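Redirecting a subdomain with .htaccess

Time: 2019-01-26 21:28:38

Tags: .htaccess redirect

I have a domain, http://careers.newable.co.uk. I force users onto a secure connection by using the following rewrite rule, which specifies that all traffic should be redirected to https: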

# Redirect http:// to https://
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

However, I have a complication:

Users can go to http://www.careers.newable.co.uk, and they receive the browser error message: This site can’t provide a secure connection

I have seen some .htaccess rules for redirecting, for example:

RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]

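But this has no effect, because the browser still complains about the lack of a secure connection.

1 answer:

Answer 0 (score: 0)

Tested with Chrome:

(EDIT2: ran wget from Debian)

(EDIT3: fixed the issue with fetching the openssl certificate)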

me@debian:~$ wget careers.newable.co.uk
--2019-01-26 23:36:14--  http://careers.newable.co.uk/
Resolving careers.newable.co.uk (careers.newable.co.uk)... 217.160.0.82, 2001:8d8:100f:f000::2f3
Connecting to careers.newable.co.uk (careers.newable.co.uk)|217.160.0.82|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://careers.newable.co.uk/ [following]
--2019-01-26 23:36:14--  https://careers.newable.co.uk/
Connecting to careers.newable.co.uk (careers.newable.co.uk)|217.160.0.82|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html                             [ <=>                                                                ]  22.54K  --.-KB/s    in 0.02s   

2019-01-26 23:36:14 (1.42 MB/s) - ‘index.html’ saved [23083]

me@debian:~$ wget www.careers.newable.co.uk
--2019-01-26 23:36:27--  http://www.careers.newable.co.uk/
Resolving www.careers.newable.co.uk (www.careers.newable.co.uk)... 217.160.0.82, 2001:8d8:100f:f000::2f3
Connecting to www.careers.newable.co.uk (www.careers.newable.co.uk)|217.160.0.82|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.careers.newable.co.uk/ [following]
--2019-01-26 23:36:28--  https://www.careers.newable.co.uk/
Connecting to www.careers.newable.co.uk (www.careers.newable.co.uk)|217.160.0.82|:443... connected.
GnuTLS: A TLS fatal alert has been received.
GnuTLS: received alert [80]: Internal error
Unable to establish SSL connection.
me@debian:~$ openssl s_client -connect careers.newable.co.uk:443 -servername careers.newable.co.uk
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
verify return:1
depth=0 CN = *.newable.co.uk
verify return:1
---
Certificate chain
 0 s:/CN=*.newable.co.uk
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
subject=/CN=*.newable.co.uk
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3340 bytes and written 332 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E52F94F0D9AC068747F883CAC856DABB91F33373267FF0A51B12CF624ED8CB51
    Session-ID-ctx: 
    Master-Key: 945F32F3AEA441AD9A610BA479A466817AC680AC6B9A3B0159B87FBA8A5371F1ACF6BE520073B85CE6AD3AAD0B89BC37
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1548543090
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
closed

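The redirect works as expected. It looks like SSL for www.careers.newable.co.uk is misconfigured / not configured. Perhaps you just need to set ServerAlias www.careers.newable.co.uk in the <VirtualHost> section that defines port 443.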
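
An added example, not part of the original answer: the openssl output above shows a certificate whose subject is CN=*.newable.co.uk, and a wildcard stands for exactly one DNS label, so the port-443 virtual host for www.careers.newable.co.uk also needs a certificate that names that host. The sketch assumes the certificate carries no names beyond the one shown (the page does not list its subjectAltName entries); the function names are illustrative.

```python
"""Which hostnames can a certificate's name list actually serve over TLS?"""

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """RFC 6125-style match: '*' is accepted only as the whole leftmost
    label and stands for exactly one label, never for 'a.b'."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial or non-leftmost wildcards are rejected here
    return p == h

def split_by_coverage(hostnames, cert_names):
    """Return (covered, uncovered) hostnames for the given certificate names."""
    covered, uncovered = [], []
    for host in hostnames:
        ok = any(name_matches(n, host) for n in cert_names)
        (covered if ok else uncovered).append(host)
    return covered, uncovered

# Constructed input: the only certificate name visible in the openssl output,
# and the hostnames a redirect rule might send visitors to.
CERT_NAMES = ["*.newable.co.uk"]
HOSTS = ["careers.newable.co.uk", "www.careers.newable.co.uk", "newable.co.uk"]

if __name__ == "__main__":
    ok, bad = split_by_coverage(HOSTS, CERT_NAMES)
    print("covered by certificate:", ok)
    print("need another certificate name:", bad)
```

Because the TLS handshake completes before Apache reads any request, a RewriteRule in .htaccess can only redirect https://www.careers.newable.co.uk once that name is served with a certificate that covers it.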