Insecure Connection with www for nginx

May 19, 2017
Networking Nginx Ubuntu 16.04

If I go to mydomain.com it will redirect to https://mydomain.com; the same is true for any other http connection. However, if I type

https://www.mydomain.com/ I will get a browser warning of "Your connection is not secure".

mydomain.com

server {
        listen 80;
        listen [::]:80;
        server_name mydomain.com www.mydomain.com *.mydomain.com;

        # $server_name expands to the first name listed above, so every
        # host name on port 80 ends up at https://mydomain.com/...
        return 301 https://$server_name$request_uri;
}

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        include snippets/ssl-mydomain.com.conf;
        include snippets/ssl-params.conf;

        root /var/www/mydomain.com/html;

        index index.html index.htm index.nginx-debian.html;

        server_name mydomain.com;

        location ~ /.well-known {
                allow all;
        }

        location / {
                try_files $uri $uri/ =404;
        }
}

I've tried adding listen 443 to the first server block, but that didn't resolve anything. Any help is appreciated :)

2 Answers

@ariziragoran

When it comes to wildcards, the only way to truly support them without buying a specific certificate would be to manually hand-key all the domains and run them through Let's Encrypt / Certbot.

You can buy a wildcard SSL certificate from NameCheap -- they run $94-$99 / year. These types of certificates don't have the same limitations, so you'd generate it once and it'd be valid for one domain but any number of sub-domains.

i.e.

www.domain.com
my.domain.com
sub.domain.com
sub01.domain.com
etc.

The downside there is, of course, that you have to pay for the SSL certificate each year. The upside: you don't have to key in each sub-domain / sub-domain variation when you add a new one.

You could still use Let's Encrypt / Certbot for domains that don't need wildcards, but to truly support wildcards and not have to go through all the hassle, purchasing the certificate is the only way right now.

  • Can I at least redirect anything that says "insecure connection" to a 404 page not found, or "unable to connect to server", or something? Anything to get rid of the insecure connection message.

    Update: Never mind, I just found my answer on Stack:

    HTTPS requests are in fact HTTP requests that are sent over an SSL-encrypted connection. If the server refuses to establish an SSL-encrypted connection, then the browser will have no connection to send the request over. The browser and the server will have no way of talking to each other. The browser will not be able to send the URL that it wants to access, and the server will not be able to respond with a redirect to another URL.

    I'll go cry in the corner.

    • @ariziragoran

      This is from Let's Encrypt and is valid as of this post:

      The Let’s Encrypt CA currently has no plans to do so, but it is a possibility in the future. Hopefully wildcards aren’t necessary for the vast majority of potential users because it should be easy to get and manage certificates for all subdomains.

      So as of right now there are no plans to support wildcard SSL, which limits your options to buying an SSL certificate if you need wildcard SSL and don't want to manually key in each one.

      I'm hoping they'll change their mind, but it's not happening just yet unfortunately.

@ariziragoran

When you generate an SSL certificate, you must include domain.com and www.domain.com -- this is especially true with Let's Encrypt / Certbot.

If you only specified domain.com when generating the SSL certificate, you'll need to run it again and include both versions of the domain. This applies for all domains that you generate certificates for.

i.e. when passing -d, you'll want:

-d domain.com -d www.domain.com

The only thing Let's Encrypt / Certbot doesn't support is wildcards, so you can't pass:

-d *.domain.com

... at least not yet :-) (not sure if they plan to add this in the future).

  • Oh.

    So what do I do about my wildcard cases, where if I get https://test.www.mydomain.com or https://test.mydomain.com I redirect to https://mydomain.com?

    I just want to redirect everything to https://mydomain.com

    My attempt to do this was:

    server {
            listen 80;
            listen [::]:80;
    
            server_name mydomain.com www.mydomain.com *.mydomain.com;
    
            return 301 https://$server_name$request_uri;
    }
    
    # Catch-all for www and any subdomain on 443: the TLS handshake for these
    # names still presents the certificate from ssl-mydomain.com.conf, so the
    # redirect below only runs if that certificate already covers the name.
    server {
            listen 443 ssl;
            listen [::]:443 ssl;
            include snippets/ssl-mydomain.com.conf;
            include snippets/ssl-params.conf;
    
            server_name www.mydomain.com *.mydomain.com;
    
            return 301 https://mydomain.com$request_uri;
    }
    
    server {
            listen 443 ssl http2;
            listen [::]:443 ssl http2;
            include snippets/ssl-mydomain.com.conf;
            include snippets/ssl-params.conf;
    
            root /var/www/mydomain.com/html;
    
            index index.html index.htm index.nginx-debian.html;
    
            server_name mydomain.com;
    
            location ~ /.well-known {
                    allow all;
            }
    
            location / {
                    try_files $uri $uri/ =404;
            }
    }

    But I guess I can't do it? Or at least, how do I redirect away from the insecure connection page to a 404 not found or something?
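The attempt above cannot work for www or test subdomains, and the reason is the one given in the Stack quote and in the second answer: the browser validates the certificate's names during the TLS handshake, before any HTTP request exists, and nginx's `server_name` wildcard and a certificate wildcard follow different rules. The script below is an added example (not code from the thread, from nginx or from Certbot) that models both rules side by side and predicts, for each host name, whether the browser warns or the redirect block runs. The SAN lists and host names are constructed for the example, and nginx name selection is reduced to the exact and `*.domain` forms used in the posted config.

```python
"""Why https://www.mydomain.com/ warns while https://mydomain.com/ redirects.

Added example (not code from the original thread). It models the two
different name-matching rules the thread runs together:

  * nginx `server_name` matching, which only decides which server block
    handles the request, and where `*.mydomain.com` matches any number of
    leading labels (test.www.mydomain.com included);
  * TLS certificate name matching as browsers and OpenSSL apply it (RFC 6125
    style), where `*.mydomain.com` covers exactly one label and never the
    bare domain.

Only the second check produces "Your connection is not secure", and it runs
during the handshake, before any HTTP request (and so any `return 301`) exists.
All host names and SAN lists below are constructed for the example.
"""
from typing import Iterable, List, Optional, Tuple

TLS_WARNING = "TLS warning before any HTTP request: certificate does not cover this name"


def cert_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a host name the way browsers do.

    Case-insensitive; a wildcard is honoured only as the whole left-most
    label and stands for exactly one label; patterns with fewer than two
    fixed labels after the wildcard (e.g. `*.com`) are rejected, which is the
    conservative choice public CAs enforce as well.
    """
    pattern, hostname = pattern.rstrip(".").lower(), hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in lab for lab in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_covers(sans: Iterable[str], hostname: str) -> bool:
    """True if any subjectAltName dNSName in the certificate covers hostname."""
    return any(cert_name_matches(san, hostname) for san in sans)


def nginx_name_matches(server_name: str, hostname: str) -> bool:
    """nginx `server_name` matching for the exact and `*.domain` forms used
    in the thread (regex and `.domain` forms are not modelled)."""
    server_name, hostname = server_name.lower(), hostname.lower()
    if server_name.startswith("*."):
        return hostname.endswith(server_name[1:])  # any depth of subdomain
    return server_name == hostname


def select_server_block(hostname: str, blocks: List[Tuple[str, ...]]) -> Optional[Tuple[str, ...]]:
    """Pick the 443 block nginx would use: exact names win over wildcards
    regardless of configuration order, then the first wildcard match."""
    for names in blocks:
        if any(n.lower() == hostname.lower() for n in names):
            return names
    for names in blocks:
        if any(nginx_name_matches(n, hostname) for n in names):
            return names
    return None


# Constructed model of the poster's second attempt: both 443 blocks include
# the same ssl-mydomain.com.conf snippet, so every name is offered one cert.
SERVER_BLOCKS_443: List[Tuple[str, ...]] = [
    ("www.mydomain.com", "*.mydomain.com"),   # the `return 301 https://mydomain.com...` block
    ("mydomain.com",),                        # the block that serves content
]


def diagnose(hostname: str, sans: Iterable[str], blocks=SERVER_BLOCKS_443) -> str:
    """Predict what a browser sees for https://<hostname>/ given the cert's SANs."""
    if not cert_covers(sans, hostname):
        return TLS_WARNING
    block = select_server_block(hostname, blocks)
    if block is None:
        return "handshake OK; request falls to nginx's default 443 server"
    return "handshake OK; request handled by server_name " + " ".join(block)


def report(sans: Iterable[str], hosts: Iterable[str]) -> dict:
    """Outcome per host name for one certificate (SAN list)."""
    sans = list(sans)
    return {h: diagnose(h, sans) for h in hosts}


if __name__ == "__main__":
    hosts = ["mydomain.com", "www.mydomain.com", "test.mydomain.com", "test.www.mydomain.com"]
    scenarios = {
        "certbot -d mydomain.com (the question)": ["mydomain.com"],
        "certbot -d mydomain.com -d www.mydomain.com (second answer)": ["mydomain.com", "www.mydomain.com"],
        "wildcard cert *.mydomain.com (first answer)": ["mydomain.com", "*.mydomain.com"],
    }
    for title, sans in scenarios.items():
        print(title)
        for host, outcome in report(sans, hosts).items():
            print(f"  {host:26} {outcome}")
```

Running it shows the three states the thread discusses: with only mydomain.com in the certificate, www and every subdomain warn and the 301 block is never reached; adding -d www.mydomain.com fixes www but not test.mydomain.com; and even a *.mydomain.com certificate leaves test.www.mydomain.com warning, because the certificate wildcard covers one label while nginx's `*.mydomain.com` would happily have matched it. The practical check on a live host is the same comparison: list the dNSName entries in the certificate nginx actually serves and compare them against every name in `server_name`, since no nginx directive can run before that comparison succeeds.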
