No matter what I do, people are going to insert that into a link someway
>> or another. It *is* happening. (Other agent sites link to my site to
>> sell a product, and if they put the www in, shoppers see a security
>> warning. Not good for business)
>>
> So how about buying a second certificate for https://www.whatever?
>
I was trying to avoid that.
show/hide quoted text
>>> How about having http://www.whatever redirect to https://whatever?
>>>
>>>
>> That's what I'm asking how to do. Can I do it in htaccess, and if so,
>> will that avoid the security warning?
>>
> You can do
> Redirect permanent / https://whatever
> If you redirect from http://www.whatever you won't get a security
> warning.
show/hide quoted text
> If you redirect from httpS://www.whatever https://www will
> get hit first and you will get the security warning.
>
That's the bottom line for me. From what you say, it seems that even if
I do redirect https://www.whatever to https://whatever (in .htaccess),
users will still get a security warning when they use www.
Again, it seems really stupid to have to buy another certificate for
this. You can not you control whether people access your site with the
www or without it. Yet they are the same site. It really shouldn't
require two certificates.
--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
*****************************
|
| Similar Threads | Posted | | Https vs. http? | April 21, 2005, 8:58 pm |
| robots.txt for https but not http | July 29, 2005, 12:02 am |
| https, relative paths and FF3 | May 27, 2009, 7:13 pm |
| Problems with using hyperlinks on a https and IE6/WinXP SP1 | January 3, 2005, 5:20 pm |
| Still got problems with using hyperlinks on a https and IE6/WinXP SP1 | January 7, 2005, 5:14 pm |
| http and https in the same document root. | December 13, 2005, 1:04 pm |
| admin panel's for server in http and https | May 29, 2007, 11:48 am |
| Know any tools to help get Padlock back on httpS:// pages ? | July 30, 2007, 9:14 am |
| how to stop google spidering https links | May 18, 2009, 3:55 pm |
| Why doesnt our https:// page give a padlock sign in browsers | June 14, 2007, 9:37 am |
|
XML Sitemap
> htacces?) all requests to https://www.example.com/* to
> https://example.com/* (redirect to the same page and include any input
> variables in the original request). If so, will this actually eliminate
> the security warning?